From owner-freebsd-security Wed Sep 1 20:33:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.ods.org (fbsd2.ods.org [205.252.42.124]) by hub.freebsd.org (Postfix) with SMTP id 1DAC614EC6 for ; Wed, 1 Sep 1999 20:33:03 -0700 (PDT) (envelope-from geniusj@ods.org)
Received: (qmail 50430 invoked by uid 1000); 1 Sep 1999 23:35:14 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 1 Sep 1999 23:35:14 -0000
Date: Wed, 1 Sep 1999 19:35:14 -0400 (EDT)
From: Systems Administrator
To: Mike Tancsa
Cc: FreeBSD -- The Power to Serve , freebsd-security@FreeBSD.ORG
Subject: Re: FW: Local DoS in FreeBSD
In-Reply-To: <4.1.19990901212536.04e852f0@granite.sentex.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You should raise nmbclusters as well as do the accounting

------------------------------------------------------------------------------
Jason DiCioccio | geniusj@free-bsd.org
FreeBSD - The Power to Serve | http://www.freebsd.org | http://www.ods.org
------------------------------------------------------------------------------

On Wed, 1 Sep 1999, Mike Tancsa wrote:

> At 06:04 PM 9/1/99 , FreeBSD -- The Power to Serve wrote:
> >Explain what you mean? That is what login classes are for, you don't have
> >to put "nobody" in a limited class if this is what you mean.. And you can
> >set internal limits in apache if that's what you mean.. I feel you mean
> >either one but I don't know :)
>
> I mean that putting the web user (in my case user webuser-- a UID <>
> nobody) in a login.conf set class would seemingly be very restrictive. In
> my tests, I had to set a user to have less than 16 open files and ~ 5
> processes max to prevent them from crashing a 3.x stable box. These sorts
> of limits to me at first glance would be unworkable in apache.
>
> ---Mike
>
> >On Wed, 1 Sep 1999, Mike Tancsa wrote:
> >
> >> At 02:10 PM 9/1/99 -0600, FreeBSD -- The Power to Serve wrote:
> >> >Exactly what I mean! Limit file descriptors, and it also uses a lot of CPU
> >> >time so you can limit that too.. It will never crash the system with the
> >> >proper limits set :). They can run it all they want.
> >>
> >> Well, that sort of helps for kids just doing ./a.out, but would you put
> >> accounting limits on your web server ? That seems like a nasty can of
> >> configuration worms one would be opening no ?
> >>
> >> ---Mike
> >>
> >> >On Wed, 1 Sep 1999, Mike Tancsa wrote:
> >> >
> >> >> At 11:49 AM 9/1/99 -0600, FreeBSD -- The Power to Serve wrote:
> >> >> >If you have public access users, you should have login accounting in the
> >> >> >first place.. and yes, it does stop it :).. I verified this on a 3.2 box
> >> >> >with my login accounting setup..
> >> >>
> >> >> How does accounting stop it ? Or do you mean it just discourages users
> >> >> from doing it ? How much overhead does accounting add to the system ?
> >> >> Also, limiting the amount of file descriptors can prevent it, as the 'bug'
> >> >> is essentially a resource starving issue (e.g. fork bomb)
> >> >>
> >> >> ---Mike
> >> >> ------------------------------------------------------------------------
> >> >> Mike Tancsa, tel 01.519.651.3400
> >> >> Network Administrator, mike@sentex.net
> >> >> Sentex Communications www.sentex.net
> >> >> Cambridge, Ontario Canada
> >> >>
> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org
> >> >> with "unsubscribe freebsd-security" in the body of the message
> >> >
> >>
> >
> **********************************************************************
> Mike Tancsa, Network Admin * mike@sentex.net
> Sentex Communications Corp, * http://www.sentex.net/mike
> Cambridge, Ontario * 01.519.651.3400
> Canada *
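As an added illustration, not part of the thread, here is the shape of the login.conf(5) class Jason and Mike are arguing about: per-user caps on processes, open files and CPU time that bound what a fork bomb can consume. The class name, the limit values and the NMBCLUSTERS figure are assumptions for the example, not numbers from the thread.

```conf
# Added example (not from the thread): a login.conf(5) class that bounds the
# resources a runaway process tree can take.  Limit values are assumptions;
# tune them for the host and the web server's real child/worker count.
webserver:\
	:maxproc=64:\
	:openfiles=256:\
	:cputime=30m:\
	:memoryuse=64m:\
	:coredumpsize=0:\
	:tc=default:

# After editing, rebuild the capability database and assign the class to the
# web user (commands run from a root shell, not part of login.conf):
#   cap_mkdb /etc/login.conf
#   pw usermod webuser -L webserver
#
# These limits are applied through setusercontext(3) by login(1), su(1) and
# similar entry points, not by a bare setuid(2), so verify what the user
# actually gets with:
#   su - webuser -c 'ulimit -a'
#
# Jason's other point, more mbuf clusters, was a kernel config option on 3.x
# (value is an assumption for the example):
#   options NMBCLUSTERS=4096
```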