Date: Mon, 4 Dec 2000 21:39:39 -0500 (EST)
From: Matt Heckaman
To: "David G. Andersen"
Cc: FreeBSD-SECURITY
Subject: Re: [spam score 10.00/10.0 -pobox] Re: Fw: NAPTHA Advisory Updated - BindView RAZOR
In-Reply-To: <200012050138.SAA03007@faith.cs.utah.edu>

On Mon, 4 Dec 2000, David G. Andersen wrote:
...
: Nope. It wasn't a kernel problem you were encountering - it was a
: systemwide resource limit being reached. It's not that there's a _bug_ in
: the kernel, it's that the processes file table limits weren't isolated
: from each other. The right solution to this is more isolation of
: different processes (e.g. resource control).

It would be nice if one could set login.conf(5) style resource limits per
daemon instead of per login. Thus we could say, well "{q,send}mail can
have 1024 fds" while apache can have 4096.. etc. Maybe there is a way to
do this (djb's tcpserver? xinetd?) but I'm not currently aware of one.

One thing though, it would be nice to see FreeBSD's default fd &
nmbcluster setting be raised, as it really isn't going to be enough for a
lot of people in normal use, and damn sure won't stand up to any kind of
attack like this.

Just an opinion though :)

* Matt Heckaman   - mailto:matt@lucida.qc.ca  http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA  BFCF 74C3 2D31 C035 5390 *
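
One way to get the per-daemon descriptor limit discussed in the message above is a small launcher that calls setrlimit(2) and then execs the daemon. This is an added example, not code from the thread or from FreeBSD; the `fdcap` name and its argument order are hypothetical, and `fds_reached_under_cap` is a self-check showing the cap biting in a child while the parent's limit stays unchanged.

```c
/* Added example (not from the thread): cap RLIMIT_NOFILE for one daemon. */
#include <sys/types.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Lower the soft and hard descriptor limits of the calling process only. */
int apply_fd_cap(rlim_t fds) {
    struct rlimit rl = { .rlim_cur = fds, .rlim_max = fds };
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Current soft descriptor limit of the calling process (0 on error). */
rlim_t soft_fd_limit(void) {
    struct rlimit rl;
    return getrlimit(RLIMIT_NOFILE, &rl) == 0 ? rl.rlim_cur : 0;
}

/* Fork a child, cap it, and let it open /dev/null until open() fails.
 * Returns the highest descriptor reached plus one (at most the cap),
 * or -1 on error. The parent's own limit is left untouched. */
int fds_reached_under_cap(rlim_t fds) {
    int p[2], top = -1, fd;
    if (pipe(p) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {
        close(p[0]);
        if (apply_fd_cap(fds) == 0)
            while ((fd = open("/dev/null", O_RDONLY)) >= 0) top = fd;
        top++;
        _exit(write(p[1], &top, sizeof top) == (ssize_t)sizeof top ? 0 : 1);
    }
    close(p[1]);
    if (read(p[0], &top, sizeof top) != (ssize_t)sizeof top) top = -1;
    close(p[0]);
    waitpid(pid, NULL, 0);
    return top;
}

/* Hypothetical wrapper usage: fdcap <max-fds> <daemon> [args...] */
int main(int argc, char **argv) {
    if (argc < 3) return 111;
    rlim_t cap = (rlim_t)strtoul(argv[1], NULL, 10);
    if (cap == 0 || apply_fd_cap(cap) != 0) return 111;
    execvp(argv[2], argv + 2);   /* the limit survives exec */
    return 111;                  /* only reached if exec failed */
}
```

RLIMIT_NOFILE is per process, so a daemon that forks N workers can still hold N times the cap. The caps isolate daemons from each other only while their total stays below the systemwide file table size (kern.maxfiles on FreeBSD).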