Date: Wed, 1 Sep 1999 16:04:06 -0600 (MDT)
From: FreeBSD -- The Power to Serve
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FW: Local DoS in FreeBSD
In-Reply-To: <3.0.5.32.19990901162052.023c18d0@staff.sentex.ca>

Explain what you mean? That is what login classes are for, you don't have to
put "nobody" in a limited class if this is what you mean.. And you can set
internal limits in apache if that's what you mean.. I feel you mean either
one but I don't know :)

On Wed, 1 Sep 1999, Mike Tancsa wrote:

> At 02:10 PM 9/1/99 -0600, FreeBSD -- The Power to Serve wrote:
> >Exactly what I mean! Limit file descriptors, and it also uses a lot of CPU
> >time so you can limit that too.. It will never crash the system with the
> >proper limits set :). They can run it all they want.
>
> Well, that sort of helps for kids just doing ./a.out, but would you put
> accounting limits on your web server ? That seems like a nasty can of
> configuration worms one would be opening no ?
>
> ---Mike
>
> >
> >On Wed, 1 Sep 1999, Mike Tancsa wrote:
> >
> >> At 11:49 AM 9/1/99 -0600, FreeBSD -- The Power to Serve wrote:
> >> >If you have public access users, you should have login accounting in the
> >> >first place.. and yes, it does stop it :).. I verified this on a 3.2 box
> >> >with my login accounting setup..
> >>
> >> How does accounting stop it ? Or do you mean it just discourages users
> >> from doing it ? How much overhead does accounting add to the system ?
> >> Also, limiting the amount of file descriptors can prevent it, as the 'bug'
> >> is essentially a resource starving issue (e.g. fork bomb)
> >>
> >> ---Mike
> >> ------------------------------------------------------------------------
> >> Mike Tancsa, tel 01.519.651.3400
> >> Network Administrator, mike@sentex.net
> >> Sentex Communications www.sentex.net
> >> Cambridge, Ontario Canada
> >>
> >>
> >> To Unsubscribe: send mail to majordomo@FreeBSD.org
> >> with "unsubscribe freebsd-security" in the body of the message
> >>
> >
> >
> ------------------------------------------------------------------------
> Mike Tancsa, tel 01.519.651.3400
> Network Administrator, mike@sentex.net
> Sentex Communications www.sentex.net
> Cambridge, Ontario Canada
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
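
The file-descriptor limit discussed in this thread, as an added example that is not code from either poster: a login class limit such as `openfiles` in login.conf reaches a user's processes as an rlimit, and this C program shows the kernel refusing further opens with EMFILE once a child process hits its cap. The function name `opens_allowed_under_limit` and the cap of 32 are assumptions made for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from the thread): fork a child, cap its open
 * files at `cap`, let it open /dev/null until the kernel refuses, and
 * return how many opens succeeded. Returns -1 on error, or if the opens
 * stopped for any reason other than EMFILE (per-process limit reached). */
int opens_allowed_under_limit(rlim_t cap)
{
    int pipefd[2], result = -1;
    if (pipe(pipefd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(pipefd[0]);
        close(pipefd[1]);
        return -1;
    }
    if (pid == 0) {                      /* child: stands in for ./a.out */
        /* soft == hard, so an unprivileged process cannot raise it again */
        struct rlimit rl = { .rlim_cur = cap, .rlim_max = cap };
        int count = 0;
        close(pipefd[0]);
        if (setrlimit(RLIMIT_NOFILE, &rl) == 0) {
            while (open("/dev/null", O_RDONLY) >= 0)
                count++;                 /* descriptors deliberately leaked */
            if (errno == EMFILE)
                result = count;
        }
        if (write(pipefd[1], &result, sizeof result) != (ssize_t)sizeof result)
            _exit(1);
        _exit(0);
    }
    close(pipefd[1]);                    /* parent: collect the child's count */
    if (read(pipefd[0], &result, sizeof result) != (ssize_t)sizeof result)
        result = -1;
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    printf("opens allowed with a limit of 32: %d\n", opens_allowed_under_limit(32));
    return 0;
}
```

The count comes out below the cap because descriptors the child inherits (stdin, stdout, stderr, the pipe) already occupy slots under the limit.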