From owner-freebsd-security Wed Sep 1 18:18: 2 1999 Delivered-To: freebsd-security@freebsd.org Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (Postfix) with ESMTP id F3D6615546 for ; Wed, 1 Sep 1999 18:17:55 -0700 (PDT) (envelope-from mike@sentex.net) Received: from gravel (ospf-mdt.sentex.net [205.211.164.81]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id VAA19893; Wed, 1 Sep 1999 21:16:43 -0400 (EDT) Message-Id: <4.1.19990901212536.04e852f0@granite.sentex.ca> X-Sender: mdtancsa@granite.sentex.ca X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Wed, 01 Sep 1999 21:29:15 -0400 To: FreeBSD -- The Power to Serve From: Mike Tancsa Subject: Re: FW: Local DoS in FreeBSD Cc: freebsd-security@FreeBSD.ORG In-Reply-To: References: <3.0.5.32.19990901162052.023c18d0@staff.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 06:04 PM 9/1/99 , FreeBSD -- The Power to Serve wrote: >Explain what you mean? That is what login classes are for, you dont have >to put "nobody" in a limited class if this is what you mean.. And you can >set internal limits in apache if that's what you mean.. I feel you mean >either one but I don't know :) I mean that putting the web user (in my case user webuser-- a UID <> nobody) in a login.conf set class would seemingly be very restrictive. In my tests, I had to set a user to have less than 16 open files and ~ 5 processes max to prevent them from crashing a 3.x stable box. These sorts of limits to me at first glance would be unworkable in apache. ---Mike > >On Wed, 1 Sep 1999, Mike Tancsa wrote: > >> At 02:10 PM 9/1/99 -0600, FreeBSD -- The Power to Serve wrote: >> >Exactly what I mean! Limit file descriptors, and it also uses a lot of CPU >> >time so you can limit that too.. It will never crash the system with the >> >proper limits set :). They can run it all they want. >> >> Well, that sort of helps for kids just doing ./a.out, but would you put >> accounting limits on your web server ? That seems like a nasty can of >> configuration worms one would be opening no ? >> >> ---Mike >> >> >> > >> >On Wed, 1 Sep 1999, Mike Tancsa wrote: >> > >> >> At 11:49 AM 9/1/99 -0600, FreeBSD -- The Power to Serve wrote: >> >> >If you have public access users, you should have login accounting in the >> >> >first place.. and yes, it does stop it :).. I verified this on a 3.2 box >> >> >with my login accounting setup.. >> >> >> >> How does accounting stop it ? Or do you mean it just discourages users >> >> from doing it ? How much overhead does accounting add to the system ? >> >> Also, limiting the amount of file descriptors can prevent it, as the 'bug' >> >> is essentially a resource starving issue (e.g. fork bomb) >> >> >> >> ---Mike >> >> ------------------------------------------------------------------------ >> >> Mike Tancsa, tel 01.519.651.3400 >> >> Network Administrator, mike@sentex.net >> >> Sentex Communications www.sentex.net >> >> Cambridge, Ontario Canada >> >> >> >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> >> with "unsubscribe freebsd-security" in the body of the message >> >> >> > >> > >> > >> ------------------------------------------------------------------------ >> Mike Tancsa, tel 01.519.651.3400 >> Network Administrator, mike@sentex.net >> Sentex Communications www.sentex.net >> Cambridge, Ontario Canada >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message >> > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > ********************************************************************** Mike Tancsa, Network Admin * mike@sentex.net Sentex Communications Corp, * http://www.sentex.net/mike Cambridge, Ontario * 01.519.651.3400 Canada * To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message