From: Don Lewis
Message-Id: <199909020205.TAA08666@salsa.gv.tsc.tdk.com>
Date: Wed, 1 Sep 1999 19:05:34 -0700
In-Reply-To: Garrett Wollman "Re: FW: Local DoS in FreeBSD" (Sep 1, 4:46pm)
To: Garrett Wollman, Nick Hibma
Cc: FreeBSD -- The Power to Serve, Mike Tancsa, freebsd-security@FreeBSD.ORG
Subject: Re: FW: Local DoS in FreeBSD

On Sep 1, 4:46pm, Garrett Wollman wrote:
} Subject: Re: FW: Local DoS in FreeBSD
} < said:
}
} > One of the features I like about Unix is for example free space
} > available solely to the root user. It could be imagined that these
} > things also apply to file handles, memory/swap space and other scarce
} > resources.
}
} We have known for some time that the problem originally described
} exists, but developing an acceptable solution has been a challenge.
} Now that sockets carry around user credentials, it may perhaps not be
} as difficult as it used to be.
}
} What needs to be done is to impose a per-UID resource limit on the
} amount of socket buffer space available.
}
} What's not clear is:
}
} 1) At what level do you impose this limit?
}
} 2) Should the limit be statistical or exact?
}
} 3) What is a sensible default value?

A fairly simple, short term measure would be to have a per-UID limit on
the size of socket buffers. Most processes don't need huge buffers, and
this would allow you to relax the per-UID limits on descriptors and
processes for an equivalent level of resource consumption. Maybe there
should be a potentially tighter per-UID limit on sockets than the overall
descriptor limit, since sockets consume quite a bit more kernel resources
than descriptors.

It should be possible to track the overall socket buffer space for each
UID, but how do you enforce the limit? Do you cause the socket(),
socketpair(), accept(), and setsockopt() calls to fail? Will userland
code react well to this? Do you enforce an mbuf limit and block
write()/send*() when the limit is reached? What about packets received
over the network, do they get tossed? Do you kill the process with the
most mbufs when a shortage occurs ;-)

Any resemblance to the swap overcommit debate is intended.
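The following is an added example, not code from the thread or from FreeBSD: a userland toy model of the accounting the reply sketches, where socket-buffer space is charged per UID and an allocation is refused (the "make the call fail" option) when it would exceed that UID's cap or would eat into a headroom reserved for root, mirroring the reserved-free-space idea quoted above. All names, pool sizes and limits (`sb_reserve`, `sb_release`, `POOL_TOTAL`, `ROOT_RESERVE`, `PER_UID_LIMIT`) are hypothetical.

```c
/* Added example, not FreeBSD code: per-UID socket-buffer accounting with
 * a root-only reserve. Names and constants are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define MAX_UIDS       64
#define POOL_TOTAL     (1024u * 1024u)  /* total socket-buffer pool, bytes */
#define ROOT_RESERVE   (128u * 1024u)   /* headroom only uid 0 may use     */
#define PER_UID_LIMIT  (256u * 1024u)   /* cap for each non-root uid       */

struct uid_acct {
    uid_t  uid;
    size_t inuse;   /* bytes currently charged to this uid */
    bool   used;    /* slot occupied */
};

static struct uid_acct acct[MAX_UIDS];
static size_t pool_inuse;   /* bytes charged across all uids */

/* Find (or optionally create) the accounting slot for a uid. */
static struct uid_acct *acct_lookup(uid_t uid, bool create)
{
    for (int i = 0; i < MAX_UIDS; i++)
        if (acct[i].used && acct[i].uid == uid)
            return &acct[i];
    if (!create)
        return NULL;
    for (int i = 0; i < MAX_UIDS; i++)
        if (!acct[i].used) {
            acct[i].used = true;
            acct[i].uid = uid;
            acct[i].inuse = 0;
            return &acct[i];
        }
    return NULL;    /* table full: treat as refusal */
}

/* Charge 'bytes' of socket-buffer space to uid.
 * Returns 0 on success, -1 if the request is refused (the caller would
 * then fail socket()/setsockopt() with an ENOBUFS-style error). */
int sb_reserve(uid_t uid, size_t bytes)
{
    struct uid_acct *a = acct_lookup(uid, true);
    if (a == NULL)
        return -1;
    size_t avail = POOL_TOTAL - pool_inuse;
    if (uid != 0) {
        if (a->inuse + bytes > PER_UID_LIMIT)
            return -1;                       /* per-uid cap */
        /* Non-root may not dip into the root reserve; check before
         * subtracting so the unsigned arithmetic cannot wrap. */
        if (avail < ROOT_RESERVE || avail - ROOT_RESERVE < bytes)
            return -1;
    } else if (avail < bytes) {
        return -1;                           /* root: only the hard pool */
    }
    a->inuse += bytes;
    pool_inuse += bytes;
    return 0;
}

/* Return previously charged space (e.g. on close()). */
void sb_release(uid_t uid, size_t bytes)
{
    struct uid_acct *a = acct_lookup(uid, false);
    if (a == NULL || bytes > a->inuse)
        return;
    a->inuse -= bytes;
    pool_inuse -= bytes;
}

size_t sb_inuse(uid_t uid)
{
    struct uid_acct *a = acct_lookup(uid, false);
    return a ? a->inuse : 0;
}

/* Clear all accounting (for repeatable runs). */
void sb_reset(void)
{
    for (int i = 0; i < MAX_UIDS; i++)
        acct[i].used = false;
    pool_inuse = 0;
}

int main(void)
{
    sb_reset();
    printf("uid 1000 reserve 200K: %d\n", sb_reserve(1000, 200u * 1024u));
    printf("uid 1000 reserve 100K: %d (over per-uid cap)\n",
           sb_reserve(1000, 100u * 1024u));
    printf("uid 0 reserve 64K: %d\n", sb_reserve(0, 64u * 1024u));
    return 0;
}
```

The model only answers the "fail the call" branch of the enforcement question; the blocking and packet-dropping alternatives need the request to be queued or discarded rather than refused, which a counter like this does not express.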