From: Dmitry Pryanishnikov
To: Jon Dama
Cc: Kostik Belousov, Peter Jeremy, freebsd-stable@freebsd.org, Michael Proto
Date: Tue, 14 Mar 2006 10:48:04 +0200 (EET)
Subject: Re: RELENG_4 on flash disk and swap
Message-ID: <20060314095808.I12991@atlantis.atlantis.dp.ua>

Hello!

I won't reply to the overcommit part of your letter, since my concern is
rather local: I'm just not sure whether FreeBSD does its best during the
DoS-attack in a swapless environment.

On Mon, 13 Mar 2006, Jon Dama wrote:

> Also, when the system is page-starved it kills the largest consumer of
> pages that has the same UID as the process that pushed the system over the
> limit---not merely the largest consumer of pages. So you see, running
> critical services that carefully pre-allocate and fault their memory is
> possible within the overcommit framework.

I fail to see any UID check in this code (/sys/vm/vm_pageout.c from
RELENG_4_11, the last part of vm_pageout_scan()):

	/*
	 * If we are out of swap and were not able to reach our paging
	 * target, kill the largest process.
	 */
	if ((vm_swap_size < 64 && vm_page_count_min()) ||
	    (swap_pager_full && vm_paging_target() > 0)) {
#if 0
	if ((vm_swap_size < 64 || swap_pager_full) && vm_page_count_min()) {
#endif
		bigproc = NULL;
		bigsize = 0;
		for (p = allproc.lh_first; p != 0; p = p->p_list.le_next) {
			/*
			 * if this is a system process, skip it
			 */
			if ((p->p_flag & P_SYSTEM) || (p->p_pid == 1) ||
			    ((p->p_pid < 48) && (vm_swap_size != 0))) {
				continue;
			}
			/*
			 * if the process is in a non-running type state,
			 * don't touch it.
			 */
			if (p->p_stat != SRUN && p->p_stat != SSLEEP) {
				continue;
			}
			/*
			 * get the process size
			 */
			size = vmspace_resident_count(p->p_vmspace) +
				vmspace_swap_count(p->p_vmspace);
			/*
			 * if the this process is bigger than the biggest one
			 * remember it.
			 */
			if (size > bigsize) {
				bigproc = p;
				bigsize = size;
			}
		}
		if (bigproc != NULL) {
			killproc(bigproc, "out of swap space");
			bigproc->p_estcpu = 0;
			bigproc->p_nice = PRIO_MIN;
			resetpriority(bigproc);
			wakeup(&cnt.v_free_count);
		}
	}

Neither do I see a UID check in the fresh CURRENT.

Also, even if a UID check were here, it wouldn't buy much for us, since
during the DoS attack the target is the main listener (say, sshd or
sendmail), and it always runs as root because otherwise it couldn't listen
on port < 1024.

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
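
Added example, not part of the original message or of FreeBSD: a userland C model of the selection loop quoted from vm_pageout.c in the message above, run over a constructed process table. It assumes a swapless system is represented by vm_swap_size == 0; struct mproc, the match_uid parameter (a hypothetical same-UID filter, as described in the quoted reply) and the process names are illustrative.

```c
/* Userland model of the quoted victim selection loop (added example). */
#include <stddef.h>
#include <stdio.h>
#define P_SYSTEM 0x1            /* model flag, not the kernel's value */
enum { SRUN, SSLEEP, SSTOP };   /* model states, not the kernel's values */

struct mproc {                  /* hypothetical stand-in for struct proc */
    int pid, uid, flag, stat;
    long pages;                 /* resident + swap page count */
    const char *name;
};

/* Constructed sample process table; names and sizes are made up. */
static const struct mproc table[] = {
    {   1,    0, 0,        SSLEEP,   90, "init"       },
    {   5,    0, P_SYSTEM, SSLEEP,    0, "pagedaemon" },
    {  30,    0, 0,        SSLEEP, 4000, "earlyd"     },  /* pid < 48 */
    { 210,    0, 0,        SSLEEP, 3000, "sshd"       },
    { 480, 1001, 0,        SRUN,   2500, "userjob"    },
    { 512, 1001, 0,        SSTOP,  9000, "stopped"    },
};
#define NPROC (sizeof(table) / sizeof(table[0]))

/* Same eligibility and "largest wins" rules as the quoted loop.
 * match_uid < 0 reproduces the quoted code (no UID test); match_uid >= 0
 * adds the hypothetical same-UID filter from the quoted reply. */
static const struct mproc *pick_victim(long vm_swap_size, int match_uid)
{
    const struct mproc *big = NULL;
    long bigsize = 0;

    for (size_t i = 0; i < NPROC; i++) {
        const struct mproc *p = &table[i];
        if ((p->flag & P_SYSTEM) || p->pid == 1 ||
            (p->pid < 48 && vm_swap_size != 0))
            continue;                   /* treated as a system process */
        if (p->stat != SRUN && p->stat != SSLEEP)
            continue;                   /* non-running type state */
        if (match_uid >= 0 && p->uid != match_uid)
            continue;                   /* hypothetical UID filter */
        if (p->pages > bigsize) { big = p; bigsize = p->pages; }
    }
    return big;
}

int main(void)
{
    printf("swapless: %s, with swap: %s, swapless + UID 1001 filter: %s\n",
        pick_victim(0, -1)->name, pick_victim(1000, -1)->name,
        pick_victim(0, 1001)->name);
    return 0;
}
```

In this model, with vm_swap_size == 0 the pid < 48 exemption no longer applies, so the low-pid root daemon is selected; a same-UID filter changes the result only when the UID passed in is not root.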