From owner-freebsd-security  Tue Aug 17 10:35:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2])
	by hub.freebsd.org (Postfix) with ESMTP id 10D4D14EBB
	for ; Tue, 17 Aug 1999 10:35:46 -0700 (PDT)
	(envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost)
	by apollo.backplane.com (8.9.3/8.9.1) id KAA18291;
	Tue, 17 Aug 1999 10:36:16 -0700 (PDT)
	(envelope-from dillon)
Date: Tue, 17 Aug 1999 10:36:16 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199908171736.KAA18291@apollo.backplane.com>
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?
References: <4.1.19990816203409.05989960@granite.sentex.ca> <4.1.19990816213403.05a3b540@granite.sentex.ca> <3.0.5.32.19990817131742.02a5f6c0@staff.sentex.ca>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:
:Thanks for the extended info.  What I am surprised at is that even with
:MAXUSERS set to 128, I have to use something as restrictive as
:
:dialu:\
:        :copyright=/etc/COPYRIGHT:\
:        :welcome=/etc/motd:\
:        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:        :path=~/bin /bin /usr/bin /usr/local/bin /usr/X11R6/bin:\
:        :nologin=/var/run/nologin:\
:        :cputime=unlimited:\
:        :datasize=unlimited:\
:        :stacksize=unlimited:\
:        :memorylocked-cur=10M:\
:        :memoryuse-max=30M:\
:        :maxproc-cur=9:\
:        :maxproc-max=15:\
:        :openfiles-max=16:\
:        :filesize=unlimited:\
:        :coredumpsize=unlimited:\
:        :priority=0:\
:        :ignoretime@:\
:        :umask=022:
:
:
:It seems anything above 16 files open (e.g. 32), and they are able to panic
:the system.

    There have been proposals to extend the concept of per-user resources
    (for example, maxproc is a per-user resource).  This way you would be
    able to set reasonable overall limits for the user that do not overly
    restrict the per-process limits.  However, nobody has attempted to
    actually code the idea.
    It seems to me a fairly easy thing to do through the use of the
    credential's cache (but I'm not volunteering).

					-Matt
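The gap described in the reply, worked through as an added example (not code from the thread or from FreeBSD): it parses a login.conf class and multiplies each per-process hard limit by the per-user maxproc limit to get the ceiling one account can reach. The function names are hypothetical, the sample record is constructed from the class quoted above, and it assumes, as the reply states, that maxproc is per-user while the other limits apply per process.

```python
import re

# Constructed sample: the quoted class, trimmed to its resource-limit capabilities.
LOGIN_CONF = r"""
dialu:\
	:cputime=unlimited:\
	:datasize=unlimited:\
	:memoryuse-max=30M:\
	:maxproc-cur=9:\
	:maxproc-max=15:\
	:openfiles-max=16:\
	:umask=022:
"""

# Size suffixes accepted by login.conf; 'b' means 512-byte blocks.
UNITS = {"b": 512, "k": 1024, "m": 1024**2, "g": 1024**3, "t": 1024**4}

def parse_class(text):
    """Return (name, {capability: value}) for one termcap-style record."""
    joined = re.sub(r"\\\n\s*", "", text.strip())  # undo backslash-newline continuation
    name, *fields = [f for f in joined.split(":") if f]
    caps = {}
    for field in fields:
        key, sep, value = field.partition("=")
        caps[key] = value if sep else True         # capability without '=' is a flag
    return name, caps

def limit(caps, resource, which="max"):
    """Resolve resource-max/-cur, falling back to the bare name.
    Returns None when this class sets no finite value for the resource."""
    raw = caps.get(f"{resource}-{which}", caps.get(resource))
    if raw is None or raw in ("unlimited", "infinity"):
        return None
    m = re.fullmatch(r"(\d+)([bkmgt]?)", raw.lower())
    if not m:
        raise ValueError(f"unparsable limit {resource}={raw!r}")
    return int(m.group(1)) * UNITS.get(m.group(2), 1)

def per_user_ceiling(caps, resource):
    """Per-process hard limit times the per-user process limit (None = no ceiling)."""
    procs, each = limit(caps, "maxproc"), limit(caps, resource)
    return None if procs is None or each is None else procs * each

if __name__ == "__main__":
    name, caps = parse_class(LOGIN_CONF)
    for res in ("openfiles", "memoryuse", "datasize"):
        total = per_user_ceiling(caps, res)
        print(f"{name}: {res} per-user ceiling =",
              "none set" if total is None else total)
```

Because only the product is bounded, keeping the per-user total low forces the per-process values down, which is the restriction the quoted message runs into.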