Date: Fri, 16 Mar 2001 20:28:37 +0200
From: Peter Pentchev
To: Anil Jangity
Cc: freebsd-security@freebsd.org
Subject: Re: Multiple vendors FTP denial of service

On Fri, Mar 16, 2001 at 08:39:07AM -0800, Anil Jangity wrote:
> Kris/All,
>
> FTPD is run as root (at least on my machine). I don't want to limit root
> resources, since I am not sure exactly what a good ball park figure for
> root would be...
>
> I looked in ftpd(8) for some way to make it run as another user (at least
> after it starts up) but no luck.
>
> So, my question is, how do you propose we resource limit ftpd as you
> suggest via login.conf?

It might not be easy to do this via login.conf; if you are running
your ftpd via inetd, though, you can use /usr/bin/limits to do that:

    ftp stream tcp nowait root /usr/bin/limits ftpd -d10K /usr/libexec/ftpd -l

..or you could make an ftpd wrapper:

    #!/bin/sh
    ulimit -d 10240
    exec /usr/libexec/ftpd -l

Having said that, I, too, haven't tested whether setting resource limits
eliminates the original problem.

G'luck,
Peter

--
The rest of this sentence is written in Thailand, on

> @ I'm pretty sure (but haven't tested) that resource limits will prevent
> @ this problem. Your ftpd shouldn't be using large amount of memory
> @ under normal operating procedures, so you can set those to reasonable
> @ values and not suffer any ill effects.
> @
> @ Kris
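
One way to check that a data-size limit set by a wrapper like the one in the message is inherited by the program it execs, as an added example that is not part of the original thread. The names run_limited, seen_by_child and the --serve switch are hypothetical, and `sh -c 'ulimit -d'` stands in for the daemon so the check can run without ftpd.

```shell
#!/bin/sh
# Added example, not code from the thread. FTPD_BIN defaults to the path
# used in the message; everything else here is an illustrative assumption.

FTPD_BIN=${FTPD_BIN:-/usr/libexec/ftpd}

# run_limited KBYTES CMD [ARGS...]
# Lower the data-segment limit inside a subshell, then exec CMD so that it
# replaces the shell and keeps the limit. The calling shell is left untouched.
run_limited() {
    kb=$1
    shift
    (
        # If the limit cannot be set, do not start the command unlimited.
        ulimit -d "$kb" || exit 125
        exec "$@"
    )
}

# seen_by_child KBYTES
# Print the data-segment limit (in kilobytes) that a program started through
# run_limited actually observes. A plain sh is the stand-in for the daemon.
seen_by_child() {
    run_limited "$1" sh -c 'ulimit -d'
}

# When called from inetd as "<this script> --serve", start ftpd with the same
# 10240 KB limit as the wrapper in the message.
if [ "${1:-}" = "--serve" ]; then
    run_limited 10240 "$FTPD_BIN" -l
fi
```

Running `seen_by_child 10240` before deploying the wrapper shows the value the exec'd program will start with.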