Date: Wed, 30 Apr 1997 00:49:29 +1000 From: David Nugent <davidn@labs.usn.blaze.net.au> To: Andrzej Bialecki <abial@korin.warman.org.pl> Cc: freebsd-hackers@FreeBSD.ORG Subject: Re: Who enforces the `limits` ? (Or: The Forkin' Monster) Message-ID: <199704291449.AAA04849@labs.usn.blaze.net.au> In-Reply-To: Your message of "Tue, 29 Apr 1997 14:21:58 %2B0200." <Pine.NEB.3.95.970429140901.20882A-100000@korin.warman.org.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
> It was Friday afternoon, and I was rather bored. So I wrote the following > program: Which kernel? I'll assume 2.2... > I compiled it and run as a normal user. It effectively locked up my > machine. For all practical purposes <g> it constitutes very effective DoS > attack. FreeBSD prior 3.0 doesn't (readily) distinguish between a "normal" user and any other. Any per-user resource limits are system wide, unless special steps are taken to change that. One suggestion is to add some ulimits/limits calls into /etc/profile and /etc/csh.login and lower the default hard limits. > * How to defend against such a hostile process? 3.0-current contains support for /etc/login.conf, where resource limits can be set for classes of users. Unfortunately, this is not in 2.2 (well.. yet - I'd certainly consider it stable enough for inclusion and I'm willing to bring it all into the RELENG_2_2 branch if there is demand). > * How to enforce the `limits`, as shown by e.g. csh, in order to protect > system from running out of resources (e.g. kernel proc table entries)? You need to do this at login. > To put it mildly, I feel rather uncomfortable, knowing that any user can > do such harm to my system. Yes, so do I. David Nugent - Unique Computing Pty Ltd - Melbourne, Australia Voice +61-3-9791-9547 Data/BBS +61-3-9792-3507 3:632/348@fidonet davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199704291449.AAA04849>