Date: Wed, 1 Sep 1999 21:19:03 -0400 From: "Joe Gleason" <clash@tasam.com> To: "Systems Administrator" <geniusj@ods.org>, "Nick Hibma" <hibma@skylink.it> Cc: "FreeBSD -- The Power to Serve" <geniusj@free-bsd.org>, "Mike Tancsa" <mike@sentex.net>, <freebsd-security@FreeBSD.ORG> Subject: Re: FW: Local DoS in FreeBSD Message-ID: <019d01bef4e1$46125ca0$256b52c6@tasam.com> References: <Pine.BSF.4.10.9909011510150.48475-100000@ods.org>
next in thread | previous in thread | raw e-mail | index | archive | help
True, I consider myself an a-typical Joe, but still the point is valid that a FreeBSD should be fairly resiliant and stable without needing to do alot of tweaking. There is also the argument that setting resictions by default could mess up people who don't know to look at the resrictions when something doesn't work. Probably some happy medium could probably be achived. I think I would be happy with a default config in which: The average unprived user could not crash the system, but they could use alot of resources and slow the system down drasticly. Joe Gleason Tasam > The average Joe doesn't run FreeBSD > > > -------------------------------------------------------------------------- ---- > Jason DiCioccio | geniusj@free-bsd.org > FreeBSD - The Power to Serve | http://www.freebsd.org > | http://www.ods.org > -------------------------------------------------------------------------- ---- > > On Wed, 1 Sep 1999, Nick Hibma wrote: > > > > > That's one of the comments Microsoft makes when a security hole is > > discovered, switch off that, increase the security level here. It always > > makes me kind of mad, because that's not what the Joe Average does or > > is considers something he should do until it's too late. > > > > One of the features I like about Unix is for example free space > > available solely to the root user. It could be imagined that these > > things also apply to file handles, memory/swap space and other scarce > > resources. > > > > Nick > > > > > > > Exactly what I mean! Limit file descriptors, and it also uses a lot of CPU > > > time so you can limit that too.. It will never crash the system with the > > > proper limits set :). They can run it all they want. > > > > > > > > > On Wed, 1 Sep 1999, Mike Tancsa wrote: > > > > > > > At 11:49 AM 9/1/99 -0600, FreeBSD -- The Power to Serve wrote: > > > > >If you have public access users, you should have login accounting in the > > > > >first place.. and yes, it does stop it :).. I verified this on a 3.2 box > > > > >with my login accounting setup.. > > > > > > > > How does accounting stop it ? Or do you mean it just discourages users > > > > from doing it ? How much overhead does accounting add to the system ? > > > > Also, limiting the amount of file descriptors can prevent it, as the 'bug' > > > > is essentially a resource starving issue (e.g. fork bomb) > > > > > > > > ---Mike > > > > ------------------------------------------------------------------------ > > > > Mike Tancsa, tel 01.519.651.3400 > > > > Network Administrator, mike@sentex.net > > > > Sentex Communications www.sentex.net > > > > Cambridge, Ontario Canada > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > -- > > e-Mail: hibma@skylink.it > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?019d01bef4e1$46125ca0$256b52c6>