From: Mike Silbersack (silby_at_silby.com)
Date: Thu Nov 21 2002 - 15:29:04 CST


    On Thu, 21 Nov 2002, David G. Andersen wrote:

    > In PR 45353, I've submitted a patch to reserve a handful of
    > file table entries for root-only use, to mitigate the effects
    > of user processes that leak file descriptors:
    >
    > http://www.freebsd.org/cgi/query-pr.cgi?pr=45353
    >
    > Even with per-process file descriptor limits, it's pretty
    > easy for a buggy program that does any kind of forking to
    > run the system out of file table entries (or for a malicious
    > user to do so). The patch above is trivial, and at least
    > enables root to log in and fix things up a bit. I've been
    > running it locally for about a week, and it's happy.
    >
    > Is the form of the solution acceptable? (And if so, anyone
    > interested in committing it to -current for a while? ;-)
    >
    > -Dave

    Your patch looks good, I think it could probably go in without any
    modifications.

    HOWEVER, we're in a code freeze leading up to 5.0-release, and local DoSes
    aren't a critical bug. Hence, I'm going to wait until after 5.0-release
    is out the door before I go ahead with committing your patch.

    Mike "Silby" Silbersack
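
The reservation idea discussed in this thread, as an added user-space simulation: it is not part of the original messages and is not the patch from PR 45353. The names `ft_alloc`, `MAXFILES` and `ROOT_RESERVE` and the table sizes are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed sizes for the simulation; not FreeBSD's real defaults. */
#define MAXFILES      16   /* total slots in the system-wide file table */
#define ROOT_RESERVE   4   /* slots only uid 0 may take (hypothetical) */

struct file_table { int nfiles; };   /* count of entries currently in use */

/* Allocate one entry. Returns 0 on success, or ENFILE when the table is
 * full, or when only the reserved slots remain and the caller is not root. */
int ft_alloc(struct file_table *ft, unsigned uid)
{
    int limit = (uid == 0) ? MAXFILES : MAXFILES - ROOT_RESERVE;
    if (ft->nfiles >= limit)
        return ENFILE;
    ft->nfiles++;
    return 0;
}

/* Release one entry. */
void ft_free(struct file_table *ft) { if (ft->nfiles > 0) ft->nfiles--; }

/* Model a process that leaks descriptors: allocate until refused and
 * return how many entries it obtained. */
int leak_until_refused(struct file_table *ft, unsigned uid)
{
    int got = 0;
    while (ft_alloc(ft, uid) == 0)
        got++;
    return got;
}

int main(void)
{
    struct file_table ft = { 0 };
    int leaked = leak_until_refused(&ft, 1001);   /* constructed uid */
    printf("uid 1001 leaked %d entries, then got ENFILE\n", leaked);
    printf("uid 1001 retry: %s\n", ft_alloc(&ft, 1001) ? "ENFILE" : "ok");
    printf("root login:     %s\n", ft_alloc(&ft, 0) ? "ENFILE" : "ok");
    return 0;
}
```

The reserve only guarantees root a few entries to log in and clean up; the unprivileged leak still denies service to every other non-root user until those entries are freed.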
