OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Gregor Binder (gbinderSYSFIVE.COM)
Date: Tue Apr 03 2001 - 02:34:16 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Jose Nazario on Mon, Apr 02, 2001 at 06:15:58PM -0400:

    Jose,

    > > Looking at my SunOS7 box, it seems perfectly possible to me that a
    > > single, unpriviledged user could exhaust the process table (fork bomb).
    >
    > POSIX resource limits work well here.

    you're right, it can be done with setrlimit, but I wouldn't say it works
    well :) Reason, there is only one limit that can be set on a per UID
    basis (total number of processes), the rest is working on a per process
    basis (mem usage, fd's, ...). Second, you would have to use something
    homegrown to set the login environment to make sure this can be set on a
    per user basis, and be easily configurable (in addition to making sure
    that all service startup scripts that run unpriv execute this as well).
    Third, you need to take additional steps that the setup can't be tricked
    by logging in twice (for very simple user accounts, this could maybe be
    achieved by setting maxnprocs to something very small (2?)).

    The way I see it, POSIX resource controls are not really satisfying. The
    potential that this is not working the intended way is too high to make
    it really useful. It needs to much maintenance (say you restrict someone
    to running two processes, he finds out he likes another shell better,
    and calls support because he doesn't understand why he exhausted his
    limit), it can cause failure (say, the same user is logged in and cron
    tries to fire up one of his jobs), and is not really secure after all
    (same guy, writes a program that mallocs as much as it can and forks and
    does the same thing again, and then exec's this program (while you had
    to set a very high mem limit for his second process and did not assume
    the login shell would use some substantial amount of that).

    -DNEED_GLOBAL_LIMITS_FOR_EVERYTHING_ON_A_PER_USER_BASIS ;)

    Regards, 

    --
Gregor Binder       <gregor.bindersysfive.com>      http://sysfive.com/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55