From: Kurt Seifried (bugtraqseifried.org)
Date: Thu Apr 04 2002 - 15:41:52 CST

    This is, to put it politely, incredibly old news. Let's face it, if you give
    a user a shell account, with no restrictions on CPU time or memory usage,
    yes, they will be able to suck up as much resources as the computer can
    spare (this is, among other reasons why "nice" exists). I advise you place
    limits on the users, memory, cpu, stack size, file descriptors, etc, finding
    "good" limits can be tricky though, and you will also want to limit
    concurrent logins.

    I wrote an article on using PAM (Pluggable Authentication Modules) which
    covers these issues and a few others, available at:

    http://www.samag.com/documents/s=1161/sam0009a/0009a.htm

    Also you can view information on setting limits with various shells, and PAM
    as well at:

    http://seifried.org/security/os/linux/20020324-securing-linux-step-by-step.html
    goto "Limiting users overview".

    And the LASG, "Limiting and monitoring users"
    http://seifried.org/lasg/users/

    Better to use PAM to limit users than the shell because the various shells
    do not all support limiting the same items, or soft/hard limits, and if
    you miss a shell and the user "chsh"'s they can avoid it, they can't really
    avoid PAM. As for the "/*/../........." problem in general it was
    "discovered" many many years ago (more than two).

    Kurt Seifried, kurtseifried.org
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
    http://www.iDefense.com/
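
Added example, not part of the original message: a small audit of a pam_limits configuration (/etc/security/limits.conf) that reports which of the resources named in the post have no hard limit for a given set of domains. The mapping of the post's list to the pam_limits item names `cpu`, `as`, `stack`, `nofile` and `maxlogins`, the sample file, its values and the function names are assumptions made for illustration.

```python
# Added example: find resources with no *hard* limit in limits.conf text.
# A soft limit alone can be raised by the user up to the hard limit, so only
# "hard" or "-" (both soft and hard) entries are counted as enforcing a cap.

# Assumed mapping of the post's list (cpu, memory, stack size, file
# descriptors, concurrent logins) to pam_limits item names.
REQUIRED = ("cpu", "as", "stack", "nofile", "maxlogins")

# Constructed sample file; the values are placeholders, not recommendations.
SAMPLE = """\
# <domain>  <type>  <item>     <value>
@users      hard    cpu        60      # minutes of CPU time
@users      -       maxlogins  4       # concurrent logins
@users      soft    nofile     1024    # soft only: user may raise it
*           hard    stack      8192    # KB
"""


def parse_limits(text):
    """Yield (domain, type, item, value) for each well-formed entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then split
        if len(fields) == 4 and fields[1] in ("soft", "hard", "-"):
            yield tuple(fields)


def missing_hard_limits(text, domains, required=REQUIRED):
    """Return required items with no hard or '-' entry for any of `domains`.

    `domains` is the set of limits.conf domains that apply to the account
    being checked, e.g. {"*", "@users", "alice"}.
    """
    covered = set()
    for domain, kind, item, _value in parse_limits(text):
        if domain in domains and kind in ("hard", "-"):
            covered.add(item)
    return [item for item in required if item not in covered]


if __name__ == "__main__":
    for item in missing_hard_limits(SAMPLE, {"*", "@users"}):
        print("no hard limit for:", item)
```

The entries only take effect for services whose PAM stack includes a `session required pam_limits.so` line.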