forkbombs?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Sun Mar 20 23:44:48 UTC 2005 

On Sun, 20 Mar 2005 16:39:56 CST, Justin Conover said:

> Or if there is something similiar already in the kernel?

There's been a "max user processes" ulimit for *ages*.  The only reason it's
not shipped set to a value "out of the box" is because systems tend to 2 basic
types:

1) Single-user desktops, where fork bombs aren't *that* big a risk, and it's
basically "user shoots self in foot".  Setting an arbitrary 'ulimit -u 40' will
more likely break things than add any *real* security.

2) Multi-user servers, where the installer software has no *idea* what an
"appropriate" number value should be.  How many instances of Apache, and how
many CGI's, will be running at a time, and how many should be allowed before a
forkbomb problem is declared?

If the sysadmin isn't clued enough to (on a fedora system) 'vi /etc/pam.d/system-auth'
and add a line 'session required pam_limits.so', and then put reasonable values
into /etc/security/limits, there really isn't anything SELinux can do to supply
a reasonable value - we *could* pull a number from an orifice, but it would be
in great need of cleaning before use....

(Just as an aside, I'll point out that rexFBD is fundementally *broken* - one of
its options (max procs/user) is redundant with the ulimit code already shipping.
Meanwhile, its "max forks per second" element is just screaming "Use me to DoS the
box" on the one hand (an attacker can run up N-1 forks/sec and then let the module
kill the Apache server when it forks the next CGI), and totally Fails To Get The
Point - the problem with a forkbomb is that you *can't* handle any more forks/sec
because all the *already existing* forked processes are now running up your page
rate and causing thrashing of the system. Your system is much less likely to
notice a piece of code that does this:

	for (;;) {
		if (fork()) {wait();}
		else exit();
	}

You can probably run 3,000 of those forks/sec and not feel too bad.  On the
other hand, this will probably kill you after as few as a few dozen instances:

	for (;;) {
		if (!fork()) {
		int i;  char *blam = malloc(25000000);
		for (;;)
			for (i=0;i<25000000;i+=4096) {
				blam[i]++;
			}
	}

25M - you probably can't set the RSS limit that low and get work done (hint -
the X server probably will barely start in that space).  Get only 50 of these
running, and you now have 1.25G of memory being dirtied over and over.  You're
dead unless you have more than 1.25G of memory.  You have a more studly box,
tweak the 25M and the 50. Once this runs out your RAM and starts to thrash, you
are more surely dead than 3,000 fork/sec will ever do to you....

See? The fork bomb isn't even about fork()....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050320/74ad8c6d/attachment.sig>

More information about the fedora-selinux-list mailing list