[K12OSN] Is Fedora fork bomb attack vulnerable?

Calvin Dodge caldodge at fpcc.net
Fri Mar 18 21:40:02 UTC 2005


On Fri, Mar 18, 2005 at 03:15:45PM -0600, Les Mikesell wrote:
> On Fri, 2005-03-18 at 14:43, Dan Young wrote:
> > On Fri, 2005-03-18 at 13:14 -0600, Doug Simpson wrote:
> > > No is not vulnerable, or
> > > No it is not protected?
> > 
> > The "problem" seems to be rather overblown:
> > https://www.redhat.com/archives/fedora-devel-list/2005-March/msg01150.html
> > 
> > On a terminal server, this is a people problem which should be fixed w/
> > people solutions, not technical ones. In my opinion...
> 
> There is just not a good default setting.  It is probably more likely
> that a linux install will be on a single-user pc where that user
> wants unlimited use of the available resources than on a multiuser
> box.  If you want to limit resource usage you still can with ulimit
> settings.

Good idea.

For an example, here's /etc/profile.d/ulimit.sh, which I created
and put on the LTSP servers at RMSEL.

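####################
# limit CPU time to stop runaway Netscape/Mozilla
# limit data size due to runaway artsd (1 gigabyte!)
# only applies to regular user accounts (UID 500 and up)
if [ "$UID" -ge 500 ]
then
    ulimit -t 300       # CPU time, in seconds
    ulimit -d 200000    # data segment size, in kilobytes
    ulimit -m 300000    # resident set size, in kilobytes
    ulimit -v 300000    # virtual memory, in kilobytes
    ulimit -u 100       # maximum number of processes per user
fi
#####################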

I added the "ulimit -u 100" today - it will limit any user to a maximum
of 100 running processes.

That's more than enough for elementary school students, but a low enough
number to defeat a "fork bomb".

(Yes, this could be handled in /etc/security/limits.conf, but that would
mean changing every student's primary group to "users" or "students" (or
similar group), then changing the permissions on all their files.)

For me the ulimit solution was easier - just one file per server (4 total).

Calvin

-- 
Calvin Dodge
Certified Linux Bigot (tm)
http://www.caldodge.fpcc.net
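
Added example, not part of the original post or the author's setup: a shell audit that lists processes owned by UID 500 and up whose soft process limit is above the 100 set by the ulimit.sh shown above, which is what a session that never sourced /etc/profile.d would look like. It assumes a Linux kernel that exposes /proc/<pid>/limits; the function names and the --live argument are hypothetical, and the sample text is constructed.

```shell
#!/bin/sh
# Added example: find processes that are not under the per-user process cap.
MIN_UID=500    # from the post: limits apply to UID >= 500
NPROC_CAP=100  # from the post: ulimit -u 100

# nproc_soft: read /proc/<pid>/limits text on stdin and print the soft
# "Max processes" value (a number or "unlimited").
nproc_soft() {
    awk '/^Max processes/ { print $3; exit }'
}

# over_cap VALUE: succeed when VALUE is "unlimited" or above NPROC_CAP.
over_cap() {
    case "$1" in
        unlimited) return 0 ;;
        ''|*[!0-9]*) return 1 ;;  # missing or malformed value: do not flag
        *) [ "$1" -gt "$NPROC_CAP" ] ;;
    esac
}

# audit_live: walk /proc and report every process of a regular user whose
# soft nproc limit is above the cap.
audit_live() {
    for d in /proc/[0-9]*; do
        [ -r "$d/limits" ] || continue
        # Second field of the Uid: line is the real UID.
        uid=$(awk '/^Uid:/ { print $2; exit }' "$d/status" 2>/dev/null)
        [ -n "$uid" ] && [ "$uid" -ge "$MIN_UID" ] || continue
        soft=$(cat "$d/limits" 2>/dev/null | nproc_soft)
        if over_cap "$soft"; then
            echo "pid=${d#/proc/} uid=$uid nproc_soft=$soft"
        fi
    done
}

# Constructed samples of /proc/<pid>/limits content (not captured output).
SAMPLE_CAPPED='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              300                  300                  seconds
Max processes             100                  100                  processes'
SAMPLE_UNCAPPED='Limit                     Soft Limit           Hard Limit           Units
Max processes             15432                15432                processes'

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it as root with the --live argument so that every user's /proc entries are readable; with no argument it only defines the functions and samples.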



