[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Almost a DoS...

On Sun, 18 Mar 2001, Juha Saarinen wrote:

>time ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
>as a normal user on Wolverine system (2.4.2-0.1.25) chews up all available
>memory (real + swap) PDQ. However, it looks like the OOM Killer is
>working... it terminated the offending process, and all was well again.

I do not see this as a problem whatsoever.  One can just as
easily write a fork bomb that fills the process table, or malloc
bomb and kill the machine.  It is nothing new to write a program
or execute some command like the above and cause problems.

It comes down to 2 things:  security and convenience

The two are 100% mutually exclusive.  It is unix policy to NOT
have policy, but to leave that up to the system administrator.
The mechanisms exist now today to handle all of these situations
if one is in an environment where such a problem is a concern.

One only need configure their system properly to prevent the
above from doing any harm whatsoever.

>Still, it might be an idea to limit the effects of commands like the above.

Sure, you can do that no problem:

man ulimit

It's not a new command and it does the job.  No sense in a
default install of the OS imposing arbitrary limitations on
anyone's system though.  There would be absolutely no way
whatsoever to decide on ny sane values to use that would even fit
a "general case" mostly because the "general case" doesn't need
any limitations.

It is something best left up to an admin to decide if it is
required for security, and then to enable it ad choose resource
limitations that are suitable to the system and users involved
and the level of risk.

Key phrase:  Risk management.

Of course this assumes the admin is knowledgeable in configuring
systems to minimize risk in hostile environments.

Mike A. Harris                  Shipping/mailing address:
OS Systems Engineer             190 Pittsburgh Ave., Sault Ste. Marie,
Red Hat Inc.                    Ontario, Canada, P6C 5B3
http://www.redhat.com           Phone: (705)949-2136

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]