On Wed, 2005-03-30 at 19:40 +0200, Jacek Łuczak wrote:
> Hi
>
> I made some tests and almost all Linux distros brings down while freebsd
> survive!Forkbombing is a big problem but i don't think that something like
>
> max_threads = mempages / (16 * THREAD_SIZE / PAGE_SIZE);
>
> is good solution!!!
> How about add max_user_threads to the kernel? It could be tunable via
> proc filesystem. Limit is set only for users.
> I made a fast:) patch - see below - and test it on 2.6.11,
> 2.6.11ac4,2.6.12rc1...works great!!!New forks are stoped in
> copy_process() before dup_task_struct() and EAGAIN is returned. System
> works without any problems and root can killall -9 forkbomb.
>
I really liked this approach because:
* it is similar to other *nixes. (freebsd, openbsd)
* it is easily tuneable (/proc or systcl)
* it is stupid simple - small chance that things can go wrong.
* this solves *many* things in comparation to possible problems it
causes.
Only thing that could be a problem that I come to think of is that you
cannot raise the limit through /etc/security/limits.conf or similar. Eg.
you migh want all setuid() services/daemons run with a low limit but you
want give user Bob more processes. (I don't know if this is a realistic
situation though)
The default value could be something like:
max_user_threads = max_threads / 2
or:
max_user_threads = max_threads / 4;
With a lower limit to 20 or something, just like max_threads (in case
you try run Linux on 2MiB RAM)
If a fixed value (like 300, 512, 2000) is used then will probably
systems with low amount of RAM be vulerable to the forkbomb attack.
--
Natanael Copa
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]