On Fri, 2005-03-18 at 13:23, Matthew Miller wrote:
> On Fri, Mar 18, 2005 at 01:08:31PM -0500, M.Rudra wrote:
> > As a non-geek user I am concerned as I thought Linux is very secure.
> > So I googled "fork bombing" and after reading them, I have some doubts :
>
> This isn't really a general security issue. If a user on your system does
> this, find them and (metaphorically) smack them around.
>
> If you want to prevent this from happening accidentally, or if you have a
> critical server with users you don't trust (a situation to be avoided!) you
> can _reduce_ the chances of something like this happening by configuring
> resource limits, but since all computers do have finite resources, it's hard
> to have a generally-useful shared machine without some possibility of
> someone going out of their way to use more than their share.

This is the wrong approach. A user-level account should not be allowed
to consume resources to the point that the whole system crashes. Per
the article, this is an old trick that was fixed in many different
versions of Unix. There should be limits on the resources a user
process can request, or at least throttling so that once a certain
threshold is reached the user process does not get any more until it
releases some.

A similar limit is placed on a user allocating disk space. The system
reserves about 5% of the disk which only root can use. This prevents
someone from eating all of /tmp or some other file system and
preventing root from being able to execute programs that require some
disk resources, possibly while trying to fix the problem the user
process created.

While this is not an exploit that results in root-level access, it is a
denial of service that could be used by anyone that achieves user-level
access to a system. And users should never be trusted. They will find
some way to mess things up. :)

Definitely something that should be fixed.

-- 
Scot L. Harris
webid@xxxxxxxxxx

Those who can, do; those who can't, write.
Those who can't write work for the Bell Labs Record.
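
Added example, not part of the original message or thread: a shell audit of which accounts actually have a hard process-count ceiling of the kind both posters discuss, using the limits.conf(5) format read by pam_limits. The function names, the sample file and the user and group names are constructed for illustration, and only a single file is parsed (no limits.d directory).

```sh
#!/bin/sh
# Constructed sample in limits.conf(5) format: <domain> <type> <item> <value>
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
*          soft  nproc  100        # soft only: the user can raise it again
@students  hard  nproc  200
bob        -     nproc  50         # "-" sets both soft and hard
@admins    hard  nproc  unlimited
EOF

# effective_nproc FILE USER [GROUP...]
# Print the hard nproc value configured for USER, or "none".
# Precedence follows pam_limits: user entry, then group, then "*" wildcard;
# group and wildcard entries are not applied to root.
effective_nproc() {
    file=$1; user=$2; shift 2
    awk -v user="$user" -v groups=" $* " '
        { sub(/#.*/, "") }                      # strip trailing comments
        NF != 4 || $3 != "nproc" { next }       # only well-formed nproc lines
        $2 != "hard" && $2 != "-" { next }      # a soft limit is not a ceiling
        $1 == user { u = $4; next }
        user != "root" && length($1) > 1 && substr($1, 1, 1) == "@" &&
            index(groups, " " substr($1, 2) " ") { g = $4; next }
        user != "root" && $1 == "*" { w = $4; next }
        END {
            if (u != "") print u
            else if (g != "") print g
            else if (w != "") print w
            else print "none"
        }' "$file"
}

# has_fork_ceiling FILE USER [GROUP...]
# Succeed only if the account ends up with a finite hard nproc limit.
has_fork_ceiling() {
    case $(effective_nproc "$@") in
        none|unlimited|infinity|-1) return 1 ;;
        *) return 0 ;;
    esac
}

# Each entry is "USER [GROUP...]"; word splitting of $who is intended.
for who in "alice students" "bob students" "carol" "dave admins" "root students"; do
    printf '%-14s hard nproc: %s\n' "$who" "$(effective_nproc "$SAMPLE" $who)"
done
```

An account reported as "none" or "unlimited" keeps whatever hard limit it inherited at login, so this file places no process-count ceiling on it.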