From: Daniel Hazelton <dhazelton@enter.net>
To: "Simon Arlott" <simon@fire.lp0.eu>
Cc: "Jan Engelhardt" <jengelh@computergmbh.de>,
"Roland Dreier" <rdreier@cisco.com>,
"Anand Jahagirdar" <anandjigar@gmail.com>,
linux-kernel@vger.kernel.org, security@kernel.org,
"Andrew Morton" <akpm@linux-foundation.org>,
akpm@digeo.com, "Jens Axboe" <jens.axboe@oracle.com>,
"Jiri Kosina" <jikos@jikos.cz>
Subject: Re: Patch related with Fork Bobmbing Attack
Date: Wed, 13 Jun 2007 10:44:41 -0400 [thread overview]
Message-ID: <200706131044.42338.dhazelton@enter.net> (raw)
In-Reply-To: <38425.simon.1181734449@5ec7c279.invalid>
On Wednesday 13 June 2007 07:34:09 Simon Arlott wrote:
> On Tue, June 12, 2007 18:32, Jan Engelhardt wrote:
> > On Jun 12 2007 10:04, Roland Dreier wrote:
> >> > + /*
> >> > + * following code does not allow Non Root User to cross its
> >> > process + * limit. it alerts administrator about fork bombing
> >> > attack and prevents + * it.
> >> > + */
> >> > if (atomic_read(&p->user->processes) >=
> >> > p->signal->rlim[RLIMIT_NPROC].rlim_cur) if (!capable(CAP_SYS_ADMIN) &&
> >> > !capable(CAP_SYS_RESOURCE) && - p->user != &root_user)
> >> > -
> >> > + p->user != &root_user) {
> >> > + if (printk_ratelimit())
> >> > + printk(KERN_CRIT"User with uid %d is
> >> > crossing its process
> >>
> >> limit\n",p->user->uid);
> >>
> >> > goto bad_fork_free;
> >> > + }
>
> Why does this need to be KERN_CRIT? You can't assume that every time a
> process limit is reached that it's a fork bomb.
I think the reasoning here is to alert the administrator(s) to the possibility
that somebody has just tried a fork-bomb. A better test, IMHO, would be to
check how fast the processes are being spawned and whether a large percentage
share the same parent. (Those two taken together would better spot most
fork-bombs, including the very simple types that are just a simple one-liner)
DRH
--
Dialup is like pissing through a pipette. Slow and excruciatingly painful.
next prev parent reply other threads:[~2007-06-13 14:44 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-12 16:49 Patch related with Fork Bobmbing Attack Anand Jahagirdar
2007-06-12 17:04 ` Roland Dreier
2007-06-12 17:32 ` Jan Engelhardt
2007-06-13 11:34 ` Simon Arlott
2007-06-13 14:44 ` Daniel Hazelton [this message]
2007-06-13 20:25 ` Krzysztof Halasa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200706131044.42338.dhazelton@enter.net \
--to=dhazelton@enter.net \
--cc=akpm@digeo.com \
--cc=akpm@linux-foundation.org \
--cc=anandjigar@gmail.com \
--cc=jengelh@computergmbh.de \
--cc=jens.axboe@oracle.com \
--cc=jikos@jikos.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=rdreier@cisco.com \
--cc=security@kernel.org \
--cc=simon@fire.lp0.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.