Re: forkbombing Linux distributions

[Natanael Copa <mlists@tanael.org>]

Hi list!

(I'm new to this list so I'm sorry this mail has not correct thread id)

I have been following this forkbombing discussions and I would like to
point out a few things:

* When setting limits /etc/limits (or /etc/security/limits.conf) you
will prevent logged in users to fork too many processes. However, this
setting will not prevent a missbehaving daemon that is started from a
bootscript to fork too many processes, even if running as non root.

* Linux is very generous allowing maximum numbers of processes for
non-root users by default in comparation to other *nixes.

The kernel defaults is calculated from the amount of RAM in
kernel/fork.c with in those lines:

        max_threads = mempages / (8 * THREAD_SIZE / PAGE_SIZE);

        /*
         * we need to allow at least 20 threads to boot a system
         */
        if(max_threads < 20)
                max_threads = 20;

        init_task.signal->rlim[RLIMIT_NPROC].rlim_cur = max_threads/2;
        init_task.signal->rlim[RLIMIT_NPROC].rlim_max = max_threads/2;

The forkbomb is mentioned already in 2001-06-18 by Rik van Riel that
suggested mempages / (16 * THREAD_SIZE / PAGE_SIZE)

http://marc.theaimsgroup.com/?l=linux-kernel&m=99283072806620&w=2
http://marc.theaimsgroup.com/?l=linux-kernel&m=99617386529767&w=2

But I cannot find out why it was set back again to 8 * ... I think this
is the main reason that almost all distros are vulerable to the stupid
fork bomb attack.

Would it be an idea to set it back to:

mempages / (16 * THREAD_SIZE / PAGE_SIZE)

and let the sysadmins raise the limit with /proc/sys/kernel/threads-max
if they need more?

--
Natanael Copa