From: Triffid Hunter <triffid_hunter@funkmunch.net>
To: redoubtable <redoubtable@netcabo.pt>
Cc: linux-kernel@vger.kernel.org
Subject: Re: fork()
Date: Fri, 25 Mar 2005 04:17:29 +1000 [thread overview]
Message-ID: <42430439.6090102@funkmunch.net> (raw)
In-Reply-To: <4242EEC3.2000605@netcabo.pt>
you can limit the max number of processes by putting the following into /etc/security/limits.conf (on my distro, and quite a number of others according to google too)
* hard nproc <max # processes>
you can also limit quite a number of other things in this file, and other files in that directory.
redoubtable wrote:
> Hey,
>
> I read a document on securityfocus about fork bombinb a linux system.
> Although they didn't speak about the effectiveness of resource limits I
> guess that should be discussed because it's possible to make a linux
> machine extremely slow (compared to FreeBSD for instance) even with well
> configured resource limits.
> I revised kernel/fork.c and I found a way to prevent this problem by
> removing all associated processes with the parent, but that's far from
> portable and should not be used for the sake of compatibilities. I guess
> the function fork() should be revised.
> And what about creating a 'maxprocs' sysctl var (even if left high) when
> the resource limits problem is fixed? It would help security when it is
> needed and wouldn't bother other applications. RLIMITs on login are not
> trustworthy. It should exist a global limit in case someone could spawn
> a shell without limits through some flawed application.
>
> Thanks, and please advise.
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
next prev parent reply other threads:[~2005-03-24 18:15 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-03-24 16:45 fork() redoubtable
2005-03-24 18:17 ` Triffid Hunter [this message]
2005-03-25 7:28 ` fork() Natanael Copa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42430439.6090102@funkmunch.net \
--to=triffid_hunter@funkmunch.net \
--cc=linux-kernel@vger.kernel.org \
--cc=redoubtable@netcabo.pt \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox