Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S262893AbVCXSPN (ORCPT ); Thu, 24 Mar 2005 13:15:13 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S262645AbVCXSOv (ORCPT ); Thu, 24 Mar 2005 13:14:51 -0500 Received: from funkmunch.net ([202.173.190.158]:32426 "EHLO mail.funkmunch.net") by vger.kernel.org with ESMTP id S262893AbVCXSOl (ORCPT ); Thu, 24 Mar 2005 13:14:41 -0500 Message-ID: <42430439.6090102@funkmunch.net> Date: Fri, 25 Mar 2005 04:17:29 +1000 From: Triffid Hunter User-Agent: Mozilla Thunderbird 1.0 (X11/20050321) X-Accept-Language: en-us, en MIME-Version: 1.0 To: redoubtable Cc: linux-kernel@vger.kernel.org Subject: Re: fork() References: <4242EEC3.2000605@netcabo.pt> In-Reply-To: <4242EEC3.2000605@netcabo.pt> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1813 Lines: 37 you can limit the max number of processes by putting the following into /etc/security/limits.conf (on my distro, and quite a number of others according to google too) * hard nproc you can also limit quite a number of other things in this file, and other files in that directory. redoubtable wrote: > Hey, > > I read a document on securityfocus about fork bombinb a linux system. > Although they didn't speak about the effectiveness of resource limits I > guess that should be discussed because it's possible to make a linux > machine extremely slow (compared to FreeBSD for instance) even with well > configured resource limits. > I revised kernel/fork.c and I found a way to prevent this problem by > removing all associated processes with the parent, but that's far from > portable and should not be used for the sake of compatibilities. I guess > the function fork() should be revised. > And what about creating a 'maxprocs' sysctl var (even if left high) when > the resource limits problem is fixed? It would help security when it is > needed and wouldn't bother other applications. RLIMITs on login are not > trustworthy. It should exist a global limit in case someone could spawn > a shell without limits through some flawed application. > > Thanks, and please advise. > > - > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ > - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/