Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261509AbVCYH2m (ORCPT ); Fri, 25 Mar 2005 02:28:42 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261502AbVCYH2m (ORCPT ); Fri, 25 Mar 2005 02:28:42 -0500 Received: from smtp-out.tiscali.no ([213.142.64.144]:19473 "EHLO smtp-out.tiscali.no") by vger.kernel.org with ESMTP id S261509AbVCYH2c (ORCPT ); Fri, 25 Mar 2005 02:28:32 -0500 Subject: Re: fork() From: Natanael Copa To: Triffid Hunter Cc: redoubtable , linux-kernel@vger.kernel.org In-Reply-To: <42430439.6090102@funkmunch.net> References: <4242EEC3.2000605@netcabo.pt> <42430439.6090102@funkmunch.net> Content-Type: text/plain Date: Fri, 25 Mar 2005 08:28:29 +0100 Message-Id: <1111735709.14150.12.camel@nc> Mime-Version: 1.0 X-Mailer: Evolution 2.0.4 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1691 Lines: 49 On Fri, 2005-03-25 at 04:17 +1000, Triffid Hunter wrote: > you can limit the max number of processes by putting the following into /etc/security/limits.conf (on my distro, and quite a number of others according to google too) > > * hard nproc > > you can also limit quite a number of other things in this file, and other files in that directory. I bet your PAM nonaware daemons started at boot are not affected by those settings. The point is that if you gain access through a non-root daemon started from boot scripts, you are no longer limited by /etc/security/limits.conf. Try to set hard nproc limits for user UID and run this from your boot script: #define UID 65534 #define MAX 65535 int pids[MAX]; int main() { int count = 0; pid_t pid; if (setuid(UID) < 0) { perror("setuid"); exit(1); } while ((pid = fork()) >= 0 && count < MAX) { if (pid == 0) { sleep(300); exit(); } pids[count++] = pid; } printf("Forked %i new processes\n", count); while (count--) kill(pids[count], SIGTERM); } You will see that even if user UID is limited in /etc/security/limits.conf it will be able to fork many more processes. > > It should exist a global limit in case someone could spawn > > a shell without limits through some flawed application. I agree on this one. Or the RLIMIT_NPROC should be set to a lower value by default. -- Natanael Copa - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/