Open Source and information security mailing list archives
 
Date: Tue, 5 Apr 2005 03:45:55 +1000 (Australia/ACT)
From: Darren Reed <avalon@...igula.anu.edu.au>
To: intehnet@...il.com (jim allan)
Cc: bugtraq@...urityfocus.com
Subject: Re: Solaris 10 Containers / Zones Security Flaw


In some mail from jim allan, sie said:
> In-Reply-To: <424EC41F.2060901@....net>
> 
> agreed Robert, there are many easy ways to limit this,
> my research was more about whether Sun had implemented sanity limits
> in virtual memory and cpu usage as a default. which they hadn't.

So what would you consider to be a "sane limit" ?

Is a "sane limit" RAM-128MB ?  Or some other magical number ?
Or some formula that involves using the number of zones ?

What about CPU?  No more than 90%?

> it's a sad state, but most admins wouldn't use ulimit or set maxuprc
> to limit this..

Right, so the criticism you're really getting at here is that by default,
Unix in general doesn't contain what a single user can do in terms of
chewing up system resources as a denial of service attack.

> as Jonathon Katz mentioned, it's a balance between
> usability and security, but I would've thought there should have been
> some sane level of limit on virtual memory or similar for the zone upon 
> initial creation..

Why?  So that when someone runs a serious job in one and discovers that
it is limited to 64MB and dies they need to reconfigure the zone?

Any arbitrary limit that could be chosen would be bad, by default, for
someone.

The current situation, with zones and resources, is no worse than today
for environments without zones; however, if you use resource pools with
zones, it can be much, much better.

Darren

