lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <200706131044.42338.dhazelton@enter.net>
Date:	Wed, 13 Jun 2007 10:44:41 -0400
From:	Daniel Hazelton <dhazelton@...er.net>
To:	"Simon Arlott" <simon@...e.lp0.eu>
Cc:	"Jan Engelhardt" <jengelh@...putergmbh.de>,
	"Roland Dreier" <rdreier@...co.com>,
	"Anand Jahagirdar" <anandjigar@...il.com>,
	linux-kernel@...r.kernel.org, security@...nel.org,
	"Andrew Morton" <akpm@...ux-foundation.org>, akpm@...eo.com,
	"Jens Axboe" <jens.axboe@...cle.com>,
	"Jiri Kosina" <jikos@...os.cz>
Subject: Re: Patch related with Fork Bobmbing Attack

On Wednesday 13 June 2007 07:34:09 Simon Arlott wrote:
> On Tue, June 12, 2007 18:32, Jan Engelhardt wrote:
> > On Jun 12 2007 10:04, Roland Dreier wrote:
> >> > +	/*
> >> > +         * following code does not allow Non Root User to cross its
> >> > process +         * limit. it alerts administrator about fork bombing
> >> > attack and prevents +         * it.
> >> > +         */
> >> >  	if (atomic_read(&p->user->processes) >=
> >> > p->signal->rlim[RLIMIT_NPROC].rlim_cur) if (!capable(CAP_SYS_ADMIN) &&
> >> > !capable(CAP_SYS_RESOURCE) && -				p->user != &root_user)
> >> > -
> >> > +				p->user != &root_user) {
> >> > +			if (printk_ratelimit())
> >> > +                                printk(KERN_CRIT"User with uid %d is
> >> > crossing its process
> >>
> >> limit\n",p->user->uid);
> >>
> >> >  			goto bad_fork_free;
> >> > +		}
>
> Why does this need to be KERN_CRIT? You can't assume that every time a
> process limit is reached that it's a fork bomb.


I think the reasoning here is to alert the administrator(s) to the possibility 
that somebody has just tried a fork-bomb. A better test, IMHO, would be to 
check how fast the processes are being spawned and whether a large percentage 
share the same parent. (Those two taken together would better spot most 
fork-bombs, including the very simple types that are just a simple one-liner)

DRH

-- 
Dialup is like pissing through a pipette. Slow and excruciatingly painful.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ