Message-ID: <67027.1248734813@turing-police.cc.vt.edu>
Date:	Mon, 27 Jul 2009 18:46:53 -0400
From:	Valdis.Kletnieks@...edu
To:	Lasse Kärkkäinen <tronic+bpsk@....iki.fi>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: Securing a system with limits.conf

On Sun, 26 Jul 2009 07:10:41 +0300, Lasse Kärkkäinen said:

> - How should things be configured to reliably prevent non-privileged 
> users from DoS'ing a machine.

This depends on your threat model.  What are you trying to defend against:

1) Clued user doing something stupid on their laptop?
2) Unclued user doing the same?
3) Clued user who just got bitten by an exploit in Firefox?
4) Clued user doing something stupid on a large database/web server?
5) Malicious user on a multi-user timesharing system?

bash$ :(){ :|:&};:

Consider the above line of bash code, in each of the 5 scenarios. Same
attack, but the configuration settings you use to deal with it may be
vastly different.

Now repeat the analysis, but assume you have a determined attacker who has
acquired access to *3* different logins on the machine and can use them
simultaneously, in collusion.  Now try to come up with a solution that
doesn't annoy the 3 users in question when they're legitimately logged on.

Bottom line: At best, you can make it more difficult for a local user to DoS
the box.  You can't *prevent* it unless you're willing to impose a lot of
limits your users won't like.

And sometimes, the correct security tool is not a system tunable setting,
but a baseball bat.

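The reply's point about colluding logins can be made concrete from a limits.conf fragment. The following is an added example, not code from the thread or from pam_limits: it parses a constructed fragment (all domains and values are made up), applies the pam_limits precedence documented in limits.conf(5) (a user line beats an @group line, which beats the `*` default; among lines of equal specificity the last one wins), reports the effective hard nproc per login, and sums the allotments of a set of colluding accounts, since RLIMIT_NPROC is enforced per real uid. It also flags domains that only set a soft nproc limit, because a soft limit alone can be raised back up to the hard limit by the user's own processes.

```python
"""Audit per-login nproc limits from a limits.conf fragment.

Added example for the limits.conf thread; not part of the original message.
Precedence follows limits.conf(5): user > @group > '*', last line wins among
equals. Sample fragment below is constructed for illustration only.
"""
import math

# Constructed sample fragment; domains and values are made up.
LIMITS_CONF = """
# <domain>   <type>  <item>  <value>
*            soft    nproc   100
*            hard    nproc   500
@students    hard    nproc   200
@dbadmin     hard    nproc   unlimited
@guests      soft    nproc   20
alice        hard    nproc   50
"""

# Specificity ranks used by pam_limits: lower rank overrides higher rank.
RANK_USER, RANK_GROUP, RANK_DEFAULT = 0, 1, 2


def parse_limits(text):
    """Yield (domain, type, item, value) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed limits.conf line: {raw!r}")
        yield tuple(parts)


def parse_value(value):
    """'unlimited'/'infinity'/-1 become math.inf; everything else is an int."""
    return math.inf if value in ("unlimited", "infinity", "-1") else int(value)


def effective_limit(text, user, groups, item="nproc", ltype="hard"):
    """Effective limit for one login, or None if no matching line exists.

    A '-' type line sets both soft and hard, so it matches either request.
    """
    best_rank, best_value = None, None
    for domain, typ, itm, val in parse_limits(text):
        if itm != item or typ not in (ltype, "-"):
            continue
        if domain == user:
            rank = RANK_USER
        elif domain.startswith("@") and domain[1:] in groups:
            rank = RANK_GROUP
        elif domain == "*":
            rank = RANK_DEFAULT
        else:
            continue
        # More specific wins; equally specific later line overrides earlier.
        if best_rank is None or rank <= best_rank:
            best_rank, best_value = rank, parse_value(val)
    return best_value


def colluding_capacity(text, logins):
    """Processes a set of colluding logins could hold at once.

    RLIMIT_NPROC counts processes per real uid, so every distinct account
    brings its own allotment. An account with no hard nproc line falls back
    to the kernel default, which this audit treats as unbounded.
    """
    total = 0
    for user, groups in logins:
        limit = effective_limit(text, user, groups)
        if limit is None:
            return math.inf
        total += limit
    return total


def soft_only_domains(text, item="nproc"):
    """Domains that set a soft limit for `item` but never a hard one.

    A soft limit by itself is not a defence: a process may raise its own
    soft limit up to the hard limit with setrlimit() / `ulimit -u`.
    """
    soft, hard = set(), set()
    for domain, typ, itm, _ in parse_limits(text):
        if itm != item:
            continue
        if typ in ("soft", "-"):
            soft.add(domain)
        if typ in ("hard", "-"):
            hard.add(domain)
    return sorted(soft - hard)


if __name__ == "__main__":
    colluders = [("bob", ["students"]), ("carol", ["users"]), ("frank", ["students"])]
    print("alice hard nproc:", effective_limit(LIMITS_CONF, "alice", ["students"]))
    print("three colluding logins:", colluding_capacity(LIMITS_CONF, colluders))
    print("soft-only domains:", soft_only_domains(LIMITS_CONF))
```

With the constructed fragment, three ordinary accounts (two students and one default user) can jointly hold 900 processes even though no single login exceeds 500, and adding one @dbadmin member to the group makes the total unbounded, which is the multiplication the reply describes.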