LinuxQuestions.org
Old 07-21-2006, 04:27 PM   #1
introuble
Member
 
Registered: Apr 2004
Distribution: Debian -unstable
Posts: 700

Rep: Reputation: 31
ulimit


This is the current output of `ulimit -a`:

Code:
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
max nice                        (-e) 20
file size               (blocks, -f) unlimited
pending signals                 (-i) unlimited
max locked memory       (kbytes, -l) unlimited
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) unlimited
max rt priority                 (-r) unlimited
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) unlimited
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
Now this looks wrong to me because .. well .. for starters .. I'm vulnerable to a fork bomb and probably other attacks.

I have a couple of questions:

#1. Where do you set the above limits? Can you only specify them on the command line and, if so, will they "survive" a reboot?

#2. Could you recommend some limits please?
 
Old 07-22-2006, 03:33 AM   #2
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Obviously I would go for "max user processes". Set it to whatever value fits for you when you're under load, and see how many of them are running by looking at what top(1) says.

The next is "max locked memory". You can manage to bring down a Linux system by mmap()ing a large file and then calling mlock() on it. Fortunately, only the root user may call mlock().

The place to set limits should be /etc/security/limits.conf. It must exist in every Linux distribution as it uses PAM. Don't use /etc/profile or /etc/rc.local for that. The former may be skipped and the latter may apply to daemons started later.

Note: The stack size limit is too low. Raise it to 65536 at least. Memory limits aren't easy to come by. See "man getrlimit".
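
The following is an added example, not part of either post: a shell sketch that reads bash-style `ulimit -a` output like the listing in post #1 and prints hard-limit lines in /etc/security/limits.conf syntax for the limits that are still unlimited. The function names, the `@users` domain and the numeric values are assumptions chosen for illustration, not recommendations from the thread.

```shell
#!/bin/sh
# Added example: turn bash `ulimit -a` output into limits.conf proposals.
# Sample lines copied from the first post; the domain and the numeric
# values used below are placeholders, not recommendations.
SAMPLE='max locked memory       (kbytes, -l) unlimited
open files                      (-n) 1024
stack size              (kbytes, -s) 8192
max user processes              (-u) unlimited'

# Print the option letter of each watched limit ($1, space-separated)
# whose current value in the `ulimit -a` text on stdin is "unlimited".
flag_unlimited() {
    awk -v watched="$1" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        match($0, /-[a-zA-Z][)] /) {
            opt = substr($0, RSTART + 1, 1)   # letter inside "(-u)"
            if ((opt in want) && $NF == "unlimited") print opt
        }'
}

# Map a ulimit option letter to the pam_limits item name.
limits_conf_item() {
    case "$1" in
        u) echo nproc ;;  l) echo memlock ;;  s) echo stack ;;
        n) echo nofile ;; c) echo core ;;     *) return 1 ;;
    esac
}

# propose_limits DOMAIN opt=value...: for every listed option that is
# currently unlimited, emit a hard-limit line in limits.conf syntax
# (<domain> <type> <item> <value>).
propose_limits() {
    domain=$1; shift
    report=$(cat)
    for pair in "$@"; do
        opt=${pair%%=*}; value=${pair#*=}
        item=$(limits_conf_item "$opt") || continue
        if printf '%s\n' "$report" | flag_unlimited "$opt" | grep -q .; then
            printf '%s hard %s %s\n' "$domain" "$item" "$value"
        fi
    done
}

# Live use from bash: ulimit -a | propose_limits '@users' u=256 l=64
printf '%s\n' "$SAMPLE" | propose_limits '@users' u=256 l=64 n=4096
```

Limits set through limits.conf are applied by pam_limits when a new session starts, so check them with `ulimit -a` after logging in again.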
 
  

