Security In Slackware??

xgreen · 03-18-2005, 10:15 AM

is this happening to slackware....

http://www.securityfocus.com/columni...8?ref=rssdebia

xgreen · 03-18-2005, 10:32 AM

i've tried this in shell as normal user (from slashdot)

){ :&:;};:

and my slackware go slow and slow and slow and finally hang!!!!!

keefaz · 03-18-2005, 11:40 AM

You could set the limit in /etc/login.defs at ULIMIT value, something like 524288
(as it is in 512-byte units, 524288/512 = 1024 processes)

chbin · 03-18-2005, 12:39 PM

I don't get it? I could not find any thing at that site? I'm guessing it has something to do with a user using up all the mem and cpu time of the system?

What is such a big deal of a user being able to slow down a machine? All they would have to do is keep opening up process that they have permission to, or open really big files that they have permission to and eat all the memory. It's called the user using the system. They can't gain any elevated privilages by doing this. If the Admin doesn't like this which he will find out very quickly he just takes about the users account. How is that different that any other OS in the world. Seems kinda like a desperate person trying to find something?

keefaz · 03-18-2005, 01:02 PM

This is rather a bug in awstats.pl that executes code from values in url
(awstats.pl is a tool for web admin / ISP to do statistics for web usage)
This should have been fixed in newer version

mcd · 03-18-2005, 03:45 PM

so is there a way to protect ourselves against this?

sh1ft · 03-18-2005, 03:46 PM

Don't worry about it if you're a desktop user. It's only relevent if you give other people local or remote access to your box and you suspect they may try malicious activities. Don't get your panties in a knot over it.

slakmagik · 03-20-2005, 01:12 AM

I was wondering about this - I'm still playing around in Arch - used the same obfuscated thing above first and then forkbomb.sh - brought Arch to a hard lock almost instantly and had to reset twice. Then I changed the ulimit because I'm quite capable of forkbombing myself if I get stupid with scripting. But as far as a security thing, as someone else said, I can launch a DOS on myself by pulling the cord from the wall and all the ulimits in the world won't fix that. BFD.

*makes note to fix Slack later*

carboncopy · 03-20-2005, 01:45 AM

Quote:

Originally posted by keefaz
You could set the limit in /etc/login.defs at ULIMIT value, something like 524288
(as it is in 512-byte units, 524288/512 = 1024 processes)

The article mentioned that it is both shell AND kernel is set to unlimited process which causes problem.

I believe this would limit the shell, and therefore effectively void the situation.

But, I would like to know how to fix this at kernel level. Anyone?

Thanks.

p.s. It is just for learning, no effective threat to my system, as I am the only user.

predator.hawk · 03-27-2005, 01:26 PM

I've tried quite a few limits and nothing so far has prevented a fork bombing. Although its not a massive problem, its annoying when your box locks.

Edit: I'd be happy if someone found a fix that didn't require using pam.

Ilgar · 03-27-2005, 02:13 PM

Check this one out:
http://gentoo-wiki.com/SECURITY_Limit_User_Processes

keefaz · 03-27-2005, 02:25 PM

You could set the limit for bash and sh (for other shell I don't know) in /etc/profile
like

Code:

...
# For non-root users, add the current directory to the search path:
if [ ! "`id -u`" = "0" ]; then
    PATH="$PATH:."
    ulimit -u 256
fi

[edit]

With 1024 value, this code

Code:

:(){ :&:;};:

...did lock my machine so I set the value to 256 which prevent that

win32sux · 03-27-2005, 06:10 PM

i've ran the forkbomb.sh example on my slackware box as a non-root user and it slowed the box to a crawl then made it hang to the point where nothing could be done (not even by root) except hit the power button...

Code:

#!/bin/bash
while true; do
./forkbomb.sh &
done

i had "top" running in a terminal when i executed forkbomb.sh and for a couple seconds i was able to see the swap usage skyrocket before "top" segfaulted and then everything else locked-up...

so anyways, i tried setting the ULIMIT in /etc/login.defs but i still get forkbombed...

this is what ULIMIT looks like by default in my /etc/login.defs on my slackware 10.x box:

Code:

#ULIMIT         2097152

when giving the "ulimit" command as a non-root user it would output "unlimited"...

so i changed it to:

Code:

ULIMIT         131072

when i logged back in "ulimit" would output "65536"... i executed forkbomb.sh and again my box almost completely locked-up after a couple seconds...

i have 256 megs of ram and 600 megs of swap...

i read in the article that debian wasn't affected, what is the default configuration that debian uses??? can we replicate it on slackware???

why didn't the change i made to /etc/login.defs prevent the forkbombing??

win32sux · 03-27-2005, 06:25 PM

i found another discussion about the article at lwn.net:

http://lwn.net/Articles/128281/

keefaz · 03-27-2005, 06:33 PM

Win32sux, did you try:
ulimit -u 256
before execute your forkbomb.sh script ?