I've recently been getting into Linux security and found out that my Slackware 10(.1) boxes are vulnerable to the ancient forkbomb attack. (Tested using a script found on the 'net as a non-privileged user.) How can I guard against it? What commands and utilities can I use?
There are a number of different ways to handle fork bomb resource starvation. You can use ulimit (see its manpage), you can use PAM (set the max process option in /etc/security/limits.conf), and I think the grsecurity patch also has a feature that prevents this as well.
For what it's worth, this isn't really a 'vulnerability' per se. As far as I know, the limits are intentionally left off as fork bombs are really only a problem for those with untrusted users. For those trying to get maximum performance (like parallel processing applications or a web server under significant load) having a limit less than the machine performance max could be a bad thing.
This isn't too hard to code. Just take your favorite language and write an infinite loop that calls fork() repeatedly. It works by consuming resources (RAM, file descriptors, etc.) by continuously forking processes until the system runs out of resources and crashes or becomes unusable. So basically you can file this under "stupid user tricks" as it's slightly more elegant than clicking the Mozilla icon 12,000 times....
//Moderator note: I'd rather no one post code for this, even as lame as it is...
Last edited by Capt_Caveman; 06-30-2005 at 01:00 AM.
The reason I'm looking into this is so that when I set up a real multi-user system (via ssh, for example), I won't have some joker crash it by using a simple script. I looked into your suggestions and found the following man page for ulimit (PAM apparently isn't part of Slackware 10.x):
Quote:
NAME
ulimit - get and set user limits
SYNOPSIS
#include <ulimit.h>
long ulimit(int cmd, long newlimit);
DESCRIPTION
Warning: This routine is obsolete. The include file is no longer provided by
glibc. Use getrlimit(2), setrlimit(2) and sysconf(3) instead. For the
shell command ulimit, see bash(1).
The ulimit call will get or set some limit for the current process. The cmd
argument can have one of the following values.
UL_GETFSIZE
Return the limit on the size of a file, in units of 512 bytes.
UL_SETFSIZE
Set the limit on the size of a file.
3 (Not implemented for Linux.) Return the maximum possible address of
the data segment.
4 (Implemented but no symbolic constant provided.) Return the maximum
number of files that the calling process can open.
Unfortunately, that doesn't help me much, as all I get when typing "ulimit" is "unlimited". I don't have a /etc/security directory; if I made one, how would the system read it? What would I put in it?
Will one of you please post an example ulimit command? Thanks!
Originally posted by DaneM Thanks for your replies!
--Dane
Process limits are inherited. The ulimit command is a shell builtin because of this: the limits you're applying with this command affect the current process and any child process it creates. To obtain help about ulimit, type "help ulimit" at the command prompt.
There are "soft" limits and "hard" limits.
To quote Richard Stevens:
"1- A soft limit can be changed by any process to a value less than or equal to its hard limit.
2- Any process can lower its hard limit to a value greater than or equal to its soft limit. This lowering of the hard limit is irreversible for normal users.
3- Only a superuser process can raise a hard limit."
When you change limits with the ulimit command, specify -H to view and set up hard limits. By default, the command prints and sets up soft limits. Try and find some limits that work (on a user account) and make the soft limit equal to the hard limit.
Remember that they are inherited. You could set up limits based on UID and even for groups of users, in a script (e.g. /etc/profile).
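Here is an added example (not posted by anyone in this thread) of what such an /etc/profile snippet can look like in bash, following the soft/hard rules quoted above: it picks a max-user-processes value from the user's groups, lowers the soft limit before the hard limit, and makes them equal so the user cannot raise it back. The group names (wheel, staff) and the numbers are assumptions chosen for illustration; tune them to the box.

```bash
#!/bin/bash
# Added example, not code from the thread. Per-group process limits applied
# from a login script such as /etc/profile. Group names and numbers are
# assumptions; adjust them for your own system.

# Pick a max-user-processes value from a space-separated list of group names
# (the output of `id -Gn`). Admins get the most headroom; everyone else gets
# a value low enough that a runaway fork loop stalls on EAGAIN instead of
# starving the whole machine.
proc_limit_for_groups() {
    case " $1 " in
        *" wheel "*) echo 4096 ;;
        *" staff "*) echo 1024 ;;
        *)           echo 256 ;;
    esac
}

# Apply N as both the soft and the hard limit. Per Stevens' rules, lower the
# soft limit first: the hard limit may never drop below the soft one, and
# once the hard limit is lowered a normal user cannot raise it again.
apply_proc_limit() {
    ulimit -S -u "$1" && ulimit -H -u "$1"
}

# Report "soft hard" so a login script can log what it enforced.
current_proc_limits() {
    echo "$(ulimit -S -u) $(ulimit -H -u)"
}

# On a PAM-enabled system the same policy goes into /etc/security/limits.conf
# as lines of the form "@users hard nproc 256" (pam_limits format; not from
# this thread).

# Usage from /etc/profile. Root is skipped so an admin shell is never clamped;
# the superuser is also the only one who could raise the limit again.
if [ "$(id -u)" -ne 0 ]; then
    limit=$(proc_limit_for_groups "$(id -Gn)")
    # Demonstrated in a subshell so running this file does not clamp the
    # shell you run it from; in /etc/profile call apply_proc_limit directly.
    ( apply_proc_limit "$limit" \
      && echo "nproc limits for $(id -un): $(current_proc_limits)" )
fi
```

Because limits are inherited, every process started from that login shell (including anything launched over ssh through it) carries the same ceiling, and `ulimit -H -u` in any child shows the hard value it can no longer exceed.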