Subject: Re: Fork bomb protection patch (Was: Re: CVS commit: syssrc/sys/kern)
To: Jaromir Dolecek <jdolecek@netbsd.org>
From: Brian Chase <vaxzilla@jarai.org>
List: tech-kern
Date: 12/08/2002 13:26:18
On Sun, 8 Dec 2002, Jaromir Dolecek wrote:

> Chance is nobody ever thought about solution like this. It is in
> FreeBSD tree for about half a year only now. I guess that it did
> not cause any ill effects for them so far, since there are no
> further refinements to the behaviour in later commits, and the code
> is still there (just shuffled a bit due to unrelated kernel changes).
> They also have it pulled to stable branch, so FreeBSD 4.7
> is likely to include it.

You know, another way to interpret this lack of anyone saying anything
about the change could be attributed to the very same reasons that no
one complains about the way things work currently.  In practice, do fork
bombs ever really cause anyone pain?

Speaking as a professional sysadmin who has administered many hundreds
of Unix systems over the past ten years, the only times I have ever
fallen prey to a fork bomb were those handful of times when I
deliberately ran them as root, against myself, as a matter of curiosity.

> Generally, I'd be really interested if the new behaviour causes
> any problems on any real system. The change is very clever hack.
> It definitely appears to solve the problem in hand in quite
> elegant way.

You keep /saying/ it's elegant, but that doesn't make it so.  Though it
is just a matter of opinion, it really grinds on my nerves to hear the
change described like this.

The solution you've proposed (and committed to the tree at that)
addresses one very specific and limited type of resource denial out of a
whole class of those attacks.  In light of these facts, I'd say the fix
is about as "elegant" as a battery operated Roto-Apple-Matic purchased
from a late night television advert. (ONLY $19.95! CALL NOW!)  I should
clarify the metaphor a bit...

NetBSD, and Unices in general, already have a perfectly good tool for
peeling apples; it's called a knife.  The knife does take a bit of
thought and some practice to become skilled with it.  However, that same
knife works just as well for peeling potatoes, zucchini, pears, carrots,
etc. and it even chops and slices, too!  Yes it's true that using our
simple knife doesn't have the pushbutton convenience of the
Roto-Apple-Matic, but the knife is extremely versatile and it doesn't
waste shelf space while it sits idle, collecting a layer of dust from
disuse.

Oh, but surely I'm being rude.  You've come to us, quite obviously with
the best of intentions, and stuffed our holiday stockings with lovely
new Roto-Apple-Matics!  It is the thought that counts.  Isn't it?  Well,
it's a very special device this Roto-Apple-Matic!  It's a fine /fine/
thing this wondrous technological marvel.  I shall certainly have to
peel some apples with this at some point.  You don't happen to still
have the receipt, do you?

-brian.

(Given we're at a bit of an impass on this, my requests are that (a) the
 free slot count for root be tunable, (b) the delay time be tunable, and
 that (c) this delay time be something that's enabled by the presence of
 a kernel configuration option.  I don't think that's too much to ask.)