Subject: Re: Fork bomb protection patch
To: <>
From: David Laight <david@l8s.co.uk>
List: tech-kern
Date: 12/07/2002 16:30:32
> n=`sysctl -n proc.$$.rlimit.maxproc.hard`
> sysctl -w proc.$$.rlimit.maxproc.soft=$n
> sysctl -w proc.1.rlimit.maxproc.soft=$n

Any user can do this for themselves using rlimit().
ISTM that maxproc.hard and descriptors.hard should be set
to 'reasonable' limits - not to the kernel limit.

My default built x86 system has:
proc.curproc.rlimit.maxproc.soft = 160
proc.curproc.rlimit.maxproc.hard = 532
proc.curproc.rlimit.descriptors.soft = 64
proc.curproc.rlimit.descriptors.hard = 1772

So a single unprivileged user can grab all the file
descriptors as well as all the processes.
Shall we have a dup() bomb thread?


	David

-- 
David Laight: david@l8s.co.uk
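
Added example, not part of the original message: a C sketch of the two operations the post turns on, a process raising its own soft limit to the hard limit with setrlimit(), and a launcher lowering the hard limit to a chosen cap before running anything else. The function names and the cap values (160 processes, 64 descriptors, borrowed from the soft values quoted in the post) are assumptions for illustration.

```c
/* Added example: soft vs. hard resource limits via getrlimit/setrlimit. */
#include <stdio.h>
#include <sys/resource.h>

/* What the post says any user can do: raise the soft limit to the hard one. */
int raise_soft_to_hard(int resource)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return -1;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(resource, &rl);
}

/* Lower the hard limit to at most `cap`. An unprivileged process may lower
 * its hard limit but cannot raise it again, and children inherit it. */
int clamp_hard(int resource, rlim_t cap)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return -1;
    if (rl.rlim_max == RLIM_INFINITY || rl.rlim_max > cap)
        rl.rlim_max = cap;
    if (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur > rl.rlim_max)
        rl.rlim_cur = rl.rlim_max;   /* soft may never exceed hard */
    return setrlimit(resource, &rl);
}

static void show(const char *name, int resource)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) == 0)
        printf("%-12s soft=%llu hard=%llu\n", name,
               (unsigned long long)rl.rlim_cur, (unsigned long long)rl.rlim_max);
}

int main(void)
{
    /* Caps are assumptions: the soft values quoted in the post. */
    clamp_hard(RLIMIT_NOFILE, 64);
#ifdef RLIMIT_NPROC
    clamp_hard(RLIMIT_NPROC, 160);
    raise_soft_to_hard(RLIMIT_NPROC);   /* now stops at the cap */
    show("maxproc", RLIMIT_NPROC);
#endif
    raise_soft_to_hard(RLIMIT_NOFILE);  /* now stops at the cap */
    show("descriptors", RLIMIT_NOFILE);
    return 0;
}
```

Once the hard limit has been clamped, raising the soft limit can only reach the cap, which is the effect of setting maxproc.hard and descriptors.hard to values below the kernel limit.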