No, i was a normal user. Thats why i was so surprised. -----Urspr|ngliche Nachricht----- Von: Kurt Seifried [mailto:listuser@seifried.org] Gesendet: Montag, 23. April 2001 10:05 An: Peer-Christoph Mettelem; suse-security Betreff: Re: [suse-security] Recursive Shellscript Let me guess. you did this as root. Oh my god, surprise surprise. Learn about imposing limits via PAM. (hint: www.sysadminmag.com http://www.sysadminmag.com ). Kurt Seifried, seifried@securityportal.com mailto:seifried@securityportal.com Securityportal - your focal point for security on the 'net ----- Original Message ----- From: Peer-Christoph Mettelem mailto:Peer-Christoph.Mettelem@bezreg-muenster.nrw.de To: suse-security mailto:suse-security@suse.com Sent: Monday, April 23, 2001 1:48 AM Subject: [suse-security] Recursive Shellscript Hi, I just wrote a shell script which looks like this: while true do $0 done I executed it as normal user and then the following happened: As you can imagine, very many shells were started (i wasnt able to count them because the system wasnt responding any more). And then the system started killing system processes like X and smbd. I got the following output on console 10: Apr 23 09:11:54 AlBundy kernel: VM: killing process kmail Apr 23 09:12:52 AlBundy kernel: VM: killing process smbd Apr 23 09:13:03 AlBundy kernel: VM: killing process smbd Apr 23 09:13:05 AlBundy kernel: VM: killing process xconsole Apr 23 09:13:13 AlBundy kernel: VM: killing process X The system recovered itself by killing X. That worked because i started the script from a shell in KDE. But if the script would be started within a telnet session, it could be more dangerous. I dont know if this is a security hole, but it might be. My system: SuSE 7.0 (kernel 2.2.18) Lots of updates and patches installed PII 350 MHz 320 MB RAM Peer-Christoph Mettelem BezRegMS (NRW, Germany) Software developer (trainee) PS.: This is my first mail to the mailing list. Sorry if its OT or something...

Yo,

To effectively prevent such 'attacks', use the "userdel" program which was wriiten for such purposes.

Yeah, Disconnect power is just as usefull.

From the man page:

CAVEATS userdel will not allow you to remove an account if the user is currently logged in. You must kill any running processes which belong to an account that you are delet- ing. I think this one is too easy and something should be done, specially if "this one is rather old". I've not heard one single argument why this couldn't and shouldn't be fixed. If the kernel is killing processes it might just as well try to locate the offending PID and kill that tree (childs included). I wouldn't care if the kernel temporarily halted all user processes for a few seconds while it sat down and thought about something effective. A procedure could be: 1) Detect resource depletion 2) prevent any user-process resource consumption 3) Count that resource for all pid's 4) Add the resource count of all childs to the parent (and again, all the way to the root) 5) Walk the parent -> child tree and look for one PID that suddenly has more than 50% of the resource 6) Kill that process tree 7) Resume normal operation Or something... CIAO, Peter

On Wed, 25 Apr 2001, Peter van den Heuvel wrote:

I think this one is too easy and something should be done, specially if "this one is rather old". I've not heard one single argument why this couldn't and shouldn't be fixed. If the kernel is killing processes it might just as well try to locate the offending PID and kill that tree (childs included). I wouldn't care if the kernel temporarily halted all user processes for a few seconds while it sat down and thought about something effective. A procedure could be: 1) Detect resource depletion 2) prevent any user-process resource consumption 3) Count that resource for all pid's 4) Add the resource count of all childs to the parent (and again, all the way to the root) 5) Walk the parent -> child tree and look for one PID that suddenly has more than 50% of the resource 6) Kill that process tree 7) Resume normal operation

Or something...

CIAO, Peter

This is untested, but my reading of the manpages leads me to believe that this trivial fork bomb would be stopped dead by a simple inclusion of `ulimit -Hu 100` in /etc/profile . -- Rick Green "I have the heart of a little child, and the brain of a genius. ... and I keep them in a jar under my bed"

...

This is untested, but my reading of the manpages leads me to believe that this trivial fork bomb would be stopped dead by a simple inclusion of `ulimit -Hu 100` in /etc/profile .

À propos /etc/profile: is it *always* sure, that limits set in this file will be applied, or can a user avoid its execution by other means (changing defaultshell, at- or cron-job, ...) ? Peter

It is _not_ ensured. For cron and at you'd need to run the respective daemons with the limits already. They inherit their limit to their children. Also, if you run a command like this: ssh remotehost -l remoteuser do_nasty_things then /etc/profile isn't read as well. So the whole thing is a bit tricky to come by. As Sebastian pointed out already: userdel is your friend. If that doesn't work with your business model, user very restrictive methods to get rid of such people. Real BOFHs know some methods... Thanks, Roman. -- - - | Roman Drahtmüller // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -

...

It is _not_ ensured.

...

Also, if you run a command like this:

ssh remotehost -l remoteuser do_nasty_things

then /etc/profile isn't read as well.

What about /etc/security/limits.conf ? Bjoern Engels

Exactly. This is why I pointed people at my article on sysadmin re PAM. Also I have updated the LASG a bit (finally!): http://www.securityportal.com/lasg/users/ Kurt Seifried, seifried@securityportal.com Securityportal - your focal point for security on the 'net

...

I have updated the LASG a bit (finally!): http://www.securityportal.com/lasg/users/

Is there a single-file download ? I'd like to print that stuff.

No. Why? I don't want people printing it. Why? Dead trees suck. Printed docs go out of date. The online version will ALWAYS be available at www.seifried.org/lasg/ so there is no worry about is going bye bye. If you wanna print you gotta do it the hard way =)

Bjoern Engels

Kurt Seifried, seifried@securityportal.com Securityportal - your focal point for security on the 'net

hello, isn't there a limit on the number of processes, size of memory that you set in pam.conf ? I actually limited it to around 5 or something to a user ( aka me !) and found i could not login :)

regards omicron

Sense and reason is the limit. 5 might not be enough to run through /etc/profile. If you configure such limits, always make sure that root is not concerned by these limits. Otherwise you have to reboot to get rid of the constraints since the limits get inherited. Roman. -- - - | Roman Drahtmüller "Caution: Cape does not | SuSE GmbH - Security enable user to fly." | Nürnberg, Germany (Batman Costume warning label) | - -

Yo,

...

isn't there a limit on the number of processes, size of memory that you set in pam.conf ? I actually limited it to around 5 or something to a user ( aka me !) and found i could not login :)

Sense and reason is the limit. 5 might not be enough to run through /etc/profile.

If you configure such limits, always make sure that root is not concerned by these limits. Otherwise you have to reboot to get rid of the constraints since the limits get inherited.

A little something that might help dealing with situations like these... I'm doing admin for mostly remote machines (cipe tunnels, very restrictive firewall rules) and playing with config items like under discussion always makes me very nervous. Recovering from a lock-myself-out situation might easily force me to fly to Canada (living in the Netherlands). So, I started using a little procedure: copy config to /tmp, edit, run, move back if OK. If get locked out I can always call for someone to play the power switch. That procedure got a little more formalized and I added a "sleep", followed by a "reboot -r" to the end of the file. If everything was OK, I would be able to hit ^C, remove the sleep-reboot and move the file back. Because I ones forgot to remove these (luckily at home). I made a little improvement and now the end of my /etc/rc.d/rc.firewall (one of the most often changed config items) reads: # This is completely free software to anyone, except for security agencies who must first # mail me the phone number where they can be reached between 22:00 and 08:00 hours. if [ `basename $0` != "rc.firewall" ] then echo "Script started as $0." echo "You have one minute to show you are still effectively connected by hitting ^C." echo "If you do not kill this script within one minute the machine will reboot." for Loop in 60 50 40 30 20 10 do echo echo -n "Hit ^C now! Reboot in ${Loop} seconds!" sleep 10 done echo echo echo "Rebooting machine..." shutdown -r 0 fi I always copy this code and paste the config's filename so there's minimal chance at mistakes. Now I can safely copy to test.firewall, add "iptables -i ${MyOnlyWayIn} -j DROP" to the top of the INPUT chain, run it, and then (some two minutes later) decide against it and toss the added security. CIAO, Peter

* Steffen Dettmer wrote on Sat, Apr 28, 2001 at 16:44 +0200:

The idea:

ssh $HOST $FIREWALL_START ssh $HOST $FIREWALL_WATCHERKILL

I implemented such a thing. It seems to be reliable and usable. First tests looked good. To share the results here some note and details (some parts [...] cut): 1. launching the watcher, in bash shell code: function launch_watcher() { #make sure we are the onliest instance: [...] #launch watcher ($0 watcher) { export caller=$0; export WATCH_ME=$$; export TIMEOUT; nohup setsid $0 watcher 2>&1 | $LOGGER & last=$! if [ "$PIPESTATUS" != "0" ] ; then echo "error launching watcher process!"; echo "error launching watcher process!" | $LOGGER; exit 1; fi } & sleep 2; #now we need to check if the watcher is still running (it # exits immediatly on error ps ax | egrep "\? .* $0" | egrep -v "(grep|$$)" > /dev/null if [ "$?" != "0" ] ; then echo "Watcher already DIED!" echo "check syslog!" test -r /var/log/messages && tail /var/log/messages exit 1; else echo "Watcher session is running." fi } 2. The watcher itself: function watcher() { function signal_handler() { echo "Watcher: Signal \"OK\" caught --> Exiting." exit 0; } #called correctly? [...] trap "signal_handler" SIGUSR1 #give firewall some time to set up rules [...] #check if firewall is still running and kill in this case if kill -0 $WATCH_ME 2>/dev/null ; then echo "Watcher: $WATCH_ME alive...TIMED OUT. KILLING IT NOW." kill -TERM $WATCH_ME 2>/dev/null [...] sleep 1 force_ssh_open_direct; echo "Watcher: exiting." exit 1 fi echo "Watcher: waiting for OK..." #give admin some time to call "firewall ok" which kill # this process. After that time we open SSH for (( n=0 ; n waiting..." sleep 1; #more safe than sleep $TIMEOUT done [...] echo "Watcher: Forcing SSH to be open." force_ssh_open_direct; echo "Watcher: exiting." exit 1 } 3. killing the watcher (param "ok"): function kill_watcher() { #make sure we are the onliest instance except watchers: [...] #serach for other instances PIDS=`ps ax | egrep "$BASENAME.*watcher" | egrep -v "(grep|$$)"|awk '{ print $1 }'` [...] #send USR1 ("OK") for PID in $PIDS ; do kill -USR1 $PID done; [...] #send KILL if alive [...] } 4. putting it together: [...case $1 in...] start) conf_options; #load config file launch_watcher; #watcher into background parse_hosts; #some checks... init_chains; #set up ruls [...] watcher) #not be specified by commandline! watcher 2>&1 | $LOGGER; ;; ok) kill_watcher; ;; [...] 5. Usage: # ~ ssh remote_firewall <login> # ~ /etc/rc.d/firewall start Firewall (watch, rp, icmp) $Revision: 1.53 $ Watcher session is running. [...] Firewall set up successfully. Total number of rules: 100 (now run "/etc/rc.d/firewall.std ok") # ~ /etc/rc.d/firewall.std ok Firewall (watch, rp, icmp) $Revision: 1.53 $ Ok, sending "OK" to watcher. Done. # ~ exit :) On Error the watcher inserts SSH rule an reports that via syslog (logger) into /var/log/messages or whatever:: firewall[32684]: Watcher: activated firewall[32620]: Firewall set up successfully. Total number of rules: 100 firewall[32684]: Watcher: set up (by PID:32620) finished after 17 seconds. firewall[32684]: Watcher: waiting for OK... firewall[32684]: Watcher: Me (32684) is still alive after 20 seconds! firewall[32684]: Watcher: firewall seems to be closed to much! firewall[32684]: Watcher: Forcing SSH to be open. firewall[32684]: Watcher: inserting ssh accept rules in input chain... firewall[32684]: Watcher: opening output chains COMPLETLY (!)... firewall[32684]: Watcher: exiting. otherwise just a nice: firewall[1659]: Watcher: Signal "OK" caught --> Exiting. Yep, I thing I like it :) Comments? Have a nice weekend! oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.

On Wed, 25 Apr 2001, Peter van den Heuvel wrote:

Yo,

...

To effectively prevent such 'attacks', use the "userdel" program which was wriiten for such purposes.

Yeah,

Disconnect power is just as usefull. No, it would require physical access :) I still prefer userdel.

...

From the man page:

CAVEATS userdel will not allow you to remove an account if the user is currently logged in. You must kill any running processes which belong to an account that you are delet- ing.

I think this one is too easy and something should be done, specially if "this one is rather old". I've not heard one single argument why this

Yes, although its not easy. This issue comes up one or two times each year. Usually you give trusted ppl access to your machine. If they start fork-bombing or alike its reason enough to remove them. I don't know if Linux's tracking system of who is using how much of what suffices now or should be extended. Just decreasing or disallowing things isnt a solution, because even some security breaches come up due to 'just decrease' behavior (as seen with old capability bug for example). bye, Sebastian -- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@suse.de - SuSE Security Team ~