Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] Linux and forkbomb - with link
  • From: Randall R Schulz <rschulz@xxxxxxxxx>
  • Date: Mon, 21 Mar 2005 06:03:25 -0800
  • Message-id: <200503210603.25804.rschulz@xxxxxxxxx>

On Monday 21 March 2005 04:54, Sven 'Darkman' Michels wrote:
> Randall R Schulz wrote:
> | I find it hard to believe an interactive user would need much more
> | than 100 processes. Logged in to a KDE session with the usual
> | panoply of gadgets running, I'm using only 43 processes. Perhaps
> | some users with special needs might, but they can be granted more.
> Well, maybe I'm not a normal user, but I don't use KDE at all at the
> moment on my desktop and have around 125 processes running. And I'm
> not doing any multimedia stuff at all atm. So it's not that easy to
> say 'no one will need more than around 100 processes'. The next
> problem is, even with only a few you can crash a box. Fine-tuning the
> limits is hard if you want to do some 'general rules', some apps may
> need more than x meg of ram, so they won't work anymore. If you allow
> users to start maybe 100 processes with 16 meg ram each you'll need
> up to 1,6gb of ram for just one user to prevent him from bombing your
> box. If he eats up all your mem, your kernel will normally start to
> kill processes. With the newer OOM Killer this may work better than
> it did in the last years because the OOM Killer just started to kill
> stuff, if you had a bad day, he would start with things like sshd...

I just picked that number based on my own experience. But surely even
you don't need thousands of processes?

> | The malicious script is utterly trivial. Robustly solving the
> | problem without interfering with legitimate patterns of use is
> | probably much harder.
> The only bomb I can actually remember is this one:
> (:(){ :|:;};:)
> (kids, don't try this at home ;-)
> It looks so easy and kills so much ;-)

You can find several by Googling for "Fork Bomb".

> | However, on my SuSE 9.1 system, unmodified w.r.t. the pertinent
> | limits, I've three times had the system rendered useless and was
> | forced to press the hardware reset button (!) by a runaway process
> | that consumed so much memory that nothing else could happen.
> Well yeah, but the problem still exists: where to set the limit to?
> Not every user will be able to set such limits, so you have to set
> them in a clever way. Take openoffice as a start, it needs much more
> cpu and ram than many many other apps. If you allow enough of mem/cpu
> to run openoffice, then you're maybe back to the original problem:
> your limits won't work for such a bomb. As said in other posts, if
> someone will bring your box down, he can do it (as long as he's a
> local user).

Yes. That's my point. It's not an easy problem to solve for exactly the
reason that there's just a continuum of legitimate needs which
eventually become pathological (at different points for systems with
different hardware capacity). What exactly characterizes pathological
demand or load?

> Sven

Randall Schulz
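
Added example, not part of the original thread: the arithmetic quoted above (100 processes at 16 MB each) generalized into a small audit of per-user limits written in pam_limits `limits.conf` syntax. The thread does not say how the limits are configured, so the file format, the sample entries, the group names and the RAM size are all constructed assumptions.

```python
# Added example: audit pam_limits-style entries for fork-bomb exposure.
# SAMPLE_LIMITS and RAM_KB are constructed values, not from the thread.
SAMPLE_LIMITS = """\
# <domain> <type> <item> <value>
@users   hard  nproc  100
@users   hard  as     16384
@devel   soft  nproc  400
@devel   hard  as     unlimited
guest    -     nproc  50
"""
RAM_KB = 1024 * 1024  # assumed machine with 1 GiB of RAM

UNLIMITED = {"unlimited", "infinity", "-1"}

def parse_hard_limits(text):
    """Return {domain: {item: int or None}} for hard limits (None = unlimited)."""
    limits = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4:
            continue  # blank, comment-only, or malformed line
        domain, ltype, item, value = fields
        # A soft limit can be raised by the user up to the hard limit, so only
        # "hard" and "-" (both) entries bound what a runaway process can do.
        if ltype not in ("hard", "-") or item not in ("nproc", "as"):
            continue
        limits.setdefault(domain, {})[item] = None if value in UNLIMITED else int(value)
    return limits

def audit(text, ram_kb):
    """Classify each domain by how far one user could push the machine."""
    report = {}
    for domain, lim in parse_hard_limits(text).items():
        nproc, as_kb = lim.get("nproc"), lim.get("as")
        if nproc is None:
            report[domain] = "no hard nproc limit configured"
        elif as_kb is None:
            report[domain] = f"nproc={nproc}, no per-process memory cap"
        else:
            worst = nproc * as_kb  # nproc is per user, "as" is per process (KB)
            verdict = "exceeds RAM" if worst > ram_kb else "fits in RAM"
            report[domain] = f"worst case {worst // 1024} MiB, {verdict}"
    return report

if __name__ == "__main__":
    for domain, finding in audit(SAMPLE_LIMITS, RAM_KB).items():
        print(f"{domain:8} {finding}")
```

The `@users` row reproduces the case from the thread: a limit that looks modest per process still allows one account to claim more memory than the assumed machine has.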
