Re: Patch related with Fork Bobmbing Attack

[Daniel Hazelton]

On Wednesday 13 June 2007 07:34:09 Simon Arlott wrote:
> On Tue, June 12, 2007 18:32, Jan Engelhardt wrote:
> > On Jun 12 2007 10:04, Roland Dreier wrote:
> >> > +	/*
> >> > +         * following code does not allow Non Root User to cross its
> >> > process +         * limit. it alerts administrator about fork bombing
> >> > attack and prevents +         * it.
> >> > +         */
> >> >  	if (atomic_read(&p->user->processes) >=
> >> > p->signal->rlim[RLIMIT_NPROC].rlim_cur) if (!capable(CAP_SYS_ADMIN) &&
> >> > !capable(CAP_SYS_RESOURCE) && -				p->user != &root_user)
> >> > -
> >> > +				p->user != &root_user) {
> >> > +			if (printk_ratelimit())
> >> > +                                printk(KERN_CRIT"User with uid %d is
> >> > crossing its process
> >>
> >> limit\n",p->user->uid);
> >>
> >> >  			goto bad_fork_free;
> >> > +		}
>
> Why does this need to be KERN_CRIT? You can't assume that every time a
> process limit is reached that it's a fork bomb.


I think the reasoning here is to alert the administrator(s) to the possibility 
that somebody has just tried a fork-bomb. A better test, IMHO, would be to 
check how fast the processes are being spawned and whether a large percentage 
share the same parent. (Those two taken together would better spot most 
fork-bombs, including the very simple types that are just a simple one-liner)

DRH

-- 
Dialup is like pissing through a pipette. Slow and excruciatingly painful.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/