J> Date: Wed, 16 Oct 2002 13:09:20 +0100 J> From: Jamie
J> In light of the recent DDOS / Buffer overflow exploits that J> have popped up recently, I have been thinking, J> J> Couldn't we just do a system wide CPU% usage limit, on every J> user... No. It's not an issue of restricting CPU activity. What happens in the classic "remote exploit" is someone sends a carefully- crafted request that tricks the buggy software into running arbitrary code. IIRC, phrack.org has some good tutorials on how buffer exploits work. Print string vulnerabilities are similar. Race conditions are a different beast. J> I have looked into /etc/security/limits.conf, as well as J> ulimit, but it seems these both work on a time spent, limit, J> as opposed to a %used limit. Correct. J> I want to say, don't let any process by user, httpd, J> collectively, or singularly, use more than 60% of the system J> cpu. Different issue from the above concerns about exploits. J> Ulimit is of no use as the user doesn't login, and J> limits.conf, only seems to limit the amount of cpu time one J> process is allowed, as opposed to doing what I require. J> J> I would like to lock down a few users aswell, who run some J> perl scripts, which have the 'potential' to be used to J> resource starve the box... J> J> Anyone got any thoughts / recommendations on how to J> effectively, not allow user X to use more then Y% of the cpu, J> across all their processes? IMHO, Linux does an okay job arbitrating between processes vying for CPU. I think BSD is better. It sounds like you want something along the lines of virtual machines (a la OS/400) or scheduling classes (a la SysV). Solaris offers the latter... but I've been told Sun/Cobalt has no interest in straying from Linux on x86. IIRC, there is a "virtual machine" distribution of Linux... Eddy -- Brotsman & Dreger, Inc. - EverQuick Internet Division Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 (785) 865-5885 Lawrence and [inter]national Phone: +1 (316) 794-8922 Wichita ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Mon, 21 May 2001 11:23:58 +0000 (GMT) From: A Trap <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Please ignore this portion of my mail signature. These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <[EMAIL PROTECTED]>, or you are likely to be blocked. _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
