On 10.10.2017 at 15:31, David Sommerseth wrote:

Hi David,

> I did introduce LimitNPROC=10 to avoid a scenario where a faulty plug-in
> or script hook would spawn too many processes and overload the system in
> various ways.  There are many reasons why this could happen; it could be
> a local issue or something triggered by user input (username, password) or
> in some really dark corner cases even certificate details could be
> abused too.
> 
> The intention was to have this limit on a per-unit-file basis.  But I
> clearly have overlooked that using the same username in multiple OpenVPN
> configuration files can cause challenges, as that limit is shared among
> all config clients.

I think another downside is that this limit is not enforced for
processes running as root, which is probably the majority of cases.
> 
> I can acknowledge that 10 processes might be too little.  But I do think
> the potential DoS protection is valuable; and even Lennart Poettering
> does not recommend removing it [1].  So I think it can be increased, and
> then it should be documented better how to increase this manually by
> using 'systemctl edit openvpn-server@.service' and modifying this
> setting this way.
> 
> Would a default of 30 or 50 processes be sufficient?

I'm still not sure how setting ulimit -u on a systemd service that runs
as root, but might start several processes as non-root, actually works.
ulimit -u seems to be a per-process thing, but counts processes
globally. The only thing I can think of is that if process A has
LimitNPROC=10, every time this process (directly or through a child)
tries to create a new process with e.g. UID 1000, the system checks
whether the total number of processes with UID 1000 on the whole system
exceeds 10. If yes, that fork is denied. If another process had
LimitNPROC=20 it would only be denied if more than 20 processes ran.

To me this knob seems useless. It does not protect against a misbehaving
plugin running as root, and its failure mode is quite surprising, since
it depends on the UID this particular binary will be executed as and what
other processes (totally unrelated to OpenVPN) are currently running under
the same UID.

I think what we actually want is

       TasksMax=N
           Specify the maximum number of tasks that may be created in the
           unit. This ensures that the number of tasks accounted for the
           unit (see above) stays below a specific limit. This either
           takes an absolute number of tasks or a percentage value that is
           taken relative to the configured maximum number of tasks on the
           system. If assigned the special value "infinity", no tasks
           limit is applied. This controls the "pids.max" control group
           attribute. For details about this control group attribute, see
           pids.txt[6].

           Implies "TasksAccounting=true". The system default for this
           setting may be controlled with DefaultTasksMax= in systemd-
           system.conf(5).

I'm not sure about the consequences of TasksAccounting and there are
only a few uses of it
(https://codesearch.debian.net/search?q=TasksMax%3D&perpkg=1), but this
looks like the thing we actually want.

Bernhard

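The RLIMIT_NPROC semantics Bernhard describes above (a per-process limit value, inherited across fork/exec, compared against the system-wide count of processes owned by the caller's real UID, and not applied to real UID 0 or to processes holding CAP_SYS_RESOURCE/CAP_SYS_ADMIN) can be checked directly. The following is an added example written for this page, not code from the thread or from OpenVPN; the function names are mine. It lowers the soft RLIMIT_NPROC of the current process to 1, attempts one fork(), and restores the limit. Since the probing process itself already counts against its UID, an unprivileged run is refused with EAGAIN no matter how "idle" the process is, while a run as root forks successfully: the knob does not constrain a root-running plug-in, and for a non-root UID the outcome depends on whatever unrelated processes that UID currently owns.

```c
/* Added example (not from the thread): probe how RLIMIT_NPROC ("ulimit -u",
 * systemd LimitNPROC=) actually behaves.  The limit is stored per process and
 * inherited across fork/exec, but the number it is compared against is the
 * total count of processes owned by the calling real UID on the whole system.
 * Real UID 0 (and CAP_SYS_RESOURCE / CAP_SYS_ADMIN holders) is exempt. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lower the soft RLIMIT_NPROC to `limit`, try one fork(), then restore the
 * previous soft limit.  Returns 1 if the fork succeeded, 0 if it was refused;
 * *err receives errno on refusal (EAGAIN when the per-UID process count is
 * already at or above the limit and the caller is not exempt). */
int probe_fork_under_nproc_limit(rlim_t limit, int *err)
{
    struct rlimit saved, tmp;
    int ok = 0;

    if (getrlimit(RLIMIT_NPROC, &saved) != 0) {
        *err = errno;
        return 0;
    }
    tmp = saved;
    tmp.rlim_cur = limit;          /* lowering the soft limit needs no privilege */
    if (setrlimit(RLIMIT_NPROC, &tmp) != 0) {
        *err = errno;
        return 0;
    }

    pid_t pid = fork();
    if (pid < 0) {
        *err = errno;              /* EAGAIN: this UID's quota is exhausted */
        ok = 0;
    } else if (pid == 0) {
        _exit(0);                  /* child: exit immediately */
    } else {
        int status;
        while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
            ;
        *err = 0;
        ok = 1;
    }

    /* soft <= hard still holds, so restoring is always permitted */
    setrlimit(RLIMIT_NPROC, &saved);
    return ok;
}

/* Current soft RLIMIT_NPROC of this process, or 0 if it cannot be read. */
rlim_t current_nproc_soft_limit(void)
{
    struct rlimit rl;
    return getrlimit(RLIMIT_NPROC, &rl) == 0 ? rl.rlim_cur : 0;
}

int main(void)
{
    int err = 0;

    printf("real UID %u, current RLIMIT_NPROC soft limit: %llu\n",
           (unsigned)getuid(),
           (unsigned long long)current_nproc_soft_limit());

    /* With the soft limit forced to 1 this process alone fills the quota for
     * its UID, so an unprivileged fork() is refused with EAGAIN.  Run the same
     * binary as root and the fork goes through: the limit does not apply. */
    if (probe_fork_under_nproc_limit(1, &err))
        printf("fork() under RLIMIT_NPROC=1 succeeded: this UID is exempt\n");
    else
        printf("fork() under RLIMIT_NPROC=1 refused: %s\n", strerror(err));
    return 0;
}
```

Build with `cc -o nproc-probe nproc-probe.c` and run it once as an ordinary user and once as root to see both outcomes. The contrast with the TasksMax= quoted above is that pids.max is a cgroup attribute: it is accounted per unit, independent of which UIDs the unit's processes run as, which is the per-unit behaviour the LimitNPROC= setting was meant to give.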