Control: sevirity -1 normal

On Mon, 2017-08-21 at 13:17 +0200, Vincent Lefevre wrote:
> Severity: grave
> Justification: causes non-serious data loss and DoS from an end user.

The severity is a bit questionable and, at the very least not a flaw in
or unique to nslcd. Any local user that does not have resource limits
applied to them can DoS the whole system easily so I'm lowering the
severity to normal.

> It appears that nslcd can be killed by the OOM Killer when some user
> process takes all the memory. In such a case, it is no longer
> possible to connect to the machine by SSH. Thus this is DoS by an end
> user, with possible data loss concerning what is running on the
> machine.

The OOM is indeed a bit of Russian roulette on your system. You can
tune it a bit with vm.panic_on_oom and vm.overcommit_memory sysctls or
perform the following action that is equivalent to what newer nslcd
does:

echo -1000 > /proc/`cat /var/run/nslcd/nslcd.pid`/oom_score_adj

The patch should be pretty easy to backport though. I've put it on my
list but can't really guarantee a turn-around-time.

Thanks,

-- 
-- arthur - [email protected] - https://people.debian.org/~adejong --

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to