Control: severity -1 normal

On Mon, 2017-08-21 at 13:17 +0200, Vincent Lefevre wrote:
> Severity: grave
> Justification: causes non-serious data loss and DoS from an end user.

The severity is a bit questionable and, at the very least, not a flaw in or unique to nslcd. Any local user that does not have resource limits applied to them can DoS the whole system easily, so I'm lowering the severity to normal.

> It appears that nslcd can be killed by the OOM Killer when some user
> process takes all the memory. In such a case, it is no longer
> possible to connect to the machine by SSH. Thus this is DoS by an end
> user, with possible data loss concerning what is running on the
> machine.

The OOM is indeed a bit of Russian roulette on your system. You can tune it a bit with the vm.panic_on_oom and vm.overcommit_memory sysctls, or perform the following action, which is equivalent to what newer nslcd does:

  echo -1000 > /proc/`cat /var/run/nslcd/nslcd.pid`/oom_score_adj

The patch should be pretty easy to backport though. I've put it on my list but can't really guarantee a turnaround time.

Thanks,

-- 
-- arthur - [email protected] - https://people.debian.org/~adejong --
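The oom_score_adj step from the message above, as an added shell example that is not part of this thread or of nslcd itself: it reads the pidfile named in the message, rejects stale or malformed PIDs, validates the adjustment against the kernel's -1000..1000 range, and reads the value back after writing because lowering a score needs CAP_SYS_RESOURCE and a failed write is otherwise easy to miss. The helper function names are mine; the pidfile path is the one from the thread.

```shell
#!/bin/sh
# Pin a daemon's OOM score adjustment from its pidfile (added example).

# Path of the oom_score_adj file for a PID.
oom_adj_path() {
    printf '/proc/%s/oom_score_adj\n' "$1"
}

# Accept only integers within the kernel's valid range -1000..1000.
valid_adj() {
    case "$1" in
        ''|-|*[!0-9-]*|?*-*) return 1 ;;   # empty, lone '-', junk, misplaced '-'
    esac
    [ "$1" -ge -1000 ] && [ "$1" -le 1000 ]
}

# Read a PID from a pidfile; fail on non-numeric content or a dead process,
# so a stale pidfile never retargets some unrelated PID.
pid_from_file() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null && printf '%s\n' "$pid"
}

# Write the adjustment, then read it back: without CAP_SYS_RESOURCE the
# kernel refuses to lower the score, and the process may have exited.
set_oom_adj() {   # usage: set_oom_adj PID ADJ
    valid_adj "$2" || { echo "invalid oom_score_adj: $2" >&2; return 2; }
    path=$(oom_adj_path "$1")
    [ -e "$path" ] || { echo "no such process: $1" >&2; return 1; }
    printf '%s\n' "$2" > "$path" 2>/dev/null || { echo "write to $path refused" >&2; return 1; }
    [ "$(cat "$path")" -eq "$2" ]
}

# Equivalent of the one-liner in the thread, with the checks above.
protect_nslcd() {
    pid=$(pid_from_file /var/run/nslcd/nslcd.pid) \
        || { echo "nslcd pidfile missing or stale" >&2; return 1; }
    set_oom_adj "$pid" -1000
}

# Run as root after nslcd has started: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    protect_nslcd
fi
```

Run it as root after the daemon is up (for example from the init script's post-start step); a non-zero exit means the protection is not in place.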