On Sun, Mar 26, 2000 at 12:28:46AM +0100, Ingo Saitz wrote:

> This is not a problem with su but with missing process limits.
> You can replace "su" with any program you like. The shell tries
> to expand the command line using the output of "cat
> /dev/urandom". You won't get EOF from /dev/urandom, so the shell
> eats all available memory until swap is filled up. Linux then
> starts to kill those processes that allocate memory. If it hits
> e.g. your Xserver first you are lost.

that would explain why this does not work on my system.

> Type the following line into your bash prompt to get the same
> effect. Note that using /dev/urandom instead of /dev/zero raises
> the chance that the process triggering the memory limit won't be
> bash:
>
> `cat /dev/urandom`

[EMAIL PROTECTED] eb]$ bash
[EMAIL PROTECTED] eb]$ `cat /dev/urandom`
bash: xrealloc: cannot reallocate 16777216 bytes (0 bytes allocated)
[EMAIL PROTECTED] eb]$

set resource limits! ;-)

> If you want to avoid such attacks, set process limits.

quite right. however having done this i can say resource limits do not seem to be well documented at all, sure i can find out HOW to set each limit, what i could not find much info on was WHAT to set these limits to. I just asked the list and had a couple people who had set them on their systems to show me what they were and how much memory etc their system has. at that point i just winged it and tried a few tests to see how much i could limit before things started to break. this is however a rather time consuming and painful way to set limits.... (it seems i got them set fairly well though ;-))

does anyone know of some documentation on _what_ to set the limits to? this would probably be dependent on the system's resources, such as amount of memory/swap etc. but there has to be a more efficient way to deal with this than hours and hours of trial and error. (i spent 2 or 3 days on this!) I think this is why almost nobody sets any resource limits and remain vulnerable to trivial attacks like this.

also what is the best way to set resource limits, per user on wdm (which uses PAM improperly, ignoring session modules) or xdm (which does not use PAM at all (last time i checked)) for all other interactive logins pam_limits works very nicely. (the best way i suppose would be to fix wdm's pam support, but i don't know how to do that :( )

--
Ethan Benson
http://www.alaska.net/~erbenson/
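An added example, not part of the original message: a small shell harness that applies an address-space limit and a CPU-time limit to a child bash, then checks that the never-ending command substitution quoted above is stopped while an ordinary substitution still works. The function name and the limit values (64 MiB, 20 CPU seconds) are constructed for the demonstration and are not recommended settings.

```shell
#!/bin/sh
# Added example: an address-space limit containing a runaway
# command substitution. Limit values are constructed for the demo.

# run_with_limits KIB CPU_SECONDS COMMAND
# Runs COMMAND in a child bash with RLIMIT_AS and RLIMIT_CPU set.
# The subshell keeps the limits away from the calling shell.
run_with_limits() {
    (
        ulimit -v "$1" || exit 125   # could not apply the memory cap
        ulimit -t "$2" || exit 125   # CPU cap as a second safety net
        LC_ALL=C exec bash -c "$3"
    )
}

# The unbounded expansion from the message, assigned rather than executed.
RUNAWAY='x=`cat /dev/urandom`'
# A bounded substitution that should still work under the same limits.
BENIGN='x=`echo ok`; [ "$x" = ok ]'

demo() {
    run_with_limits 65536 20 "$BENIGN"
    echo "benign exit status:  $?"
    run_with_limits 65536 20 "$RUNAWAY"
    echo "runaway exit status: $?"
}

# Run the demo only when the script is invoked as: sh script.sh demo
if [ "${1:-}" = demo ]; then
    demo
fi
```

The runaway child fails with an allocation error like the xrealloc message shown in the session above, and the calling shell is unaffected because the limits were set only inside the subshell.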

