On Thursday 15 July 2010 07:38:08 Andrew Benton wrote: > Hello world. > > I was reading today about a fork bomb > http://en.wikipedia.org/wiki/Fork_bomb > and running the example code :(){ :|:& };: locked my system up hard. A > bit more reading lead me to conclude that the simplest way to restrict > the number of processes a user can spawn is by editing /etc/limits. echo > \* U128 >> /etc/limits > Is that a sensible limit? Will it cause any problems compiling or > running applications? Are there any other resources that should be > limited as a precaution? What do the rest of you put in /etc/limits? > /etc/limits is installed as part of shadow but the book doesn't give any > guidance as to what it should contain. Shouldn't the book at least set > some sane defaults? > > Andy
Welcome to the Self-Inflicted Foot Perforation Club. :) Every system is different. For example, I have a script that runs as many nc() processes as it can in the background for a 1/2 second then quit; I was testing a firewall, creating a DoS situation and then preventing it from affecting the firewall during startup. I let it run free, and could not generate more than 15-20 thousand processes, and usually not more than 5,000. That was on a quad PhII with 8GB RAM. On slower, older systems, I often locked up the system with errant scripts. This went back to SysV68 in the early '90s, and even back to my first computer: the AT&T UNIXPC. Back then, /etc/limits wasn't well known or didn't exist. The solution I created was to always 'nice --20 sh' before testing; that way I'd always have a shell to kill errant scripts (though it was sometimes a race). Instead of changing /etc/limits, you can use the ulimit command in your script. Try the command 'ulimit -a' in bash. If you think something might go awry, set some limits. Suspect a program of a memory leak? Cap its RAM and VM usage. Think it suffers excessive recursion? Limit its stack. -- http://linuxfromscratch.org/mailman/listinfo/lfs-support FAQ: http://www.linuxfromscratch.org/lfs/faq.html Unsubscribe: See the above information page
