Re: Patch related with Fork Bobmbing Attack

From: Daniel Hazelton
Date: Wed Jun 13 2007 - 10:44:59 EST


On Wednesday 13 June 2007 07:34:09 Simon Arlott wrote:
> On Tue, June 12, 2007 18:32, Jan Engelhardt wrote:
> > On Jun 12 2007 10:04, Roland Dreier wrote:
> >> > + /*
> >> > + * following code does not allow Non Root User to cross its
> >> > process + * limit. it alerts administrator about fork bombing
> >> > attack and prevents + * it.
> >> > + */
> >> > if (atomic_read(&p->user->processes) >=
> >> > p->signal->rlim[RLIMIT_NPROC].rlim_cur) if (!capable(CAP_SYS_ADMIN) &&
> >> > !capable(CAP_SYS_RESOURCE) && - p->user != &root_user)
> >> > -
> >> > + p->user != &root_user) {
> >> > + if (printk_ratelimit())
> >> > + printk(KERN_CRIT"User with uid %d is
> >> > crossing its process
> >>
> >> limit\n",p->user->uid);
> >>
> >> > goto bad_fork_free;
> >> > + }
>
> Why does this need to be KERN_CRIT? You can't assume that every time a
> process limit is reached that it's a fork bomb.


I think the reasoning here is to alert the administrator(s) to the possibility
that somebody has just tried a fork-bomb. A better test, IMHO, would be to
check how fast the processes are being spawned and whether a large percentage
share the same parent. (Those two taken together would better spot most
fork-bombs, including the very simple types that are just a simple one-liner)

DRH

--
Dialup is like pissing through a pipette. Slow and excruciatingly painful.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/