linux.. securing it against rogue programs?

Tony Hammitt tony at speedscript.com
Sun Feb 25 23:06:19 CST 2001


You can limit the number of processes started by an interactive shell by
using either 'ulimit' on bash, etc. or 'limit' on tcsh.  Both modify the
'maxproc' internal variable which will count up the number of processes
you have running and deny forks if you try to exceed the limit.

I don't know if it is possible to limit the systemwide number of processes,
maybe someone else has some info.  I suppose that you could include
'ulimit maxproc 20' in /etc/profile or a user's .bashrc, lock the file, then
have them start up in a restricted shell like 'bash -r', but I don't know if 
that would really prevent them from changing anything.

It's kind of dangerous to play around with these kinds of things, but
the problem does need to be addressed.  Not like any of us power users
ever accidentally crash their computers (haha :-).  Hey, this could even
be some other worthless benchmark like BogoMIPS, how long it takes
to hang your box with the given program should measure the system
capacity somehow =-]

You could always just turn off swap, too.  Then you'd just run out of
memory and the processes would get killed.  But it's hard to say whether
that would let you gracefully shut down, the system would stay busy...

Have a fun rest of the day, I should get back to work...

Later,

    Tony
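The `maxproc` limit Tony describes (bash's `ulimit -u`) is the kernel resource limit RLIMIT_NPROC. The program below is an added example, not code from the thread: it lowers its own soft RLIMIT_NPROC, tries a bounded number of forks, and counts how many the kernel refused with EAGAIN, then restores the limit. It assumes Linux, and that it runs as an ordinary user (uid 0 is exempt from RLIMIT_NPROC, which is itself a useful thing to know when placing such limits).

```c
/* Added example: what RLIMIT_NPROC (bash `ulimit -u`) actually does.
 * When a user's process count is at the limit, fork() returns -1 with
 * errno == EAGAIN instead of the kernel creating another process; that
 * refusal is the mechanism that stops a runaway forking program from
 * taking the whole machine down.  Constructed demo, Linux-specific.
 * Note: processes running as uid 0 are exempt, so run as a normal user. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try up to `attempts` forks with the soft RLIMIT_NPROC set to `limit`.
 * Each child exits immediately and the parent reaps it, so the process
 * count never grows.  Returns the number of forks refused with EAGAIN,
 * or -1 if the limit could not be set or fork failed for another reason. */
int forks_refused_under_limit(rlim_t limit, int attempts)
{
    struct rlimit saved, lowered;
    int refused = 0;

    if (getrlimit(RLIMIT_NPROC, &saved) != 0)
        return -1;

    /* Lower only the soft limit; the hard limit stays as the ceiling, so
     * this process may raise the soft limit back afterwards.  An ordinary
     * user may lower either limit but can never raise the hard one. */
    lowered = saved;
    lowered.rlim_cur = limit;
    if (setrlimit(RLIMIT_NPROC, &lowered) != 0)
        return -1;

    for (int i = 0; i < attempts; i++) {
        pid_t pid = fork();
        if (pid == 0) {
            _exit(0);                 /* child: leave at once */
        } else if (pid > 0) {
            waitpid(pid, NULL, 0);    /* parent: reap so the count drops */
        } else if (errno == EAGAIN) {
            refused++;                /* the kernel enforced the limit */
        } else {
            refused = -1;             /* unexpected failure */
            break;
        }
    }

    /* Restore the soft limit so the caller can fork normally again. */
    setrlimit(RLIMIT_NPROC, &saved);
    return refused;
}

int main(void)
{
    /* A soft limit of 1 is already exceeded by this process itself, so
     * every fork attempt should be refused (as a non-root user). */
    int refused = forks_refused_under_limit(1, 3);
    if (refused < 0)
        perror("setrlimit/fork");
    else
        printf("forks refused under RLIMIT_NPROC=1: %d of 3 (euid %u)\n",
               refused, (unsigned)geteuid());
    return 0;
}
```

Setting the limit from /etc/profile, as the message suggests, only covers login shells that read that file; on current Linux systems the per-user limit is normally set for every PAM login via the `nproc` entry in /etc/security/limits.conf, and a hard limit there cannot be raised by the user afterwards.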

----- Original Message ----- 
From: Aravind Gottipati <slttg at cc.usu.edu>
To: <kclug at kclug.org>
Sent: Sunday, February 25, 2001 1:14 PM
Subject: linux.. securing it against rogue programs?

> hi,
> I was on irc the other day and someone posted this one line
> script/program
> 
> WARNING: YOU WILL PROBABLY END UP DOING A HARD REBOOT, IF YOU RUN THIS
> SCRIPT FOR MORE THAN 10 SECONDS.
> 
> echo "main() { while (1) fork (); }" > p.c;cc p.c;./a.out
> 
> I knew what it would do.. fork processes forever and eventually eat up
> all the memory. I still gave it a try because I wanted to see how my box
> would react to it. I let it run for about 20 seconds and after that
> nothing on my box would work anymore.. I ended up doing a hard reboot :(
> 
> A short little program like this could be written by any user that knows
> a little C. It is scary to me that any one using a typical unix box can
> run this and bring a whole box to a halt. How do I protect my boxes
> against such mishaps? Are there programs/scripts that would protect
> boxes against things like this or even better not let any processes use
> 100% of the memory just in case there are any such problems.. While we
> are at it, I wouldn't mind it if you want to add other "WAYS TO BRING DOWN
> A BOX EASILY" to this thread :).  Maybe we can make this a topic on one
> of our demo days..
> 
> thank you,
> Aravind
>   
> -- 
> Don't look for the meaning of life! It may have no meaning, or, even 
> worse, it may have a meaning of which you disapprove.
> -- Anonymous