garo Bodhisattva
Joined: 15 Jul 2002 Posts: 860 Location: Edegem,BELGIUM
Posted: Sat Sep 28, 2002 10:49 pm Post subject: How can I guard my system against too many processes?
Yesterday, when I wrote the following program:
Code: |
#!/usr/bin/perl
while(){
    fork();
}
|
and I executed it as a normal user (not root), the system crashed completely. I tried "killall -9" with the name of the program as argument, and later perl as argument to kill the processes, but I couldn't stop them.
What can I do to protect myself against this (another user can also write a program like this), and if it happens, how can I kill the processes?

rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Sat Sep 28, 2002 11:07 pm
ulimit -u should help you here. In Debian, I think system-wide defaults were set in /etc/login.defs, and that file appears to exist in Gentoo also, so that's where I would start trying to put it.
_________________
For every higher wall, there is a taller ladder

CowboyNeal n00b
Joined: 16 May 2002 Posts: 44 Location: The Netherlands
Posted: Sun Sep 29, 2002 12:57 am
rac wrote: | ulimit -u should help you here. In Debian, I think system-wide defaults were set in /etc/login.defs, and that file appears to exist in Gentoo also, so that's where I would start trying to put it. |
Better check /etc/security/limits.conf

rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Sun Sep 29, 2002 1:02 am
CowboyNeal wrote: | Better check /etc/security/limits.conf |
Excellent - PAM to the rescue. Yes, that "nproc" looks perfect. Thanks.

garo Bodhisattva
Joined: 15 Jul 2002 Posts: 860 Location: Edegem,BELGIUM
Posted: Sun Sep 29, 2002 7:44 am
Thanks, I never knew that I had this "/etc/security" directory, but I still have one question:
Code: |
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
|
What are soft and hard limits?

rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Sun Sep 29, 2002 5:06 pm
garo wrote: | What are soft and hard limits ? |
Users can change soft limits, but not to levels where they would violate hard limits.

garo Bodhisattva
Joined: 15 Jul 2002 Posts: 860 Location: Edegem,BELGIUM
Posted: Mon Sep 30, 2002 5:15 am
So soft limits are used by users to protect their own, and hard limits by the sysadmin to protect everybody?

rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Mon Sep 30, 2002 6:09 am
garo wrote: | So soft limits are used by users to protect their own, and hard limits by the sysadmin to protect everybody ? |
That sounds like a pretty good way to phrase it.

Tharkun Tux's lil' helper
Joined: 02 May 2002 Posts: 106
Posted: Mon Sep 30, 2002 10:41 am
Your system didn't crash, really! It's just soooo fucking slow ... :) If your process settings are not low enough, such a fork bomb can still make your machine quite slow, and with the normal limits it can pretty much halt the system, but it does not crash; a crash is when you get "Kernel Panic, Aiee!" on the console :)
IIRC with standard settings it took about 20-30 minutes for my system to become responsive again :)
Also as root you can just kill all processes of the user that has the fork bomb running. Sucks if the user is you and you're logged into X and don't want it to go down :P But depending on the limit on processes you have to be patient while waiting for the login process :P

garo Bodhisattva
Joined: 15 Jul 2002 Posts: 860 Location: Edegem,BELGIUM
Posted: Mon Sep 30, 2002 2:08 pm
Quote: | You system didn't crash, really! It just soooo fucking slow ... |
I know, because I was still able to give commands (I only had to wait 15 minutes after each command), but I am not very selective with the term "crash".

CowboyNeal n00b
Joined: 16 May 2002 Posts: 44 Location: The Netherlands
Posted: Wed Oct 02, 2002 9:54 pm
garo wrote: | Quote: | You system didn't crash, really! It just soooo fucking slow ... |
I know, because i was still able to give commands (i only had to wait 15 minutes after each command), but i am not very selective with the term "crash" |
That's because the default NPROC limit is set to a sane value (512 or so), not unlimited. I crashed a dual-sparc server running solaris, once. Very stupid, I know, but at the time I thought it would be fun. 'They' couldn't even stop it, because 'kill' is a program, not a shell-command.

gillesg Tux's lil' helper
Joined: 17 Sep 2002 Posts: 90
Posted: Thu Oct 10, 2002 12:54 am
rac wrote: | garo wrote: | What are soft and hard limits ? |
Users can change soft limits, but not to levels where they would violate hard limits. |
And how do you change the system hard limits?
Using the file /etc/security/limits.conf I can modify soft and hard limits for a user only to the extent of the system limits.
If my /etc/security/limits.conf is empty, the result of ulimit -a is
Code: |
gillesg $ ulimit -aH
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
stack size (kbytes, -s) unlimited
cpu time (seconds, -t) unlimited
max user processes (-u) 2037
virtual memory (kbytes, -v) unlimited
gillesg $ ulimit -aS
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 2037
virtual memory (kbytes, -v) unlimited
|
Changing /etc/security/limits.conf to
Code: |
#<domain> <type> <item> <value>
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
gillesg soft nproc 4096
gillesg hard core 1000000
gillesg hard stack 65536
gillesg soft stack 16386
gillesg hard nofile 1030
gillesg soft nofile 512
# End of file
|
Now when I log in, my ulimit -a is
Code: |
gillesg $ ulimit -aH
core file size (blocks, -c) 1000000
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
stack size (kbytes, -s) 65536
cpu time (seconds, -t) unlimited
max user processes (-u) 2037
virtual memory (kbytes, -v) unlimited
gillesg $ ulimit -aS
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
stack size (kbytes, -s) 16386
cpu time (seconds, -t) unlimited
max user processes (-u) 2037
virtual memory (kbytes, -v) unlimited
|
How can I make open files behind higher than 1024?
Thanks.
Gilles |
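
An added example, not part of any post in this thread: a small auditor for the nproc lines of a limits.conf-style file. It follows rac's point that users can change soft limits up to the hard limit, so a soft-only entry such as `gillesg soft nproc 4096` leaves the hard limit at whatever the system default is. The function names `audit_nproc` and `sample_conf`, the verdict labels and the sample file are constructed for illustration; the sample's values reuse lines quoted in the post above.

```shell
#!/bin/sh
# Added example: audit the nproc entries of a limits.conf-style file on stdin.
# Prints one line per domain: <domain> <verdict> <detail>
audit_nproc() {
    LC_ALL=C awk '
    /^[ \t]*(#|$)/ { next }                           # comments, blank lines
    NF >= 4 && $3 == "nproc" {
        seen[$1] = 1
        if ($2 == "hard" || $2 == "-") hard[$1] = $4  # "-" sets both types
        if ($2 == "soft" || $2 == "-") soft[$1] = $4
    }
    END {
        for (d in seen) {
            # soft alone: the user may raise it again, up to the hard limit
            if (!(d in hard))
                print d, "SOFT_ONLY", "soft=" soft[d]
            else if (hard[d] !~ /^[0-9]+$/)
                print d, "UNCAPPED", "hard=" hard[d]  # e.g. unlimited
            else if ((d in soft) && soft[d] ~ /^[0-9]+$/ && soft[d] + 0 > hard[d] + 0)
                print d, "SOFT_ABOVE_HARD", "soft=" soft[d] " hard=" hard[d]
            else
                print d, "CAPPED", "hard=" hard[d]
        }
        # no "*" hard entry: accounts not listed get no cap from this file
        if (!("*" in hard)) print "*", "NO_DEFAULT_CAP", "-"
    }' | LC_ALL=C sort
}

# Constructed sample; the values are ones quoted in the thread.
sample_conf() {
    cat <<'EOF'
#<domain>  <type>  <item>   <value>
@student   hard    nproc    20
@faculty   soft    nproc    20
@faculty   hard    nproc    50
gillesg    soft    nproc    4096
gillesg    hard    nofile   1030
EOF
}

sample_conf | audit_nproc
```

To check a live system, run `audit_nproc < /etc/security/limits.conf`.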

rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Thu Oct 10, 2002 2:17 am
gillesg wrote: | How can I make open files behind higher than 1024? |
Code: |
# ulimit -n
1024
# ulimit -n 4096
# ulimit -n
4096
|
...does this not work for you?

gillesg Tux's lil' helper
Joined: 17 Sep 2002 Posts: 90
Posted: Thu Oct 10, 2002 3:14 am
rac wrote: | gillesg wrote: | How can I make open files behind higher than 1024? |
Code: | # ulimit -n
1024
# ulimit -n 4096
# ulimit -n
4096 | ...does this not work for you? |
It does work for root, but not for a regular user.
As root: no problem, and all child processes are OK on the ulimit -a side.
As gillesg:
Code: |
gillesg$ ulimit -n 1256
bash: ulimit: cannot modify open files limit: Operation not permitted
|

Tharkun Tux's lil' helper
Joined: 02 May 2002 Posts: 106
Posted: Thu Oct 10, 2002 2:30 pm
/usr/src/linux/include/linux/limits.h

Xor Tux's lil' helper
Joined: 07 Jul 2002 Posts: 144
Posted: Thu Oct 10, 2002 3:00 pm
Inspired by the idea to nuke my system..... I tried it.... and it worked....
Instead of fiddling with a limits.conf, I try the approach with grsecurity (there I'm also able to tell the forks/s and also max process based on the gid)
As mentioned, system didn't crash, but hey... someone invented journaled filesystems... and what are they good for if you don't use 'em
---
jepp.... the process gets killed... no more fork bombs

gillesg Tux's lil' helper
Joined: 17 Sep 2002 Posts: 90
Posted: Thu Oct 10, 2002 4:48 pm
I have not yet tried it, but grepping through the include, I roughly got an idea.
It might be OK for open files, but I do not get it then for max user processes.
In fact I am setting up Oracle 9i on this platform.
In the install doc they are saying to set
ulimit -n 65536
ulimit -u 16384
This works for the current shell, but any other shell does not see it.
And if root does not set it and for a child shell, it is lost.
How can that be done ? |
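
An added example, not taken from any post: the soft/hard rules discussed in this thread, exercised on the open-files limit inside a subshell. It covers both the "Operation not permitted" error gillesg reported and his observation that other shells do not see a changed limit. The function name `limit_demo` and the values 32, 64, 65 and 128 are chosen for illustration.

```shell
#!/bin/sh
# Added example. The function body is a subshell "( ... )", so the lowered
# limits never reach the calling shell.
limit_demo() (
    ulimit -S -n 32 || exit 1   # lower soft first: soft may never exceed hard
    ulimit -H -n 64 || exit 1   # any user may lower a hard limit
    ulimit -S -n 64 2>/dev/null && echo "soft 32->64: ok"
    ulimit -S -n 65 2>/dev/null || echo "soft 64->65: refused"
    if ulimit -H -n 128 2>/dev/null; then
        echo "hard 64->128: allowed (privileged shell)"
    else
        echo "hard 64->128: refused"   # the case behind the posted error
    fi
    # limits are per process: children inherit them, other logins do not
    echo "child sees soft=$(sh -c 'ulimit -S -n')"
)

limit_demo
```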

gillesg Tux's lil' helper
Joined: 17 Sep 2002 Posts: 90
Posted: Tue Oct 15, 2002 5:26 am Post subject: going over the limit -H value
How do you modify, for the whole system, the parameters
modified by ulimit -u (max user processes)
and ulimit -n (max open files)?
Once my box has booted, root can set those values (-n and -u)
over the value displayed by ulimit -aH.
But any other user cannot do that. They get a message:
Code: |
bash: ulimit: cannot modify max user processes limit: Operation not permitted
|
I have found that I can modify almost all other parameters through limits.conf, but those 2 do not seem to work.
Thank you for your insight
Gilles