Bugtraq mailing list archives

Re: ANNOUNCE: secure identd v0.3

From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Wed, 16 Sep 1998 20:57:28 -0400


rlimits can be used as a safety net, but I prefer that the program
itself remains in control of its resource usage. I just don't find
it very elegant to crash and die on illegal input...

For example, when all data objects have limited size, and when the
number of objects instances is limited, so is the amount of memory
required to hold those objects.

This just changes some programs into special-purpose cache managers.

In the days of 16-bit and smaller computers, real programmers had
to do real work to make their programs actually fit the machine.
Perhaps I am just showing my age.

        Wietse

Taral:

Actually, a secure box should run with RLIMIT_AS (Linux-ism?) set on all
daemons... I started using it on apache httpd to prevent the header-spam
DoS, but it seems like a good idea on all processes that shouldn't consume
much memory.

Taral

-----Original Message-----
Suggested fix: read a fixed-size read buffer from the network.  No
reasonable ident query needs to be longer than a couple bytes for
the two port numbers. When used in the right place, fixed-size
buffers are beneficial to security.

        Wietse

Current thread:

ANNOUNCE: secure identd v0.3 Paul Boehm (Sep 14)
- Re: ANNOUNCE: secure identd v0.3 Booker Bense (Sep 15)
- Re: ANNOUNCE: secure identd v0.3 Wietse Venema (Sep 15)
  - Re: ANNOUNCE: secure identd v0.3 Paul Boehm (Sep 15)
  - Re: ANNOUNCE: secure identd v0.3 Taral (Sep 16)
    - Re: ANNOUNCE: secure identd v0.3 Wietse Venema (Sep 16)
    - Re: ANNOUNCE: secure identd v0.3 Kragen (Sep 17)