Bugtraq mailing list archives
Re: limit maximum nr. of processes.
From: altellez () IP6SEGURIDAD COM (Alfonso Lazaro)
Date: Fri, 3 Sep 1999 13:18:02 +0200
El dia Wed, Sep 01, 1999 at 10:53:48AM +0200, Petter Wahlman <petter () proact no> escribió: to limit the maximum number of processes you can use the Linux-PAM edit /etc/pam.d/login #%PAM-1.0 auth required /lib/security/pam_securetty.so auth required /lib/security/pam_pwdb.so shadow nullok auth required /lib/security/pam_nologin.so account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so shadow nullok use_authtok session required /lib/security/pam_pwdb.so session required /lib/security/pam_limits.so you have to add the last two lines then edit /etc/security/limits.conf # /etc/security/limits.conf # #Each line describes a limit for a user in the form: # #<domain> <type> <item> <value> # #Where: #<domain> can be: # - an user name # - a group name, with @group syntax # - the wildcard *, for default entry # #<type> can have the two values: # - "soft" for enforcing the soft limits # - "hard" for enforcing hard limits # #<item> can be one of the following: # - core - limits the core file size (KB) # - data - max data size (KB) # - fsize - maximum filesize (KB) # - memlock - max locked-in-memory address space (KB) # - nofile - max number of open files # - rss - max resident set size (KB) # - stack - max stack size (KB) # - cpu - max CPU time (MIN) # - nproc - max number of processes # - as - address space limit # - maxlogins - max number of logins for this user # #<domain> <type> <item> <value> # #* soft core 0 #* hard rss 10000 #@student hard nproc 20 #@faculty soft nproc 20 #@faculty hard nproc 50 #ftp hard nproc 0 #@student - maxlogins 4 as you can see you can limit the number of process and much more like cpu, stack ...
i have made a loadable kernel module that lets you limit the maximum number of processes members of the group USER_GID can execute. this can e.g be used to prevent DoS attacks like: int main() { while(1) fork(); return 1; } Setting the limit is easily done through the proc interface: arjuna(root):fork~>cat /proc/maxprocs gid: 500 restricted to: 40 processes arjuna(root):fork~>echo 64 > /proc/maxprocs arjuna(root):fork~>cat /proc/maxprocs gid: 500 restricted to: 64 processes [The module does currently only support v.2.2.X of the Linux kernel.] ________________________________________________________________________________ Petter Wahlman bactus () sol no #define QUESTION ((bb) || !(bb)) - Shakespeare. echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA6E616D6C68615720726574746550snlbxq'|dc ________________________________________________________________________________
/*************************************************************** * secfork v1.0a - petter wahlman <bactus () sol no> * * Limit the maximum number of processes members * of the group USER_GID can execute. * * compile: * gcc foo.c -DMODULE -D__KERNEL__ -O2 -fomit-frame-pointer \ * -Wstrict-prototypes -Wall -Wunused -c -o secfork * * install: * insmod secfork * * remove: * rmmod secfork * * usage: * echo 64 > /proc/maxprocs # set limit to 64 processes * ***************************************************************/ #ifndef __KERNEL__ # define __KERNEL__ #endif #ifndef MODULE # define MODULE #endif #include <linux/config.h> #define __NO_VERSION__ #include <linux/module.h> #include <linux/version.h> char kernel_version [] = UTS_RELEASE; /* #if CONFIG_MODVERSIONS==1 #define MODVERSIONS #include <linux/modversions.h> #endif */ #include <linux/kernel.h> #include <linux/types.h> #include <linux/fs.h> #include <linux/mm.h> #include <linux/errno.h> #include <linux/sched.h> #include <linux/proc_fs.h> #include <asm/uaccess.h> #include <asm/io.h> #include <sys/syscall.h> #include <errno.h> MODULE_AUTHOR("petter wahlman <bactus () sol no>"); EXPORT_NO_SYMBOLS; #define MAXPROCS 40 #define USER_GID (int)500 #define MAXDATA (int)8 static unsigned long maxprocs = MAXPROCS; extern void *sys_call_table[]; asmlinkage int (*old_fork) (struct pt_regs); static struct user_struct { long count; struct user_struct *next, **pprev; unsigned int uid; }user_t; /***( module_output )***/ static ssize_t module_output(struct file *file, char *buf, size_t len, loff_t *offset) { static int i, finished = 0; char msg[MAXDATA+50]; if (finished) { finished = 0; return 0; } sprintf(msg, "gid: %d restricted to: %ld processes\n", USER_GID, maxprocs); for(i = 0; i < len && msg[i]; i++) put_user(msg[i], buf+i); finished = 1; return i; } /***( module_input )***/ static ssize_t module_input(struct file *file, const char *buf, size_t length, loff_t *offset) { static char data[MAXDATA]; int i; for (i = 0; i < sizeof(data)-1 && i < length; i++) get_user(data[i], buf+i); data[i] = '\0'; maxprocs = simple_strtoul(data, NULL, 10); return i; } static int module_permission(struct inode *inode, int op) { if (op == 4 || (op == 2 && current->euid == 0)) return 0; return -EACCES; } int module_open(struct inode *inode, struct file *file) { MOD_INC_USE_COUNT; return 0; } int module_close(struct inode *inode, struct file *file) { MOD_DEC_USE_COUNT; return 0; } static struct file_operations fops = { NULL, /* lseek */ module_output, module_input, NULL, /* readdir */ NULL, /* select */ NULL, /* ioctl */ NULL, /* mmap */ module_open, NULL, /* flush */ module_close }; static struct inode_operations iops = { &fops, NULL, /* create */ NULL, /* lookup */ NULL, /* link */ NULL, /* unlink */ NULL, /* symlink */ NULL, /* mkdir */ NULL, /* rmdir */ NULL, /* mknod */ NULL, /* rename */ NULL, /* readlink */ NULL, /* follow_link */ NULL, /* readpage */ NULL, /* writepage */ NULL, /* bmap */ NULL, /* truncate */ module_permission }; static struct proc_dir_entry proc_entry = { 0, 8, "maxprocs", /* The file name */ S_IFREG | S_IRUGO | S_IWUSR, 1, /* links */ 0, 0, /* uid, gid */ 0, /* size */ &iops, NULL /* read function - in ino structure */ }; /***( new_fork )***/ int new_fork(struct pt_regs regs) { static int n; if (current->uid == 0) return old_fork(regs); for (n = 0; n < NGROUPS; n++) if (current->groups[n] == USER_GID) { if (current->user->count >= maxprocs) return -EPERM; else return old_fork(regs); } return old_fork(regs); } /***( init_module ***/ int init_module(void) { printk("secfork v1.0a - petter wahlman <bactus () sol no>..\n"); old_fork = sys_call_table[__NR_fork]; sys_call_table[__NR_fork] = new_fork; return proc_register(&proc_root, &proc_entry); } void cleanup_module(void) { sys_call_table[__NR_fork] = old_fork; proc_unregister(&proc_root, proc_entry.low_ino); printk("secfork unloaded..\n"); }
-- Saludos. =========================================================== Alfonso Lazaro Tellez altellez () ip6seguridad com Analista de seguridad IP6Seguridad http://www.ip6seguridad.com Tfno: +34 91-3430245 C\Alberto Alcocer 5, 1 D Fax: +34 91-3430294 Madrid ( SPAIN ) ===========================================================
Current thread:
- limit maximum nr. of processes. Petter Wahlman (Sep 01)
- Updated Fix Information for Buffer Overflow in Netscape Enterprise and FastTrack Web Servers X-Force (Sep 02)
- Re: limit maximum nr. of processes. Alfonso Lazaro (Sep 03)
- Re: limit maximum nr. of processes. Andrea Costantino (Sep 07)
- ProFTP-1.2.0pre4 buffer overflow -- once more Renaud Deraison (Sep 07)
- Exploiting DCOM to gain Administrative rights on Windows NT 4 Mnemonix (Sep 07)