2011/6/8 Raj Mathur (राज माथुर) <r...@linux-delhi.org>

> On Wednesday 08 Jun 2011, Ankit Chaturvedi wrote:
> > > Is there a way we can tweak the ulimit - user limit for all users.
> > > http://www.linuxforums.org/forum/security/90836-user-limits-linux.html
> > > - wasn't so helpful.
> >
> > Try 'setrlimit' to set RLIMIT_NPROC to some agreeable value. NPROC is
> > the number of processes a user can create. Limiting them will
> > at least leave you with enough resources to start a shell and kill
> > the offending process (bash in this case).
> > ulimit will not work if you don't have the pam_limits module for your
> > kernel (it's not built by default). Try loading the pam_limits module
> > manually and see if the limits in /etc/security/limits.conf are
> > honored then.
> >
> > There is no definite solution to preventing a fork bomb as such, but
> > patches like this http://grsecurity.net/ may help you find which
> > user started the fork bomb, though it might be overkill for
> > single-user systems.
>
> So will any of these solutions work when the user is logged in as root?
>

Yes, rlimits are enforced by the kernel, so they apply to all users,
including root. GrSec patches also add functionality to the kernel, so I
assume it should be the same.

>
> In general, how are you going to prevent root from destroying your
> system?
>

Via kernel-based limits, SELinux, etc. However, a root user can modify
rlimits, so there is very little one can do to prevent damage. SELinux/grsecurity
patches can prevent this to some extent through least-privilege access
control policies. In other words, don't hand out the root account or sudoer
privileges to everyone. In Ubuntu, remove all regular users from sudoers and
add them to a less privileged group, keeping a few power users in the
admin/root group.

>
> -- Raj
> --
> Raj Mathur                r...@kandalaya.org      http://kandalaya.org/
>       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
> PsyTrance & Chill: http://schizoid.in/   ||   It is the mind that moves
>
> _______________________________________________
> Ilugd mailing list
> Ilugd@lists.linux-delhi.org
> http://frodo.hserus.net/mailman/listinfo/ilugd
>

-- 
Ankit Chaturvedi
GPG: 05DE FDC5 468B 7D9F 9F45 72F1 F7B9 9E16 ECA2 CC23
<http://www.google.com/profiles/ankit.chaturvedi>

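The RLIMIT_NPROC advice in the thread above, as an added C example that is not from the list posting: it lowers the calling process's soft per-user process limit with setrlimit(), attempts more forks than the cap allows, and reports how many fork() calls the kernel refused with EAGAIN. The limit of 16 and the 8 extra attempts are arbitrary values chosen for the demonstration, and the helper names (cap_nproc, count_forks, demo_fork_cap, fork_cap_holds) are this example's own. One caveat a practitioner should know before relying on this against root: the kernel's fork path waives the NPROC check for processes that hold CAP_SYS_RESOURCE or CAP_SYS_ADMIN in the initial user namespace, so run the demonstration as an unprivileged user to see the refusals.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lower this process's soft RLIMIT_NPROC to `want`, clamped to the hard
 * limit: an unprivileged process may move the soft limit anywhere up to
 * the hard limit but can never raise the hard limit.  Returns the limit
 * actually applied, or 0 on failure. */
rlim_t cap_nproc(rlim_t want)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return 0;
    if (rl.rlim_max != RLIM_INFINITY && want > rl.rlim_max)
        want = rl.rlim_max;
    rl.rlim_cur = want;
    if (setrlimit(RLIMIT_NPROC, &rl) != 0)
        return 0;
    return want;
}

/* Attempt `attempts` forks.  Each child idles until killed, so every
 * successful fork keeps counting against this uid.  Returns the number
 * of forks that succeeded and stores in *eagain how many were refused
 * with EAGAIN (the kernel enforcing RLIMIT_NPROC, or a cgroup pids cap).
 * All children are terminated and reaped before returning. */
int count_forks(int attempts, int *eagain)
{
    pid_t *kids = calloc((size_t)attempts, sizeof *kids);
    int ok = 0;

    if (kids == NULL)
        return -1;
    *eagain = 0;
    for (int i = 0; i < attempts; i++) {
        pid_t pid = fork();
        if (pid == 0) {
            for (;;)
                pause();              /* child: wait for SIGTERM */
        }
        if (pid < 0) {
            if (errno == EAGAIN)
                (*eagain)++;
            continue;
        }
        kids[ok++] = pid;
    }
    for (int i = 0; i < ok; i++) {
        kill(kids[i], SIGTERM);
        waitpid(kids[i], NULL, 0);
    }
    free(kids);
    return ok;
}

/* Cap this uid at `limit` processes, try `limit + 8` forks, then restore
 * the previous soft limit (raising it back up to the hard limit is always
 * permitted).  Returns the number of successful forks, or -1 if the cap
 * could not be applied.  The parent itself counts as one process, so an
 * unprivileged uid can never get more than `limit` successes. */
int demo_fork_cap(rlim_t limit, rlim_t *applied, int *refused)
{
    struct rlimit saved;
    rlim_t eff;
    int got;

    if (getrlimit(RLIMIT_NPROC, &saved) != 0)
        return -1;
    eff = cap_nproc(limit);
    if (eff == 0)
        return -1;
    got = count_forks((int)eff + 8, refused);
    setrlimit(RLIMIT_NPROC, &saved);
    if (applied != NULL)
        *applied = eff;
    return got;
}

/* Returns 1 if the kernel honoured the cap: no more successful forks than
 * the applied limit.  Uid 0 is exempt from the check, so it passes trivially. */
int fork_cap_holds(rlim_t limit)
{
    rlim_t applied = 0;
    int refused = 0;
    int got = demo_fork_cap(limit, &applied, &refused);

    if (got < 0)
        return 0;
    return geteuid() == 0 || got <= (int)applied;
}

int main(void)
{
    rlim_t applied = 0;
    int refused = 0;
    int got = demo_fork_cap(16, &applied, &refused);

    if (got < 0) {
        perror("setrlimit/fork");
        return 1;
    }
    printf("soft RLIMIT_NPROC=%llu: %d forks succeeded, %d refused with EAGAIN\n",
           (unsigned long long)applied, got, refused);
    return 0;
}
```

setrlimit() only affects the calling process and whatever it forks or execs afterwards; to apply the same cap to every login session the equivalent is a limits.conf entry such as `@users hard nproc 200` (read by pam_limits at session start, so existing sessions keep their old limits) or `ulimit -u 200` in a shell. Lowering the hard limit is a one-way door for a non-root process, which is exactly what makes it useful as a fork-bomb brake and useless against a root user who can simply raise it again.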