Scott McDermott wrote:

> > The usual way to guard against fork bombs is to limit the number of
> > processes per user with `ulimit -Hu'.
> 
> Yeah, I've tried it, but it has to be unacceptably low to limit forkbomb
> CPU usage to something reasonable to allow ready recovery.

Hmm. I found that with a limit of 10 processes per user, it was much
easier to recover from a forkbomb than with the default of 256. Of
course, there are many factors involved, e.g. a system that starts
swapping heavily will degrade less if it has a fast HDD.

Also, having root's shell at a higher scheduling priority than the
forkbomb can make a significant difference.

> > Also, root can increase his scheduling priority. Adding `nice -n -10'
> > to root's ~/.profile may make it easier to gain control of an
> > overloaded system.
> 
> Well, nice requires a command, so I would have to invoke another
> instance of bash, or have login use a different string.

Sorry, I should have suggested `renice'. You could just re-exec the
shell via nice, but you would have to take steps to prevent an
infinite loop.

> If I prepended
> root's entry in passwd with the nice command, then would this only
> affect the login shell (which is what I want)?

The nice level is inherited, so it would affect all processes by
default.

> > > Another question...killing the forkbombs with "for P in `pidof
> > > forkbomb`; do kill -KILL $P; done" works but "killall forkbomb" does not
> > > (i.e., it just respawns itself around the kills).  Why is this?
> > 
> > Probably just fluke. If any more processes are forked after the
> > evaluation of `pidof forkbomb', the loop won't catch them.
> 
> It's not a fluke, it is reproducible and consistent.

Then it looks as if this particular forkbomb dies if its parent is
killed.

It should be fairly obvious that the `for' loop suffers from a race
condition. killall will also suffer from some form of race condition,
although it may be able to kill processes faster than a shell loop. 

The only solution that is likely to be immune from race conditions is

        su -c 'kill -KILL -1' <user>

as this will call kill(-1, SIGKILL), which should kill all of the
processes owned by that user in one go, without giving any of them a
chance to fork any children.

-- 
Glynn Clements <[EMAIL PROTECTED]>

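The two process facts the thread turns on, as an added example that is not part of the original message: first, that a nice value set in a parent is inherited across fork() (which is why a `nice` wrapped around root's login shell reaches every process started from it), and second, that a single kill(2) call with a negative pid hits a whole set of processes at once, leaving none of them a window to fork. The thread's `su -c 'kill -KILL -1' <user>` uses pid -1, "every process this caller may signal"; the demo below uses -pgid on a process group it created itself so that it does not take down whatever is running it. It assumes Linux (prctl(PR_SET_CHILD_SUBREAPER) is used so the parent can reap the orphaned grandchildren and count them); the number of grandchildren and the nice delta are arbitrary constructed inputs.

```c
/* Added example, not from the mailing-list thread above. Linux-only:
 * relies on prctl(PR_SET_CHILD_SUBREAPER) to reap orphaned grandchildren. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Raise our own nice value by `delta` (raising needs no privilege), fork,
 * and check whether the child sees the same value. Returns 1 if the nice
 * value was inherited, 0 if not, -1 on error. */
int nice_is_inherited(int delta)
{
    errno = 0;
    if (nice(delta) == -1 && errno != 0)
        return -1;
    int parent_nice = getpriority(PRIO_PROCESS, 0);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(getpriority(PRIO_PROCESS, 0) + 20); /* map -20..19 onto 0..39 */

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return (WEXITSTATUS(status) - 20) == parent_nice;
}

/* Start a group leader in its own process group plus `children` grandchildren
 * (stand-ins for forkbomb members), wait until each has reported in over a
 * pipe, then SIGKILL the whole group with one kill(2) call. `kill -KILL -1`
 * as in the thread does the same for every process the caller may signal; a
 * process group is used here so the demo only kills what it created.
 * Returns how many members were reaped with SIGKILL as the terminating
 * signal (expected: children + 1), or -1 on error. */
int kill_group_in_one_call(int children)
{
    int ready[2];
    if (prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0) != 0 || pipe(ready) != 0)
        return -1;

    pid_t leader = fork();
    if (leader < 0)
        return -1;
    if (leader == 0) {
        close(ready[0]);
        setpgid(0, 0);                       /* new group, pgid == leader pid */
        for (int i = 0; i < children; i++) {
            pid_t c = fork();
            if (c == 0) {
                if (write(ready[1], "r", 1) != 1) _exit(1);
                for (;;) pause();            /* sit here until killed */
            }
            /* 'x' marks a failed fork so the parent never blocks on the pipe */
            if (c < 0 && write(ready[1], "x", 1) != 1) _exit(1);
        }
        if (write(ready[1], "r", 1) != 1) _exit(1);
        for (;;) pause();
    }
    close(ready[1]);

    /* Proceed only once all children + 1 members have reported in, i.e. the
     * group is fully populated before the kill. */
    char c;
    for (int i = 0; i < children + 1; i++)
        if (read(ready[0], &c, 1) != 1)
            return -1;
    close(ready[0]);

    /* One syscall delivers SIGKILL to every member of the group; there is no
     * gap between kills in which a member could fork a replacement. */
    if (kill(-leader, SIGKILL) != 0)
        return -1;

    /* Reap the leader (our child) and its orphans (ours via the subreaper). */
    int killed = 0, status;
    while (waitpid(-leader, &status, 0) > 0)
        if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
            killed++;
    return killed;
}

int main(void)
{
    printf("nice inherited across fork: %d\n", nice_is_inherited(1));
    printf("group members killed by one kill(2): %d\n",
           kill_group_in_one_call(4));
    return 0;
}
```

Note that the process-group form only works because these stand-in processes never leave the group; a forkbomb that calls setsid() would escape it, which is exactly why the thread's credential-based `kill -KILL -1`, run as the offending user, is the race-free option in practice.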