Re: Linux kernels DoSable by file-max limit

2002-07-10 Thread Jim Breton

On Mon, Jul 08, 2002 at 09:30:34PM -0400, Michal Zalewski wrote:
> And they can still most likely bypass your limit by putting something
> smart in their .procmailrc / .forward / .qmail, or in so many other ways.

One could use 'initscript' to plug many of those holes:

INITSCRIPT(5)  Linux System Administrator's Manual  INITSCRIPT(5)

NAME
   initscript - script that executes inittab commands.

SYNOPSIS
   /bin/sh /etc/initscript id runlevels action process

   When  the  shell  script  /etc/initscript is present, init
   will use it to execute the commands  from  inittab.   This
   script  can  be  used  to set things like ulimit and umask
   default values for every process.



Re: pam session

2001-06-24 Thread Jim Breton

On Tue, Jun 19, 2001 at 03:11:02AM +0200, Christian Kraemer wrote:
> This is especially annoying if you
> use pam_limits.so to set rlimits. Every user could
> circumvent them easily by calling ssh in this way:
> ssh user@server /bin/sh

True.  Fwiw you can work around this by putting ulimit calls in your 
sshd invocation script.  For example:

#!/bin/sh

ulimit -d #
ulimit -f #
ulimit -l #
ulimit -m #
ulimit -n #
ulimit -s #

[etc.]

Also most Linux distributions' 'init' packages support an
/etc/initscript which will be used for invoking all children of init.
man initscript:

DESCRIPTION
   When  the  shell  script  /etc/initscript is present, init
   will use it to execute the commands  from  inittab.   This
   script  can  be  used  to set things like ulimit and umask
   default values for every process.

which is a good safety net for unforeseen issues like this one, as
well as for protecting against resource exhaustion via cron jobs, etc.

I imagine you could do the same thing on other *nixes by putting the
call somewhere early in the bootscripts.


P.S. I see this issue you raised is now being discussed on the
openssh-unix-dev list.
http://marc.theaimsgroup.com/?l=openssh-unix-dev&r=1&w=2&b=200106
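
An /etc/initscript-style wrapper of the kind both messages above describe, as an added example that is not part of the thread or of the init package: limits are set in the shell before it execs the inittab command, so every descendant inherits them whether or not a PAM session is ever opened. The function names and the limit values are constructed for illustration; the argument order follows the man page synopsis quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. init would call this file as:
#   /bin/sh /etc/initscript id runlevels action process

# Constructed sample values; tune them per host.
MAX_OPEN_FILES=64      # ulimit -n (open file descriptors)
MAX_CORE_BLOCKS=0      # ulimit -c (core dump size)

# Apply the limits to the current shell. With neither -H nor -S given,
# ulimit sets both the soft and the hard limit, so an unprivileged
# descendant cannot raise the value again.
apply_limits() {
    umask 022
    ulimit -c "$MAX_CORE_BLOCKS" || return 1
    ulimit -n "$MAX_OPEN_FILES" || return 1
}

# Entry point: $1=id $2=runlevels $3=action $4=process.
# exec replaces this shell, so the command starts with the limits applied.
run_inittab_entry() {
    apply_limits || return 1
    eval exec "$4"
}

# Checking helper (hypothetical name): run one entry in a subshell so the
# calling shell keeps its own limits, and pass through the child's output.
limits_seen_by() {
    ( run_inittab_entry "$1" "$2" "$3" "$4" )
}

# Only act as the real wrapper when installed under the name "initscript".
case "${0##*/}" in
    initscript) run_inittab_entry "$@" ;;
esac
```

The same `apply_limits` body can sit at the top of an sshd invocation script, which covers the `ssh user@server /bin/sh` case from the quoted message.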