Re: Patch Related with Fork Bombing Attack

2007-07-15 Thread Simon Arlott
On 13/07/07 13:39, Anand Jahagirdar wrote:
> This patch Warns the administrator about the fork bombing attack
> (whenever any user is crossing its process limit). I have used

> +printk(KERN_WARNING "User with uid %u is 
> crossing the process limit\n",p->user->uid);
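
Review bot: the format string in this added printk is broken across two lines inside the literal, which will not compile and suggests the mailer wrapped the patch; resend with line wrapping disabled so the string sits on one line. Kernel style also wants a space after the comma before p->user->uid.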

I have mentioned this before when it was KERN_CRIT, why is this
KERN_WARNING? It seems reasonable to have loglevel at KERN_WARNING, then
it'd go to all consoles. Just because a fork bomb would trigger this
doesn't mean you can assume it is one and raise its severity.

If the limit is working correctly then there is no need to print anything...


Also, users can arbitrarily lower their limit at any time and trigger
this printk:

$ ulimit -Su 0
$ uptime
bash: fork: Resource temporarily unavailable


If you really think this is needed then the message needs changing,
because they haven't actually gone over the limit. I'm not sure how best
to word it. What about the other limits? Max memory size and cpu time
sound just as important as max user processes to me.

-- 
Simon Arlott
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Re: Patch Related with Fork Bombing Attack

2007-07-14 Thread WANG Cong
On Fri, Jul 13, 2007 at 06:09:02PM +0530, Anand Jahagirdar wrote:
>Hello All

{snip}

>Index: root/Desktop/a1/linux-2.6.17.tar.bz2_FILES/linux-2.6.17/kernel/fork.c
>===
>--- root.orig/Desktop/a1/linux-2.6.17.tar.bz2_FILES/linux-2.6.17/kernel/fork.c 
>2007-06-26 20:40:06.0 +0530
>+++ root/Desktop/a1/linux-2.6.17.tar.bz2_FILES/linux-2.6.17/kernel/fork.c  
>2007-06-26 20:41:41.0 +0530

Please make your patch be in `patch -p1' form.

See: http://www.zip.com.au/~akpm/linux/patches/stuff/tpp.txt to learn more.

Regards!

-- 

If loving computers is wrong, I don't want to be right.


Patch Related with Fork Bombing Attack

2007-07-13 Thread Anand Jahagirdar

Hello All
   I have searched the Maintainers List to get the correct
maintainer for my patch, but I am not finding the exact maintainer to
which I should forward my patch. Will anybody please tell me to which
maintainer I should forward my patch for its inclusion?

Summary of the Patch:

This patch warns the administrator about the fork bombing attack
(whenever any user is crossing its process limit). I have used
printk_ratelimit function in this patch. This function helps to
prevent flooding of syslog and prints message as per the values set by
root user in following files:-

1) /proc/sys/kernel/printk_ratelimit:- This file contains value for,
how many times message should be printed in syslog.

2) /proc/sys/kernel/printk_ratelimit_burst: - This file contains value
for, after how much time message should be repeated.

This patch is really helpful for administrator/root user from security
point of view. They can take action against attacker by looking at
syslog messages related with fork bombing attack.

Added comments will definitely help developers.

Signed-Off-by: Anand Jahagirdar <[EMAIL PROTECTED]>
Index: root/Desktop/a1/linux-2.6.17.tar.bz2_FILES/linux-2.6.17/kernel/fork.c
===
--- root.orig/Desktop/a1/linux-2.6.17.tar.bz2_FILES/linux-2.6.17/kernel/fork.c  
2007-06-26 20:40:06.0 +0530
+++ root/Desktop/a1/linux-2.6.17.tar.bz2_FILES/linux-2.6.17/kernel/fork.c   
2007-06-26 20:41:41.0 +0530
@@ -957,12 +957,19 @@
 
retval = -EAGAIN;

-
+/*
+ * following code does not allow Non Root User to cross its process
+ * limit and it alerts administrator about user crossing the process 
limit.
+ */
+ 
if (atomic_read(>user->processes) >= 
p->signal->rlim[RLIMIT_NPROC].rlim_cur) 
if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
-   p->user != _user) 
+   p->user != _user)  {
+if (printk_ratelimit())
+printk(KERN_WARNING "User with uid %u is 
crossing the process limit\n",p->user->uid);
+
 goto bad_fork_free;
-   
+   }   

atomic_inc(>user->__count);
atomic_inc(>user->processes);
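
Review bot: the new printk hangs off the rlim[RLIMIT_NPROC].rlim_cur test, so it fires for every fork refused at the soft limit, including a limit the user lowered themselves, and "is crossing the process limit" is the wrong wording for a fork that is about to fail with -EAGAIN. Suggest wording it as a refusal and including the pid or command name next to the uid so the line is actionable. printk_ratelimit() is the shared global limiter, so one user's flood here can use up the budget for unrelated messages; a limiter private to this call site would avoid that. The opening brace is added to the inner if only, leaving the outer if to rely on indentation for its scope; brace both.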


Re: Patch Related With Fork Bombing Attack

2007-06-27 Thread Bodo Eggert
(not CCing security, since it's not a security bug and it's too late to
 verify if they should be on cc. Will do later.)

Anand Jahagirdar <[EMAIL PROTECTED]> wrote:

> This patch Warns the administrator about the fork bombing attack
> (whenever any user is crossing its process limit). I have used
> printk_ratelimit function in this patch. This function helps to
> prevent flooding of syslog and prints message as per the values set by
> root user in following files:-
> 
> 1) /proc/sys/kernel/printk_ratelimit:- This file contains value for,
> how many times message should be printed in syslog.
[...]

I'm wondering: Can these ratelimits be used to tell real forkbombs from
normal oops-i-hit-the-limits? I imagine if you have your private ratelimit,
that might just do the trick.

Beware: I have no idea on how much such an extra ratelimit would cost, and if
having that ratelimit-based detector would actually be a gain.
-- 
Ever notice how fast Windows runs? Neither did I. 
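
Bodo Eggert's question above, whether a private ratelimit could tell a real fork bomb from an ordinary limit hit, can be tried in userspace. The following is an added example, not code from the thread or from the kernel: a per-uid token bucket in which refusals beyond the burst budget are classed as a storm. The struct, the function names, the timestamps and the interval and burst values are all assumptions constructed for illustration, and the interval is assumed to be greater than zero.

```c
#include <stdio.h>

/* Userspace model of a per-uid ("private") limiter; all names are hypothetical. */
struct uid_ratelimit {
    long interval;    /* seconds needed to earn back one token */
    int  burst;       /* most hits passed through back-to-back */
    int  tokens;      /* hits that may still pass right now */
    long last_refill; /* time the bucket was last topped up */
};

enum verdict { HIT_ORDINARY, HIT_STORM };

/* Call once per fork() refused with EAGAIN for this uid, at time `now` (seconds). */
enum verdict nproc_limit_hit(struct uid_ratelimit *rl, long now)
{
    long earned = (now - rl->last_refill) / rl->interval;
    if (earned > 0) {   /* refill, capped at burst, without overflowing int */
        rl->tokens = (earned >= rl->burst - rl->tokens)
                   ? rl->burst : rl->tokens + (int)earned;
        rl->last_refill += earned * rl->interval;
    }
    if (rl->tokens > 0) {   /* within budget: an ordinary limit hit */
        rl->tokens--;
        return HIT_ORDINARY;
    }
    return HIT_STORM;       /* budget exhausted: refusals arriving in a flood */
}

/* Replays constructed timestamps of refused forks; returns how many were storm hits. */
int count_storm_hits(const long *times, int n, long interval, int burst)
{
    struct uid_ratelimit rl = { interval, burst, burst, n > 0 ? times[0] : 0 };
    int storms = 0;
    for (int i = 0; i < n; i++)
        if (nproc_limit_hit(&rl, times[i]) == HIT_STORM)
            storms++;
    return storms;
}

int main(void)
{
    long casual[] = { 0, 20, 40 };   /* constructed: three hits spread over a minute */
    long bomb[200];                  /* constructed: 200 refusals within two seconds */
    for (int i = 0; i < 200; i++)
        bomb[i] = i / 100;
    printf("casual storm hits: %d\n", count_storm_hits(casual, 3, 5, 10));
    printf("bomb storm hits:   %d\n", count_storm_hits(bomb, 200, 5, 10));
    return 0;
}
```

A user who lowers their own soft limit and retries in a tight loop would also register as a storm here, so the verdict describes the rate of refusals, not intent.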



Patch Related With Fork Bombing Attack

2007-06-26 Thread Anand Jahagirdar

Hello All
As per the discussion in the thread with the subject
"Patch Related with Fork Bombing Attack" on LKML, I have modified my
patch. I request the inclusion of my attached patch named
"fork.patch".

Summary of the Patch:

This patch warns the administrator about the fork bombing attack
(whenever any user is crossing its process limit). I have used
printk_ratelimit function in this patch. This function helps to
prevent flooding of syslog and prints message as per the values set by
root user in following files:-

1) /proc/sys/kernel/printk_ratelimit:- This file contains value for,
how many times message should be printed in syslog.

2) /proc/sys/kernel/printk_ratelimit_burst: - This file contains value
for, after how much time message should be repeated.

This patch is really helpful for administrator/root user from security
point of view. They can take action against attacker by looking at
syslog messages related with fork bombing attack.

Added comments will definitely help developers.

Signed-Off-by: Anand Jahagirdar <[EMAIL PROTECTED]>


fork.patch
Description: Binary data

