Re: Increase default nofile ulimit
On Mon, Jun 09, 2014 at 12:10:40PM +0100, Robie Basak wrote:
> AIUI, there are security implications for raising this limit system-wide
> by default, since applications that use select() are often broken and
> will become vulnerable with a higher limit.
>
> See
> https://lists.ubuntu.com/archives/ubuntu-devel/2010-September/031446.html
>
> for the previous discussion.

Update: Kees reports that setting _FORTIFY_SOURCE=2 does now add some protection to this particular failure scenario. He says: "...but now I won't be so worried when I see requests to raise the open descriptor limit above 1024."

Source: http://www.outflux.net/blog/archives/2014/06/13/5-year-old-glibc-select-weakness-fixed/

Thanks Kees!

Robie

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
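The failure mode the thread is about, shown as an added C example (this is not code from the thread, from glibc or from Ubuntu; the helpers safe_fd_set, wait_readable_poll, fd_set_word_index and run_demo are mine). It assumes Linux/glibc, where FD_SETSIZE is 1024 and an fd_set is an array of long. It raises the soft nofile limit past FD_SETSIZE, as a higher system-wide default would, obtains a descriptor numbered 1024 or above with F_DUPFD, and shows that FD_SET on that descriptor would write past the end of the fd_set while poll() handles it without any such ceiling. The unchecked write is kept behind an opt-in flag in main(): on a build with glibc's _FORTIFY_SOURCE=2 it aborts with "buffer overflow detected", which is the protection Kees describes; without it the write silently corrupts whatever follows the fd_set.

```c
/* select()/fd_set bounds demo: why raising RLIMIT_NOFILE above FD_SETSIZE
 * bites applications that call FD_SET() without checking the descriptor
 * number. Added example, not code from the mailing list or from glibc.
 * Assumes Linux/glibc: FD_SETSIZE == 1024, fd_set is long fds_bits[]. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* Index of the long that FD_SET(fd) writes to. For fd >= FD_SETSIZE this is
 * at or past sizeof(fd_set)/sizeof(long): an out-of-bounds write. */
size_t fd_set_word_index(int fd)
{
    return (size_t)fd / (8 * sizeof(long));
}

/* The check a select() user must make before FD_SET(): the macro itself
 * does not validate fd, and the fortified version aborts rather than
 * returning an error the program can handle. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* poll() has no FD_SETSIZE ceiling. Returns 1 readable, 0 timeout, -1 error. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int r = poll(&p, 1, timeout_ms);
    if (r <= 0)
        return r;
    return (p.revents & (POLLIN | POLLHUP)) ? 1 : 0;
}

struct demo_result {
    int high_fd;        /* descriptor >= FD_SETSIZE, or -1 if the limit forbids one */
    int safe_set_rc;    /* safe_fd_set() on high_fd: -1 expected */
    int safe_set_errno; /* EINVAL expected */
    int poll_rc;        /* wait_readable_poll() on high_fd: 1 expected */
};

/* Returns 0 on success (high_fd may still be -1 when the hard nofile limit
 * does not allow descriptors >= FD_SETSIZE), -1 on a setup failure. */
int run_demo(struct demo_result *out)
{
    int pfd[2];
    fd_set set;
    struct rlimit rl;

    memset(out, 0, sizeof(*out));
    out->high_fd = -1;

    if (pipe(pfd) != 0)
        return -1;
    if (write(pfd[1], "x", 1) != 1)          /* make the read end readable */
        return -1;

    /* Raise the soft limit past FD_SETSIZE, as a higher default would. */
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur <= (rlim_t)FD_SETSIZE && rl.rlim_max > (rlim_t)FD_SETSIZE) {
        rl.rlim_cur = (rlim_t)FD_SETSIZE + 8;
        if (rl.rlim_cur > rl.rlim_max)
            rl.rlim_cur = rl.rlim_max;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            return -1;
    }

    /* F_DUPFD returns the lowest free descriptor >= FD_SETSIZE. */
    int hi = fcntl(pfd[0], F_DUPFD, FD_SETSIZE);
    if (hi < 0) {
        int e = errno;
        close(pfd[0]); close(pfd[1]);
        return (e == EINVAL || e == EMFILE) ? 0 : -1;   /* limit too low here */
    }
    out->high_fd = hi;

    FD_ZERO(&set);
    out->safe_set_rc = safe_fd_set(hi, &set);    /* refused: would write past &set */
    out->safe_set_errno = errno;
    out->poll_rc = wait_readable_poll(hi, 0);     /* poll() accepts any fd */

    close(hi); close(pfd[0]); close(pfd[1]);
    return 0;
}

int main(int argc, char **argv)
{
    struct demo_result r;
    if (run_demo(&r) != 0) {
        perror("run_demo");
        return 1;
    }
    printf("sizeof(fd_set)=%zu bytes; FD_SET(%d) would write long #%zu of %zu\n",
           sizeof(fd_set), FD_SETSIZE, fd_set_word_index(FD_SETSIZE),
           sizeof(fd_set) / sizeof(long));
    if (r.high_fd < 0) {
        puts("hard nofile limit <= FD_SETSIZE: no descriptor >= 1024 available here");
        return 0;
    }
    printf("fd %d: safe_fd_set -> %d (%s), poll -> %d\n",
           r.high_fd, r.safe_set_rc, strerror(r.safe_set_errno), r.poll_rc);

    /* Opt-in: what an unchecked select() application does. With glibc's
     * _FORTIFY_SOURCE=2 this aborts ("*** buffer overflow detected ***");
     * without it, the write lands past 'set' on the stack. */
    if (argc > 1 && strcmp(argv[1], "--unsafe") == 0) {
        fd_set set;
        int fd = fcntl(0, F_DUPFD, FD_SETSIZE);
        FD_ZERO(&set);
        if (fd >= 0)
            FD_SET(fd, &set);
        puts("unchecked FD_SET returned: this build has no fortify check");
    }
    return 0;
}
```

Build it as a stock Ubuntu package would be built (-O2, which turns on _FORTIFY_SOURCE=2) and run it with --unsafe to see the abort; build with -O0 to see the silent out-of-bounds write the 2010 thread was worried about. The practical fix for an application is the check in safe_fd_set or, better, replacing select() with poll() or epoll, which do not care about descriptor numbers at all.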
Re: Increase default nofile ulimit
On 06/09/2014 07:10 AM, Robie Basak wrote:
> AIUI, there are security implications for raising this limit system-wide
> by default, since applications that use select() are often broken and
> will become vulnerable with a higher limit.
>
> See
> https://lists.ubuntu.com/archives/ubuntu-devel/2010-September/031446.html
>
> for the previous discussion.

That looks like a glibc bug from 2010. Is that still relevant? If so, why has this not been fixed?

The simple fix is to replace the 1024 spec with the result of getrlimit() for the hard limit; however, Linux supplies a non-POSIX function to raise the hard limit of an arbitrary process. Likewise, the limit may be excessively large, thus wasteful of memory.

I am certain the glibc developers are competent to dynamically grow the buffer when full, and could write such code within a four year time span. Whether they have or not is a different matter, but ... that's the question. Have they?
Re: Increase default nofile ulimit
AIUI, there are security implications for raising this limit system-wide by default, since applications that use select() are often broken and will become vulnerable with a higher limit.

See

https://lists.ubuntu.com/archives/ubuntu-devel/2010-September/031446.html

for the previous discussion.