restricting users with shell accounts

restricting users with shell accounts

Post by jfinc.. » Tue, 28 Mar 2000 04:00:00



Ok, I want to allow certain people to have shell accounts on my computer,
but I want to restrict them more than just saying "don't do this, don't do
that".  Really, I'd like to say "at any point in time, I don't want this
user (or a member of this group) using more than this percentage of cpu".
I've been told, however, that such control isn't possible in linux.  Failing
that, I've been reading up on ulimits in bash and /etc/security/limits.conf
(btw, I use redhat 6.1).  I added these lines to /etc/security/limits.conf:

*          nproc           150

Therefore, as I understand it, setting the maximum number of processes per
user to 150, setting the maximum amount of cpu time allowed to members
of group "unwheel" to 10 minutes, and setting the default priority of any
process run by a member of group "unwheel" to 10.

I then logged in as a member of group "unwheel".  I compiled and ran the
code:

#include <stdlib.h>
#include <unistd.h>

/* Jeremy's test program: an endless loop that allocates and forks,
   run to see whether the limits.conf settings were in effect. */
int main(void) {
        for(;;) {
                malloc(1000);
                fork();
        }
}

The system basically froze; on occasion I could type as a different user
(or as root) but even killall segfaulted when I tried to kill all the
processes of that user.  It was like I had never even set the limits in
/etc/security/limits.conf.

This is the kind of thing I want to prevent.  I want to make sure that
malicious users can't do things like this, or various other DoS attacks
I'm sure they can find all over the internet.  If anyone has any ideas,
recommended reading, etc., I would appreciate it.

Thanks,
Jeremy

 
 
 

restricting users with shell accounts

Post by Anthony Schlemme » Tue, 28 Mar 2000 04:00:00


I was looking at the sample limits.conf file on my system and there are many
other items you can use to limit a user's resources on your system. You
probably want to limit the amount of memory space you allow to be used as
well. Also do you need to allow 150 processes per user? Maybe scale back that
number to 40-50 processes.  It seems like it would be better to start out with
conservative values and then as you go you can always change the values to
higher values if the limits prove to be unusable for your users.

# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - an user name

#        - the wildcard *, for default entry
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit
#        - maxlogins - max number of logins for this user
#        - priority - the priority to run user process with
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
#*               hard    rss             10000
#ftp             hard    nproc           0


--
Anthony Schlemmer


 
 
 

restricting users with shell accounts

Post by David Gilla » Wed, 29 Mar 2000 04:00:00


I've never used this file myself, but would you not need to reboot so
the kernel, or whichever daemon(s) read this file get reset?

Just a thought.... :-)





--

    _/_/_/_/   _/_/_/_/                 David Gillam
   _/     _/  _/                      
  _/      _/ _/   _/_/        
 _/     _/  _/     _/                       USA
_/_/_/_/   _/_/_/_/                Fax - 01-208-246-3867

 
 
 

restricting users with shell accounts

Post by jfinc.. » Wed, 29 Mar 2000 04:00:00



>I've never used this file myself, but would you not need to reboot so
>the kernel, or whichever daemon(s) read this file get reset?

>Just a thought.... :-)

I've rebooted, restarted everything, all to no avail.

It seems that these limits apply only to the shell; not to programs executed
from the shell.  For instance, given these limits, a user can still DoS the
system using a compiled C program, but `:(){ :|:&};:` does nothing--it causes
bash to complain "fork: no resource available".

I'm still trying to figure out how to keep these users from DoS'ing the system
as regular users, though, so any ideas are welcome.

Thanks,
Jeremy




 
 
 

restricting users with shell accounts

Post by Harm Verhage » Fri, 07 Apr 2000 04:00:00


To prevent forkbombs like that you have to secure the memory and the number of
processes.

in /etc/security/limits.conf
helps for a forkbomb that only hits on the number of processes like this one:
echo "\$0&\$0">_;chmod +x _;./_
(this will freeze your computer if you have no limits)

btw don't forget to add the line
session    required /lib/security/pam_limits.so
at the end of /etc/pam.d/login
otherwise the limits.conf file won't be read :)

no reboot necessary.

kind regards,
Harm Verhagen
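A small model of the two lessons in this thread, added here as an example that is not from any of the posts: the PAM service file must actually load pam_limits.so before limits.conf has any effect, and when it does, pam_limits picks the applicable line by rank (an entry naming the user beats an @group entry, which beats the * default). The limits.conf and /etc/pam.d/login fragments inside it are constructed samples, and the user and group names are illustrative.

```python
"""Added example: model how pam_limits chooses the limits.conf lines that
apply to a login, and check that the PAM service file loads pam_limits.so
at all (without that line limits.conf is never read). Samples constructed."""

# Items the page's sample limits.conf lists (cpu in minutes, sizes in KB).
ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack",
         "cpu", "nproc", "as", "maxlogins", "priority"}
# pam_limits precedence: a line naming the user beats an @group line, which
# beats the * default; of two lines with equal rank the later one wins.
RANK = {"user": 0, "group": 1, "default": 2}


def parse_limits(text):
    """Yield (domain, type, item, value) per active line; whole-line # comments
    are skipped. pam_limits logs and skips a malformed line; here it is an
    error so a typo in a security setting does not go unnoticed."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 4 or f[1] not in ("soft", "hard", "-") or f[2] not in ITEMS:
            raise ValueError(f"limits.conf line {n}: malformed entry {line!r}")
        yield f[0], f[1], f[2], f[3]


def effective_limits(text, user, groups):
    """Return {item: {"soft": value, "hard": value}} for a login as user."""
    result, rank = {}, {}
    for domain, typ, item, value in parse_limits(text):
        if domain == user:
            r = RANK["user"]
        elif domain.startswith("@") and domain[1:] in groups:
            r = RANK["group"]
        elif domain == "*":
            r = RANK["default"]
        else:
            continue                      # line is for someone else
        for kind in (("soft", "hard") if typ == "-" else (typ,)):
            if r <= rank.get((item, kind), len(RANK)):
                rank[(item, kind)] = r
                result.setdefault(item, {})[kind] = value
    return result


def pam_loads_limits(pam_text):
    """True if the PAM service file has an active session line for pam_limits.so
    (assumes a one-word control field such as 'required')."""
    for raw in pam_text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 3 and f[0] == "session" and f[2].endswith("pam_limits.so"):
            return True
    return False


# Constructed samples in the spirit of the thread; not from any real host.
SAMPLE_LIMITS = "*         -     nproc  150\n@unwheel  hard  cpu    10\njeremy    -     nproc  40\n"
PAM_LOGIN_BEFORE = ("auth     required /lib/security/pam_unix.so\n"
                    "session  required /lib/security/pam_unix.so\n")
PAM_LOGIN_AFTER = PAM_LOGIN_BEFORE + "session  required /lib/security/pam_limits.so\n"
```

Run `effective_limits(SAMPLE_LIMITS, "alice", {"unwheel"})` to see the group cpu cap layered on the * nproc default, and `pam_loads_limits(PAM_LOGIN_BEFORE)` to see why a limits.conf with no pam_limits line in the login stack appears to do nothing.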




 
 
 

1. Restricted Shell Account

Anyone out there know anything about setting up user accounts with
restricted shells? I know you have to create or modify the account to use
/usr/lib/rsh as the shell. Where I get hazy is setting up the /usr/rbin
directory. The only references I can find say to create the directory, then
copy or link the commands to it that you want to restrict the user to. OK,
this is a dumb question, but how do you do that? I know how to copy and
link files to a directory, but commands? I just don't quite get it. Any
help would be GREATLY appreciated.

Thanks,
        John
