Fedora Linux Support Community & Resources Center
  #1  
Old 18th March 2005, 07:22 PM
devjonfos Offline
Registered User
 
Join Date: Jun 2004
Posts: 33
fork bombing

Does anybody know about this http://www.securityfocus.com/columni...8?ref=rssdebia?

The article says Red Hat is vulnerable. Does that also mean Fedora is vulnerable?

Can someone test this like the author did?
Quote:
I wrote up a very simple bourne shell script on my work machine...and executed it under my non-privileged account.
Reply With Quote
  #2  
Old 18th March 2005, 10:24 PM
jtang613 Offline
Registered User
 
Join Date: Apr 2004
Location: Ottawa, Canada
Posts: 1,931
That was an eye-opener! Just for kicks I tried the fork-bomb on my computer -- IT LOCKED UP AFTER 3 SECONDS. It seems that any 'normal' (non-root) user can log in and crash just about any stock Fedora / RedHat box.

Apparently it's an issue with how many processes are allowed by default. Just going to google the fix now. I'll post the fix when I find it.

Jason
Reply With Quote
  #3  
Old 18th March 2005, 10:25 PM
Zigzagcom Offline
Registered User
 
Join Date: Feb 2005
Location: CALIFORNIA, yeah
Age: 87
Posts: 1,657
I googled "fork scripts for linux", and found a few sites that posted some scripts. Since I do not know what I am doing, I refrained from downloading and running any of them, although I was terribly tempted ....you know, just for kicks. Next time around I have some time to mess with it, I'm going to set up FC3 on one of my 20GB HD's and try it.

If you could post a "how to" or a step by step, I would really appreciate it. I think that aspiring admins should be able to understand what can happen, and how to prevent it. It's just above my head right now to figure it out on my own.

Last edited by Zigzagcom; 18th March 2005 at 10:29 PM.
Reply With Quote
  #4  
Old 18th March 2005, 11:26 PM
jtang613 Offline
Registered User
 
Join Date: Apr 2004
Location: Ottawa, Canada
Posts: 1,931
I found a temporary fix. But this really falls short of resolving the core issue. It treats the symptom rather than curing the disease. However, it *does* prevent the system from completely locking up.

Set a hard limit for the number of processes allowed for each user. The fork-bomb relies on spawning copies of itself until a) system locks up b) user address space is full or c) user process limit is reached.

My system locked when approx 4000 procs occurred. It's probably a safe assumption that no single user ever *needs* to run more than 100 procs concurrently so a proc limit of 200 should give reasonable protection. But there's nothing to stop someone logging in 20 times and fork-bombing the system. But that can be dealt with by setting other limits.

Edit /etc/security/limits.conf and add a line similar to the following:
Code:
@users    hard    nproc    200
hth,
Jason
Reply With Quote
  #5  
Old 19th March 2005, 12:09 AM
Id4qiBd2 Offline
Registered User
 
Join Date: Nov 2004
Posts: 19
Everyone make sure you read the comments in /etc/security/limits.conf. Using the @users group may not work for everyone. I'm using:

Code:
*    hard    nproc    300
I don't *think* that will impede with any normal functionality on a server type box (no GUI running). Comments?
Reply With Quote
  #6  
Old 19th March 2005, 12:51 AM
jtang613 Offline
Registered User
 
Join Date: Apr 2004
Location: Ottawa, Canada
Posts: 1,931
Quote:
Originally Posted by Id4qiBd2
Everyone make sure you read the comments in /etc/security/limits.conf. Using the @users group may not work for everyone.
I would expect nothing less from anyone editing any config file. The @users group was merely to illustrate the technique.

Quote:
I don't *think* that will impede with any normal functionality on a server type box (no GUI running). Comments?
A properly configured server probably has separate users / groups for server processes. The individual limits can (should) be adjusted accordingly.

Jason
Reply With Quote
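Added example (not part of any post in this thread): a shell sketch that resolves which hard nproc limit a limits.conf-style file gives an account, using the two lines posted above plus constructed entries. The precedence (user entry over @group over `*`, last match of a kind wins, group and wildcard lines skipped for root) is assumed from limits.conf(5), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Precedence assumed from limits.conf(5).

# Constructed sample: the two nproc lines from the posts plus made-up entries.
sample_limits() {
cat <<'EOF'
# <domain>  <type>  <item>  <value>
*           hard    nproc   300
@users      hard    nproc   200
@users      soft    nproc   50
apache      hard    nproc   1000
@devs       -       nproc   unlimited
EOF
}

# effective_nproc USER "GROUP1 GROUP2" FILE -> prints hard limit or "unset"
effective_nproc() {
    awk -v user="$1" -v grps="$2" '
        BEGIN { n = split(grps, g, " "); for (i = 1; i <= n; i++) member["@" g[i]] = 1 }
        NF < 4 || $1 ~ /^#/        { next }   # blank, short or comment line
        $3 != "nproc"              { next }
        $2 != "hard" && $2 != "-"  { next }   # soft limits do not cap the user
        $1 == user                 { by_user = $4; next }
        user == "root"             { next }   # group/wildcard lines skip root
        ($1 in member)             { by_group = $4; next }
        $1 == "*"                  { by_any = $4 }
        END {
            if (by_user != "")       print by_user
            else if (by_group != "") print by_group
            else if (by_any != "")   print by_any
            else                     print "unset"
        }' "$3"
}

# nproc_capped USER GROUPS FILE MAX -> status 0 only if a numeric limit <= MAX applies
nproc_capped() {
    lim=$(effective_nproc "$1" "$2" "$3")
    case $lim in ''|*[!0-9]*) return 1 ;; esac   # "unset"/"unlimited" = no cap
    [ "$lim" -le "$4" ]
}

f=$(mktemp) && sample_limits > "$f"
for who in "alice:users" "bob:staff" "carol:users devs" "apache:apache" "root:root users"; do
    printf '%-8s %s\n' "${who%%:*}" "$(effective_nproc "${who%%:*}" "${who#*:}" "$f")"
done
rm -f "$f"
```

The constructed `carol` case shows a later `@devs` line undoing the `@users` cap. On a live system, `ulimit -Hu` in bash prints the hard limit actually in force for the session.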
  #7  
Old 20th March 2005, 02:33 PM
hlfmanhlfamzng Offline
Registered User
 
Join Date: Jul 2004
Location: Arris Dome
Posts: 216
I wonder why this has gone unnoticed for so long.....

And has anybody reported this to red hat? The fix that is listed should probably come standard in every install. Call me CrAzY! :-P
Reply With Quote
  #8  
Old 20th March 2005, 02:38 PM
jtang613 Offline
Registered User
 
Join Date: Apr 2004
Location: Ottawa, Canada
Posts: 1,931
Not unnoticed, just ignored. There are several RH erratas that discuss this issue, but no one seems to have taken any action to change the default settings.
Reply With Quote
  #9  
Old 20th March 2005, 04:22 PM
macemoneta Offline
Registered User
 
Join Date: May 2004
Location: NJ
Posts: 913
It's not that fedora hasn't done anything, it's that one limit doesn't work for everyone. The default limit in FC is 8K processes (ulimit -a). This is fine for large servers, the most likely to be the target of a fork-bomb.

For desktop machines, and small servers, a lower limit may be needed. The reason that I say "may" is because desktops and small servers tend to have a single user (you). Depending on what you are doing with the machine, you may or may not want a small process limit.
Reply With Quote
  #10  
Old 22nd March 2005, 05:35 AM
Jman Offline
Registered User
 
Join Date: Mar 2004
Location: Minnesota, USA
Age: 29
Posts: 7,909
These are nasty. I tried a fork bomb once, the bash one. Do not run this, unless you are willing to reboot.
Code:
:(){ :|:& };:
(Courtesy of Wikipedia) A bit of a warning, this bit of code may appear in forum signatures and the like, because it looks kind of interesting.
Reply With Quote
  #11  
Old 22nd March 2005, 05:53 AM
macemoneta Offline
Registered User
 
Join Date: May 2004
Location: NJ
Posts: 913
Quote:
Originally Posted by Jman
These are nasty. I tried a fork bomb once, the bash one. Do not run this, unless you are willing to reboot.
Code:
:(){ :|:& };:
(Courtesy of Wikipedia) A bit of a warning, this bit of code may appear in forum signatures and the like, because it looks kind of interesting.
It has no effect on any of my (properly configured) Fedora systems. The number of processes spikes for about a second, then returns to its normal count. There is no impact on system performance. The loop is terminated automatically.

I suggest that folks change the system limits as above, or add statements similar to the following to /etc/profile:

For a 512MB RAM system:

# No core files by default
ulimit -c 0 > /dev/null 2>&1
# 512MB virtual memory limit
ulimit -v 524288 > /dev/null 2>&1
# 256MB resident memory limit
ulimit -m 262144 > /dev/null 2>&1
# 128 max processes per user
ulimit -u 128 >/dev/null 2>&1

For a 1GB RAM system:

# No core files by default
ulimit -c 0 > /dev/null 2>&1
# 768MB virtual memory limit
ulimit -v 786432 > /dev/null 2>&1
# 384MB resident memory limit
ulimit -m 393216 > /dev/null 2>&1
# 128 max processes per user
ulimit -u 128 >/dev/null 2>&1

There are many resources that can be exhausted on any system. Disk space (use quotas), CPU (ulimit may help) are other areas that you may want to look at. The bottom line though is that no one can set a perfect limit for all resources, because everyone's use of a system is different (more true of individual desktops). For example, if you run applications that parallelize operations, the process limit above may be too low for you. If you only run console applications, with multiple users logging in, it may be too high.

There's no magic bullet to solving resource consumption issues.

Last edited by macemoneta; 22nd March 2005 at 06:19 AM. Reason: Remove extraneous '&'; correct statement comment.
Reply With Quote
  #12  
Old 22nd March 2005, 06:02 AM
james_in_denver Offline
Registered User
 
Join Date: Oct 2004
Posts: 1,227
Jtang, the "ulimit" setting is not a temporary fix.....

It is a very practical and certain means for a system administrator to manage resources on his computer.

Every other "mainframe" quality O/S implements a maximum process per account system, including OS/390, VAX/VMS, and just about every variety of *nux out there.

It is just that this problem would occur infrequently at most. First off, this attack is based on the ability of "joe-user" to create a shell script, then "joe-user" needs to execute the code.

In the vast majority of cases, "joe-user" does not have an "interactive shell" to a server, typically servers are accessed via a web-interface.

Furthermore, in a "single user"/"home" environment this will not be an issue either, unless you plan on "fork-bombing" yourself, in which case, you deserve the outcome.

There are a few, very limited circumstances, where I could see this being used maliciously.

However, in the end, it is no more of a security risk than someone having access to a "windows console".

Sure, if you allowed people to ssh to your server, and you didn't have user limits configured properly, somebody could lock it up. But only a very un-educated administrator would allow arbitrary ssh access to their server.
__________________
Only dead fish go with the flow....

Hmmm, what did I miss?
Reply With Quote
  #13  
Old 26th May 2006, 12:10 AM
tkoco Offline
Registered User
 
Join Date: May 2006
Location: Georgia
Posts: 127
Well, the fork bomb has been defused in FC5. I tried it on a new install and no amount of fork bombs could disable my system. I simply killed the terminal window and all those self-replicating shells died with it. Kudos to the development group!
Reply With Quote
  #14  
Old 30th May 2006, 02:34 PM
ibbo Offline
Registered User
 
Join Date: Jun 2005
Location: Leeds
Posts: 1,264
Fascinating, killed my system with ease and speed (more than once). Could not kill the shell on any occasion to do the above.

Impressive that some seemingly random series of characters can kill you with such ease.

Ibbo
__________________
A Hangover Lasts A Day, But Our Drunken Memories Last A Lifetime
--
Linux user #349545
(GNU/Linux)iD8DBQBAzWjX+MZAIjBWXGURAmflAKCntuBbuKCWenpm XoA7LNydllVQOwCfdjyzXscddzQvlhBedAcD7qfKmHo==zx0H
Reply With Quote
  #15  
Old 30th May 2006, 02:51 PM
InKo Offline
Registered User
 
Join Date: Dec 2005
Location: EU
Age: 38
Posts: 637
Quote:
Originally Posted by Jman
Code:
:(){ :|:& };:
Great! I tried your code on RHEL4 server and it is dead. Wow! I like it!
__________________
The software required «Windows 98 or better», so I installed Linux.
Reply With Quote