
Re: SELinux



http://home.tiscali.cz:8080/~cz210552/forkbomb.html

software that can be used to test your system.

2005/9/24, Arvind Autar <arvind.autar@gmail.com>:
> Hello,
>
> SELinux is perhaps not there yet, but Debian could give it a hand. No
> third party hand, if I may say so.
>
> However, how much of the time is it the software developers' mistake
> rather than SELinux's mistake?
>
> Another different question, how does debian handle fork bomb
> protection? Is this kernel related?
>
> >cat /etc/security/limits.conf
>
> @dev hard core 100000
> @dev soft nproc 20
> @dev hard nproc 35
> @dev -    maxlogins 10
>
> If the user is added to the group "dev" then it will prevent attacks
> like: perl -e "fork while fork"
>  http://en.wikipedia.org/wiki/Fork_bomb
>
> however, attacks like: in c: main(){while(1){fork();}}; in bash:  while
> : ; do tail /dev/urandom & done ; wait
> do seem to work. There is a lack of documentation about this issue on
> the debian.org documentation references. Maybe someone could clear
> this up. A protection against these things would be nice, just like in
> the old days when there was a default setting in the host tcp/ip
> wrapper.
>
> Cheers,
>
> Arvind
>
> (Could you please be so kind and CC me, I'm not subscribed )
>
>
> 2005/9/21, Mike McCarty <mike.mccarty@sbcglobal.net>:
> > Arvind Autar wrote:
> > > Hello,
> > >
> > > I have been using Debian for quite some time now; however, I have
> > > watched several distributions implementing so many great ideas, and I
> > > have been wondering why such a robust distribution as Debian
> > > GNU/Linux(*) hasn't done this. One of them is:
> > >
> > > SELinux
> > >
> > > If SELinux is also suitable for desktop users for example if we look
> > > at the targeted policy (for fedora and RHEL) it
> > > shows that it doesn't restrict users sessions. Short conclusion, there
> > > is no loss of functionality, why hasn't Debian implemented SELinux as
> > > default?
> >
> > Over in the Fedora lists, quite a number of the defects are related
> > to SELinux. I've noticed that enabling SELinux took away quite a bit
> > of functionality, not by design, but by defect.
> >
> > If it gets added to Debian, I suggest that it be shipped disabled.
> >
> > Frankly, unless one is running an Apache server or the like, I see
> > no usefulness in it. And even if one runs a server like Apache,
> > who is to say that SELinux doesn't add as many exploitable defects
> > as holes it plugs, if not more?
> >
> > Mike
> > --
> > p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
> > This message made from 100% recycled bits.
> > You have found the bank of Larn.
> > I can explain it for you, but I can't understand it for you.
> > I speak only for myself, and I am unanimous in that!
> >
>
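
The limits.conf lines quoted in the thread only apply to members of group "dev", so an account outside that group gets no nproc cap from them. The following is an added example, not part of the original messages or of Debian's tooling: a small auditor that resolves which nproc limit applies to an account. The function names, the sample accounts and the precedence rule (user entry over @group entry over "*" wildcard, later line wins within a class) are assumptions of this example.

```python
# Added example: resolve the nproc limit pam_limits would apply to a user.
# Assumed precedence: user entry > @group entry > "*" wildcard; within one
# class, a later line replaces an earlier one.

# Constructed sample: the limits.conf lines quoted in the thread.
SAMPLE = """\
# <domain> <type> <item> <value>
@dev hard core 100000
@dev soft nproc 20
@dev hard nproc 35
@dev -    maxlogins 10
"""

UNLIMITED = {"unlimited", "infinity", "-1"}


def _rank(domain, user, groups):
    """Return match priority for a domain field, or None if it does not apply."""
    if domain == user:
        return 3
    if domain.startswith("@") and domain[1:] in groups:
        return 2
    if domain == "*":
        return 1
    return None


def effective_nproc(text, user, groups):
    """Return {'soft': v, 'hard': v}; v is an int, or None when no limit applies."""
    best = {"soft": (0, None), "hard": (0, None)}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4 or fields[2] != "nproc":
            continue
        domain, kind, _, value = fields
        rank = _rank(domain, user, groups)
        if rank is None or kind not in ("soft", "hard", "-"):
            continue
        limit = None if value in UNLIMITED else int(value)
        for k in (("soft", "hard") if kind == "-" else (kind,)):
            if rank >= best[k][0]:
                best[k] = (rank, limit)
    return {k: v[1] for k, v in best.items()}


def unprotected(text, accounts):
    """List users from {user: groups} that end up with no hard nproc cap."""
    return [u for u, g in accounts.items()
            if effective_nproc(text, u, g)["hard"] is None]
```

Calling `unprotected(SAMPLE, {"alice": {"dev"}, "bob": {"users"}})` reports only the account outside "dev"; adding a `* hard nproc` line gives every account a default cap.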


