
Re: security probs with su (sh-utils 1.16)



On Sun, Mar 26, 2000 at 12:28:46AM +0100, Ingo Saitz wrote:

> This is not a problem with su but with missing process limits.
> You can replace "su" with any program you like. The shell tries
> to expand the command line using the output of "cat
> /dev/urandom". You won't get EOF from /dev/urandom, so the shell
> eats all available memory until swap is filled up. Linux then
> starts to kill those processes that allocate memory. If it hits
> e.g. your Xserver first you are lost.

that would explain why this does not work on my system.

> Type the following line into your bash prompt to get the same
> effect. Note that using /dev/urandom instead of /dev/zero raises
> the chance that the process triggering the memory limit won't be
> bash:
> 
> `cat /dev/urandom`

[eb@socrates eb]$ bash
[eb@socrates eb]$ `cat /dev/urandom`
bash: xrealloc: cannot reallocate 16777216 bytes (0 bytes allocated)
[eb@socrates eb]$

set resource limits! ;-)

> If you want to avoid such attacks, set process limits.

quite right.  however having done this i can say resource limits do
not seem to be well documented at all, sure i can find out HOW to set
each limit, what i could not find much info on was WHAT to set these
limits to.  I just asked the list and had a couple people who had set
them on their systems to show me what they were and how much memory
etc their system has.  at that point i just winged it and tried a few
tests to see how much i could limit before things started to
break.  this is however a rather time consuming and painful way to set
limits.... (it seems i got them set fairly well though ;-))

does anyone know of some documentation on _what_ to set the limits to?
this would probably be dependent on the system's resources, such as
amount of memory/swap etc.  but there has to be a more efficient way
to deal with this than hours and hours of trial and error. (i spent 2
or 3 days on this!) I think this is why almost nobody sets any
resource limits and remains vulnerable to trivial attacks like this.

also what is the best way to set resource limits, per user on wdm
(which uses PAM improperly, ignoring session modules) or xdm (which
does not use PAM at all (last time i checked))?  for all other
interactive logins pam_limits works very nicely.  (the best way i
suppose would be to fix wdm's pam support, but i don't know how to do
that :(  )

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
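
The limit recommended in this thread, as an added shell example (not part of the original message): a subshell is given an address-space cap with `ulimit -v`, and a command substitution larger than the cap fails instead of filling memory and swap. The function names, the 128 MiB cap and the bounded `/dev/zero` input are assumptions chosen for the demonstration.

```shell
#!/bin/bash
# Added example: cap the address space of a subshell so that an oversized
# command substitution fails with an allocation error.
# CAP_KB is an assumed demonstration value, not a recommended setting.
CAP_KB=131072   # 128 MiB, in the KiB units that "ulimit -v" takes

# expand_bounded BYTES: capture BYTES bytes in a shell variable and print
# how many arrived. The input is /dev/zero cut off by head, so the run
# always ends; tr turns the NULs into a character the shell keeps.
expand_bounded() {
    data=$(head -c "$1" /dev/zero | tr '\0' 'a')
    echo "${#data}"
}

# run_capped LIMIT_KB COMMAND [ARGS...]: run COMMAND in a subshell whose
# virtual memory is limited to LIMIT_KB. The parentheses keep the limit
# from sticking to the calling shell.
run_capped() {
    limit_kb=$1
    shift
    (
        ulimit -v "$limit_kb" || exit 125   # the limit could not be set
        "$@"
    )
}

# demo: one expansion that fits under the cap, one that does not.
demo() {
    echo "1 MiB with a ${CAP_KB} KiB cap:"
    run_capped "$CAP_KB" expand_bounded 1048576
    echo "256 MiB with a ${CAP_KB} KiB cap:"
    run_capped "$CAP_KB" expand_bounded 268435456
    echo "exit status of the oversized run: $?"
}

# Run the demonstration only when asked: ./capped.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

For login sessions the corresponding pam_limits setting is the `as` item in limits.conf, which is also given in KB.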

