
Re: Aint this a bug or i'm just the one having this problem



On Fri, Oct 27, 2000 at 01:24:07PM +0200, Robert Waldner wrote:

> >the solution: configure resource limits.
> 
> How?

guess ;-)

seriously though i tried very hard to find any documentation/howto on
configuring resource limits and didn't come up with much.  i just
messed with it for a long time, and got some examples from a few
folks on this list.  

my account has the following resource limits, they are much tighter
for untrusted accounts:

[eb@socrates eb]$ ulimit -a
core file size (blocks)     1000000
data seg size (kbytes)      102400
file size (blocks)          unlimited
max locked memory (kbytes)  5120
max memory size (kbytes)    46080
open files                  150
pipe size (512 bytes)       8
stack size (kbytes)         8192
cpu time (seconds)          63072000
max user processes          70
virtual memory (kbytes)     51200
[eb@socrates eb]$

the only thing i really run into problems with on this is running MOL
or VMWARE.  i have hard limits set higher, those are soft so i can
raise them for those specific programs.  (i just have a wrapper shell
script to raise the limits then exec the bloated program.)

these limits seem to withstand most DoS type attacks, such as Netscape
;-)

note that this will probably not stop a determined user from crashing
your machine, there are ways to work around these by running multiple
processes/logins.  this just makes it harder.  if you have an
obnoxious user who deliberately is trying to take your machine down i
recommend /usr/sbin/userdel.

also note that max memory size (aka RSS) is ignored by current
kernels.  linux resource limits still suck unfortunately.  virtual
memory limits are really what is doing the protection AFAIK. 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
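
The wrapper approach mentioned in the message (soft limits kept low, raised only for specific programs), as an added example that is not part of the original post or the author's own script. The function names and the 262144 kB targets are assumptions chosen for illustration; the post does not give its hard limit values.

```shell
#!/bin/sh
# Added example: raise selected soft limits (never past the hard limit),
# then exec the real program. All limit values here are constructed.

# raise_soft_limit FLAG WANT
#   FLAG is a ulimit resource letter (v = virtual memory, d = data seg,
#   n = open files); WANT is a number in ulimit's units or "unlimited".
raise_soft_limit() {
    rsl_flag=$1
    rsl_want=$2
    rsl_hard=$(ulimit -H "-$rsl_flag") || return 1
    rsl_soft=$(ulimit -S "-$rsl_flag") || return 1

    # An unprivileged process cannot exceed the hard limit: clamp to it.
    if [ "$rsl_hard" != unlimited ]; then
        if [ "$rsl_want" = unlimited ] || [ "$rsl_want" -gt "$rsl_hard" ]; then
            rsl_want=$rsl_hard
        fi
    fi

    # Only ever raise: leave a soft limit that is already high enough.
    if [ "$rsl_soft" = unlimited ]; then
        return 0
    fi
    if [ "$rsl_want" != unlimited ] && [ "$rsl_want" -le "$rsl_soft" ]; then
        return 0
    fi
    ulimit -S "-$rsl_flag" "$rsl_want"
}

# run_with_raised_limits PROGRAM [ARGS...]
#   The raised limits apply only to this process and what it execs;
#   the login shell keeps its tighter soft limits.
run_with_raised_limits() {
    raise_soft_limit v 262144 || echo "warning: could not raise -v" >&2
    raise_soft_limit d 262144 || echo "warning: could not raise -d" >&2
    exec "$@"
}

# Invoked as: wrapper.sh /path/to/program args...
[ "$#" -eq 0 ] || run_with_raised_limits "$@"
```
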
