prevent forks

Postby salam » Wed Jul 19, 2006 7:27 am

hello,

i've set up a policy for my system and its applications and everything seems to work except for one issue
there are 2 files
/etc/limits.conf
/etc/security/limits

in these, process limits can be set up for users, but it doesn't work for root.
if i understand correctly, RES_NPROC in grsec can help with eliminating any fork-bomb-related risk.
i used :(); { :|:& };: as a test; for users it works, for root no.
i've tried to place RES_NPROC under various subjects in the root ACL, but the system always went down after execution.

how can i solve this issue? (where to place this limit in ACL to make it work?)
salam
 
Posts: 27
Joined: Wed Jul 19, 2006 7:22 am

anti-fork bombing

Postby TSJason » Thu Jul 20, 2006 4:33 pm

salam,

you can add something like the following to your /etc/bashrc (assuming your users and root are all in the bash shell):

Code:
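# Default limits, applied first; any error from ulimit is discarded.
ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null

# Work out the current user, preferring whoami over $USER when it is available.
LIMITUSER=$USER
if [ -x "/usr/bin/whoami" ]; then
        LIMITUSER=$(/usr/bin/whoami)
fi
# Non-root users get tight limits (-u 20 caps their process count); root keeps the defaults.
if [ "$LIMITUSER" != "root" ]; then
        ulimit -n 100 -u 20 -m 200000 -d 200000 -s 8192 -c 200000 -v 200000 2>/dev/null
else
        ulimit -n 4096 -u 14335 -m unlimited -d unlimited -s 8192 -c 1000000 -v unlimited 2>/dev/null
fi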
TSJason
 
Posts: 13
Joined: Fri Jul 01, 2005 6:24 am

Postby salam » Mon Jul 24, 2006 4:02 pm

i'm not quite sure, isn't root able to set ulimits manually? so writing ulimit -u 500 in the root shell will override the default 300 set by bashrc?
and furthermore, what about processes that are not executed by bash?
salam
 
Posts: 27
Joined: Wed Jul 19, 2006 7:22 am
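
An added example, not part of any post in this thread: a POSIX shell check that reads the "Max processes" row of /proc/<pid>/limits and lists processes whose soft process limit is above a chosen threshold, which shows what a limit set in /etc/bashrc never reached. The function names, the threshold and the sample tree are assumptions constructed for illustration, and the kernel must provide /proc/<pid>/limits.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: sh nproc_audit.sh THRESHOLD
# (nproc_audit.sh is a hypothetical file name.)

# Print "soft hard" for RLIMIT_NPROC from a file in /proc/<pid>/limits format.
nproc_limits() {
    awk '/^Max processes/ { print $3, $4 }' "$1"
}

# Succeed when a soft limit is "unlimited" or numerically above the threshold.
exceeds() {   # usage: exceeds SOFT THRESHOLD
    [ "$1" = "unlimited" ] || [ "$1" -gt "$2" ]
}

# Walk a proc-style tree; print one line per process above the threshold.
audit_nproc() {   # usage: audit_nproc PROC_ROOT THRESHOLD
    root=$1; threshold=$2
    for f in "$root"/[0-9]*/limits; do
        [ -r "$f" ] || continue                  # process exited or not readable
        pid=${f%/limits}; pid=${pid##*/}
        set -- $(nproc_limits "$f" 2>/dev/null)  # $1=soft $2=hard
        [ $# -eq 2 ] || continue
        if exceeds "$1" "$threshold"; then
            printf '%s %s soft=%s hard=%s\n' "$pid" \
                "$(cat "$root/$pid/comm" 2>/dev/null)" "$1" "$2"
        fi
    done
}

# Constructed sample data: a fake proc tree, so the check can be tried offline.
write_limits() {   # usage: write_limits FILE SOFT HARD
    printf '%-25s %-20s %-20s %s\n' 'Limit' 'Soft Limit' 'Hard Limit' 'Units' \
        'Max processes' "$2" "$3" 'processes' > "$1"
}
make_sample() {   # usage: make_sample DIR
    mkdir -p "$1/101" "$1/202" "$1/303"
    echo bash  > "$1/101/comm"; write_limits "$1/101/limits" 20 20        # user shell
    echo httpd > "$1/202/comm"; write_limits "$1/202/limits" unlimited unlimited
    echo bash  > "$1/303/comm"; write_limits "$1/303/limits" 14335 14335  # root shell
}

# Scan the live system only when a threshold is given on the command line.
if [ $# -gt 0 ]; then
    audit_nproc /proc "$1"
fi
```

On the constructed tree, a threshold of 100 reports the daemon that never ran bashrc and the root shell, but not the user shell capped at 20.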

