
Restrict shell loop

Posted: Sun Mar 20, 2016 5:26 pm
by -sanches-
How to restrict shell loop commands by RBAC?
The simplest DoS, for example:

Code:
localhost ~ # while true;  do echo 1 > /dev/null  ; done &
[9] 3680
localhost ~ # while true;  do echo 1 > /dev/null  ; done &
[10] 3681
localhost ~ # while true;  do echo 1 > /dev/null  ; done &
[11] 3682
localhost ~ # while true;  do echo 1 > /dev/null  ; done &
[12] 3683

etc...


"RES_CPU 50 100" was set in "subject /bin/bash", but it did not solve this issue.

Re: Restrict shell loop

Posted: Fri Apr 01, 2016 2:51 pm
by jacekalex
Code:
ulimit -u  2

Code:
while true;  do echo 1 > /dev/null  ; done &
bash: fork: retry: Brak procesów potomnych
bash: fork: retry: Brak procesów potomnych
bash: fork: retry: Brak procesów potomnych


Try standard ulimit or /etc/security/limits.conf to limit the maximum number of processes per user.
To limit RAM use cgroup.memory, to limit CPU use cgroup.cpu, to filter access to the network use cgroup.net_cls +
Code:
 CONFIG_NETFILTER_XT_MATCH_CGROUP

in the kernel.
To limit resources you do not need RBAC; standard tools give you full control. ;)

Cheers
8)
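
The limits.conf approach suggested in the reply only helps if the entry actually applies to the account in question, so here is an added example (not part of either post) that reports which hard nproc value a limits.conf-style file gives a user. The function name `effective_nproc` and the sample file are constructed for illustration; it reads a single file (not limits.d), assumes the last matching line at the same precedence wins, and follows limits.conf(5) in not applying group and wildcard entries to root.

```shell
#!/bin/sh
# Added example: audit the hard nproc limit a limits.conf-style file assigns.
# Usage: effective_nproc FILE USER [GROUP...]   (hypothetical helper name)
effective_nproc() {
    file=$1; user=$2; shift 2
    awk -v user="$user" -v groups="$*" '
        BEGIN {
            n = split(groups, g, " ")
            for (i = 1; i <= n; i++) ingroup["@" g[i]] = 1
            best = 0; value = "unset"
        }
        { sub(/#.*/, "") }                    # strip comments
        NF != 4 || $3 != "nproc" { next }     # only 4-field nproc entries
        $2 != "hard" && $2 != "-" { next }    # a soft limit can be raised by the user
        {
            # Precedence: user entry (3) > group entry (2) > wildcard (1).
            # Group and wildcard entries are not applied to root.
            rank = 0
            if ($1 == user) rank = 3
            else if (user != "root" && ($1 in ingroup)) rank = 2
            else if (user != "root" && $1 == "*") rank = 1
            if (rank > 0 && rank >= best) { best = rank; value = $4 }
        }
        END { print value }
    ' "$file"
}

# Constructed sample file, not taken from any real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <domain>  <type>  <item>  <value>
*           hard    nproc   200
@students   hard    nproc   50
alice       soft    nproc   10
bob         -       nproc   20
EOF

for who in "alice students" "bob" "carol" "root"; do
    set -- $who                               # first word = user, rest = groups
    printf '%-6s hard nproc: %s\n' "$1" "$(effective_nproc "$sample" "$@")"
done
```

An "unset" result for root means the file leaves that account without a hard process cap; the session in the question was run from a root prompt.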