On Dec 5, 2007, at 6:20 PM, Douglas A. Tutty wrote:
I don't know if OpenBSD has any other tricks under the hood to protect
the system from a milicious but legitimate shell user.
They might have a few, I don't know. It's worth noting that their
brag line on their website only refers to *remote* security holes.
They don't make any guarantees about protecting you from your own users.
Preventing a malicious shell user from gaining root is usually
possible, with care, but preventing a malicious user from creating a
denial-of-service situation is often impossible. You can't really
set memory and process limits low enough to prevent a user from
bogging the machine down without cutting legitimate applications off
at the knees, so a "fork bomb" almost always results in an unusable
system.
Unless you're running a public open-access system with shell access
(rare), this type of problem is usually best dealt with by having a
"friendly" chat with the user in question. If the user is local you
may want to bring a length of "sucker rod." (See item 5 of the
SECURITY THREATS section of the Linux sysklogd(8) manpage.)
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
