ulimit strangeness

Magnus Therning magnus at therning.org
Thu Aug 18 11:52:18 CDT 2005


Are there reasons for the following:

 - /etc/security/limits.conf contains only comments. (Running 'limits'
   shows that there are some limits, but not everything is limited.)

 - /etc/security/limits.conf has the following permissions:

    % ls -l /etc/security/limits.conf
    -rw-r--r--  1 root root 1519 2004-10-26 15:40 /etc/security/limits.conf

   Despite this quote from limits.conf(5):

     The limits.conf file (/etc/security/limits.conf) describes the
     resource limits you wish to impose.  It should be owned by root and
     readable  by root account only.

I know there is a Hardened Ubuntu project (at least there was one), but
I still think that the base system should do its best to be secure by
default. Having defaults that allow a fork bomb, a truly ancient attack,
is not my definition of "secure by default".

/M

P.S. I saw on LWN[1] a few months ago that several distros were
vulnerable to this[2], however at that time Debian escaped. Now it seems
Debian Sarge is vulnerable as well[3], a clear regression IMHO.

1. http://lwn.net/
2. http://www.securityfocus.com/columnists/308
3. http://ubuntuforums.org/archive/index.php/t-20775.html

-- 
Magnus Therning                    (OpenPGP: 0xAB4DFBA4)
magnus at therning.org
http://therning.org/magnus

Software is not manufactured, it is something you write and publish.
Keep Europe free from software patents, we do not want censorship
by patent law on written works.

The NSA regularly lies to people who ask it for advice on export
control. They have no reason not to; accomplishing their goal by any
legal means is fine by them. Lying by government employees is legal.
      -- John Gilmore
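
An added example, not part of the original post: a small audit of the two points raised above, namely whether limits.conf has any active per-user process cap and whether its ownership and mode match the limits.conf(5) text quoted. The function names and sample file contents are constructed for illustration, and only the single file is read.

```python
import os

# Constructed sample: a file holding only comments, as described in the post.
COMMENTS_ONLY = "#<domain> <type> <item> <value>\n#@student hard nproc 20\n"
# Constructed sample: the same kind of file with process caps enabled.
WITH_NPROC = "* hard nproc 200\n@admin - nproc 1000\nroot soft core 0\n"

def active_entries(text):
    """Return (domain, type, item, value) for every non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment text
        fields = line.split()
        if len(fields) == 4:
            entries.append(tuple(fields))
    return entries

def nproc_rules(text):
    """Entries capping process count; 'hard' or '-' cannot be raised by the user."""
    return [e for e in active_entries(text)
            if e[2] == "nproc" and e[1] in ("hard", "-")]

def mode_findings(st):
    """Compare a stat result with 'owned by root and readable by root only'."""
    findings = []
    if st.st_uid != 0:
        findings.append("not owned by root")
    if st.st_mode & 0o077:
        findings.append("accessible by group/other")
    return findings

if __name__ == "__main__":
    path = "/etc/security/limits.conf"
    with open(path) as fh:
        rules = nproc_rules(fh.read())
    print("hard nproc rules:", rules or "none set in this file")
    print("mode findings:", mode_findings(os.stat(path)) or "none")
```
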