ULIMIT for root

Bruno Galindro da Costa bruno.galindro at gmail.com
Tue Aug 14 22:01:40 UTC 2012


   The kernel process root's ulimit values? I'm trying to prevent forkbomb
with root account, but no success...

   I've changed the max number of process in /etc/security/limits.conf for
root and non root users, rebooted the machine, verified that the limit is
correctly set (via ulimit -u) but the bash forkbomob still works even with
a 100 max process setted. But with a normal user, the kernel prevents the
attack. So, it was processing the ulimit values only for non root users.

root at ubuntu100464bits:~# cat /etc/pam.d/login
auth            required        pam_tally2.so deny=3 even_deny_root
auth            optional        pam_faildelay.so  delay=3000000
auth            required        pam_securetty.so
auth            requisite       pam_nologin.so
session         [success=ok ignore=ignore module_unknown=ignore
default=bad] pam_selinux.so close
session         required        pam_env.so readenv=1
session         required        pam_env.so readenv=1
@include        common-auth
auth            optional        pam_group.so
*session         required        pam_limits.so*
session         optional        pam_lastlog.so
session         optional        pam_motd.so
session         optional        pam_mail.so standard
@include        common-account
@include        common-session
@include        common-password
session         [success=ok ignore=ignore module_unknown=ignore
default=bad] pam_selinux.so open

root at ubuntu100464bits:~# cat /etc/security/limits.conf
*root    -    nproc    100*
*        -    nproc    100

root at ubuntu100464bits:~# lsb_release -a
No LSB modules are available.
Distributor ID:Ubuntu
*Description:Ubuntu 10.04.4 LTS*

root at ubuntu100464bits:~# ulimit -u

root at ubuntu100464bits:~# uname -a
Linux ubuntu100464bits *2.6.32-41-generic* #94-Ubuntu SMP Fri Jul 6
18:00:34 UTC 2012 x86_64 GNU/Linux

root at ubuntu100464bits:~# *:(){ :|:& };:*       <-------   THIS IS THE FORK

    I'm doing something wrong?

Bruno Galindro da Costa
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20120814/69591c46/attachment.html>

More information about the ubuntu-users mailing list