| View previous topic :: View next topic |
| Author |
Message |
Phoenix591
Guru
Joined: 17 Sep 2007
Posts: 495
|
 Posted: Fri Apr 04, 2008 4:01 pm Post subject: One security tip |
 |
|
| keep dd in a seperate group and make it 770 , it is too easy to steal resources and cause a local DoS with a simple bash loop such as while /bin/true ; do dd if=/usr/bin/* of=/dev/null & ; done & . which will continuously spawn dd processes reading your entire /usr/bin/ . oh, and I guess if others would share a security tip to continue this thread, that would be nice. |
|
| Back to top |
|
 |
i92guboj
Bodhisattva
Joined: 30 Nov 2004
Posts: 10315
Location: Córdoba (Spain)
|
| Posted: Fri Apr 04, 2008 4:04 pm Post subject: Re: One security tip |
|
|
| g2g591 wrote: | | keep dd in a seperate group and make it 770 , it is too easy to steal resources and cause a local DoS with a simple bash loop such as while /bin/true ; do dd if=/usr/bin/* of=/dev/null & ; done & . which will continuously spawn dd processes reading your entire /usr/bin/ . oh, and I guess if others would share a security tip to continue this thread, that would be nice. |
Read on ulimit to know how to limit the resources that a given user can use. |
|
| Back to top |
|
|
aronparsons
Tux's lil' helper
Joined: 04 Oct 2004
Posts: 117
Location: Virginia
|
| Posted: Fri Apr 04, 2008 6:59 pm Post subject: Re: One security tip |
|
|
| i92guboj wrote: | | g2g591 wrote: | | keep dd in a seperate group and make it 770 , it is too easy to steal resources and cause a local DoS with a simple bash loop such as while /bin/true ; do dd if=/usr/bin/* of=/dev/null & ; done & . which will continuously spawn dd processes reading your entire /usr/bin/ . oh, and I guess if others would share a security tip to continue this thread, that would be nice. |
Read on ulimit to know how to limit the resources that a given user can use. |
/etc/security/limits.conf specifically. You'll need to set hard limits if you have untrusted users. |
|
| Back to top |
|
|
timeBandit
Bodhisattva
Joined: 31 Dec 2004
Posts: 2719
Location: here, there or in transit
|
| Posted: Fri Apr 04, 2008 7:20 pm Post subject: Re: One security tip |
|
|
| g2g591 wrote: | | keep dd in a seperate group and make it 770 , it is too easy to steal resources and cause a local DoS with a simple bash loop such as while /bin/true ; do dd if=/usr/bin/* of=/dev/null & ; done & . which will continuously spawn dd processes reading your entire /usr/bin/ . oh, and I guess if others would share a security tip to continue this thread, that would be nice. |
This gains nothing--the same "vulnerability" exists for cp, tar, cpio, mv, zip, gzip, cat, more, all shells, .... What would you have users do, log in and watch the pretty lights and nothing more? Read up on ulimit/limits.conf, as advised.
_________________
Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others. |
|
| Back to top |
|
|
i92guboj
Bodhisattva
Joined: 30 Nov 2004
Posts: 10315
Location: Córdoba (Spain)
|
| Posted: Fri Apr 04, 2008 7:29 pm Post subject: Re: One security tip |
|
|
| timeBandit wrote: | | g2g591 wrote: | | keep dd in a seperate group and make it 770 , it is too easy to steal resources and cause a local DoS with a simple bash loop such as while /bin/true ; do dd if=/usr/bin/* of=/dev/null & ; done & . which will continuously spawn dd processes reading your entire /usr/bin/ . oh, and I guess if others would share a security tip to continue this thread, that would be nice. |
This gains nothing--the same "vulnerability" exists for cp, tar, cpio, mv, zip, gzip, cat, more, all shells, .... What would you have users do, log in and watch the pretty lights and nothing more? Read up on ulimit/limits.conf, as advised. |
Yep. In fact, you don't even need a program. We all know about the infamous bash logic bombs (whoever who's reading this, please, don't run it because it will take your system down):
This creates a function called ":" (it could be any other name, it's just cooler), and then launches it. Since it's a recursive function and it's forked on each recursion, it will soon suck all the resources from your machine, forcing you to reboot unless you are extremely patient and know now to fight against the bomb.
So, even if you limit the permissions (which is impossible of course), you can still be screwed by a simple bash function that does nothing, but forking itself once and again, and again and again. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
