On 10 May 2011 01:23, Stephen John Smoogen <smooge@xxxxxxxxx> wrote:
> 2011/5/9 Michał Piotrowski <mkkp4x4@xxxxxxxxx>
>>
>> 2011/5/10 Lennart Poettering <mzerqung@xxxxxxxxxxx>:
>> > On Mon, 09.05.11 23:54, Michał Piotrowski (mkkp4x4@xxxxxxxxx) wrote:
>> >> No, only for /run/user/ - because there is a simple workaround that
>> >> can be used on affected systems if the administrator considers his
>> >> system as vulnerable to malicious users.
>> >
>> > Again, we had /dev/shm for years on Linux. This weakness in the security
>> > model is not news, not at all.
>>
>> Yes, but /run/user is a new thing and it gives a wonderful opportunity
>> to DoS services for all system users. That's my POV. And my POV is that
>> it should be documented - users should be aware of this. Also FPL
>> agreed with my arguments.
>>
>> That's all. If you do not agree with that, then I'm giving up :)
>>
>
> Let's make this simple:
>
> FAQ: How can I make my system unusable? How can I create a denial of service?
>
> Answer: On default systems there are multiple ways to do this, please
> choose one or more of the following:
>
> a) Denial of CPU. The Fork Bomb is the standard way to kill a system:
> In a shell type the following:
>
> :(){ :|: & };:
>
> perl -e 'fork while fork'

I wonder if there is a way to add some memory/cpu time/etc restrictions
to /sys/fs/cgroup/systemd/user/ control groups using systemd.

systemd already isolates the user processes in control groups, so
adding the ability to add restrictions is probably not a bad idea from
my POV.

>
> b) Denial of Filesystem. There are several ways of doing this. Usually
> it can be done quickly by the following:
>
> dd if=/dev/zero of=<filename>
>
> is a standard, but easily fixed by deleting one file. Adding some
> flair you can create randomly created files in multiple places.
>
> Places of entry where a system can cause problems are the following:
>
> /tmp/
> /var/tmp/
> /dev/shmem/
> /run/file/
>
> c) Denial of Logs
> while true; do
> logger $( dd if=/dev/urandom count=1 bs=128 2> /dev/null |tr -dC
> '[:print:]' )
> done
>
> d) Denial of service via audits
> while true; do
> cat /etc/shadow
> done
>
>
> Doing a, b, c, and d at the same time is always fun for the family.
> There are many other ways you as a user can cause problems to your own
> system...
>
> --
> Stephen J Smoogen.
> "The core skill of innovators is error recovery, not failure avoidance."
> Randy Nelson, President of Pixar University.
> "Let us be kind, one to another, for most of us are fighting a hard
> battle." -- Ian MacLaren
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
>

--
Best regards,
Michal

http://eventhorizon.pl/
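
An added example, not part of the original message or of systemd itself: a shell audit that lists per-user control groups with no ceiling on tasks, memory or CPU, which is the gap the reply above asks about. It assumes the current cgroup v2 layout (`user.slice/user-<UID>.slice` with `pids.max`, `memory.max` and `cpu.max`, the files that systemd's `TasksMax=`, `MemoryMax=` and `CPUQuota=` settings write), not the 2011 path `/sys/fs/cgroup/systemd/user/` named in the mail; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report per-user cgroups that have no task, memory or CPU cap.
# Assumption: cgroup v2 unified hierarchy mounted at /sys/fs/cgroup.

# read_limit FILE -> prints the first field of a cgroup interface file, or
# "missing" when the file is absent (controller not enabled for that cgroup).
read_limit() {
    if [ -r "$1" ]; then
        # cpu.max holds "<quota> <period>"; only the quota matters here.
        read -r value _rest < "$1" || true
        printf '%s\n' "${value:-missing}"
    else
        printf 'missing\n'
    fi
}

# audit_user_slices [ROOT] -> one finding per line: "<slice> <file>=<value>"
# A value of "max" means unlimited. ROOT defaults to the live hierarchy and
# can be pointed at a constructed directory tree for testing.
audit_user_slices() {
    root="${1:-/sys/fs/cgroup}"
    for slice in "$root"/user.slice/user-*.slice; do
        [ -d "$slice" ] || continue
        name="${slice##*/}"
        for file in pids.max memory.max cpu.max; do
            limit="$(read_limit "$slice/$file")"
            case "$limit" in
                max|missing) printf '%s %s=%s\n' "$name" "$file" "$limit" ;;
            esac
        done
    done
}

# unlimited_count [ROOT] -> number of findings; 0 means every slice is capped.
unlimited_count() {
    audit_user_slices "$1" | wc -l | tr -d ' '
}

# Usage: audit_user_slices            (live system)
#        audit_user_slices /some/dir  (constructed tree)
```
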