Re: raise fileno limit to make Steam Proton / Wine+esync work well in Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 08/10/18 16:43, John Reiser wrote:
> On 10/8/18 2026 UTC, Zebediah Figura wrote:
>> On 08/10/18 2000 UTC, John Reiser wrote:
>>> Allowing 1M open files per unprivileged process is too many.
>>>
>>> Megabytes of RAM are precious.  A hard limit of 1M open files per
>>> process
>>> allows each process to eat at least 256MB (1M * sizeof(struct file)
>>> [linux/fs.h]) of RAM.  If a single user is allowed 1000 processes,
>>> then that's 256GB of RAM, which is a Denial-of-Service attack.
>>>
>>> Yes, 4096 open files is not enough.  Raise it to 65536.
>>>
>>
>> Correct me if I'm wrong, but wouldn't this be capped by the system-wide
>> limit (i.e. it would hit ENFILE) before presenting a problem?
> 
> That means that a different DoS can happen even sooner,
> at (ENFILE / 1M) processes.  No other process could open() a file.

Sure, but in order to prevent that you'd almost always need to *lower*
NOFILE. I don't know what kind of policies Fedora (or any other
distribution) has regarding this kind of attack mitigation, but it seems
dubious to me that this is worth doing.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux