Restrict shell loop

Postby -sanches- » Sun Mar 20, 2016 5:26 pm

How do I restrict shell loop commands with RBAC?
The simplest DoS, for example:

    localhost ~ # while true;  do echo 1 > /dev/null  ; done &
    [9] 3680
    localhost ~ # while true;  do echo 1 > /dev/null  ; done &
    [10] 3681
    localhost ~ # while true;  do echo 1 > /dev/null  ; done &
    [11] 3682
    localhost ~ # while true;  do echo 1 > /dev/null  ; done &
    [12] 3683

etc...

"RES_CPU 50 100" was set in "subject /bin/bash", but it did not solve this issue.
-sanches-
 
Posts: 1
Joined: Sat Dec 28, 2013 6:05 am

Re: Restrict shell loop

Postby jacekalex » Fri Apr 01, 2016 2:51 pm

    ulimit -u  2

    while true;  do echo 1 > /dev/null  ; done &
    bash: fork: retry: Brak procesów potomnych
    bash: fork: retry: Brak procesów potomnych
    bash: fork: retry: Brak procesów potomnych

Try standard ulimit or /etc/security/limits.conf to set the maximum number of processes per user.
To limit RAM, cgroup.memory; to limit CPU, cgroup.cpu; to filter access to the network, cgroup.net_cls plus

    CONFIG_NETFILTER_XT_MATCH_CGROUP

in the kernel.
To limit resources you do not need RBAC; standard tools give you full control. ;)

Cheers
8)
jacekalex
 
Posts: 39
Joined: Tue Jan 11, 2011 2:16 pm
Location: Poland
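The per-command form of the ulimit approach in the reply above, as an added example that is not part of the thread and not grsecurity's own code. It assumes bash, GNU coreutils `timeout` and a Linux kernel; the function names and the user name in the limits.conf comment are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): cap a runaway shell loop with the
# standard rlimit tools, applied per command instead of per login session.

# Run a command with the soft nproc (RLIMIT_NPROC) and CPU-seconds
# (RLIMIT_CPU) limits lowered in a child shell, so the caps bind that command
# and its descendants only; the calling shell keeps its own limits.
# bash is invoked explicitly: dash spells the process limit -p, bash spells it -u.
run_capped() {
    bash -c 'ulimit -S -u "$1" && ulimit -S -t "$2" && shift 2 && exec "$@"' run_capped "$@"
}

# Report the nproc soft limit as seen inside the capped child (used as a check).
capped_nproc() {
    run_capped "$1" 60 bash -c 'ulimit -S -u'
}

# Run the loop from the original post under a 1 CPU-second cap and print its
# exit status. The kernel sends SIGXCPU (signal 24) once the soft CPU limit is
# exceeded; the default action terminates the shell, reported as 128+24 = 152.
# `timeout` is only a wall-clock safety net in case the limit is not enforced.
capped_loop_status() {
    rc=0
    timeout 30 bash -c 'ulimit -S -t 1; while true; do echo 1 > /dev/null; done' || rc=$?
    echo "$rc"
}

# Persistent per-user equivalents go in /etc/security/limits.conf (pam_limits),
# here for a constructed user name:
#   alice  hard  nproc  200
#   alice  hard  cpu    60

if [ "${1:-}" = "demo" ]; then
    echo "nproc cap inside child shell: $(capped_nproc 64)"
    echo "capped loop exit status:      $(capped_loop_status)"
fi
```

Two caveats worth knowing before relying on this: the nproc limit is not enforced against processes holding CAP_SYS_RESOURCE or CAP_SYS_ADMIN, so a root shell like the one in the original post (`localhost ~ #`) is only stopped by the CPU-time cap or by a cgroup cpu controller; and `ulimit` option letters differ between shells (bash `-u`, dash `-p` for the process limit), which is why the example pins bash.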
