Mike, I know that if someone has root access to my server I'm dead! But in this case a non-root user can take down your server if he just runs :(){ :|:& };:
ulimit -u gives this:
[israel@node1 ~]$ ulimit -u
3072
So I changed /etc/security/limits.conf and added these lines to limit users to 100 processes:
* soft nproc 100
* hard nproc 100
Now:
[israel@node1 ~]$ ulimit -u
100
And a non-root user CAN NOT take down your server..
My last question is:
Why is CentOS not configured by default to avoid these known things?
Regards, Israel
A quicker way to take down a machine is this:
# dd if=/dev/random of=/dev/port bs=1M count=2
Should take a little less than a second to kernel panic your machine.
As Jim mentioned, have a look at limits.conf to help fix your fork bomb problem...just don't set it too low!!
(if someone has root access, they have *several* ways to take down your machine, including 'reboot', and 'shutdown'...)
Cheers, Mike
-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of israel.garcia at cimex.com.cu
Sent: April 24, 2007 3:26 PM
To: centos at centos.org
Subject: [CentOS] Regarding fork bomb in a CentOS 4.4 Server!
Hi again, I was reading on the net (http://www.kriptopolis.org/node/4067) about a fork bomb and ran it from a root console on a non-critical machine running CentOS 4.4, and the server goes down... The command I ran was :(){ :|:& };:
Please, does anyone know how to avoid this on CentOS?
On 4/24/07, israel.garcia@cimex.com.cu <israel.garcia@cimex.com.cu> wrote:
> My last question is:
> Why is CentOS not configured by default to avoid these known things?
Because there are 1000's of different uses for linux systems. What works for a file server might not work for a DNS server or a webserver, so how do you pick a default value which works for all of them?
It's far easier to let the admin set up the box the way they want without putting arbitrary process limitations into the mix.
All this aside, the easy answer is: Because that's the way Upstream ships their distro, and we aim to be as similar to that as possible.
So there you have 3 separate answers to that question. Pick whichever one suits you best.
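
Added example, not part of the original thread: a small audit that reads text in limits.conf format and reports the soft and hard nproc limit a given account ends up with, flagging accounts that have no hard ceiling. It assumes the precedence described in limits.conf(5) (a user entry beats a group entry, which beats the * default); the sample file, the builders group and the account names are constructed for illustration.

```python
# Constructed sample in limits.conf format (not taken from the thread's server).
SAMPLE = """\
# <domain> <type> <item> <value>
*          soft  nproc   100
*          hard  nproc   100
@builders  -     nproc   400
named      hard  nproc   unlimited
*          hard  nofile  4096
"""
NO_LIMIT = (None, "unlimited", "infinity", "-1")

def parse(text):
    """Return (domain, type, item, value) tuples; skip comments and malformed lines."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4 and fields[1] in ("soft", "hard", "-"):
            rules.append(tuple(fields))
    return rules

def effective_nproc(rules, user, groups=()):
    """Resolve soft/hard nproc for user. Assumed precedence: user entry (3)
    over @group entry (2) over '*' default (1); type '-' sets both limits."""
    result = {"soft": None, "hard": None}
    rank = {"soft": 0, "hard": 0}
    for domain, kind, item, value in rules:
        if item != "nproc":
            continue
        if domain == user:
            r = 3
        elif domain.startswith("@") and domain[1:] in groups:
            r = 2
        elif domain == "*":
            r = 1
        else:
            continue
        for k in (("soft", "hard") if kind == "-" else (kind,)):
            if r >= rank[k]:  # a later line of equal rank overrides an earlier one
                rank[k], result[k] = r, value
    return result

def unbounded(limits):
    """True when no hard nproc ceiling applies, so process creation is uncapped."""
    return limits["hard"] in NO_LIMIT

if __name__ == "__main__":
    rules = parse(SAMPLE)
    for user, groups in (("israel", ("users",)), ("alice", ("builders",)), ("named", ())):
        limits = effective_nproc(rules, user, groups)
        print(user, limits, "NO HARD LIMIT" if unbounded(limits) else "ok")
```

To audit a real host, pass the contents of /etc/security/limits.conf to parse() and compare the result with what `ulimit -u` reports in a fresh login session for that account.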