Fun with forkbombs
I figured it was time I locked down a couple of my settings. Specifically, preventing runaway processes from crashing my PC by spawning an endless number of new processes - a forkbomb.
If you want to do this yourself, you can: just enter the following text into a console and press Enter:
:(){ :|:& };:
Unless you're protected from forkbombs by limits placed on the number of processes a user can run, this will lock up your PC. To check beforehand (a good idea if you don't like hard reboots!) run "ulimit -a" to get a list of your limits.
You'll see something like:
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
pending signals (-i) 4095
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 4095
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
In this setting, I can run 4095 processes before I'll get error messages. That's rather high, although better than completely unlimited.
So I edited /etc/security/limits.conf with the following line:
* hard nproc 100
And the next time I check my limits:
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
pending signals (-i) 4095
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 100
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 100
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
100 processes should be plenty for anybody. Running the forkbomb now will generate lots of errors, but not actually lock up my machine.
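To confirm which hard nproc limit a limits.conf-style file actually gives a particular account, here is an added example (not from the original post) that parses the file and reports the value. The function name, the constructed sample file and the `builder` account are assumptions for illustration; `@group` entries and `limits.d` drop-ins are not handled.

```shell
#!/bin/sh
# nproc_hard_limit USER FILE
# Prints the hard "nproc" value FILE sets for USER, or "unset".
# Modelled precedence: a line naming the user beats the "*" wildcard, and the
# wildcard is not applied to root (documented pam_limits behaviour).
# Assumption: when several lines match, the last one is kept.
nproc_hard_limit() {
    awk -v user="$1" '
        { sub(/#.*/, "") }                      # strip comments
        NF < 4 || $3 != "nproc" { next }        # only complete nproc entries
        $2 != "hard" && $2 != "-" { next }      # "-" sets both soft and hard
        $1 == user { exact = $4 }
        $1 == "*" && user != "root" { wild = $4 }
        END {
            if (exact != "")      print exact
            else if (wild != "")  print wild
            else                  print "unset"
        }
    ' "$2"
}

# Constructed sample configuration; only the "* hard nproc 100" line
# comes from the post.
SAMPLE_LIMITS=$(mktemp)
trap 'rm -f "$SAMPLE_LIMITS"' EXIT
cat > "$SAMPLE_LIMITS" <<'EOF'
# <domain> <type> <item> <value>
*        hard   nproc   100
*        soft   nofile  1024
builder  -      nproc   400    # hypothetical account that needs more
EOF

for u in alice builder root; do
    printf '%s: %s\n' "$u" "$(nproc_hard_limit "$u" "$SAMPLE_LIMITS")"
done
```

The `root` result shows that a wildcard line alone leaves root without a process cap from this file.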
I've also switched the Xterm that I always run in my desktop (See my screenshots post) to run with a higher nice level - by executing it with nice -n 20 xterm instead of just xterm. This means that if a normal process, with a default nice of zero, crashes in a using-up-all-resources way, the xterm will be unaffected and I'll be able to kill -9 it with much more speed.
Neither is likely to save me from a huge headache, to be honest - forkbombs are usually a problem caused by malicious users, but I don't allow remote logons, and if all a cracker can do is crash my PC, then frankly, Who Cares? And it's usually easier to end a gone-crazy process by Ctrl-Alt-Backspace-ing out of the X11 session. But it's better to have them than not to, so. . .