
18268 Re: [redhat] Something fun to do, but not on a production system...

  • Jeff Lane
    May 1, 2008
      On Thu, May 1, 2008 at 11:31 AM, Daniel Hyatt <hyattdj@...> wrote:
      > Didn't figure out exactly how, but what I read is that a properly configured
      > machine will not lock up with this.
      > Dan
      > "The opinions expressed here are not necessarily my own"

      Yep... that is the case. The second link I provided tells how, but my
      problem is that I don't understand why. If the hang occurs because you
      are simply opening too many processes by forking exponentially, then
      it's my experience that the kernel will simply tell you it can't open
      any new processes and error, or it will kill off existing processes to
      free up PIDs and Resources.

      It could be that this fills up any page tables though, now that I
      think about it... so while it may not be necessarily chewing up the
      processor and physical ram, it's using up all the available Linux page
      tables causing some sort of overflow, but that's just an uneducated
      guess at what's going on.

      BUT, if you limit the amount of processes a user can start, this kind
      of thing becomes avoidable because the kernel will simply fork
      until it runs out of user allowed processes. However, I've been doing
      this as root, and limiting the number of things root can start "may"
      be a bad thing...

      Originally, it started off as an exercise demonstrating the need to
      limit what users can do... now it's something that's become a puzzle
      I want to figure out. heh...

      One thing I wonder though, is why is this even possible in the first
      place? Why does any Linux vendor allow regular users to open
      unlimited processes? I can understand doing so for system users like
      FTP or apache, but those system services generally limit the number of
      spawned processes in their configs but it still could be possible to,
      for instance, configure apache to be able to spawn enough web server
      children to bring the system down under load (what I think is a
      classic DOS attack).

      But it seems kind of silly to me to allow a normal system user that an
      admin would create to be able to do something like this by default...
      but that's just me and things that make sense to me don't necessarily
      make sense to anyone else.
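
Added example (not part of the message above or of the thread): a simplified Python model of how pam_limits picks the per-user process cap (nproc) from /etc/security/limits.conf-style entries, showing that wildcard and group lines never apply to root. The sample file, the user and group names, and the function names are constructed for illustration.

```python
# Constructed sample in /etc/security/limits.conf syntax (not from the thread).
SAMPLE = """\
# <domain>  <type>  <item>  <value>
*           soft    nproc   1024
*           hard    nproc   2048
@students   hard    nproc   100
jlane       -       nproc   400
"""

UNLIMITED = {"unlimited", "infinity", "-1"}
WILDCARD, GROUP, USER = 0, 1, 2  # higher rank = more specific entry


def effective_nproc(conf, user, groups=()):
    """Return {'soft': n, 'hard': n}; None means no cap is configured."""
    best = {"soft": (-1, None), "hard": (-1, None)}  # (rank, value)
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 4 or fields[2] != "nproc":
            continue
        domain, kind, _, value = fields
        if domain == user:
            rank = USER
        elif user == "root":
            continue  # wildcard and group entries are not applied to root
        elif domain == "*":
            rank = WILDCARD
        elif domain.startswith("@") and domain[1:] in groups:
            rank = GROUP
        else:
            continue
        limit = None if value in UNLIMITED else int(value)
        for which in (("soft", "hard") if kind == "-" else (kind,)):
            # a more specific entry wins; at equal rank the later line wins
            if which in best and rank >= best[which][0]:
                best[which] = (rank, limit)
    soft, hard = best["soft"][1], best["hard"][1]
    if soft is not None and hard is not None and soft > hard:
        soft = hard  # a soft limit can never exceed the hard limit
    return {"soft": soft, "hard": hard}


def uncapped(conf, users):
    """Names from users (name -> groups) that have no hard nproc cap."""
    return [name for name, groups in users.items()
            if effective_nproc(conf, name, groups)["hard"] is None]
```

With the sample above, only root comes back from uncapped(); capping root would need an explicit "root" line in the file.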