18268 Re: [redhat] Something fun to do, but not on a production system...
May 1 9:08 AM
On Thu, May 1, 2008 at 11:31 AM, Daniel Hyatt <hyattdj@...> wrote:
> Didn't figure out exactly how, but what I read is that a properly configured
> machine will not lock up with this.
> "The opinions expressed here are not necessarily my own"
Yep... that is the case. The second link I provided tells how, but my
problem is that I don't understand why. If the hang occurs because you
are simply opening too many processes by forking exponentially, then
it's my experience that the kernel will simply tell you it can't open
any new processes and error, or it will kill off existing processes to
free up PIDs and Resources.
It could be that this fills up any page tables though, now that I
think about it... so while it may not be necessarily chewing up the
processor and physical ram, it's using up all the available Linux page
tables causing some sort of overflow, but that's just an uneducated
guess at what's going on.
BUT, if you limit the amount of processes a user can start, this kind
of thing becomes avoidable because the kernel will simply fork
until it runs out of user allowed processes. However, I've been doing
this as root, and limiting the number of things root can start "may"
be a bad thing...
Originally, it started off as an exercise demonstrating the need to
limit what users can do... now it's something that's become a puzzle
I want to figure out. heh...
One thing I wonder though, is why is this even possible in the first
place? Why does any Linux vendor allow regular users to open
unlimited processes? I can understand doing so for system users like
FTP or apache, but those system services generally limit the number of
spawned processes in their configs but it still could be possible to,
for instance, configure apache to be able to spawn enough web server
children to bring the system down under load (what I think is a
classic DoS attack).
But it seems kind of silly to me to allow a normal system user that an
admin would create to be able to do something like this by default...
but that's just me and things that make sense to me don't necessarily
make sense to anyone else.
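
As an added example (not part of the original post): a small Python audit of `limits.conf`-style entries that reports which accounts end up with no hard `nproc` cap. It uses a simplified model of pam_limits precedence (a user entry beats an `@group` entry, which beats `*`, and wildcard entries are not applied to root); the sample file contents and the account names are constructed.

```python
# Added example: simplified model of pam_limits precedence for "hard nproc".
UNLIMITED = {"unlimited", "infinity", "-1"}

# Constructed sample in limits.conf format: <domain> <type> <item> <value>
SAMPLE = """\
# constructed sample, not taken from a real host
*          hard  nproc  200
@students  hard  nproc  50
alice      -     nproc  unlimited
*          soft  nproc  100
"""

def parse(text):
    """Yield (domain, type, item, value) for each non-comment entry."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4:
            yield tuple(fields)

def hard_nproc(text, user, groups=()):
    """Return the hard nproc cap for user, or None if nothing caps it."""
    best_rank, limit = -1, None
    for domain, typ, item, value in parse(text):
        if item != "nproc" or typ not in ("hard", "-"):
            continue  # soft limits can be raised by the user up to the hard cap
        if domain == user:
            rank = 2
        elif domain.startswith("@") and domain[1:] in groups:
            rank = 1
        elif domain == "*" and user != "root":
            rank = 0  # wildcard entries are not applied to root
        else:
            continue
        if rank >= best_rank:  # more specific wins; later entry wins ties
            best_rank = rank
            limit = None if value in UNLIMITED else int(value)
    return limit

def uncapped(text, accounts):
    """List accounts that have no hard limit on their process count."""
    return [u for u, g in accounts.items() if hard_nproc(text, u, g) is None]

if __name__ == "__main__":
    accounts = {"root": (), "alice": ("students",), "bob": ("students",), "carol": ()}
    for name, grps in accounts.items():
        print(name, hard_nproc(SAMPLE, name, grps))
    print("uncapped:", uncapped(SAMPLE, accounts))
```

The limit a running shell actually has can be checked with `ulimit -u`.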