[1457] in linux-security and linux-alert archive
[linux-security] Re: ssh and limits on resources
daemon@ATHENA.MIT.EDU (Jon Lewis)
Sun Feb 23 06:54:39 1997
Date: Sat, 22 Feb 1997 11:50:52 -0500 (EST)
From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: Trevor Johnson <trevor@blues.jpj.NET>
cc: ssh-bugs@cs.hut.fi, linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.95.970222001231.80A-100000@topside>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
On Sat, 22 Feb 1997, Trevor Johnson wrote:
> While logging in via ssh (versions 1.2.17 and 1.2.12) under Linux 2.0, I
> found that limits weren't being set (as shown by the output of "limit"
> (tcsh) or "ulimit -a" (bash). Since /etc/profile, /etc/csh.cshrc, and
> /etc/limits were ignored, I made /etc/sshrc and put "ulimit" statements in
> it. However, I was unable to limit the number of processes this way,
> leaving the system vulnerable to fork bombs. Installing lshell (available
> at http://sunsite.unc.edu/pub/Linux/system/admin/login/lshell-2.01.tar.gz)
> corrected the problem.
According to the man page, /etc/sshrc might not be an effective place to
put limits.
9. If $HOME/.ssh/rc exists, runs it (with the user's
shell); else if /etc/sshrc exists, runs it (with
/bin/sh); otherwise runs xauth. The "rc" files are
given the X11 authentication protocol and cookie in
standard input.
This sounds to me like if a user has a $HOME/.ssh/rc, it will be run
instead of /etc/sshrc. I have not tested this though.
[mod: Moreover, aren't the limits normally a maximum, where you can't
go above? If as a user you "impose" yourself with a limit, you can
always set it back. I just verified that on my system under ssh, the
limits are the same as when I login normally, but I normally don't use
limits, so I don't know if I have to turn something to make login set
some limits. -- REW]
------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/hr.
________Finger jlewis@inorganic5.fdt.net for PGP public key_______