[11070] in bugtraq
Re: Shared memory DoS's (Redhat retraction)
daemon@ATHENA.MIT.EDU (Jim Dennis)
Mon Jul 19 15:48:31 1999
Message-Id: <199907191103.EAA05701@canopus.starshine.org>
Date: Mon, 19 Jul 1999 04:03:29 -0700
Reply-To: Jim Dennis <jimd@STARSHINE.ORG>
From: Jim Dennis <jimd@STARSHINE.ORG>
X-To: Mike Perry <mikepery@MIKEPERY.LINUXOS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19990715173639.A20578@mikepery.linuxos.org>
(Message apparently from Mike Perry <mikepery@MIKEPERY.LINUXOS.ORG>,
dated Thu, 15 Jul 1999 17:36:39 CDT.)
> I've been waiting all day for my post to be approved so I could
> post a retraction for Redhat Linux and its derivatives. :)
> It seems I forgot all about pam. Thanks to Mike Johnson of Redhat
> for bringing pam_limits.so to my attention. Any distribution that
> uses pam can set limits to prevent this.
> However, other distributions like Slackware and the default debian
> install still need some method to set the RLIMIT_AS limit. You
> need to patch login.c and other methods of authentication (ssh &
> rlogin, etc), or replace the appropriate functions in the lshell
> distribution (ftp://metalab.unc.edu/pub/Linux/system/admin/login),
> and wrap your shells accordingly. I still don't know what to do
> about dgb in that case. The alternative is to patch all your
> system shells and set the rlimits via the worldwide rc scripts.
Actually any Linux using the Shadow password suite
(from Julianne Haugh?) should be fine. You should be
able to create a file named /etc/login.defs and use
that to set ULIMIT and other limitations (which
that version of login should read). You could
easily run your version of login under strace
to confirm that it does read the /etc/login.defs
file. Better distributions using this suite will
also have a man page for it. (The PAM suite is largely
based on the Shadow suite, so it seems to support
/etc/login.defs by default.)
--
Jim Dennis jdennis@linuxcare.com
Linuxcare: Linux Corporate Support Team: http://www.linuxcare.com
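The mechanism every option in this thread ends up at (pam_limits.so, /etc/login.defs ULIMIT, a patched login.c, a shell wrapper) is a setrlimit(RLIMIT_AS) call made before the user's shell is exec'd; the program below, an added illustration that is not code from this thread or from any of the tools named in it, applies such a cap to itself and shows a large mapping being refused while a small one still succeeds. The 256 MiB cap and the mapping sizes are constructed values; note that RLIMIT_AS counts the whole address space (libraries, stack, attached shm segments), so a real cap must be sized to the legitimate workload.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Cap the address space of the calling process. Setting the hard limit
 * as well means the user cannot raise it again after login; the cap is
 * inherited by every process the login shell spawns.
 * Returns 0 on success, -1 (errno set) on failure. */
int apply_address_space_limit(rlim_t bytes)
{
    struct rlimit rl;
    rl.rlim_cur = bytes;
    rl.rlim_max = bytes;
    return setrlimit(RLIMIT_AS, &rl);
}

/* Report the soft RLIMIT_AS currently in force (RLIM_INFINITY if none). */
rlim_t current_address_space_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_AS, &rl) != 0)
        return RLIM_INFINITY;
    return rl.rlim_cur;
}

/* Try to map `bytes` of anonymous memory, then release it again.
 * Returns 1 if the kernel granted the mapping, 0 if it refused
 * (under RLIMIT_AS the refusal is ENOMEM from mmap()). */
int try_map(size_t bytes)
{
    void *p = mmap(NULL, bytes, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, bytes);
    return 1;
}

int main(void)
{
    const rlim_t cap = (rlim_t)256 << 20;   /* 256 MiB, constructed value */
    if (apply_address_space_limit(cap) != 0) {
        perror("setrlimit(RLIMIT_AS)");
        return 1;
    }
    printf("1 MiB mapping: %s\n", try_map((size_t)1 << 20) ? "ok" : "refused");
    printf("1 GiB mapping: %s\n", try_map((size_t)1 << 30) ? "ok" : "refused");
    return 0;
}
```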