January 26, 2011

Security tip: Avoid fork bombing on popular distro (check your system)

A few days ago I talked with another Linux technician, a very smart guy with great experience and competence, and in a skill test I saw an expression like this:

:(){ :|:& };:

I didn't realize it was a shell fork bomb, maybe because it was 9.00pm and I had been dealing with tech problems since 8.00am; I was thinking about some voodoo regular expression and only realized what it was after a while (when I finally decided to connect my brain). I tested it in a console shell on an Ubuntu laptop and after a few seconds I had a frozen Linux system. A quite common system (Core 2 Duo, 2 GB RAM) may saturate the environment with dumb processes in just 10-20 secs, so be careful if you want to make a short test.

This happens because on certain Linux distros, mostly popular ones, there is no limit set on the maximum number of processes a user may have. For example, if you run:

ulimit -u

you can discover the maximum number of processes a user may run on the system (run ulimit -a to list all current limits on your system).

To avoid this small but annoying problem you need to set the per-user maximum number of processes manually: in your kernel if you compile it yourself, or by editing /etc/security/limits.conf and adding a line like this:

*    hard    nproc    1000

to limit, for example, the number of processes to 1000 per user. Please note that "1000" is just an example; set it to whatever you need.
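As an added example (not part of the original post), a small POSIX shell script that performs the two checks described above: it classifies the current hard nproc limit of the calling shell, and it pulls the nproc entries out of a limits.conf-style file so you can confirm the line you added is actually there. The sample limits.conf content in the test is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the per-user process limit.

# Classify a limit value as reported by `ulimit -u`.
# Returns 0 when the value is a bounded number, 1 when it is "unlimited",
# empty, or anything else that is not a plain number.
nproc_is_bounded() {
    case "$1" in
        ''|unlimited) return 1 ;;
        *[!0-9]*)     return 1 ;;   # contains a non-digit: not a usable limit
        *)            return 0 ;;
    esac
}

# Read limits.conf-style text on stdin and print "domain type value" for
# every nproc entry, after stripping comments (lines and trailing "# ...").
nproc_entries() {
    sed 's/#.*//' | awk '$3 == "nproc" && NF >= 4 { print $1, $2, $4 }'
}

# Report the soft and hard process limits of the current shell and warn
# when the hard limit would let a fork bomb exhaust the system.
report_current() {
    soft=$(ulimit -S -u)
    hard=$(ulimit -H -u)
    printf 'soft nproc: %s\nhard nproc: %s\n' "$soft" "$hard"
    if nproc_is_bounded "$hard"; then
        echo "hard nproc limit is bounded"
    else
        echo "WARNING: hard nproc limit is unlimited; set nproc in /etc/security/limits.conf"
    fi
}

# Run the audit against the current shell and the real limits file, if readable.
if [ "${1:-}" = "--run" ]; then
    report_current
    [ -r /etc/security/limits.conf ] && nproc_entries < /etc/security/limits.conf
fi
```

Note that limits.conf is applied by pam_limits when a session is opened, so a shell that was already running before the edit still reports the old value; log in again to see the new limit.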

I've checked other Linux systems around me these days, but I didn't see the alarming output that my stock Ubuntu 10.10 reported:

~$ ulimit -u

The desktop I use for my everyday work runs Gentoo and reports no trouble with this; the same goes for the Debian (Lenny) machines, Slackware (13.1) and the few LFS systems I have around, so I'm pretty comfortable with what I'm using now (except for that laptop, where I've now set the ulimit).

You may need to set the maximum number of processes according to how you use your computer, but at the very least you need to set it to something other than "unlimited".

I hope someone working on major or popular distros will read this simple post and add these basic settings to their general-purpose kernels to avoid such things; it could be embarrassing if you want to promote your system over closed-source Windows operating systems.

I'd be glad to read your comments here; please report your current ulimit configuration (ulimit -a) so we may publish some sort of open document on the standard kernels of the major distros. Please include:

  • Distro name and version (if applicable)

  • Kernel name and version (uname -a) if you're not using a ready-made one

  • ulimit output (ulimit -a)

  • If you've manually set something in /etc/security/limits.conf, please report that setting too

Hope it helps someone

Andrea (Ben) Benini
