Debian Bug report logs - #599916
please set limits so that users cant kill the system

Package: src:linux; Maintainer for src:linux is Debian Kernel Team <debian-kernel@lists.debian.org>;

Reported by: Holger Levsen <holger@layer-acht.org>

Date: Tue, 12 Oct 2010 11:27:01 UTC

Severity: wishlist

Tags: security

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#599916; Package libpam-modules. (Tue, 12 Oct 2010 11:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
New Bug report received and forwarded. Copy sent to Steve Langasek <vorlon@debian.org>. (Tue, 12 Oct 2010 11:27:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Holger Levsen <holger@layer-acht.org>
To: submit@bugs.debian.org
Subject: please set limits so that users cant kill the system
Date: Tue, 12 Oct 2010 13:24:11 +0200
[Message part 1 (text/plain, inline)]
package: libpam-modules
severity: critical
tags: security

Hi,

as there are no process limits set, it's trivial for any user to use all 
resources:

Just run this in bash: :() { :I:& };:

(I obfuscated the exploit slightly. Mail me if you need to know how.)

And voila, the system is gone. (=there are ressources left to be used.)

I'm actually a bit lost how the default process limit is set, whether its 
31500 or 16025 user processes, or unlimited. In any case, I succeeded in 
blowing up a squeeze system as nobody when the process limit was 16025. And I 
also succeeded on sid, and saw someone else kill his lenny vm.

I'm not sure if my reaction ("critical bug" as it breaks the ability to hand 
out access to unbtrusted users basically) is too much, since maybe this works 
as designed ("rather enable people to use the system by default, if you want 
it more restricted do so...") but I could also not find anything in NEWS or 
README.Debian...


cheers,
	Holger
[signature.asc (application/pgp-signature, inline)]

Severity set to 'wishlist' from 'critical' Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Tue, 12 Oct 2010 11:36:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#599916; Package libpam-modules. (Tue, 12 Oct 2010 14:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. (Tue, 12 Oct 2010 14:57:03 GMT) Full text and rfc822 format available.

Message #12 received at 599916@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Holger Levsen <holger@layer-acht.org>, 599916@bugs.debian.org
Subject: Re: Bug#599916: please set limits so that users cant kill the system
Date: Tue, 12 Oct 2010 07:53:40 -0700
[Message part 1 (text/plain, inline)]
reassign 599916 linux-2.6
severity 599916 wishlist
thanks

On Tue, Oct 12, 2010 at 01:24:11PM +0200, Holger Levsen wrote:

> as there are no process limits set, it's trivial for any user to use all 
> resources:

> Just run this in bash: :() { :I:& };:

> (I obfuscated the exploit slightly. Mail me if you need to know how.)

> And voila, the system is gone. (=there are ressources left to be used.)

> I'm actually a bit lost how the default process limit is set, whether its
> 31500 or 16025 user processes, or unlimited.  In any case, I succeeded in
> blowing up a squeeze system as nobody when the process limit was 16025. 
> And I also succeeded on sid, and saw someone else kill his lenny vm.

pam_limits does not set policies for limits; these policies are set by the
kernel, and are merely shadowed by pam_limits for re-setting defaults.  If
you think the default limits are wrong, talk to the kernel team; otherwise,
you can use /etc/security/limits.conf to set the limits to your taste -
that's what the config file is there for.

> I'm not sure if my reaction ("critical bug" as it breaks the ability to
> hand out access to unbtrusted users basically) is too much, since maybe
> this works as designed ("rather enable people to use the system by
> default, if you want it more restricted do so...") but I could also not
> find anything in NEWS or README.Debian...

I don't see why you would expect PAM to document the use of limits in either
place.  This certainly isn't news.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
[signature.asc (application/pgp-signature, inline)]

Bug reassigned from package 'libpam-modules' to 'linux-2.6'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Tue, 12 Oct 2010 14:57:04 GMT) Full text and rfc822 format available.

Bug reassigned from package 'linux-2.6' to 'src:linux'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Wed, 10 Jul 2013 18:10:42 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:00:25 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.