16

To prevent fork bomb I followed this http://www.linuxhowtos.org/Tips%20and%20Tricks/ulimit.htm

ulimit -a reflects the new settings but when I run (as root in bash) :(){ :|:&};: the VM still goes on max CPU+RAM and system will freeze.

How to ensure users will not be bring down the system by using fork bombs or running a buggy application?

OS: RHEL 6.4

Stéphane Chazelas
  • 522,931
  • 91
  • 1,010
  • 1,501
user44441
  • 291
  • 1
  • 2
  • 7
  • I can't reproduce it here. Are you trying that as `root` by any chance? Which shell are you trying it from? (the missing space after `{` suggests `zsh` but I can't reproduce it there either). – Stéphane Chazelas Aug 03 '13 at 14:29
  • Stephane Chazelas: 1] I was running as root, I tried it with normal user it works. 2] The missing space is typo, I'm using bash.Sorry. 3] Is it that ulimit cannot moderate the 'root' user? – user44441 Aug 03 '13 at 16:54
  • @stephane-chazelas 1] I was running as root, I tried it with normal user it works. 2] The missing space is typo, I'm using bash.Sorry. 3] Is it that ulimit cannot moderate the 'root' user? – user44441 Aug 03 '13 at 18:15

2 Answers2

15

To make this change pervasive you'll need to add these limits to the entire environment. Changes using the ulimit command are only to the current environment.

NOTE: This will have no effect on the root user!

Example

Edit this file: vi /etc/security/limits.conf and add entries to the file limiting the number of processes (nproc) that a specific user or group of users' is allowed to have.

vivek hard nproc 300
@student hard nproc 50
@faculty soft nproc 100
@pusers hard nproc 200

NOTE: There are more examples in that file. Be careful with using the "all" (aka. *) this will limit system accounts too.

References

slm
  • 363,520
  • 117
  • 767
  • 871
  • While "all" will limit system accounts, most services that are ran by those system accounts do not pass through `pam_limits`. – jordanm Aug 03 '13 at 17:34
  • Is it that ulimit cannot moderate the 'root' user? – user44441 Aug 03 '13 at 18:00
  • Just as a general idea for adding more to the post, you might want to add something about [pam_cgroup](http://serverfault.com/questions/262296/how-is-the-cgroup-pam-module-configured) to the post since the OP's platform supports it and `pam_limits` will eventually be replaced by that once cgroups gain wider adoption. – Bratchley Aug 03 '13 at 22:08
  • Plus, since it sounds like the OP is playing around with resource usage policies, `cgroups` would give them better knobs for network and CPU utilization. – Bratchley Aug 03 '13 at 22:11
9

The superuser or any process with the CAP_SYS_ADMIN or CAP_SYS_RESOURCE capabilities are not affected by that limitation, that's not something that can be changed. root can always fork processes.

If some software is not trusted, it should not run as root anyway.

Stéphane Chazelas
  • 522,931
  • 91
  • 1,010
  • 1,501
  • 3
    Unless it does something special, pretty much nothing should run as root anyways. root is the account you use when you're tired of trying to figure out what privileges/rights you need to figure it out or some fundamental system service. – Bratchley Aug 03 '13 at 22:04