Some Linux Distros Found Vulnerable By Default
TuringTest writes "Security Focus carries an article about a security compromise found on several major distros due to bad default settings in the Linux kernel. 'It's a sad day when an ancient fork bomb attack can still take down most of the latest Linux distributions', says the writer. The attack was performed by spawning lots of processes from a normal user shell. It is interesting to note that Debian was not among the distros that fell to the attack. The writer also praises the OpenBSD policy of Secure by Default."
A forkbomb is just a relatively simplistic way to mount a resource exhaustion attack. I would be extremely wary of anyone who claims that their UNIX class operating system is immune to resource exhaustion from a local user. There's just too many resources that can be commandeered, and to lock them all down would leave you with a system that's so restricted as to be nearly useless as a general computing platform.
It must be a slow day on /. if they're reporting this as news.
No, I understand the article. I just couldn't resist the jab. The fact is that GNU/Linux ought to be the best it can be in and of itself. That some distributions are screwing that up and making very poor defaults is not to be forgiven. Not at all. Especially when it isn't difficult to do better.
How to use coral cache: http://slashdot.org.nyud.net:8090/~oscartheduck
On the 3 distros listed as vulnerable, the default settings would stop any remote person from having a chance of getting a shell open on the box to perform the fork attack in the first place.
If a person has enough access to the machine to be able to "forkbomb" it, then there's plenty of other nasty things you could do to it.
All my servers have multiple users. Those users are system accounts to run different software, and I do not want any of them to be able to cause a problem to the entire server. Reasonable limits should be in place by default, and those of us who actually need higher limits for certain users, can raise those limits.
Even on a single user desktop machine, it's nice to have limits so shitty software can't take down my entire machine. With limits I can just log in on another terminal and kill the offending program, without limits you get to reboot, and lose any work you were doing.
Looks like everyone out there on Slashdot thinks this is not really a problem. Remember when it was discovered that you could get into an XP installation locally with a Win 2000 boot CD? Oh, the howling that was heard.
Here is an issue that can be done remotely with only a user account.
Humor from a Genetically Molested Mind
It's funny, isn't it, that on the same day we have a story about Linux distros being insecure by default, EXCEPT Debian, we have another story where Debian is being criticized for not releasing updates more often.
Maybe, and here's a thought, just maybe, it's wise to take a decent, stable distro and perfect it, instead of taking a distro and submerging it in a state of perpetual flux with constant updates.
Just a thought. I might be biased because it's a Debian-based distro that finally put a working Linux on my laptop. But you know what? Every now and then the bias is there for a reason...
We aren't saying that default limits will be perfect for everyone. We are saying that it's better to have to raise your limits IF YOU NEED TO, than to have your machine vulnerable to being completely taken down trivially, very possibly by remote users with no accounts, just from making your services work harder than you expected.
If you are running a server that needs hundreds of apache processes running, then you know that and can raise it. Someone who is new to Linux won't need that, and won't know how to set up limits for themselves. So you make the machine secure by default, and allow advanced users with advanced needs to tweak things as they need.
The best thing I can think of to illustrate the point to you is your apache example. By default apache won't let you have more than 150 users connected. This is a sane default to protect from resource exhaustion. If you need more than that, you can set it yourself. People have some protection by default, but advanced users can customize the settings for their needs.
I cannot believe in 2005 I am arguing with someone who thinks secure by default is a bad idea because it might inconvenience you.
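The per-user process limits argued over in the comments above can be audited mechanically. The following is an added example, not part of the original thread: it assumes the limits are set through pam_limits (the `limits.conf` format), the sample text is constructed, and the function names are hypothetical.

```python
import resource

# Constructed sample in limits.conf format: <domain> <type> <item> <value>
SAMPLE_LIMITS_CONF = """\
# constructed example, not taken from any distribution
*            soft  nproc   1024
*            hard  nproc   2048   # default cap for ordinary users
@developers  hard  nproc   unlimited
www-data     hard  nofile  65536
root         -     nproc   unlimited
"""

NO_LIMIT = {"unlimited", "infinity", "-1"}  # spellings pam_limits accepts


def parse_nproc_limits(text):
    """Return {domain: {"soft": cap, "hard": cap}}; cap None means no limit."""
    limits = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4 or fields[2] != "nproc":
            continue  # blank line, comment, malformed line or another item
        domain, kind, _, value = fields
        cap = None if value in NO_LIMIT else int(value)
        # type "-" sets the soft and the hard limit together
        for k in ("soft", "hard") if kind == "-" else (kind,):
            limits.setdefault(domain, {})[k] = cap
    return limits


def uncapped_domains(limits):
    """Domains whose hard nproc cap is missing (default) or explicitly unlimited."""
    found = []
    if limits.get("*", {}).get("hard") is None:
        found.append("*")  # no default hard cap at all
    found += [d for d in sorted(limits)
              if d != "*" and "hard" in limits[d] and limits[d]["hard"] is None]
    return found


def current_nproc_limit():
    """(soft, hard) RLIMIT_NPROC of this process; None means unlimited."""
    pair = resource.getrlimit(resource.RLIMIT_NPROC)
    return tuple(None if v == resource.RLIM_INFINITY else v for v in pair)


if __name__ == "__main__":
    print("uncapped:", uncapped_domains(parse_nproc_limits(SAMPLE_LIMITS_CONF)))
    print("this process (soft, hard):", current_nproc_limit())
```

A `*` in the result means the file sets no default hard cap, which is the "no limits by default" situation the thread is about.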