Re: File table exhaustion patch

From: Mike Silbersack (silby@silby.com)
Date: 11/21/02


Date: Thu, 21 Nov 2002 15:29:04 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: "David G. Andersen" <danderse@cs.utah.edu>


On Thu, 21 Nov 2002, David G. Andersen wrote:

> In PR 45353, I've submitted a patch to reserve a handfull of
> file table entries for root-only use, to mitigate the effects
> of user processes that leak file descriptors:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=45353
>
> Even with per-process file descriptor limits, it's pretty
> easy for a buggy program that does any kind of forking to
> run the system out of file table entries (or for a malicious
> user to do so). The patch above is trivial, and at least
> enables root to login and fix things up a bit. I've been
> running it locally for about a week, and it's happy.
>
> Is the form of the solution acceptable? (And if so, anyone
> interested in committing it to -current for a while? ;-)
>
> -Dave

Your patch looks good, I think it could probably go in without any
modifications.

HOWEVER, we're in a code freeze leading up to 5.0-release, and local DoSes
aren't a critical bug. Hence, I'm going to wait until after 5.0-release
is out the door before I go ahead with committing your patch.

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



Relevant Pages

  • File table exhaustion patch
    ... file table entries for root-only use, ... of user processes that leak file descriptors: ... The patch above is trivial, ...
    (FreeBSD-Security)
  • [RFC] last(1) with security.bsd.see_other_uids support
    ... similar patch on my own shared-hosting systems for a few years. ... Users in the wheel or utmp group can see all entries ... Allow reading the entries, but disallow directly opening ... the utx files. ...
    (freebsd-hackers)
  • Re: [PATCH] dm: check max_sectors in dm_merge_bvec (was: Re: dm: max_segments=1 if merge_bvec_fn is
    ... entries, the first maps the last sector contained in some page and the ... My asumption that "single segment" was ... and the patch by Mikulas: ... finally dropped the newly introduced function again, ...
    (Linux-Kernel)
  • Re: kern/165863
    ... If this patch fixes panics observed by kern/165863 and passes stress ... Please review attached patch. ... including static ARP entries. ... if (flags & LLE_DELETE) ...
    (freebsd-net)
  • Re: File table exhaustion patch
    ... I've submitted a patch to reserve a handfull of ... > file table entries for root-only use, ... > of user processes that leak file descriptors: ... The patch above is trivial, ...
    (FreeBSD-Security)