Re: File table exhaustion patch

From: Mike Silbersack (silby@silby.com)
Date: 11/21/02


Date: Thu, 21 Nov 2002 15:29:04 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: "David G. Andersen" <danderse@cs.utah.edu>


On Thu, 21 Nov 2002, David G. Andersen wrote:

> In PR 45353, I've submitted a patch to reserve a handfull of
> file table entries for root-only use, to mitigate the effects
> of user processes that leak file descriptors:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=45353
>
> Even with per-process file descriptor limits, it's pretty
> easy for a buggy program that does any kind of forking to
> run the system out of file table entries (or for a malicious
> user to do so). The patch above is trivial, and at least
> enables root to login and fix things up a bit. I've been
> running it locally for about a week, and it's happy.
>
> Is the form of the solution acceptable? (And if so, anyone
> interested in committing it to -current for a while? ;-)
>
> -Dave

Your patch looks good, I think it could probably go in without any
modifications.

HOWEVER, we're in a code freeze leading up to 5.0-release, and local DoSes
aren't a critical bug. Hence, I'm going to wait until after 5.0-release
is out the door before I go ahead with committing your patch.

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message