From owner-freebsd-security Wed Sep 1 18:12:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1])
    by hub.freebsd.org (Postfix) with ESMTP id 93BBB1563C
    for ; Wed, 1 Sep 1999 18:12:54 -0700 (PDT)
    (envelope-from mike@sentex.net)
Received: from gravel (ospf-mdt.sentex.net [205.211.164.81])
    by granite.sentex.net (8.8.8/8.6.9) with SMTP id VAA18894;
    Wed, 1 Sep 1999 21:12:04 -0400 (EDT)
Message-Id: <4.1.19990901211618.04e87740@granite.sentex.ca>
X-Sender: mdtancsa@granite.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Wed, 01 Sep 1999 21:24:35 -0400
To: Systems Administrator
From: Mike Tancsa
Subject: Re: FW: Local DoS in FreeBSD
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 03:12 PM 9/1/99 , Systems Administrator wrote:
>If you have it set so that it does SUID for cgi and runs it as the user or
>uses the user's accounting limits, it won't work.. and yes, you should set
>some sensible apache limits per user on that stuff, I know it's possible.

Ok, are you talking about enabling accounting, i.e. in /etc/rc.conf

accounting_enable="NO"    # Turn on process accounting (or NO).

or are you talking about settings in /etc/login.conf? If login.conf, and
internal apache limits, what are you actually setting, and what values? I
found that descriptors had to be VERY restrictive in order to prevent the
user from crashing the system.

If you have actually implemented protection against this DOS, by all means,
please post to the list what you did. However, if you are only theorizing,
please state so.

---Mike
**********************************************************************
Mike Tancsa, Network Admin        *  mike@sentex.net
Sentex Communications Corp,       *  http://www.sentex.net/mike
Cambridge, Ontario                *  01.519.651.3400
Canada                            *