Discussion:
What should be a typical/normal ulimit nproc value?
Bit Twister
2012-11-28 17:18:37 UTC
What should a typical/normal ulimit nproc value be for the typical
home system?

Ignore memory and cpu and normal load for the discussion.

Why? you ask.

The command pegged the system. I love VirtualBox for experiments. :-8
http://cyberarms.wordpress.com/2012/11/26/an-eleven-character-linux-denial-of-service-attack-how-to-defend-against-it/

What would be the directive in /etc/security/limits.conf?

System is currently loafing at
$ ps aux | wc -l
240

Seems like the following would restrict root. :-(

#* soft core 0
#------------------------------------------------

* hard nproc 500


All my users are in their own group.

Would adding them to a "user" group allow me to use
@user hard nproc 50

?
David W. Hodgins
2012-11-28 18:58:35 UTC
Post by Bit Twister
What should a typical/normal ulimit nproc value be for the typical
home system?
Ignore memory and cpu and normal load for the discussion.
Why? you ask.
The command pegged the system. I love VirtualBox for experiments. :-8
http://cyberarms.wordpress.com/2012/11/26/an-eleven-character-linux-denial-of-service-attack-how-to-defend-against-it/
What would be the directive in /etc/security/limits.conf?
System is currently loafing at
$ ps aux | wc -l
240
Seems like the following would restrict root. :-(
#* soft core 0
#------------------------------------------------
* hard nproc 500
All my users are in their own group.
Would adding them to a "user" group allow me to use
@user hard nproc 50
I see no reason not to restrict root too. On my Mageia 2 x86-64 system,
with a quad core, and 16GB of ram, the Mageia default for nproc is 127910.
(No idea where that number comes from).

The forkbomb did kill my system, including killing htop in a root session
on tty2 before I could see what the impact was.

I've added the line to /etc/security/limits.conf ...
* hard nproc 10000

When I first added it, I'd copied a prior line, and forgot to remove the
leading #. After a reboot, the forkbomb did not crash the system, so
the 127910 is ok, when first starting, but not once the system has been
used for a while.

With the 10000 limit in effect, the forkbomb does not kill the system,
or have any response time impact, but a reboot is still needed to end
the constant creation of new bash processes. Could probably have just
used a killall bash, as the user, but didn't try that.

I think 10000 is high enough, that even having root restricted is ok.

Want to open a bug report?

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Bit Twister
2012-11-29 08:01:38 UTC
Post by David W. Hodgins
Post by Bit Twister
What should a typical/normal ulimit nproc value be for the typical
home system?
I've added the line to /etc/security/limits.conf ...
* hard nproc 10000
Heheh, I picked the example facility values, logged out/in and kde
launch just showed the busy indicator. Logged out and into root and used
vi to bump it to 220 and 250. Worked much better.
Current contents snippet:

500:1600 soft nproc 220
500:1600 hard nproc 250

On install I create junk and normal accounts, then append all
my 15?? id users to passwd and group files.

My ~/.kde4/Autostartup/startup script launches two tail -f xterms,
two normal xterms, slrn and thunderbird. Process count is
$ ps aux | grep -c $(id -g)
57
Post by David W. Hodgins
When I first added it, I'd copied a prior line, and forgot to remove the
leading #. After a reboot, the forkbomb did not crash the system, so
the 127910 is ok, when first starting, but not once the system has been
used for a while.
Yes, I believe there is a memory leak somewhere. :(
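
The two configurations above (Dave's `* hard nproc 10000`, including the
line that silently did nothing while it still had its leading `#`, and Bit
Twister's `500:1600 soft/hard nproc` uid-range entries) can be checked
without logging out and in again. The script below is an added example for
this thread, not code from either poster or from pam_limits; it works on a
constructed limits.conf fragment embedded in the script (the thread's lines
plus an illustrative `@users` entry and an explicit `root` entry, neither
from the thread), and the function names are made up for the example. It
follows the precedence that limits.conf(5) documents: an entry naming the
user beats an `@group` entry, which beats the `*` wildcard, and neither `*`
nor `@group` entries are applied to root, so a bare `* hard nproc 10000`
does not restrict root; root has to be named explicitly. Where uid ranges
sit relative to user and group entries is not spelled out in the man page,
so ranking them between the two is an assumption of this example.

```shell
#!/bin/sh
# Audit a limits.conf fragment for nproc and resolve the effective limit.
# Added example for the thread; not from the posters or from pam_limits.

# Constructed sample limits.conf (thread lines plus a made-up @users
# entry and an explicit root entry). Not copied from any real system.
SAMPLE_LIMITS=$(cat <<'EOF'
#* soft core 0
#* hard nproc 500
* hard nproc 10000
500:1600 soft nproc 220
500:1600 hard nproc 250
@users hard nproc 50
root hard nproc 20000
EOF
)

# count_active_nproc_entries: nproc lines that are NOT commented out.
# Catches the "forgot to remove the leading #" slip from the thread.
count_active_nproc_entries() {
    printf '%s\n' "$SAMPLE_LIMITS" | awk '
        { sub(/#.*/, "") }
        NF >= 4 && $3 == "nproc" { n++ }
        END { print n + 0 }'
}

# effective_nproc TYPE USER UID "GROUP ..."
# TYPE is soft or hard; prints the value that would apply, or "none".
# Rank 0: entry naming the user, 1: uid range (assumed rank), 2: @group,
# 3: wildcard. Wildcard and @group are skipped for uid 0, as limits.conf(5)
# documents. Among equal ranks the later line wins.
effective_nproc() {
    printf '%s\n' "$SAMPLE_LIMITS" | awk -v ltype="$1" -v user="$2" -v uid="$3" -v groups="$4" '
        BEGIN {
            best = 99; value = ""
            n = split(groups, g, " ")
            for (i = 1; i <= n; i++) ingroup[g[i]] = 1
        }
        { sub(/#.*/, "") }
        NF < 4 || $3 != "nproc" { next }
        $2 != ltype && $2 != "-" { next }       # "-" sets both soft and hard
        {
            dom = $1; rank = -1
            if (dom == user) {
                rank = 0
            } else if (dom ~ /^[0-9]+:[0-9]+$/) {
                split(dom, r, ":")
                if (uid >= r[1] + 0 && uid <= r[2] + 0) rank = 1
            } else if (dom ~ /^@/ && uid != 0) {
                gname = substr(dom, 2)
                if (gname in ingroup) rank = 2
            } else if (dom == "*" && uid != 0) {
                rank = 3
            }
            if (rank >= 0 && rank <= best) { best = rank; value = $4 }
        }
        END { print (value == "" ? "none" : value) }'
}

# live_nproc: what this session actually received, plus a per-uid process
# count that does not rely on grep -c matching the id digits anywhere in
# the ps output. Run this on the real machine after a fresh login.
live_nproc() {
    printf 'soft nproc: %s\n' "$(ulimit -Su)"
    printf 'hard nproc: %s\n' "$(ulimit -Hu)"
    printf 'processes owned by uid %s: %s\n' "$(id -u)" "$(ps -o pid= -u "$(id -u)" | wc -l)"
}

# Usage against the embedded sample:
echo "active nproc entries: $(count_active_nproc_entries)"
echo "bob   (uid 1500, in users) hard: $(effective_nproc hard bob 1500 'bob users')"
echo "bob   (uid 1500, in users) soft: $(effective_nproc soft bob 1500 'bob users')"
echo "alice (uid 2000, in users) hard: $(effective_nproc hard alice 2000 'alice users')"
echo "dave  (uid 1700, own group) hard: $(effective_nproc hard dave 1700 'dave')"
echo "root hard: $(effective_nproc hard root 0 'root')"
```

Two practical notes. pam_limits applies these values per login, so after
editing limits.conf a new session (or, as in the thread, a reboot) is needed
before `ulimit -Hu` in a shell reflects the change; the resolver lets you
see what that session should get before logging out. And a count such as
`ps aux | grep -c $(id -g)` matches the group-id digits wherever they appear
on a ps line (in PIDs, memory sizes, times), so it overstates the real
process count; `ps -o pid= -u UID | wc -l`, as in `live_nproc`, counts only
that user's processes.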

David W. Hodgins
2012-11-28 19:29:20 UTC
Post by Bit Twister
What should a typical/normal ulimit nproc value be for the typical
home system?
Btw, the discussion is now in the developers mailing list too.

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)