
Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python Interpreter


From: Olivier Sessink
Subject: Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python Interpreter
Date: Thu, 25 Oct 2007 22:52:04 +0200
User-agent: Icedove 1.5.0.14pre (X11/20071018)

Gregory Piñero wrote:
> I've set up a jailed Python interpreter.  Now I'm wondering how to
> prevent someone from running:
> 
> while 1:
>     os.fork()
> 
> and freezing up my system.  (A so-called fork bomb.)  Do you guys have
> any advice?

The standard thing that works against fork bombs: limit the number of
processes.

But you're never going to stop somebody who can install their own
executables who wants to bring your server to a grinding halt. There are
much heavier attacks than fork bombs.

For example, fork bombs that also use a lot of memory and open a lot of
file descriptors. These are much heavier for your system per process, so
a small number of processes can stop your system from functioning.

So if you expect your users to do these kinds of things, you'll have to
prevent user executables: mount both /tmp and /home (in the jail) with
noexec (these should be the only places where users have write access).

regards,
        Olivier
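
Added example, not part of the original message or of Jailkit: one way to apply the two measures described above, capping processes, memory and file descriptors before the jailed interpreter starts, and checking that the jail's writable mounts carry noexec. The limit values, the /home/jail paths and the sample mount table are assumptions constructed for illustration.

```python
import resource
import subprocess
import sys

# Assumed caps for illustration; tune them for the host.
LIMITS = {
    resource.RLIMIT_NPROC: 64,             # processes for this UID
    resource.RLIMIT_NOFILE: 256,           # open file descriptors
    resource.RLIMIT_AS: 512 * 1024 ** 2,   # address space, bytes
}

# Constructed /proc/mounts sample; /home/jail is a hypothetical jail root.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /home/jail/home ext3 rw,nosuid,nodev,noexec 0 0
tmpfs /home/jail/tmp tmpfs rw,nosuid 0 0
"""

def apply_limits(limits):
    """Set soft = hard so the limited process cannot raise them again."""
    for res, cap in limits.items():
        _, hard = resource.getrlimit(res)
        if hard != resource.RLIM_INFINITY:
            cap = min(cap, hard)   # an unprivileged caller cannot exceed hard
        resource.setrlimit(res, (cap, cap))

def run_limited(argv, limits=LIMITS):
    """Start argv with the limits applied in the child, before exec."""
    return subprocess.run(argv, preexec_fn=lambda: apply_limits(limits),
                          capture_output=True, text=True)

def missing_noexec(mounts_text, paths):
    """Return the paths that are not mount points carrying noexec."""
    opts = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            opts[fields[1]] = fields[3].split(",")   # later mounts override
    # A path that is not its own mount point is reported too.
    return [p for p in paths if "noexec" not in opts.get(p, [])]

if __name__ == "__main__":
    probe = "import resource; print(resource.getrlimit(resource.RLIMIT_NPROC))"
    print(run_limited([sys.executable, "-c", probe]).stdout.strip())
    print(missing_noexec(SAMPLE_MOUNTS, ["/home/jail/home", "/home/jail/tmp"]))
```

RLIMIT_NPROC counts every process owned by the same real UID and is not enforced for root, so the jailed interpreter needs its own unprivileged account for the cap to mean anything.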
