rlimits can be used as a safety net, but I prefer that the program
itself remains in control of its resource usage. I just don't find
it very elegant to crash and die on illegal input...
For example, when all data objects have limited size, and when the
number of objects instances is limited, so is the amount of memory
required to hold those objects.
This just changes some programs into special-purpose cache managers.
In the days of 16-bit and smaller computers, real programmers had
to do real work to make their programs actually fit the machine.
Perhaps I am just showing my age.
Wietse
Taral:
> Actually, a secure box should run with RLIMIT_AS (Linux-ism?) set on all
> daemons... I started using it on apache httpd to prevent the header-spam
> DoS, but it seems like a good idea on all processes that shouldn't consume
> much memory.
>
> Taral
>
> > -----Original Message-----
> > Suggested fix: read a fixed-size read buffer from the network. No
> > reasonable ident query needs to be longer than a couple bytes for
> > the two port numbers. When used in the right place, fixed-size
> > buffers are beneficial to security.
> >
> > Wietse
> >
>
>
>
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:16:31 PDT