This is, to put it politely, incredibly old news. Let's face it, if you give a user a shell account, with no restrictions on CPU time or memory usage, yes, they will be able to suck up as much resources as the computer can spare (this is, among other reasons, why "nice" exists). I advise you place limits on the users: memory, CPU, stack size, file descriptors, etc. Finding "good" limits can be tricky though, and you will also want to limit concurrent logins.

I wrote an article on using PAM (Pluggable Authentication Modules) which covers these issues and a few others, available at:
http://www.samag.com/documents/s=1161/sam0009a/0009a.htm

Also you can view information on setting limits with various shells, and PAM as well, at:
http://seifried.org/security/os/linux/20020324-securing-linux-step-by-step.html
Go to "Limiting users overview".

And the LASG, "Limiting and monitoring users":
http://seifried.org/lasg/users/

Better to use PAM to limit users than the shell, because the various shells do not all support limiting the same items, or soft/hard limits, and if you miss a shell and the user "chsh"'s they can avoid it; they can't really avoid PAM.

As for the "/*/../........." problem in general, it was "discovered" many many years ago (more than two).

Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.iDefense.com/
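
An added example, not part of the original post or the author's linked articles: a short Python check over a pam_limits `limits.conf` that reports which of the resources named above still lack a finite hard limit. The sample file contents and the `@students` group are constructed for illustration, and only rules whose domain matches exactly are considered (wildcard `*` rules are ignored).

```python
# Added example: audit a pam_limits limits.conf for missing hard limits.
# SAMPLE_CONF is constructed; "@students" is a hypothetical group.
# Format per line: <domain> <type> <item> <value>
SAMPLE_CONF = """\
# cpu is in minutes; as (address space) and stack are in KB
@students    soft    cpu         10
@students    hard    cpu         30
@students    hard    as          524288
# soft only: the user can raise it again with ulimit
@students    soft    stack       8192
# "-" sets the soft and hard limit together
@students    -       nofile      256
# a hard limit of "unlimited" is no cap at all
@students    hard    maxlogins   unlimited
"""

# limits.conf items matching the resources named in the post:
# memory, CPU, stack size, file descriptors, concurrent logins.
REQUIRED = ("as", "cpu", "stack", "nofile", "maxlogins")
UNBOUNDED = {"unlimited", "infinity", "-1"}


def parse_limits(text):
    """Yield (domain, type, item, value) for each rule line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) == 4:
            yield tuple(fields)


def missing_hard_limits(text, domain):
    """Return the REQUIRED items with no finite hard limit for `domain`."""
    capped = set()
    for dom, typ, item, value in parse_limits(text):
        if dom != domain or typ not in ("hard", "-"):
            continue  # soft-only rules do not bind the user
        if value.lower() not in UNBOUNDED:
            capped.add(item)
    return [item for item in REQUIRED if item not in capped]


if __name__ == "__main__":
    for item in missing_hard_limits(SAMPLE_CONF, "@students"):
        print(f"@students: no finite hard limit for {item}")
```
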
This archive was generated by hypermail 2b30 : Thu Apr 04 2002 - 15:57:13 PST