Re: [9fans] protection against resource exhaustion

[erik quanstrom <quanstro@quanstro.net>]

On Tue Jan 27 16:06:49 PST 2015, arisawa@ar.aichi-u.ac.jp wrote:
> we don’t have perfect solution.
> nevertheless, we must protect system.

why does limiting forks "protect the system"? why must be "protect the system"?
and what does that phrase mean in this context?

> if we search ideal (or nearly ideal) solution, we should assign limited resource to each user.
> however this is a big job, I believe.
> 
> current plan9 system is running under shared resource model.
> under this model, it is very hard to protect system from evil-minded users.

plan 9 has no hope against malicious users.  they can fill up your disk, or
use all your memory, too.  i believe the quote attributed to presotto is
"we don't have quotas.  ken just yells at anyone who hogs the jukebox."

nonetheless, i have experience running multi-user plan 9 systems, and users
were not usually the issue.

> keeping this model, we can do something that is, of course, imperfect (but easy to implement, I believe).
> for example:
> (a) select processes that should keep running. (with resrcwait flag, for example)
> (b) kill processe that failed to be allocated resource if it doesn’t has resrcwait flag.
> 
> this strategy has following problems:
> (1) innocent processes may be killed.
> the probability is small if the origin is careless program, but can be large by evil-mined program.
> (2) error return from malloc() and fork() are disabled.

i think you've turned a problem with bounded recovery time into a
situation where the recovery code itself will inadvertently dos attack its
users.

- erik