Bugtraq mailing list archives

Re: Solaris 10 Containers / Zones Security Flaw


From: Darren Reed <avalon () caligula anu edu au>
Date: Tue, 5 Apr 2005 03:45:55 +1000 (Australia/ACT)

In some mail from jim allan, sie said:
In-Reply-To: <424EC41F.2060901 () cox net>

> agreed Robert, there are many easy ways to limit this,
> my research was more about whether Sun had implemented sanity limits
> in virtual memory and cpu usage as a default. which they hadn't.

So what would you consider to be a "sane limit" ?

Is a "sane limit" RAM-128MB ?  Or some other magical number ?
Or some formula that involves using the number of zones ?

What about CPU?  No more than 90%?

> it's a sad state, but most admins wouldn't use ulimit or set maxuprc
> to limit this..

Right, so the criticism you're really getting at here is that by default,
Unix in general doesn't contain what a single user can do in terms of
chewing up system resources as a denial of service attack.

> as Jonathon Katz mentioned, it's a balance between
> usability and security, but i would've thought there should have been
> some sane level of limit on virtual memory or similar for the zone upon
> initial creation..

Why?  So that when someone runs a serious job in one and discovers that
it is limited to 64MB and dies they need to reconfigure the zone?

Any arbitrary limit that could be chosen would be bad, by default, for
someone.

The current situation, with zones and resources, is no worse than today
for environments without zones, however, if you use resource pools with
zones, it can be much much better.

Darren

