On Tue Jan 27 16:06:49 PST 2015, aris...@ar.aichi-u.ac.jp wrote:
> we don't have perfect solution.
> nevertheless, we must protect system.

why does limiting forks "protect the system"? why must we "protect the system"? and what does that phrase mean in this context?

> if we search ideal (or nearly ideal) solution, we should assign limited
> resource to each user.
> however this is a big job, I believe.
>
> current plan9 system is running under shared resource model.
> under this model, it is very hard to protect system from evil-minded users.

plan 9 has no hope against malicious users. they can fill up your disk, or use all your memory, too. i believe the quote attributed to presotto is "we don't have quotas. ken just yells at anyone who hogs the jukebox." nonetheless, i have experience running multi-user plan 9 systems, and users were not usually the issue.

> keeping this model, we can do something that is, of course, imperfect (but
> easy to implement, I believe).
> for example:
> (a) select processes that should keep running. (with resrcwait flag, for
> example)
> (b) kill processes that failed to be allocated resource if it doesn't have
> resrcwait flag.
>
> this strategy has following problems:
> (1) innocent processes may be killed.
> the probability is small if the origin is careless program, but can be large
> by evil-minded program.
> (2) error return from malloc() and fork() are disabled.

i think you've turned a problem with bounded recovery time into a situation where the recovery code itself will inadvertently dos attack its users.

- erik
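Added illustration of the two positions in the thread (not code from the thread or from Plan 9): a toy model of the "kill on allocation failure unless resrcwait is set" policy, run once over a shared pool and once with the per-user limit aris calls the ideal solution. The process names, pool size and request sizes are constructed for the example; a hog that sets its own resrcwait flag stands in for the evil-minded program.

```python
from dataclasses import dataclass

@dataclass
class Proc:
    name: str
    resrcwait: bool   # policy (a): marked as "should keep running"
    request: int      # memory units asked for on every round
    held: int = 0
    alive: bool = True
    waits: int = 0

def run_policy(procs, pool, rounds, cap=None):
    """Simulate allocation rounds over a shared pool of `pool` units.

    Without `cap` this is the proposed policy: a failed request blocks a
    resrcwait process and kills any other one (its memory goes back to the
    pool).  With `cap`, a per-process limit is enforced first: a request
    that would exceed it is refused and the requester waits, nobody dies.
    Returns (names killed in order, names still alive)."""
    free, killed = pool, []
    for _ in range(rounds):
        for p in procs:
            if not p.alive:
                continue
            if cap is not None and p.held + p.request > cap:
                p.waits += 1            # quota refusal, harmless to others
                continue
            if p.request <= free:
                free -= p.request
                p.held += p.request
            elif p.resrcwait:
                p.waits += 1            # blocked, not killed
            else:
                p.alive = False         # policy (b): kill on failure
                free, p.held = free + p.held, 0
                killed.append(p.name)
    return killed, [p.name for p in procs if p.alive]

def scenario(cap=None):
    """Constructed workload: one greedy hog that flagged itself resrcwait,
    two small innocent processes that did not."""
    procs = [Proc("hog", True, 40), Proc("editor", False, 5), Proc("shell", False, 5)]
    return run_policy(procs, pool=100, rounds=6, cap=cap)

if __name__ == "__main__":
    print("shared pool, kill policy:", scenario())        # innocents die, hog survives
    print("per-process cap of 50:  ", scenario(cap=50))   # nobody is killed
```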