Debian Bug report logs - #872798
nslcd: can be killed by the OOM Killer, DoS

Package: nslcd; Maintainer for nslcd is Arthur de Jong <[email protected]>; Source for nslcd is src:nss-pam-ldapd.

Reported by: Vincent Lefevre <[email protected]>

Date: Mon, 21 Aug 2017 11:27:02 UTC

Severity: normal

Tags: jessie

Found in version nss-pam-ldapd/0.9.4-3+deb8u2


Message #10 received at [email protected]:

Subject: Re: Bug#872798: nslcd: can be killed by the OOM Killer, DoS
From: Arthur de Jong <[email protected]>
Reply-To: [email protected]
To: Vincent Lefevre <[email protected]>, [email protected]
Date: Mon, 21 Aug 2017 21:47:04 +0200
Control: severity -1 normal

On Mon, 2017-08-21 at 13:17 +0200, Vincent Lefevre wrote:
> Severity: grave
> Justification: causes non-serious data loss and DoS from an end user.

The severity is a bit questionable and, at the very least, not a flaw in
or unique to nslcd. Any local user that does not have resource limits
applied to them can DoS the whole system easily, so I'm lowering the
severity to normal.

> It appears that nslcd can be killed by the OOM Killer when some user
> process takes all the memory. In such a case, it is no longer
> possible to connect to the machine by SSH. Thus this is DoS by an end
> user, with possible data loss concerning what is running on the
> machine.

The OOM is indeed a bit of Russian roulette on your system. You can
tune it a bit with vm.panic_on_oom and vm.overcommit_memory sysctls or
perform the following action that is equivalent to what newer nslcd
does:

echo -1000 > /proc/`cat /var/run/nslcd/nslcd.pid`/oom_score_adj

The patch should be pretty easy to backport though. I've put it on my
list but can't really guarantee a turn-around-time.

Thanks,

-- 
-- arthur - [email protected] - https://people.debian.org/~adejong --
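
A more defensive form of the one-liner in the message above, as an added example that is not part of the original message or of nslcd: it validates the pidfile and checks the process name before writing oom_score_adj. The function name protect_from_oom and the PROC_ROOT override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: exempt a daemon from the OOM killer, with the checks the
# one-liner skips. protect_from_oom and PROC_ROOT are hypothetical names.

PROC_ROOT="${PROC_ROOT:-/proc}"   # overridable so the logic can be tested

# protect_from_oom PIDFILE EXPECTED_COMM
# Returns 0 on success, 1 no usable pidfile, 2 stale/foreign PID, 3 write failed.
protect_from_oom() {
    pidfile=$1
    expected=$2

    [ -r "$pidfile" ] || { echo "no pidfile: $pidfile" >&2; return 1; }
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')

    # Reject empty or non-numeric content before building a /proc path from it.
    case $pid in
        ''|*[!0-9]*) echo "bad pid in $pidfile" >&2; return 1 ;;
    esac

    # A stale pidfile may point at a recycled PID; check the process name.
    comm=$(cat "$PROC_ROOT/$pid/comm" 2>/dev/null) || comm=
    if [ "$comm" != "$expected" ]; then
        echo "pid $pid is '$comm', not '$expected'" >&2
        return 2
    fi

    # -1000 disables OOM killing for this process; needs root on a real system.
    echo -1000 > "$PROC_ROOT/$pid/oom_score_adj" 2>/dev/null || return 3

    # Read back to confirm the kernel accepted the value.
    [ "$(cat "$PROC_ROOT/$pid/oom_score_adj")" = "-1000" ] || return 3
}

# Typical use as root: protect_from_oom /var/run/nslcd/nslcd.pid nslcd
```

The value is per-process and is lost when the daemon restarts, so it has to be reapplied after each start.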

Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 17:37:29 2025; Machine Name: bembo
