Linux – Why can’t I crash the system with a fork bomb

forklinuxprocessulimit

Recently I've been digging up information about processes in GNU/Linux and I met the infamous fork bomb :

:(){ : | :& }; :

Theoretically, it is supposed to duplicate itself infinitely until the system runs out of resources…

However, I've tried testing both on a CLI Debian and a GUI Mint distro, and it doesn't seem to impact much the system. Yes there are tons of processes that are created, and after a while I read in console messages like :

bash: fork: Resource temporarily unavailable

bash: fork: retry: No child processes

But after some time, all the processes just get killed and everything goes back to normal. I've read that the ulimit set a maximum amount of process per user, but I can't seem to be able to raise it really far.

What are the system protections against a fork-bomb? Why doesn't it replicate itself until everything freezes or at least lags a lot? Is there a way to really crash a system with a fork bomb?

Best Answer

You probably have a Linux distro that uses systemd.

Systemd creates a cgroup for each user, and all processes of a user belong to the same cgroup.

Cgroups is a Linux mechanism to set limits on system resources like max number of processes, CPU cycles, RAM usage, etc. This is a different, more modern, layer of resource limiting than ulimit (which uses the getrlimit() syscall).

If you run systemctl status user-<uid>.slice (which represents the user's cgroup), you can see the current and maximum number of tasks (processes and threads) that is allowed within that cgroup.

$ systemctl status user-$UID.slice
● user-22001.slice - User Slice of UID 22001
   Loaded: loaded
  Drop-In: /usr/lib/systemd/system/user-.slice.d
           └─10-defaults.conf
   Active: active since Mon 2018-09-10 17:36:35 EEST; 1 weeks 3 days ago
    Tasks: 17 (limit: 10267)
   Memory: 616.7M

By default, the maximum number of tasks that systemd will allow for each user is 33% of the "system-wide maximum" (sysctl kernel.threads-max); this usually amounts to ~10,000 tasks. If you want to change this limit:

In systemd v239 and later, the user default is set via TasksMax= in:
```
/usr/lib/systemd/system/user-.slice.d/10-defaults.conf
```
To adjust the limit for a specific user (which will be applied immediately as well as stored in /etc/systemd/system.control), run:
```
systemctl [--runtime] set-property user-<uid>.slice TasksMax=<value>
```
The usual mechanisms of overriding a unit's settings (such as systemctl edit) can be used here as well, but they will require a reboot. For example, if you want to change the limit for every user, you could create /etc/systemd/system/user-.slice.d/15-limits.conf.
In systemd v238 and earlier, the user default is set via UserTasksMax= in /etc/systemd/logind.conf. Changing the value generally requires a reboot.

More info about this:

man 5 systemd.resource-control
man 5 systemd.slice
man 5 logind.conf
http://0pointer.de/blog/projects/systemd.html (search this page for cgroups)
man 7 cgroups and https://www.kernel.org/doc/Documentation/cgroup-v1/pids.txt
https://en.wikipedia.org/wiki/Cgroups

Related Solutions

Fork bomb on a Mac

How a fork bomb works: in C (or C-like) code, a function named fork() gets called. This causes linux or Unix or Unix-a-likes to create an entirely new process. This process has an address space, a process ID, a signal mask, open file descriptors, all manner of things that take up space in the OS kernel's somewhat limited memory. The newly created process also gets a spot in the kernel's data structure for processes to run. To the process that called fork(), it looks like nothing happened. A fork-bomb process will try to call fork() as fast as it can, as many times as it can.

The trick is that the newly created process also comes back from fork() in the same code. After a fork, you have two processes running the same code. Each new fork-bomb process tries to call fork() as fast as it can, as many times as it can. The code you've given as an example is a Bash-script version of a fork bomb.

Soon, all the OS kernel's process-related resources get used up. The process table is full. The waiting-to-run list of processes is full. Real memory is full, so paging starts. If this goes on long enough, the swap partition fills up.

What this looks like to a user: everything runs super slowly. You get error messages like "could not create process" when you try simple things like ls. Trying a ps causes an interminable pause (if it runs at all) and gives back a very long list of processes. Sometimes this situation requires a reboot via the power cord.

Fork bombs used to be called "rabbits" back in the old days. Because they reproduced so rapidly.

Just for fun, I wrote a fork bomb program in C:

#include <stdio.h>
#include <unistd.h>
int
main(int ac, char **av)
{
        while (1)
                fork();

        return 0;
}

I compiled and ran that program under Arch Linux in one xterm. I another xterm I tried to get a process list:

1004 % ps -fu bediger
zsh: fork failed: resource temporarily unavailable

The Z shell in the 2nd xterm could not call fork() successfully as the fork bomb processes associated with the 1st xterm had used up all kernel resources related to process created and running.

How to Prevent a Fork Bomb

The superuser or any process with the CAP_SYS_ADMIN or CAP_SYS_RESOURCE capabilities are not affected by that limitation, that's not something that can be changed. root can always fork processes.

If some software is not trusted, it should not run as root anyway.

Best Answer

Related Solutions

Fork bomb on a Mac

How to Prevent a Fork Bomb

Related Question