Re: disable-cap-mlock

From: Andrew Morton
Date: Thu Apr 01 2004 - 20:30:59 EST


Chris Wright <chrisw@xxxxxxxx> wrote:
>
> * Andrea Arcangeli (andrea@xxxxxxx) wrote:
> > Oracle needs this sysctl, I designed it and Ken Chen implemented it. I
> > guess google also won't dislike it.
> >
> > This is a lot simpler than the mlock rlimit and this is people really
> > need (not the rlimit). The rlimit thing can still be applied on top of
> > this. This should be more efficient too (besides its simplicity).
> >
> > can you apply to mainline?
>
> This patch seems like the wrong hack to work around missing mlock rlimit
> functionality. Wouldn't it be better to fix the core problem, and leave
> this patch out of mainline? I agree with Rik, such a fix (mlock/rlimit)
> will make all the gpg users feel warm and fuzzy ;-)

Rumour has it that the more exhasperated among us are brewing up a patch to
login.c which will allow capabilities to be retained after the setuid. So
you do

echo "oracle CAP_IPC_LOCK" > /etc/logincap.conf

And that's it.

See any reason why this won't work?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/