Re: [PATCH] RLIMIT_NPROC enforcement during execve() calls

From: Lorenzo Hernández García-Hierro
Date: Mon Apr 18 2005 - 13:13:16 EST

Next message: Steve French: "dbench performance on cifs to Samba"
Previous message: intertotal2005: "Internet total"
In reply to: Christoph Hellwig: "Re: [PATCH] RLIMIT_NPROC enforcement during execve() calls"
Next in thread: Valdis . Kletnieks: "Re: [PATCH] RLIMIT_NPROC enforcement during execve() calls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

El lun, 18-04-2005 a las 18:43 +0100, Christoph Hellwig escribió:
> On Mon, Apr 18, 2005 at 07:38:57PM +0200, Lorenzo Hern?ndez Garc?a-Hierro wrote:
> > Enforces the RLIMIT_NPROC limit by adding an additional check for
> > execve(), as
> > such limit is checked only during fork() calls.
>
> What's the point? exec doesn't create new process and exec() shouldn't
> start to fail just because someone lowered the rlimit a short while ago.

The limit is only checked when process is created on a fork() call, but
during execution it's uid can change, thus, the limit for the new uid
could be exceed.

It comes from the Openwall kernel patch, as well implemented in
grSecurity and vSecurity.

Cheers,
--
Lorenzo Hernández García-Hierro <lorenzo@xxxxxxx>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]

Attachment: signature.asc
Description: This is a digitally signed message part

Next message: Steve French: "dbench performance on cifs to Samba"
Previous message: intertotal2005: "Internet total"
In reply to: Christoph Hellwig: "Re: [PATCH] RLIMIT_NPROC enforcement during execve() calls"
Next in thread: Valdis . Kletnieks: "Re: [PATCH] RLIMIT_NPROC enforcement during execve() calls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]