Re: [PATCH] exec: Only allow a threaded init to exec from thethread_group_leader

[Andrew Morton]

Pavel Machek <pavel@xxxxxx> wrote:
>
> On Ne 29-01-06 02:48:31, Andrew Morton wrote:
> > ebiederm@xxxxxxxxxxxx (Eric W. Biederman) wrote:
> > >
> > >  If process id namespaces become a reality init stops being
> > >  terribly special, and becomes something you may have several
> > >  of running at any one time.  If one of those inits is compromised
> > >  by a hostile user I having the whole system go down so we can
> > >  avoid executing a cheap test sounds terribly wrong.  That is
> > >  why I really care.
> > 
> > Wouldn't it be better to do nothing until/unless there's some code in the
> > kernel or init which actually needs the change?
> 
> It is common to do init=/bin/bash, and I guess people are doing it
> with all kinds of wonderful apps....

err, good point.  And no reports of peculiar things happening with
threading.  Eric's check has the (slight) potential to cause some things to
stop working though.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/