Re: enforcing RLIMIT_NPROC in setuid() ?

To: Ed Ravin <eravin%panix.com@localhost>
Subject: Re: enforcing RLIMIT_NPROC in setuid() ?
From: Joerg Sonnenberger <joerg%britannica.bec.de@localhost>
Date: Fri, 11 Jan 2008 20:30:35 +0100

On Thu, Jan 10, 2008 at 01:43:57PM -0500, Ed Ravin wrote:
> Would it make sense to have setuid() check the process limit,
> and return an error if the user in question is over the limit?

Yes and no. The problem is that it changes the way the Unix security
model works. When Linux started to do that, they created a nice number
of root exploitable issues, because processes could not drop the setuid
and never checked for it. Isn't the check good enough if the limit gets
inherited and the process is still counted against the real uid?

Joerg

Follow-Ups:
- Re: enforcing RLIMIT_NPROC in setuid() ?
  - From: Perry E. Metzger

References:
- enforcing RLIMIT_NPROC in setuid() ?
  - From: Ed Ravin

Prev by Date: Re: enforcing RLIMIT_NPROC in setuid() ?
Next by Date: Re: enforcing RLIMIT_NPROC in setuid() ?
Previous by Thread: Re: enforcing RLIMIT_NPROC in setuid() ?
Next by Thread: Re: enforcing RLIMIT_NPROC in setuid() ?
Indexes:

Home | Main Index | Thread Index | Old Index