Re: enforcing RLIMIT_NPROC in setuid() ?

To: Ed Ravin <eravin%panix.com@localhost>
Subject: Re: enforcing RLIMIT_NPROC in setuid() ?
From: "Jeremy C. Reed" <reed%reedmedia.net@localhost>
Date: Thu, 10 Jan 2008 13:02:49 -0600 (CST)

On Thu, 10 Jan 2008, Ed Ravin wrote:

> Would it make sense to have setuid() check the process limit,
> and return an error if the user in question is over the limit?
> That way, programs that check the return value of setuid() would
> fail and prevent new processes from being created by login loops
> like the one described above.

I think so.

I have found that login, su, and cron could easily be used to bypass these 
limits. I believe it is a security issue.

Have a look at 

http://mail-index.netbsd.org/tech-security/2006/06/13/0001.html

http://archive.netbsd.se/?ml=netbsd-tech-userlevel&a=2006-06&t=2076384

http://archive.netbsd.se/?ml=netbsd-tech-security&a=2006-06&t=2102044

> It would probably be a good idea for setuid() to still carry out
> the UID change, just in case there's a poorly written program
> somewhere that doesn't check the return value.

I am not sure about that.

  Jeremy C. Reed

References:
- enforcing RLIMIT_NPROC in setuid() ?
  - From: Ed Ravin

Prev by Date: enforcing RLIMIT_NPROC in setuid() ?
Next by Date: Re: enforcing RLIMIT_NPROC in setuid() ?
Previous by Thread: enforcing RLIMIT_NPROC in setuid() ?
Next by Thread: Re: enforcing RLIMIT_NPROC in setuid() ?
Indexes:

Home | Main Index | Thread Index | Old Index