[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: enforcing RLIMIT_NPROC in setuid() ?
On Thu, Jan 10, 2008 at 04:23:47PM -0500, Christos Zoulas wrote:
> The biggest problem I see with the change is that
> a process that did not exceed the quota can be penalized about it.
> Consider the case where a root daemon forks, runs setuid and sleeps
> bringing the user above the NPROC resource limit. Then if a different
> shell process tries to exec, it will fail.
One could mostly work around this by only checking at exec time in
processes that have been previously marked PK_SUGID (that covers
processes that shift down from root, right?) or are about to be.
David A. Holland
Main Index |
Thread Index |