tech-security archive


Re: enforcing RLIMIT_NPROC in setuid() ?



On Thu, Jan 10, 2008 at 04:23:47PM -0500, Christos Zoulas wrote:
 > The biggest problem I see with the change is that
 > a process that did not exceed the quota can be penalized about it.
 > Consider the case where a root daemon forks, runs setuid and sleeps
 > bringing the user above the NPROC resource limit. Then if a different
 > shell process tries to exec, it will fail.

One could mostly work around this by only checking at exec time in
processes that have been previously marked PK_SUGID (that covers
processes that shift down from root, right?) or are about to be.

-- 
David A. Holland
dholland%netbsd.org@localhost
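
Added example, not part of the original message and not NetBSD kernel code: a toy user-space model of the scenario quoted above, comparing an unconditional exec-time RLIMIT_NPROC check with one gated on a PK_SUGID-style flag. The struct, function names, uid numbering, the limit of 2 and the root exemption are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy user-space model of the idea in the thread; not NetBSD kernel code. */
enum policy { CHECK_ALWAYS, CHECK_SUGID_ONLY };
enum who { SHELL, DAEMON_CHILD };

struct proc { int uid; bool sugid; };  /* sugid models the PK_SUGID flag */

static int nproc[2];               /* process count per uid: 0 = root, 1 = user */
static const int nproc_limit = 2;  /* constructed RLIMIT_NPROC for the user */

static struct proc model_fork(int uid) {
    nproc[uid]++;
    return (struct proc){ .uid = uid, .sugid = false };
}

/* setuid() is not limit-checked in this model, so it can push the target uid over. */
static void model_setuid(struct proc *p, int uid) {
    nproc[p->uid]--;
    nproc[uid]++;
    p->uid = uid;
    p->sugid = true;
}

/* Returns 0 if exec is allowed, -1 if refused for exceeding the limit. */
static int model_exec(const struct proc *p, enum policy pol, bool image_is_setid) {
    if (p->uid == 0 || nproc[p->uid] <= nproc_limit)
        return 0;  /* assumption: root is exempt from the limit */
    if (pol == CHECK_SUGID_ONLY && !p->sugid && !image_is_setid)
        return 0;  /* never changed ids and is not about to: not penalized */
    return -1;
}

/* The scenario from the quoted message; returns the exec result for `w`. */
static int scenario(enum policy pol, enum who w) {
    nproc[0] = nproc[1] = 0;
    struct proc shell = model_fork(1);
    (void)model_fork(1);               /* user is now exactly at the limit */
    struct proc child = model_fork(0); /* root daemon forks ... */
    model_setuid(&child, 1);           /* ... and drops to the user: 3 > 2 */
    return model_exec(w == SHELL ? &shell : &child, pol, false);
}

int main(void) {
    printf("always:     shell=%d daemon_child=%d\n",
           scenario(CHECK_ALWAYS, SHELL), scenario(CHECK_ALWAYS, DAEMON_CHILD));
    printf("sugid-only: shell=%d daemon_child=%d\n",
           scenario(CHECK_SUGID_ONLY, SHELL), scenario(CHECK_SUGID_ONLY, DAEMON_CHILD));
    return 0;
}
```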



