Re: RLIMIT_NPROC check in set_user()
| From: | Linus Torvalds <torvalds-AT-linux-foundation.org> | |
| To: | Vasiliy Kulikov <segoon-AT-openwall.com> | |
| Subject: | Re: RLIMIT_NPROC check in set_user() | |
| Date: | Wed, 6 Jul 2011 11:01:47 -0700 | |
| Message-ID: | <CA+55aFyfjG1h2zkkGai_VPM8p5bhWhvNXs1HvuWMgxv4RSywYw@mail.gmail.com> | |
| Cc: | linux-kernel-AT-vger.kernel.org, Greg Kroah-Hartman <gregkh-AT-suse.de>, Andrew Morton <akpm-AT-linux-foundation.org>, "David S. Miller" <davem-AT-davemloft.net>, Jiri Slaby <jslaby-AT-suse.cz>, James Morris <jmorris-AT-namei.org>, Neil Brown <neilb-AT-suse.de>, kernel-hardening-AT-lists.openwall.com | |
| Archive‑link: | Article |
On Wed, Jul 6, 2011 at 10:36 AM, Vasiliy Kulikov <segoon@openwall.com> wrote:
> On Sun, Jun 12, 2011 at 17:09 +0400, Vasiliy Kulikov wrote:
>> I'd be happy to hear opinions about improving the fixes above or
>> alternative fixes.
>
> No comments? Even "Sigh, what a nasty problem. But we cannot really
> fix it without significantly breaking the stuff. Go and drink something." ?
Thanks for reminding me.
My reaction is: "let's just remote the crazy check from set_user()
entirely". If somebody has credentials to change users, they damn well
have credentials to override the RLIMIT_NPROC too, and as you say,
failure is likely a bigger security threat than success.
The whole point of RLIMIT_NPROC is to avoid fork-bombs. If we go over
the limit for some other reason that is controlled by the super-user,
who cares?
So let's keep it in kernel/fork.c where we actually create a *new*
process (and where everybody knows exactly what the limit means, and
people who don't check for error cases are just broken). And remove it
from everywhere else.
Hmm?
Linus