From mboxrd@z Thu Jan 1 00:00:00 1970 From: Willy Tarreau Subject: Re: [PATCH] move RLIMIT_NPROC check from set_user() to do_execve_common() Date: Fri, 15 Jul 2011 07:35:05 +0200 Message-ID: <20110715053505.GA24870@1wt.eu> References: <20110712132723.GA3193@albatros> <20110713091408.0d456352@notabene.brown> <20110713063142.GA19976@openwall.com> <20110713170657.59dae548@notabene.brown> <20110714112751.1bfd998f@notabene.brown> <20110714150602.GA30019@openwall.com> <20110715133013.4fa38d19@notabene.brown> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Solar Designer , James Morris , Linus Torvalds , Vasiliy Kulikov , linux-kernel@vger.kernel.org, Greg Kroah-Hartman , Andrew Morton , "David S. Miller" , kernel-hardening@lists.openwall.com, Jiri Slaby , Alexander Viro , linux-fsdevel@vger.kernel.org, KOSAKI Motohiro , Eric Paris , Stephen Smalley , Sebastian Krahmer To: NeilBrown Return-path: Content-Disposition: inline In-Reply-To: <20110715133013.4fa38d19@notabene.brown> Sender: linux-kernel-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org Hi Neil, On Fri, Jul 15, 2011 at 01:30:13PM +1000, NeilBrown wrote: (...) > But what do you think of this. It sure that only the process which ignored > the return value from setuid is inconvenienced. (...) I think this is a smart idea. But will the flag be inherited by children over a fork() ? If not, we might as well block fork(), because we can expect a lot of fork+exec situations which are as dangerous as the simple execve(). Regards, Willy