From: "Ángel González" <ingenit@zoho.com>
To: Karel Zak <kzak@redhat.com>
Cc: "Pádraig Brady" <P@draigBrady.com>,
"Andy Lutomirski" <luto@amacapital.net>,
util-linux@vger.kernel.org
Subject: Re: [PATCH] Add no_new_privs
Date: Mon, 26 Nov 2012 13:45:10 +0100 [thread overview]
Message-ID: <50B36456.7080009@zoho.com> (raw)
In-Reply-To: <20121126100822.GA4224@x2.net.home>
On 26/11/12 11:08, Karel Zak wrote:
> I guess that there will be never one super util to set all the
> possible properties (prlimit, personality, scheduler stuff, ....) and
> I personally don't see problem to type
>
> setarch x86_64 --addr-no-randomize \
> taskset --cpu-list 1,2 \
> prlimit --nofile=1024:4095 \
> nice -20 \
> <myprog>
It may be a problem if the restrictions placed with one program are
incompatible with chaining another one.
For instance, I could want to run a static binary foo as:
prlimit --nofile 1:1 /usr/local/bin/foo
But I won't be able to do
prlimit --nofile 1:1 nice /usr/local/bin/foo
since nice wouldn't be able to open libc.
In this case nice can be called with prlimit as parameter, but you will
end up with some options provided by different binaries and which are
incompatible.
We probably can't avoid it, so go ahead with it. Make sure all these
tools have their man pages properly interlinked, though.
next prev parent reply other threads:[~2012-11-26 12:45 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-23 20:23 [PATCH] Add no_new_privs Andy Lutomirski
2012-11-23 21:14 ` Pádraig Brady
2012-11-26 10:08 ` Karel Zak
2012-11-26 12:45 ` Ángel González [this message]
2012-11-26 19:03 ` Andy Lutomirski
2012-11-27 1:39 ` Andy Lutomirski
2012-11-23 22:52 ` Ángel González
2012-12-08 8:19 ` [PATCH] Add setpriv, a tool to set privileges and such Andy Lutomirski
2012-12-08 16:23 ` Ángel González
2012-12-08 19:04 ` Andy Lutomirski
2012-12-09 22:24 ` Pádraig Brady
2012-12-09 23:12 ` Andy Lutomirski
2013-01-08 8:31 ` Karel Zak
2013-01-14 15:33 ` Andy Lutomirski
2013-01-14 15:58 ` [PATCH v2] " Andy Lutomirski
2013-01-26 14:29 ` [PATCH] setpriv: run a program with different Linux privilege settings Sami Kerola
2013-02-04 20:20 ` Andy Lutomirski
2013-02-05 9:05 ` Karel Zak
2013-02-05 10:51 ` Karel Zak
2013-02-06 1:07 ` [PATCH] setpriv: Fix an error message typo Andy Lutomirski
2013-02-06 11:32 ` Karel Zak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50B36456.7080009@zoho.com \
--to=ingenit@zoho.com \
--cc=P@draigBrady.com \
--cc=kzak@redhat.com \
--cc=luto@amacapital.net \
--cc=util-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).