Date: Thu, 11 Aug 2011 21:18:12 +0400 From: Vasiliy Kulikov <segoon@...nwall.com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: NeilBrown <neilb@...e.de>, linux-kernel@...r.kernel.org, Greg Kroah-Hartman <gregkh@...e.de>, Andrew Morton <akpm@...ux-foundation.org>, "David S. Miller" <davem@...emloft.net>, Jiri Slaby <jslaby@...e.cz>, James Morris <jmorris@...ei.org>, kernel-hardening@...ts.openwall.com Subject: Re: Re: [PATCH v3 -resend] move RLIMIT_NPROC check from set_user() to do_execve_common() Hi Linus, On Tue, Aug 09, 2011 at 12:16 +1000, NeilBrown wrote: > On Mon, 8 Aug 2011 19:02:04 +0400 Vasiliy Kulikov <segoon@...nwall.com> wrote: > > > The patch http://lkml.org/lkml/2003/7/13/226 introduced an RLIMIT_NPROC > > check in set_user() to check for NPROC exceeding via setuid() and > > similar functions. Before the check there was a possibility to greatly > > exceed the allowed number of processes by an unprivileged user if the > > program relied on rlimit only. But the check created new security > > threat: many poorly written programs simply don't check setuid() return > > code and believe it cannot fail if executed with root privileges. So, > > the check is removed in this patch because of too often privilege > > escalations related to buggy programs. ... > > Reviewed-by: James Morris <jmorris@...ei.org> > Acked-by: NeilBrown <neilb@...e.de> It got 2 positive feedbacks and seems nobody has better solution. Is it possible to see it in 3.1? Thanks! -- Vasiliy Kulikov http://www.openwall.com - bringing security into open computing environments
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.