On Tue, Jul 12, 2011 at 6:27 AM, Vasiliy Kulikov <segoon@xxxxxxxxxxxx> wrote: > > The NPROC can still be enforced in the common code flow of daemons > spawning user processes. Most of daemons do fork()+setuid()+execve(). > The check introduced in execve() enforces the same limit as in setuid() > and doesn't create similar security issues. Ok, this looks fine by me. I'd like to get some kind of comment from the selinux etc people (James?) but I'd certainly be willing to take this. Failing when executing a suid application rather than when a suid application releases its heightened credentials seems to be the fundamentally saner approach. IOW, failing to raise privileges rather than failing to lower them. Linus -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html