Hi, I've noticed that uid 0 ignores RLIMIT_NPROC even if it doesn't have neither CAP_SYS_ADMIN nor CAP_SYS_RESOURCE. The corresponding kernel code is in kernel/fork.c line 2100, https://elixir.bootlin.com/linux/latest/source/kernel/fork.c#L2100 if (is_ucounts_overlimit(task_ucounts(p), UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC))) { if (p->real_cred->user != INIT_USER && !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) goto bad_fork_cleanup_count; } I don't understand _why_ uid 0 is excluded in such a way, and I'm not sure if p->real_cread->user != INIT_USER really checks the ruid. Anyway, here's a patch for the man page of getrlimit that would have helped me save some trouble :) diff --git a/man2/getrlimit.2 b/man2/getrlimit.2 index 648fd3c85..7268556e6 100644 --- a/man2/getrlimit.2 +++ b/man2/getrlimit.2 @@ -359,7 +359,8 @@ limit is not enforced for processes that have either the .B CAP_SYS_ADMIN or the .B CAP_SYS_RESOURCE -capability. +capability, +or run with real user ID 0. .TP .B RLIMIT_RSS This is a limit (in bytes) on the process's resident set Robert
