RE: [patch] RLIMIT_NPROC not enforced for root user, irrespective capabilities

Hi everyone,

I hope you don't mind me asking again :)
I would really appreciate it if you could take some time to review my man-page fix:

> I've noticed that uid 0 ignores RLIMIT_NPROC even if it has neither CAP_SYS_ADMIN nor CAP_SYS_RESOURCE.
> The corresponding kernel code is in kernel/fork.c line 2100,
> and I'm not sure if p->real_cred->user != INIT_USER really checks the ruid.


Thanks again,
Robert


-----Original Message-----
From: Alejandro Colomar <alx.manpages@xxxxxxxxx> 
Sent: 15 June 2022 18:27
To: Eric Paris <eparis@xxxxxxxxxx>; Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>; David Howells <dhowells@xxxxxxxxxx>
Cc: linux-man@xxxxxxxxxxxxxxx; mtk.manpages@xxxxxxxxx; Schneider, Robert <robert.schneider03@xxxxxxx>
Subject: Re: [patch] RLIMIT_NPROC not enforced for root user, irrespective capabilities

Hi Eric, Andrew, and David,

On 6/15/22 18:04, Schneider, Robert wrote:
> Hi,
> 
> I've noticed that uid 0 ignores RLIMIT_NPROC even if it has neither CAP_SYS_ADMIN nor CAP_SYS_RESOURCE.
> The corresponding kernel code is in kernel/fork.c line 2100,
> https://elixir.bootlin.com/linux/latest/source/kernel/fork.c#L2100
> 
>          if (is_ucounts_overlimit(task_ucounts(p), UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC))) {
>                  if (p->real_cred->user != INIT_USER &&
>                      !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
>                          goto bad_fork_cleanup_count;
>          }
> 
> I don't understand _why_ uid 0 is excluded in such a way,
> and I'm not sure if p->real_cred->user != INIT_USER really checks the ruid.
> Anyway, here's a patch for the man page of getrlimit that would have 
> helped me save some trouble :)
> 

Could you please confirm that this manual page update is precise?

Thanks,

Alex

> 
> diff --git a/man2/getrlimit.2 b/man2/getrlimit.2 index 
> 648fd3c85..7268556e6 100644
> --- a/man2/getrlimit.2
> +++ b/man2/getrlimit.2
> @@ -359,7 +359,8 @@ limit is not enforced for processes that have either the
>   .B CAP_SYS_ADMIN
>   or the
>   .B CAP_SYS_RESOURCE
> -capability.
> +capability,
> +or run with real user ID 0.
>   .TP
>   .B RLIMIT_RSS
>   This is a limit (in bytes) on the process's resident set
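
Review bot: the added line "or run with real user ID 0" states more than the kernel check quoted in this thread shows. That condition is `p->real_cred->user != INIT_USER`, a comparison of user structures rather than of a numeric UID, and the submitter says he is unsure that it checks the real UID; please have that confirmed and, if the exemption holds only for the root user of the initial user namespace, say so in the sentence. Separately, the context line "limit is not enforced for processes that have either the" now introduces three alternatives, so "either" should be dropped or the sentence restructured.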
> 
> 
> Robert

--
Alejandro Colomar
<http://www.alejandro-colomar.es/>
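
An added example, not part of the original thread or of the kernel source: a small C checker that applies the fork.c condition quoted above to the text of a /proc/<pid>/status file and reports whether RLIMIT_NPROC would constrain that process. It assumes the process runs in the initial user namespace, so that real UID 0 corresponds to INIT_USER; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>. */
#define CAP_SYS_ADMIN_BIT    21
#define CAP_SYS_RESOURCE_BIT 24

/* Return the text following `key` where `key` starts a line, or NULL. */
static const char *status_field(const char *status, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, key, klen) == 0)
            return p + klen;
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return NULL;
}

/* 1 = limit not enforced, 0 = enforced, -1 = status text not parseable.
 * Assumption: initial user namespace, so real UID 0 means INIT_USER. */
int nproc_limit_exempt(const char *status)
{
    const char *uid = status_field(status, "Uid:");    /* real UID is field 1 */
    const char *cap = status_field(status, "CapEff:"); /* hex bitmask */
    unsigned int ruid;
    unsigned long long capeff;

    if (!uid || !cap || sscanf(uid, "%u", &ruid) != 1 ||
        sscanf(cap, "%llx", &capeff) != 1)
        return -1;
    return ruid == 0 ||
           (capeff & (1ULL << CAP_SYS_RESOURCE_BIT)) != 0 ||
           (capeff & (1ULL << CAP_SYS_ADMIN_BIT)) != 0;
}

int main(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    printf("RLIMIT_NPROC exempt: %d\n", nproc_limit_exempt(buf));
    return 0;
}
```

A result of 1 for a service that runs as uid 0 with all capabilities dropped is the case this thread is about: the process limit does not contain it.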



