Re: [patch] RLIMIT_NPROC not enforced for root user, irrespective capabilities

[Alejandro Colomar <alx.manpages@xxxxxxxxx>]

Hi Robert,

On 7/11/22 14:33, Schneider, Robert wrote:
> Hi everyone,
>
> I hope you don't mind me asking again :)
> I would really appreciate if you could take some time to review my man-page fix:
>
> > I've noticed that uid 0 ignores RLIMIT_NPROC even if it doesn't have neither CAP_SYS_ADMIN nor CAP_SYS_RESOURCE.
> > The corresponding kernel code is in kernel/fork.c line 2100,
> > and I'm not sure if p->real_cread->user != INIT_USER really checks the ruid.
>
>
> Thanks again,
> Robert


I tried to apply the patch, when I noticed that the format is not plain 
text.  (And git refuses to apply it.)

Could you please resend it making sure that it's plain text?
git-format-patch(1) in combination with git-send-email(1) might help.

Otherwise, I can try to apply it manually...

Thanks,

Alex
> -----Original Message-----
> From: Alejandro Colomar <alx.manpages@xxxxxxxxx>
> Sent: 15 June 2022 18:27
> To: Eric Paris <eparis@xxxxxxxxxx>; Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>; David Howells <dhowells@xxxxxxxxxx>
> Cc: linux-man@xxxxxxxxxxxxxxx; mtk.manpages@xxxxxxxxx; Schneider, Robert <robert.schneider03@xxxxxxx>
> Subject: Re: [patch] RLIMIT_NPROC not enforced for root user, irrespective capabilities
>
> Hi Eric, Andrew, and David,
>
> On 6/15/22 18:04, Schneider, Robert wrote:
> > Hi,
> >
> > I've noticed that uid 0 ignores RLIMIT_NPROC even if it doesn't have neither CAP_SYS_ADMIN nor CAP_SYS_RESOURCE.
> > The corresponding kernel code is in kernel/fork.c line 2100,
> > https://elixir.bootlin.com/linux/latest/source/kernel/fork.c#L2100
> >
> >           if (is_ucounts_overlimit(task_ucounts(p), UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC))) {
> >                   if (p->real_cred->user != INIT_USER &&
> >                       !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
> >                           goto bad_fork_cleanup_count;
> >           } > I don't understand _why_ uid 0 is excluded in such a way,
> > and I'm not
> sure if p->real_cread->user != INIT_USER really checks the ruid.
> > Anyway, here's a patch for the man page of getrlimit that would have
> > helped me save some trouble :)
>
> Could you please confirm that this manual page update is precise?
>
> Thanks,
>
> Alex
>
> > diff --git a/man2/getrlimit.2 b/man2/getrlimit.2 index
> > 648fd3c85..7268556e6 100644
> > --- a/man2/getrlimit.2
> > +++ b/man2/getrlimit.2
> > @@ -359,7 +359,8 @@ limit is not enforced for processes that have either the
> >    .B CAP_SYS_ADMIN
> >    or the
> >    .B CAP_SYS_RESOURCE
> > -capability.
> > +capability,
> > +or run with real user ID 0.
> >    .TP
> >    .B RLIMIT_RSS
> >    This is a limit (in bytes) on the process's resident set
> >
> >
> > Robert
>
> --
> Alejandro Colomar
> <http://www.alejandro-colomar.es/>

--
Alejandro Colomar
<http://www.alejandro-colomar.es/>

Attachment: OpenPGP_signature
Description: OpenPGP digital signature