Hi Alex, sorry for the patch issue. I'm stuck here with Outlook for the time being, but let me give it another shot. I'll also attach it as a file. From db1e7060a5db45a6f8678ea001733518288fa518 Mon Sep 17 00:00:00 2001 From: Robert Schneider <robert.schneider03@xxxxxxx> Date: Thu, 28 Jul 2022 07:40:56 +0000 Subject: [PATCH] RLIMIT_NPROC also ignored for ruid 0 --- man2/getrlimit.2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/man2/getrlimit.2 b/man2/getrlimit.2 index 373622077..26ba7d68c 100644 --- a/man2/getrlimit.2 +++ b/man2/getrlimit.2 @@ -342,7 +342,8 @@ limit is not enforced for processes that have either the .B CAP_SYS_ADMIN or the .B CAP_SYS_RESOURCE -capability. +capability, +or run with real user ID 0. .TP .B RLIMIT_RSS This is a limit (in bytes) on the process's resident set -- 2.35.1 Robert -----Original Message----- 
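Review bot: the patch has no commit body and no Signed-off-by line; man-pages expects both, and here the body matters because the wording change rests on the kernel/fork.c check quoted earlier in this thread (`if (p->real_cred->user != INIT_USER && !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))`), so cite that check in the body so a later reader of git log can confirm which UID is meant. On the wording itself, `p->real_cred->user` is the user_struct of the real UID and `INIT_USER` is the global root user, so "real user ID 0" is the right reading, and since the thread was unsure on exactly this point the body should say explicitly that the effective UID plays no part. Because the comparison is against INIT_USER rather than against a UID value, a real UID that is 0 only inside a non-initial user namespace does not match; consider "or run with real user ID 0 in the initial user namespace" for the man page text.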
From: Alejandro Colomar <alx.manpages@xxxxxxxxx>
Sent: 26 July 2022 21:19
To: Schneider, Robert <robert.schneider03@xxxxxxx>; Eric Paris <eparis@xxxxxxxxxx>; Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>; David Howells <dhowells@xxxxxxxxxx>
Cc: linux-man@xxxxxxxxxxxxxxx; mtk.manpages@xxxxxxxxx
Subject: Re: [patch] RLIMIT_NPROC not enforced for root user, irrespective capabilities

Hi Robert,

On 7/11/22 14:33, Schneider, Robert wrote:
> Hi everyone,
>
> I hope you don't mind me asking again :) I would really appreciate it if
> you could take some time to review my man-page fix:
>
>> I've noticed that uid 0 ignores RLIMIT_NPROC even if it has neither CAP_SYS_ADMIN nor CAP_SYS_RESOURCE.
>> The corresponding kernel code is in kernel/fork.c line 2100, and I'm
>> not sure if p->real_cred->user != INIT_USER really checks the ruid.
>
>
> Thanks again,
> Robert

I tried to apply the patch, when I noticed that the format is not plain text.
(And git refuses to apply it.)

Could you please resend it making sure that it's plain text?
git-format-patch(1) in combination with git-send-email(1) might help.

Otherwise, I can try to apply it manually...

Thanks,

Alex

>
>
> -----Original Message-----
> From: Alejandro Colomar <alx.manpages@xxxxxxxxx> > Sent: 15 June 2022 18:27 > To: Eric Paris <eparis@xxxxxxxxxx>; Andrew Morton > <akpm@xxxxxxxxxxxxxxxxxxxx>; David Howells <dhowells@xxxxxxxxxx> > Cc: linux-man@xxxxxxxxxxxxxxx; mtk.manpages@xxxxxxxxx; Schneider, > Robert <robert.schneider03@xxxxxxx> > Subject: Re: [patch] RLIMIT_NPROC not enforced for root user, > irrespective capabilities > > Hi Eric, Andrew, and David, > > On 6/15/22 18:04, Schneider, Robert wrote: >> Hi, >> >> I've noticed that uid 0 ignores RLIMIT_NPROC even if it doesn't have neither CAP_SYS_ADMIN nor CAP_SYS_RESOURCE. >> The corresponding kernel code is in kernel/fork.c line 2100, >> https://elixir.bootlin.com/linux/latest/source/kernel/fork.c#L2100 >> >> if (is_ucounts_overlimit(task_ucounts(p), UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC))) { >> if (p->real_cred->user != INIT_USER && >> !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) >> goto bad_fork_cleanup_count; >> } > I don't understand _why_ uid 0 is excluded in such a >> way, and I'm not > sure if p->real_cread->user != INIT_USER really checks the ruid. >> Anyway, here's a patch for the man page of getrlimit that would have >> helped me save some trouble :) >> > > Could you please confirm that this manual page update is precise? > > Thanks, > > Alex > >> >> diff --git a/man2/getrlimit.2 b/man2/getrlimit.2 index >> 648fd3c85..7268556e6 100644 >> --- a/man2/getrlimit.2 >> +++ b/man2/getrlimit.2 >> @@ -359,7 +359,8 @@ limit is not enforced for processes that have either the >> .B CAP_SYS_ADMIN >> or the >> .B CAP_SYS_RESOURCE >> -capability. >> +capability, >> +or run with real user ID 0. >> .TP >> .B RLIMIT_RSS >> This is a limit (in bytes) on the process's resident set >> >> >> Robert > > -- > Alejandro Colomar > <http://www.alejandro-colomar.es/> -- Alejandro Colomar <http://www.alejandro-colomar.es/>
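To make the behaviour discussed in this thread observable from user space, here is an added C probe (written for this page; it is not code from the thread, from the kernel, or from the man-pages project). It lowers the RLIMIT_NPROC soft limit to 0 and attempts a single fork(): under the kernel/fork.c check quoted above, a process with a non-zero real UID and neither CAP_SYS_RESOURCE nor CAP_SYS_ADMIN gets EAGAIN, while a process whose real UID is 0 still forks. The enum, the function names and the output format are my own choices; the probe reports the real UID via getuid() but does not inspect capabilities, so an "exempt" result on a non-root process points at one of the two capabilities.

```c
/* Added example (not from the thread or the man-pages project): probe
 * whether RLIMIT_NPROC is enforced for the calling process. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum nproc_result {
    NPROC_ENFORCED,  /* fork() failed with EAGAIN under a zero soft limit */
    NPROC_EXEMPT,    /* a child was created anyway: ruid 0, or CAP_SYS_RESOURCE/CAP_SYS_ADMIN */
    NPROC_ERROR      /* the probe itself could not run; errno says why */
};

const char *nproc_result_name(enum nproc_result r)
{
    switch (r) {
    case NPROC_ENFORCED: return "enforced";
    case NPROC_EXEMPT:   return "exempt";
    default:             return "error";
    }
}

/* Temporarily set the RLIMIT_NPROC soft limit to 0, try one fork(), and
 * restore the previous limits before returning. Only the soft limit is
 * touched, so an unprivileged caller can always raise it back to the
 * saved value (rlim_cur may be raised up to rlim_max without privilege). */
enum nproc_result probe_rlimit_nproc(void)
{
    struct rlimit saved, probe;
    enum nproc_result result = NPROC_ERROR;
    int saved_errno;

    if (getrlimit(RLIMIT_NPROC, &saved) != 0)
        return NPROC_ERROR;

    probe.rlim_cur = 0;
    probe.rlim_max = saved.rlim_max;
    if (setrlimit(RLIMIT_NPROC, &probe) != 0)
        return NPROC_ERROR;

    pid_t pid = fork();
    if (pid == 0) {
        _exit(0);            /* child: exit at once, nothing to do */
    } else if (pid > 0) {
        int status;          /* parent: reap the child so it does not linger */
        while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
            ;
        result = NPROC_EXEMPT;
    } else if (errno == EAGAIN) {
        result = NPROC_ENFORCED;   /* the limit was applied to this process */
    }

    saved_errno = errno;
    (void)setrlimit(RLIMIT_NPROC, &saved);  /* put the original limits back */
    errno = saved_errno;
    return result;
}

/* The man-page wording under review predicts exemption for real UID 0;
 * getuid() reports exactly that (the real UID, not the effective one). */
int real_uid_is_root(void)
{
    return getuid() == 0;
}

int main(void)
{
    enum nproc_result r = probe_rlimit_nproc();

    printf("real uid %u (%s): RLIMIT_NPROC is %s\n",
           (unsigned)getuid(),
           real_uid_is_root() ? "root" : "not root",
           nproc_result_name(r));
    if (r == NPROC_ERROR)
        printf("probe failed: %s\n", strerror(errno));
    return r == NPROC_ERROR;
}
```

Run it once as an ordinary user and once with real UID 0 to see the two outcomes side by side; running it as UID 0 inside a user namespace (a rootless container, for instance) is a useful third case, since that UID is not the global root user the kernel compares against.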
Attachment:
0001-RLIMIT_NPROC-also-ignored-for-ruid-0.patch