On Mon, Feb 14, 2022 at 09:10:49AM -0600, "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> wrote: > I really like how cleanly this patch seems to be. Unfortunately it is > wrong. It seems [1] so: setuid() // RLIMIT_NPROC is fine at this moment ... fork() ... ... fork() execve() // eh, oh This "punishes" the exec'ing task although the cause is elsewhere. Michal [1] The decoupled setuid()+execve() check can be interpretted both ways. I understood historically the excess at the setuid() moment is relevant.
