From: Christos Zoulas (christosastron.com)
Date: Sat Jan 12 2008 - 12:15:19 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In article <20080112061745.GA13745netbsd.org>,
David Holland <dholland-securitynetbsd.org> wrote:
>On Thu, Jan 10, 2008 at 04:23:47PM -0500, Christos Zoulas wrote:
> > The biggest problem I see with the change is that
> > a process that did not exceed the quota can be penalized about it.
> > Consider the case where a root daemon forks, runs setuid and sleeps
> > bringing the user above the NPROC resource limit. Then if a different
> > shell process tries to exec, it will fail.
>
>One could mostly work around this by only checking at exec time in
>processes that have been previously marked PK_SUGID (that covers
>processes that shift down from root, right?) or are about to be.

That is a great idea!

christos

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]