Date: Wed, 23 Feb 2022 22:28:39 +0100
From: Willy Tarreau
To: Andy Lutomirski
Cc: "Eric W. Biederman", linux-api@vger.kernel.org, Etienne Dechamps, Alexey Gladkov, Kees Cook, Shuah Khan, Christian Brauner, Solar Designer, Ran Xiaokai, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Linux Containers, Michal Koutný, security@kernel.org, Neil Brown, NeilBrown, "Serge E. Hallyn", Jann Horn
Subject: Re: How should rlimits, suid exec, and capabilities interact?
Message-ID: <20220223212839.GA12121@1wt.eu>
References: <20220207121800.5079-1-mkoutny@suse.com> <20220215101150.GD21589@blackbody.suse.cz> <87zgmi5rhm.fsf@email.froward.int.ebiederm.org> <87fso91n0v.fsf_-_@email.froward.int.ebiederm.org>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Andy,

On Wed, Feb 23, 2022 at 11:44:51AM -0800, Andy Lutomirski wrote:
> On Wed, Feb 23, 2022 at 10:00 AM Eric W. Biederman wrote:
> >
> > [CC'd the security list because I really don't know who the right people
> > are to drag into this discussion]
> >
> > While looking at some issues that have cropped up with making it so
> > that RLIMIT_NPROC cannot be escaped by creating a user namespace I have
> > stumbled upon a very old issue of how rlimits and suid exec interact
> > poorly.
>
> Once upon a time, these resource limits were effectively the only way
> to control memory consumption and consumption of historically limited
> resources like processes.  (The scheduler used to have serious issues
> with too many processes -- this is not so true any more.  And without
> cgroups, too many processes could use too much CPU collectively.)
> This all worked pretty poorly.  Now we have cgroups, fancy memory
> accounting, etc.  So I'm wondering if NPROC is even useful anymore.  I
> don't have a brilliant idea of how to deprecate it, but I think it
> wouldn't be entirely nuts to take it much less seriously and maybe
> even eventually get rid of it.
>
> I doubt there is much existing userspace that would break if a
> previously failing fork() started succeeding.

I strongly disagree. I've been using it for a long time as a security
measure. Setting NPROC to 0 after daemonizing remains a particularly
effective and portable method to mitigate the possible consequences of
an in-process intrusion. While I wouldn't care about approximate non-zero
values, for me it would be a significant security regression to drop the
inability to fork() when the limit is zero. Thus at least I do want to
keep that feature when NPROC is zero.

Willy
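The mitigation Willy describes above, as an added example that is not part of the original message nor taken from any project he maintains: a process lowers both the soft and hard RLIMIT_NPROC to zero after it has finished setting itself up, so that any code later injected into it can no longer fork() or clone(). Function names (lock_down_nproc, nproc_limit_is_zero, try_fork, nproc_limit_enforced_for_me) are this example's own. Three caveats a practitioner needs, all visible in the code: the kernel skips the NPROC check in copy_process() for real uid 0 in the initial user namespace (and for CAP_SYS_RESOURCE/CAP_SYS_ADMIN), so the daemon must drop to an unprivileged real uid first or the limit is decorative; RLIMIT_NPROC counts threads as well as processes, so all worker threads have to exist before the limit is lowered; and lowering rlim_max to 0 is irreversible for the process, which is the point.

```c
/* nproc_lock.c: lock a non-root daemon out of fork()/clone() by
 * dropping RLIMIT_NPROC to zero, then verify that it worked.
 * Build: cc -Wall -o nproc_lock nproc_lock.c ; run as an unprivileged
 * user to see the fork() refusal.  Example code, not from the thread. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop both the soft and hard RLIMIT_NPROC to zero.  Lowering a limit
 * needs no privilege, and once rlim_max is 0 the process (and any code
 * injected into it) cannot raise it again.  Returns 0 on success, -1
 * with errno set otherwise. */
int lock_down_nproc(void)
{
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Read the limit back: 1 if both soft and hard limits are 0, else 0. */
int nproc_limit_is_zero(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

/* Attempt a fork().  Returns 0 if the kernel refused with EAGAIN (the
 * RLIMIT_NPROC failure), 1 if a child was created (it exits at once
 * and is reaped), -1 on any other error. */
int try_fork(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno == EAGAIN ? 0 : -1;
    if (pid == 0)
        _exit(0);
    while (waitpid(pid, NULL, 0) < 0 && errno == EINTR)
        ;
    return 1;
}

/* copy_process() skips the RLIMIT_NPROC check when the real uid is 0
 * in the initial user namespace (or the task holds CAP_SYS_RESOURCE /
 * CAP_SYS_ADMIN), so the lock only bites after the daemon has dropped
 * to an unprivileged real uid.  This helper only looks at the uid. */
int nproc_limit_enforced_for_me(void)
{
    return getuid() != 0;
}

int main(void)
{
    /* A real daemon would fork(), setsid() and spawn its worker threads
     * before this point: RLIMIT_NPROC also counts threads, so clone()
     * for a new thread fails the same way once the limit is zero. */
    if (lock_down_nproc() != 0) {
        perror("setrlimit(RLIMIT_NPROC)");
        return 1;
    }
    printf("RLIMIT_NPROC is now %s\n",
           nproc_limit_is_zero() ? "0/0" : "NOT zero");

    int r = try_fork();
    if (r == 0)
        printf("fork() refused with EAGAIN: spawning helpers from a "
               "compromised process is blocked\n");
    else if (r == 1)
        printf("fork() succeeded%s\n", nproc_limit_enforced_for_me() ? "" :
               " (real uid 0 bypasses RLIMIT_NPROC; rerun unprivileged)");
    else
        perror("fork");
    return 0;
}
```

This blocks the classic post-exploitation step of spawning a shell or reverse-shell helper from the compromised daemon. It does not stop code already running inside the process, and a plain (non-setuid) execve() that replaces the daemon's image is not subject to RLIMIT_NPROC, so it is a cheap, portable layer next to seccomp or a cgroup pids limit rather than a replacement for them.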