On Wed, Jul 05, 2017 at 05:19:47PM -0700, Andy Lutomirski wrote: > I think it's ridiculous that you can change rlimits and then > exec a setuid thing. It's not so easy to fix, though. Maybe track, > per-task, inherited by clone and exec, what the rlimits were the last > time the process had privilege and reset to those limits when running > something setuid. But a better approach might be to have some sysctls > that say what the rlimits become when doing setuid.
*Some* rlimits are useful and needed for the user as you mentionned. RLIMIT_CORE definitely is one of them, especially for debugging, when combined with suid_dumpable. Some others like RLIMIT_STACK should probably never be configurable at all and cause trouble. Probably that simply having a sysctl to set this one for setuid programs and ignore the current limit would be enough. We could even imagine another one to set the stack guard gap for setuid programs (this would also limit the impacts of having a large gap for everyone). > We need per-user-ns sysctls for stuff like this, and we don't really > have them... I don't think we need to be this fine-grained. min_mmap_addr is global, is used to address very similar issues and nobody seems to complain. Willy
