Nick Piggin wrote:
> Al Boldi wrote:
> > Nick Piggin wrote:
> >>Al Boldi wrote:
> >>>Could do that by:
> >>>
> >>> # echo 1 > /proc/sys/kernel/su-pid
> >>>
> >>>which would imply nr-threads = 1
> >>>
> >>>So maybe introduce /proc/sys/kernel/nr-threads to allow that to be
> >>>variable, but this isn't really critical.
> >>
> >>Why not just have su-nr-threads?
> >
> > Unless I am misunderstanding you, even root/root-proc can be hit by a
> > runaway, so the threads-max limits this globally which is great, but
> > this may lock-you out of being able to control the situation based on
> > uid only.
> >
> > Thus this patch gives root the ability to allow a certain pid to exceed
> > the threads-max limit, while all other pids are still limited.
>
> But the point is that root is able to get their pids under control,
> and can't be DoSed by unpriv users. Right?
Or even by root.
> Nothing is going to be perfect, I mean the su-pid pid could get "hit
> bya runaway" and is arguably worse than nr-threads-su, because it has
> no upper limit and coult take down the whole system.
The su-pid is a temporary measure set by root after evaluating the current
situation, and additionally limiting this by su-nr(pid)-threads may probably
be a good idea. Maybe something like this:
if (nr_threads >= max_threads)
if ((p->pid != su_pid) || (nr_threads >= (max_threads + su_pid_threads)))
goto bad_fork_cleanup_count;
But I really don't think this is critical.
Thanks!
--
Al
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]