On Wed, Feb 23, 2022 at 10:00 AM Eric W. Biederman ebiederm@xmission.com wrote:
[CC'd the security list because I really don't know who the right people are to drag into this discussion]
While looking at some issues that have cropped up with making it so that RLIMIT_NPROC cannot be escaped by creating a user namespace I have stumbled upon a very old issue of how rlimits and suid exec interact poorly.
Once upon a time, these resource limits were effectively the only way to control memory consumption and consumption of historically limited resources like processes. (The scheduler used to have serious issues with too many processes -- this is not so true any more. And without cgroups, too many processes could use too much CPU collectively.) This all worked pretty poorly. Now we have cgroups, fancy memory accounting, etc. So I'm wondering if NPROC is even useful anymore. I don't have a brilliant idea of how to deprecate it, but I think it wouldn't be entirely nuts to take it much less seriously and maybe even eventually get rid of it.
I doubt there is much existing userspace that would break if a previously failing fork() started succeeding.
--Andy]