[PATCH] rlimit_nproc

From: Rik van Riel (riel@conectiva.com.br)
Date: Thu Dec 27 2001 - 15:18:08 EST


(not yet automated, scripts need to be written ... but the patch
below would be a typical candidate ... are you happy with the way
the description and patch are combined ?)

When a user has a low RLIMIT_NPROC set in limits.conf, the user fails
to log in. This is because the programs using pam basically do the
  1) apply rlimits, setting RLIMIT_NPROC to eg. 10
  2) fork() to spawn the shell, which fails if root has
     more processes running than the per-user limit
  3) change to the user's UID
  4) exec() the shell

This patch ignores the limit for root so it's possible to use limit
on the amount of processes per user again. This is also a good thing
because the processes it ignores change UID again. Server processes
running as root need to do their own limiting anyway, otherwise they'd
just starve out the proverbial root shell.

--- linux/kernel/fork.c.orig Fri Jun 22 20:27:27 2001
+++ linux/kernel/fork.c Fri Jun 22 20:52:41 2001
@@ -576,7 +576,14 @@
         *p = *current;

         retval = -EAGAIN;
- if (atomic_read(&p->user->processes) >= p->rlim[RLIMIT_NPROC].rlim_cur)
+ /*
+ * Check if we are over our maximum process limit, but be sure to
+ * exclude root. This is needed to make it possible for login and
+ * friends to set the per-user process limit to something lower
+ * than the amount of processes root is running. -- Rik
+ */
+ if (atomic_read(&p->user->processes) >= p->rlim[RLIMIT_NPROC].rlim_cur
+ && !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
                 goto bad_fork_free;

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

This archive was generated by hypermail 2b29 : Mon Dec 31 2001 - 21:00:15 EST