On Tue, 27 Jun 2017, Oleg Nesterov wrote:

> Perhaps it makes sense to reset RLIMITs on suid exec (say, if
> bprm->per_clear is not zero) ? Yes, it is not clear how should we define
> SANE_RLIMITS_FOR_SUID, and this should probably depend on sysctl, etc.

Hmm, this should be a userspace-defined policy. On a 'standard' (PAM-based)
system, I think a sane expectation would be to get the same limits as the
ones enforced by pam_limits configuration, but syncing those with kernel
feels awkward.

Thanks,

--
Jiri Kosina
SUSE Labs