lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 2 Feb 2009 17:20:00 +0100
From:	Adam Tkac <vonsch@...il.com>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	Peter Palfrader <weasel@...ian.org>, linux-kernel@...r.kernel.org,
	debian-admin@...ts.debian.org, team@...urity.debian.org,
	libpam-modules@...kages.debian.org, stable@...nel.org
Subject: Re: 2.6.28, rlimits, performance and debian etch

On Thu, Jan 29, 2009 at 10:05:09AM -0800, Andrew Morton wrote:
> On Thu, 29 Jan 2009 13:19:00 +0100 Adam Tkac <vonsch@...il.com> wrote:
> 
> > 
> > Hi all,
> > 
> > I don't think the "rlim_infinity" patch should be reverted. Let me try
> > to explain why.
> > 
> > First, code which sets limits to RLIM_INFINITY is very bad idea and
> > that code is Debian specific. I downloaded original pam 0.79 (stripped):
> > 
> > for(i = 0; i < RLIM_NLIMITS; i++) {
> > 	...
> > 	int r = getrlimit(i, &pl->limits[i].limit);
> > 	...
> > 
> > as you can see original pam sets limits to inherited defaults. After
> > code written above Debian adds their patch:
> > 
> > if (limits_not_defined_in_limits_conf) {
> > 	...
> > 	case RLIMIT_NOFILE:
> > 	...
> > 		pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
> > 		pl->limits[i].limit.rlim_max = RLIM_INFINITY;
> > 	...
> > }
> > 
> > so as you can see inherited default limits are overriden to infinity.
> > In my opinion Debian should revert their patch which is, at least,
> > pretty incorrect and unsecure.
> > 
> > Next argument is POSIX compatibility (from setrlimit() specification):
> > 
> > "The value RLIM_INFINITY, defined in <sys/resource.h>, shall be
> > considered to be larger than any other limit value. If a call to
> > getrlimit() returns RLIM_INFINITY for a resource, it means the
> > implementation shall not enforce limits on that resource. Specifying
> > RLIM_INFINITY as any resource limit value on a successful call to
> > setrlimit() shall inhibit enforcement of that resource limit."
> > 
> > So kernel does what is expected. If you want "unlimited" number of
> > descriptors, you have it.
> > 
> > Please consider again where exactly problem is, if in Debian patch or
> > in kernel patch. From my point of view Debian patch should be
> > reverted, not the kernel one.
> > 
> 
> Sure, debian might well be wrong.  But the bottom line is that the
> kernel changed, and people's machines broke.
> 
> If the kernel change was really really important then we might just
> grit our teeth and live with the breakage.  But this change _wasn't_ a
> terribly important one.  So I think we should back it out while we find
> another way of implementing it which does not break currently deployed
> installations.

Well, if we should fix Debian's problem I think better would be to set
limit of files to reasonable number instead of sysctl_nr_open (for
example 4096 or 8192).

Adam
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ