lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-id: <48B4301A.5010600@sun.com>
Date:	Tue, 26 Aug 2008 12:32:26 -0400
From:	David Collier-Brown <davecb@....com>
To:	Vivek Goyal <vgoyal@...hat.com>
Cc:	balbir@...ux.vnet.ibm.com, Paul Menage <menage@...gle.com>,
	righi.andrea@...il.com,
	KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com>,
	linux kernel mailing list <linux-kernel@...r.kernel.org>,
	Dhaval Giani <dhaval@...ux.vnet.ibm.com>,
	Kazunaga Ikeno <k-ikeno@...jp.nec.com>,
	Morton Andrew Morton <akpm@...ux-foundation.org>,
	Thomas Graf <tgraf@...hat.com>,
	Ulrich Drepper <drepper@...hat.com>,
	Steve Olivieri <solivier@...hat.com>
Subject: Re: [RFC] [PATCH -mm] cgroup: uid-based rules to add processes
	efficiently in the right cgroup



Vivek Goyal wrote:
> Who executes default rules? IOW, how do you make sure tasks of user.davecb
> end up in project 101 only and not outside?

A classifier at login/connect starts each new process off in the correct group.
New processes inherit their parent's group unless you use newtask or su.

> So by default all the tasks of user.davecb will run into project 101 until
> user davecb decides to launch some background jobs in project 100 using
> newtask?

That's right, the and cgexec-like "newtask" is what I use
to script things: for example, my background script says

       case "$1" in
        [0-9]*) # It's a pid
                newtask -p bg -c $1
                ;;
        *) # It's a command-line
                newtask -p bg "$@" &
                ;;
        esac

There's also an -F option to put a process into a cgroup
and never let it newtask itself or it's children to another one,
so that software from Dr Evil, Inc. can't do privilege 
escalation (;-))

--dave
-- 
David Collier-Brown            | Always do right. This will gratify
Sun Microsystems, Toronto      | some people and astonish the rest
davecb@....com                 |                      -- Mark Twain
cell: (647) 833-9377, bridge: (877) 385-4099 code: 506 9191#
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ