Bug 42704

Summary: execve may return EAGAIN on v3.1 or later
Product: Documentation Reporter: KOSAKI Motohiro (kosaki.motohiro)
Component: man-pages Assignee: documentation_man-pages (documentation_man-pages)
Status: RESOLVED CODE_FIX    
Severity: normal CC: mtk.manpages
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: Subsystem:
Regression: No Bisected commit-id:

Description KOSAKI Motohiro 2012-01-31 18:00:15 UTC
The following commit changed the RLIMIT_NPROC rule. Now set*uid() never returns EAGAIN. Instead,
execve() may return EAGAIN.

It would be better if the man pages reflected this change.



commit 72fa59970f8698023045ab0713d66f3f4f96945c
Author: Vasiliy Kulikov 
Date:   Mon Aug 8 19:02:04 2011 +0400

    move RLIMIT_NPROC check from set_user() to do_execve_common()
Comment 1 Michael Kerrisk 2012-04-17 19:03:47 UTC
Vasiliy,

Thanks for raising this bug. I think the best approach would be to leave the existing EAGAIN text in the set*uid pages (possibly with a note about v3.1 changes), and add some text to the execve.2 page.

However, I have a question: I can understand adding the check to execve(), but why was it removed from set*uid()? Surely it was still useful to applications that actually do check the return status from set*uid()?
Comment 2 KOSAKI Motohiro 2012-04-18 00:23:10 UTC
Hmm..

I'm not Vasiliy and I couldn't add him to cc list (I don't know why).
But maybe I can answer this.

Now, many, many applications don't check the return code, and this ignorance may cause a critical security issue. set*id() is usually used for dropping root privilege, and then a failure means the application runs untrusted code with root privilege. That's dangerous. So set*id() should ignore the rlimit and always be able to drop a privilege.

On the other hand, execve() is used for getting a privilege. Then a failure is not a security threat.

Next, applications should still check the set*uid() return value because they may run on an older kernel.

Thank you.
Comment 3 Michael Kerrisk 2014-05-28 15:14:12 UTC
Patch (ebd381ba7b73) sitting in Git. Will be released with man-pages-3.69.
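
The following C sketch is an added example, not code from this bug thread, the kernel commit, or the man-pages patch. It shows a privilege drop that checks and verifies the set*uid() result (still needed on kernels before v3.1) and an execv() wrapper that reports EAGAIN on v3.1 or later. The names `drop_privileges` and `exec_checked`, the uid/gid 65534 and the `/usr/bin/id` command are assumptions chosen for illustration.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Drop to uid/gid permanently. Returns 0 only if every step succeeded
 * and the drop was verified; the caller must abort on -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only a privileged process can (and needs to) clear its groups. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)        /* group first: needs privilege we lose next */
        return -1;
    if (setuid(uid) != 0)        /* kernels before v3.1 can fail here with EAGAIN */
        return -1;
    /* Verify instead of trusting the return value alone. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* regaining root must be impossible */
        return -1;
    return 0;
}

/* Returns only when execv() failed; errno is preserved for the caller. */
int exec_checked(const char *path, char *const argv[])
{
    execv(path, argv);
    int saved = errno;
    if (saved == EAGAIN)         /* v3.1+: RLIMIT_NPROC is enforced at execve() */
        fprintf(stderr, "execv: process limit reached for uid %ld\n", (long)getuid());
    else
        fprintf(stderr, "execv %s: %s\n", path, strerror(saved));
    errno = saved;
    return -1;
}

int main(void)
{
    char *const argv[] = { "id", NULL };           /* constructed sample command */
    uid_t uid = geteuid() == 0 ? 65534 : getuid(); /* assumed unprivileged uid */
    gid_t gid = geteuid() == 0 ? 65534 : getgid(); /* assumed unprivileged gid */
    if (drop_privileges(uid, gid) != 0)
        return 1;                /* never continue with privileges still held */
    exec_checked("/usr/bin/id", argv);
    return 126;                  /* reached only if execv() failed */
}
```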