Bug 42704 - execve may return EAGAIN on v3.1 or later
Summary: execve may return EAGAIN on v3.1 or later
Status: RESOLVED CODE_FIX
Alias: None
Product: Documentation
Classification: Unclassified
Component: man-pages (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: documentation_man-pages@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-31 18:00 UTC by KOSAKI Motohiro
Modified: 2014-05-28 15:14 UTC (History)
1 user (show)

See Also:
Kernel Version:
Tree: Mainline
Regression: No


Attachments

Description KOSAKI Motohiro 2012-01-31 18:00:15 UTC
Following commit changed RLIMIT_NPROC rule. now set*uid() never return EAGAIN. And instead,
execve() may return EAGAIN.

If man pages respect this change, it would be better.



commit 72fa59970f8698023045ab0713d66f3f4f96945c
Author: Vasiliy Kulikov 
Date:   Mon Aug 8 19:02:04 2011 +0400

    move RLIMIT_NPROC check from set_user() to do_execve_common()
Comment 1 Michael Kerrisk 2012-04-17 19:03:47 UTC
Vasiliy,

Thanks for raising this bug. I think the best approach would be to leave the existing EAGAIN text in the set*uid pages (possibly with a note about v3.1 changes), and add some text to the execve.2 page.

However, I have a question: I can understand adding the check to execve(), but why was it removed from set*uid()? Surely it was still useful to applications that actually do check the return status from set*uid()?
Comment 2 KOSAKI Motohiro 2012-04-18 00:23:10 UTC
Hmm..

I'm not Vasiliy and I couldn't add him to cc list (I don't know why).
But maybe I can answer this.

Now, many many applications don't check the return code and this ignorance may make critical security issue. set*id() is usually used for dropping root privilege 
 and then a failure mean application run untrusted code w/ root privilege. that's dangerous. then, set*id() should ignore rlimit and always can drop a privilege.

In the other hand, execve() is used for getting a privilege. then a failure is not security threat.

Next, applications still should check set*uid() return value because it may run on older kernel.

thank you.
Comment 3 Michael Kerrisk 2014-05-28 15:14:12 UTC
Patch (ebd381ba7b73) sitting in Git. Will be released with man-pages-3.69.

Note You need to log in before you can comment on or make changes to this bug.