On Wed, 2014-10-15 at 10:06 +0200, Samuel Thibault wrote:
> Svante Signell, le Wed 15 Oct 2014 09:57:21 +0200, a écrit :
> > See also https://lists.debian.org/debian-devel/2014/10/msg00201.html for
> > a discussion on the topic.
>
> I can't understand why you proposed to use setuid in order to keep
> secrets, but oh well.
I did not seriously propose to use setuid, it was mostly a way to get
answers about security issues of setuid programs, and I got plenty of
them.
> To get mlock available to user should be a matter of making gnumach
> accept vm_wire calls with hostpriv == 0. The amount of such locked
> memory shall however be accounted and limited. The default on my Linux
> system is 64KB.
Isn't it dangerous to remove/special case on
if (host == HOST_NULL)
return KERN_INVALID_HOST;
in vm_wire.c?
And where to place the defaults and ulimit checks, vm_wire.c or
mlock.c/munlock.c?
BTW: ulimit() is obsolete, one should use getrlimit() and setrlimit()
nowadays, according to the manpage.
