Re: [PATCH 1/6] oom: use euid instead of CAP_SYS_ADMIN for protectionroot process

From: David Rientjes
Date: Wed Jun 22 2011 - 18:57:50 EST

On Wed, 22 Jun 2011, KOSAKI Motohiro wrote:

> Recently, many userland daemon prefer to use libcap-ng and drop
> all privilege just after startup. Because of (1) Almost privilege
> are necessary only when special file open, and aren't necessary
> read and write. (2) In general, privilege dropping brings better
> protection from exploit when bugs are found in the daemon.

You could also say that dropping the capability drops the bonus it is
given in the oom killer. We've never promised any benefit in the oom
killer badness scoring without the capability.

> But, it makes suboptimal oom-killer behavior. CAI Qian reported
> oom killer killed some important daemon at first on his fedora
> like distro. Because they've lost CAP_SYS_ADMIN.

I disagree that we should be identifying "important daemons" by tying it
the effective uid of the process and thus making some sort of inference
because a thread was forked by root. I think it is more clear to tie that
to an actual capability that is present, such as CAP_SYS_ADMIN, or suggest
that the user give the "important daemon" it's own bonus by tuning

We already know that the kernel will not be able to identify critical
processes perfectly, that's an assumption that we can live with. We must
rely on userspace to influence that decision by using the tunable.

If this patch were merged, I could easily imagine an argument in the
reverse that would just simply revert it: it would be very easy to say
that CAP_SYS_ADMIN has always given this bonus in recent memory so
changing it would be a regression over the previous behavior and/or that
giving the capability to a thread as it runs implies that it should have
the bonus when the euid may not be 0.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at