> the problem i see with it is that, for this to be useful, (ie, help
> the people for which the capsys stuff is too much trouble), it has to
> be in the kernel that comes with their distribution. but i really
> don't see this getting into the mainline kernel...though perhaps media
> friendly distros will put it in.
why do you see it this way? if someone has already cracked security such that they can write to (say) /proc/sys/kernel/rtuser, they already have the power to do more or less anything to the machine. they can *already* run SCHED_FIFO tasks, install trojans, shut down the system, repartition and/or overwrite the hard drive. adding the capacity to let non-root users run SCHED_FIFO and call mlockall is already included in the set of things they can do - the /proc file just makes it simpler. in addition, if you add resource limits so that things can still be killed, having user tasks running like this actually isn't much of a problem - SCHED_FIFO and mlockall only represent a denial of service attack if you can't kill them (as is the case at the moment). --p
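As an added example (not from this thread, and not the /proc/sys/kernel/rtuser mechanism it discusses): how a current Linux kernel expresses the "resource limits so that things can still be killed" idea for unprivileged SCHED_FIFO and mlockall users. It assumes a Linux system where RLIMIT_RTPRIO, RLIMIT_RTTIME and RLIMIT_MEMLOCK exist (kernel 2.6.25 or later); those names are facts about present-day Linux, not something the message mentions.

```c
/* Added example, not the thread's code. Assumes Linux with RLIMIT_RTPRIO,
 * RLIMIT_RTTIME and RLIMIT_MEMLOCK (kernel 2.6.25 or later). */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <sys/resource.h>

/* Fallbacks in case the headers were processed without the GNU extension. */
#ifndef RLIMIT_RTPRIO
#define RLIMIT_RTPRIO 14   /* Linux resource numbers */
#endif
#ifndef RLIMIT_RTTIME
#define RLIMIT_RTTIME 15
#endif

/* Cap the CPU time (microseconds) a real-time task may burn without
 * blocking: SIGXCPU at the soft limit, SIGKILL at the hard limit. This is
 * what turns a runaway SCHED_FIFO loop from a DoS into a killed process. */
int limit_rt_cpu_budget(rlim_t soft_us, rlim_t hard_us) {
    struct rlimit rl = { .rlim_cur = soft_us, .rlim_max = hard_us };
    return setrlimit(RLIMIT_RTTIME, &rl) == 0 ? 0 : errno;
}

/* Highest SCHED_FIFO priority an unprivileged caller may ask for; 0 means
 * real-time scheduling is off limits (the default on most distributions). */
int rt_priority_allowed(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_RTPRIO, &rl) != 0) return -errno;
    int max = sched_get_priority_max(SCHED_FIFO);
    if (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur > (rlim_t)max) return max;
    return (int)rl.rlim_cur;
}

/* Bytes this process may pin with mlock/mlockall (RLIM_INFINITY if unlimited). */
rlim_t memlock_budget_bytes(void) {
    struct rlimit rl;
    return getrlimit(RLIMIT_MEMLOCK, &rl) == 0 ? rl.rlim_cur : 0;
}

/* Probe whether SCHED_FIFO at prio is granted, then drop straight back to
 * SCHED_OTHER so the caller is not left real-time. Returns 0 or errno
 * (EPERM when neither root nor RLIMIT_RTPRIO allows it). */
int probe_sched_fifo(int prio) {
    struct sched_param sp = { .sched_priority = prio };
    if (sched_setscheduler(0, SCHED_FIFO, &sp) != 0) return errno;
    sp.sched_priority = 0;
    sched_setscheduler(0, SCHED_OTHER, &sp);
    return 0;
}
```

On a stock distribution the probe returns EPERM for an ordinary user because RLIMIT_RTPRIO defaults to 0; raising it (e.g. through limits.conf) together with a finite RLIMIT_RTTIME is the modern form of the trade-off argued for above.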