On 01/11/2018 07:44 AM, Willy Tarreau wrote:
>> 4. Cleared on setuid() and friends
> This one causes me a problem : some daemons already take care of dropping
> privileges after the initial fork() for the sake of security. Haproxy
> typically does this at boot :
>
> - parse config
> - chroot to /var/empty
> - setuid(dedicated_uid)
> - fork()
This makes me a _bit_ nervous. I think Andy touched on this, but I'll say it another way: you want PTI turned off because you trust an app to be good, but you also drop permissions because it is exposed to an environment where you do *not* fully trust it. I'm not sure how you reconcile that. If your proxy gets compromised, and PTI is turned off, you are entirely exposed to Meltdown from that process. I don't know exactly what you are doing, but isn't this proxy sitting there shuffling untrusted user data around all day?

