[sudo-users] uid switching vs resource limits
Teodor Milkov
tm at del.bg
Fri Jun 12 01:47:49 MDT 2015
Hello,
I found that the current version of sudo that's included in Debian 8 Jessie
(1.8.10p3-1+deb8u2) has different behavior compared to the one in Debian
7 Wheezy (1.8.5p2-1+nmu2) in regard to resource limits.
In 1.8.5 resource limits were not enforced during privilege switching:
$ sudo -V
Sudo version 1.8.5p2
Sudoers policy plugin version 1.8.5p2
Sudoers file grammar version 41
Sudoers I/O plugin version 1.8.5p2
$ ulimit -u 50
$ ulimit -u
50
$ sudo bash -c "ulimit -u"
50
$ sudo bash -c "sh -c ulimit -u"
unlimited
In 1.8.10 resource limits are retained:
$ sudo --version
Sudo version 1.8.10p3
Sudoers policy plugin version 1.8.10p3
Sudoers file grammar version 43
Sudoers I/O plugin version 1.8.10p3
$ ulimit -u 50
$ ulimit -u
50
$ sudo bash -c "ulimit -u"
sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes
What is the recommended way to get the old behavior?
I looked through the man pages, but didn't find the answer. Also glanced
quickly over the code and there's some relevant handling in src/sudo.c:
    /*
     * Unlimit the number of processes since Linux's setuid() will
     * return EAGAIN if RLIMIT_NPROC would be exceeded by the uid switch.
     */
    unlimit_nproc();
#ifdef HAVE_SETRESUID
    if (setresuid(details->uid, details->euid, details->euid) != 0) {
        warning(U_("unable to change to runas uid (%u, %u)"), details->uid,
            details->euid);
        goto done;
    }
#elif defined(HAVE_SETREUID)
+--- 5 lines: if (setreuid(details->uid, details->euid) != 0) {----------------
#else
+--- 5 lines: if (seteuid(details->euid) != 0 || setuid(details->euid) != 0) {-
#endif /* !HAVE_SETRESUID && !HAVE_SETREUID */
    /* Restore previous value of RLIMIT_NPROC. */
    restore_nproc();
But it seems uid switching is going via a completely different code path
(plugins/sudoers/set_perms.c) in the newer sudo?
Best regards,
Teodor
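
Added example, not part of the original message and not sudo's own code: a minimal C sketch of the save, raise and restore pattern around a uid switch that the quoted src/sudo.c comment describes. The names nproc_lift(), nproc_restore() and switch_uid() are hypothetical, and the bodies are one possible implementation, not what unlimit_nproc()/restore_nproc() actually contain.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* for setresuid() */
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Explicit prototype in case _GNU_SOURCE was defined after a system header. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

static struct rlimit saved_nproc;   /* RLIMIT_NPROC in force before the switch */

/* Hypothetical helper: save RLIMIT_NPROC, then raise it as far as allowed. */
int nproc_lift(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &saved_nproc) != 0)
        return -1;
    rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;   /* needs CAP_SYS_RESOURCE */
    if (setrlimit(RLIMIT_NPROC, &rl) == 0)
        return 0;
    rl.rlim_cur = rl.rlim_max = saved_nproc.rlim_max;  /* else soft up to hard */
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Hypothetical helper: put back the limit saved by nproc_lift(). */
int nproc_restore(void) {
    return setrlimit(RLIMIT_NPROC, &saved_nproc);
}

/* Change uid with the limit lifted, so a low "ulimit -u" cannot make the
 * switch fail with EAGAIN; the caller's limit applies again afterwards. */
int switch_uid(uid_t ruid, uid_t euid) {
    int rc, err;
    if (nproc_lift() != 0)
        return -1;
    rc = setresuid(ruid, euid, euid);
    err = errno;
    if (nproc_restore() != 0 && rc == 0)
        return -1;                  /* switched, but the limit was not restored */
    errno = err;
    return rc;
}

int main(void) {                    /* constructed demo: keep the ids we have */
    if (switch_uid(getuid(), geteuid()) != 0) { perror("switch_uid"); return 1; }
    puts("uid switch done, RLIMIT_NPROC restored");
    return 0;
}
```

Restoring after the switch only ever lowers the limit, which an unprivileged process is allowed to do, so the restore step still works once the process has dropped root.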