[sudo-users] Sudo and ulimits
Todd C. Miller
Todd.Miller at courtesan.com
Sun Jan 27 15:06:56 EST 2008
This should work around Linux's unusual setuid() semantics. If PAM
is not in use or the PAM session doesn't include pam_limits.so the
nproc resource limit will remain unlimited but I don't see a way
around that without adding code to parse /etc/security/limits.conf
directly.
- todd
Index: sudo.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/sudo.c,v
retrieving revision 1.369.2.34
diff -u -r1.369.2.34 sudo.c
--- sudo.c 13 Dec 2007 14:12:49 -0000 1.369.2.34
+++ sudo.c 27 Jan 2008 20:01:05 -0000
@@ -992,9 +992,25 @@
initial_setup()
{
int miss[3], devnull = -1;
-#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
+#if defined(__linux__) || (defined(RLIMIT_CORE) && !defined(SUDO_DEVEL))
struct rlimit rl;
+#endif
+#if defined(__linux__)
+ /*
+ * Unlimit the number of processes since Linux's setuid() will
+ * apply resource limits when changing uid and return EAGAIN if
+ * nproc would be violated by the uid switch.
+ */
+ rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
+ if (setrlimit(RLIMIT_NPROC, &rl)) {
+ if (getrlimit(RLIMIT_NPROC, &rl) == 0) {
+ rl.rlim_cur = rl.rlim_max;
+ (void)setrlimit(RLIMIT_NPROC, &rl);
+ }
+ }
+#endif /* __linux__ */
+#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
/*
* Turn off core dumps.
*/
More information about the sudo-users
mailing list