[sudo-users] Sudo and ulimits

Todd C. Miller Todd.Miller at courtesan.com
Sun Jan 27 15:06:56 EST 2008


This should work around Linux's unusual setuid() semantics.  If PAM
is not in use or the PAM session doesn't include pam_limits.so the
nproc resource limit will remain unlimited but I don't see a way
around that without adding code to parse /etc/security/limits.conf
directly.

 - todd

Index: sudo.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/sudo.c,v
retrieving revision 1.369.2.34
diff -u -r1.369.2.34 sudo.c
--- sudo.c	13 Dec 2007 14:12:49 -0000	1.369.2.34
+++ sudo.c	27 Jan 2008 20:01:05 -0000
@@ -992,9 +992,25 @@
 initial_setup()
 {
     int miss[3], devnull = -1;
-#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
+#if defined(__linux__) || (defined(RLIMIT_CORE) && !defined(SUDO_DEVEL))
     struct rlimit rl;
+#endif
 
+#if defined(__linux__)
+    /*
+     * Unlimit the number of processes since Linux's setuid() will
+     * apply resource limits when changing uid and return EAGAIN if
+     * nproc would be violated by the uid switch.
+     */
+    rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
+    if (setrlimit(RLIMIT_NPROC, &rl)) {
+	if (getrlimit(RLIMIT_NPROC, &rl) == 0) {
+	    rl.rlim_cur = rl.rlim_max;
+	    (void)setrlimit(RLIMIT_NPROC, &rl);
+	}
+    }
+#endif /* __linux__ */
+#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
     /*
      * Turn off core dumps.
      */



More information about the sudo-users mailing list