[sudo-users] Sudo and ulimits
Johan Marcusson
independence at blinkenlights.se
Sun Jan 27 15:29:50 EST 2008
Wow, it really works! I thought I'd never be able to get this
working. Thanks a bunch todd! :D
Me and the users of my little shell service are very grateful!
/ Johan
Sun 2008-01-27 at 15:06 -0500, Todd C. Miller wrote:
> This should work around Linux's unusual setuid() semantics. If PAM
> is not in use or the PAM session doesn't include pam_limits.so the
> nproc resource limit will remain unlimited but I don't see a way
> around that without adding code to parse /etc/security/limits.conf
> directly.
>
> - todd
>
> Index: sudo.c
> ===================================================================
> RCS file: /home/cvs/courtesan/sudo/sudo.c,v
> retrieving revision 1.369.2.34
> diff -u -r1.369.2.34 sudo.c
> --- sudo.c 13 Dec 2007 14:12:49 -0000 1.369.2.34
> +++ sudo.c 27 Jan 2008 20:01:05 -0000
> @@ -992,9 +992,25 @@
> initial_setup()
> {
> int miss[3], devnull = -1;
> -#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
> +#if defined(__linux__) || (defined(RLIMIT_CORE) && !defined(SUDO_DEVEL))
> struct rlimit rl;
> +#endif
>
> +#if defined(__linux__)
> + /*
> + * Unlimit the number of processes since Linux's setuid() will
> + * apply resource limits when changing uid and return EAGAIN if
> + * nproc would be violated by the uid switch.
> + */
> + rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
> + if (setrlimit(RLIMIT_NPROC, &rl)) {
> + if (getrlimit(RLIMIT_NPROC, &rl) == 0) {
> + rl.rlim_cur = rl.rlim_max;
> + (void)setrlimit(RLIMIT_NPROC, &rl);
> + }
> + }
> +#endif /* __linux__ */
> +#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
> /*
> * Turn off core dumps.
> */
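Review bot: the RLIMIT_NPROC raised at `rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;` is never lowered again after the uid switch, so unless pam_limits.so re-applies a limit during the PAM session the command runs with no process limit at all (the cover text already concedes this for the non-PAM case). Consider saving the caller's original `rl` before the assignment and restoring it once the uid change has succeeded; lowering a limit is always permitted, so this keeps the EAGAIN workaround while leaving the target user with the limit the administrator configured rather than an unlimited one. The fallback `(void)setrlimit(RLIMIT_NPROC, &rl);` also discards its result: if even `rlim_cur = rlim_max` cannot be applied, a later setuid() can still fail with EAGAIN, so a warning at that point would make the failure diagnosable instead of silent.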