[sudo-users] file ulimit not set correctly
Thomas Falkenberg
TFALKEN at de.ibm.com
Tue Jul 3 16:14:13 EDT 2012
Hello Todd,
in the actual sudo version sudo-1.8.5p2-1 I have the same problem as I
reported before in February 2010 with version 1.7.2p2.
If I switch to another user using "sudo -u", the user has a file ulimit of
zero.
It seems to occur if the default user has a file size limit of more than 2 GB
rather than an unlimited file size limit.
In our previous version sudo-1.8.4p4-1, I haven't detected this error.
Here is an example where the root user has an unlimited file size limit and
all other users have a specific value:
[0:root at ta607:]/home/root # ulimit -a
time(seconds) unlimited
file(blocks) unlimited
data(kbytes) 131072
stack(kbytes) 32768
memory(kbytes) 32768
coredump(blocks) unlimited
nofiles(descriptors) unlimited
threads(per process) unlimited
processes(per user) unlimited
[0:root at ta607:]/home/root # sudo -u falkenbe sh
[0:root at ta607:]/home/root # ulimit -a
sh: A file cannot be larger than the value set by ulimit.
time(seconds) unlimited
file(blocks) 0
data(kbytes) 131072
stack(kbytes) 32768
memory(kbytes) 32768
coredump(blocks) 2097151
nofiles(descriptors) unlimited
threads(per process) unlimited
processes(per user) unlimited
[0:root at ta607:]/home/root # exit
sh: A file cannot be larger than the value set by ulimit.
[0:root at ta607:]/home/root # grep -p fsize /etc/security/limits |grep -v "^*"
default:
fsize = 4194304000
core = 2097151
cpu = -1
data = 262144
rss = 65536
stack = 65536
nofiles = -1
root:
fsize = -1
core = -1
[0:root at ta607:]/home/root # oslevel -s
6100-07-04-1216
[0:root at ta607:]/home/root # rpm -qi sudo
Name : sudo Relocations: (not relocateable)
Version : 1.8.5p2 Vendor: (none)
Release : 1 Build Date: Fri Jun 1 11:08:36 MSZ 2012
Install date: Fri Jun 29 09:44:13 MSZ 2012 Build Host: aix51
Group : Applications/System Source RPM: sudo-1.8.5p2-1.src.rpm
Size : 1455469 License: BSD
URL : http://www.courtesan.com/sudo/
Summary : Allows restricted root access for specified users
Description :
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands
as root while logging all commands and arguments. Sudo operates on a
per-command basis. It is not a replacement for the shell. Features
include: the ability to restrict what commands a user may run on a
per-host basis, copious logging of each command (providing a clear
audit trail of who did what), a configurable timeout of the sudo
command, and the ability to use the same configuration file (sudoers)
on many different machines.
Kind regards
Thomas Falkenberg
IT Center Mainz ECuRep AIX / IT Spezialist
------------------------------------------------------------------------------
IBM Deutschland
Hechtsheimer Str. 2
55131 Mainz
Phone: +49-6131-84-2348
Mobile: +49-175-2913561
E-Mail: tfalken at de.ibm.com
------------------------------------------------------------------------------
IBM Deutschland Infrastructure Technology Services GmbH /
Management: Ulrike Hetzel
Registered office: Ehningen / Court of registration: Amtsgericht Stuttgart,
HRB 727973
Thomas Falkenberg TFALKEN at de.ibm.com
Tue Feb 2 06:36:16 EST 2010
Hello,
I have a problem with the file ulimit setting after switching to another
user using sudo.
If a user has a defined file limit, it will be reset to zero after using
sudo to open a shell as another user.
Here are two examples:
Switching from general user to root user:
[3]:falkenbe at itc-netv1:/home/falkenbe $ ulimit -a
time(seconds) unlimited
file(blocks) 209715200
data(kbytes) 131072
stack(kbytes) 32768
memory(kbytes) 32768
coredump(blocks) 2097151
nofiles(descriptors) unlimited
[3]:falkenbe at itc-netv1:/home/falkenbe $ sudo sh
[3]:falkenbe at itc-netv1:/home/falkenbe $ ulimit -a
sh: A file cannot be larger than the value set by ulimit.
time(seconds) unlimited
file(blocks) 0
data(kbytes) 131072
stack(kbytes) 32768
memory(kbytes) 32768
coredump(blocks) 2097151
nofiles(descriptors) unlimited
Switching from root user to another user:
[5:root at itc-netv1:]/home/root # ulimit -a
time(seconds) unlimited
file(blocks) 209715200
data(kbytes) 131072
stack(kbytes) 32768
memory(kbytes) 32768
coredump(blocks) 2097151
nofiles(descriptors) unlimited
[5:root at itc-netv1:]/home/root # sudo -u falkenbe sh
[5:root at itc-netv1:] # ulimit -a
sh: A file cannot be larger than the value set by ulimit.
time(seconds) unlimited
file(blocks) 0
data(kbytes) 131072
stack(kbytes) 32768
memory(kbytes) 32768
coredump(blocks) 2097151
nofiles(descriptors) unlimited
The file /etc/security/limits has a unique setting for all users and only
one entry for the default user:
default:
fsize = 209715200
core = 2097151
cpu = -1
data = 262144
rss = 65536
stack = 65536
nofiles = -1
I use the sudo version 1.7.2p2 on AIX 5.3:
[4]:falkenbe at itc-netv1:/home/falkenbe $ oslevel -s
5300-10-01-0921
[4]:falkenbe at itc-netv1:/home/falkenbe $ rpm -qi sudo
Name : sudo Relocations: (not relocateable)
Version : 1.7.2p2 Vendor: (none)
Release : 1 Build Date: Tue Dec 8 11:19:20 MEZ 2009
Install date: Tue Feb 2 11:18:16 MEZ 2010 Build Host: aix51.perzl.org
Group : Applications/System Source RPM: sudo-1.7.2p2-1.src.rpm
Size : 746434 License: BSD
URL : http://www.courtesan.com/sudo/
Summary : Allows restricted root access for specified users
Description :
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands
as root while logging all commands and arguments. Sudo operates on a
per-command basis. It is not a replacement for the shell. Features
include: the ability to restrict what commands a user may run on a
per-host basis, copious logging of each command (providing a clear
audit trail of who did what), a configurable timeout of the sudo
command, and the ability to use the same configuration file (sudoers)
on many different machines.
Kind regards
Thomas Falkenberg
E-Mail: tfalken at de.ibm.com
Todd C. Miller Todd.Miller at courtesan.com
Wed Feb 3 14:46:11 EST 2010
In message <OFB869D89B.BE1FC798-ONC12576BE.003CE270-C12576BE.003FBF69 at de.ibm.com>
so spake Thomas Falkenberg (TFALKEN):
> I have a problem with the file ulimit setting after switching to another
> user using sudo.
> If a user has a defined file limit, it will be reset to zero after using
> sudo to open a shell as another user.
The problem is that the value for fsize in /etc/security/limits is
specified in blocks whereas the resource limit is specified in bytes.
When converting from blocks to bytes, 209715200 * 512 overflows
the 32-bit value in struct rlimit. The fix is for sudo to use
setrlimit64() instead of setrlimit() if available.
I don't have access to an AIX machine these days but the following
(untested) diff should fix it. Alternately, you could just set
fsize to a smaller value or -1 (unlimited) in /etc/security/limits.
- todd
Index: aix.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/aix.c,v
retrieving revision 1.7
diff -u -r1.7 aix.c
--- aix.c 6 Nov 2008 00:42:37 -0000 1.7
+++ aix.c 3 Feb 2010 19:45:27 -0000
@@ -39,7 +39,7 @@
#ifdef HAVE_GETUSERATTR
#ifndef RLIM_SAVED_MAX
-# define RLIM_SAVED_MAX RLIM_INFINITY
+# define RLIM_SAVED_MAX RLIM64_INFINITY
#endif
struct aix_limit {
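Review bot: the fallback `# define RLIM_SAVED_MAX RLIM64_INFINITY` only takes effect when the system headers do not define RLIM_SAVED_MAX; on a platform that does define it for the 32-bit rlimit interface, the later `rlim.rlim_max = RLIM_SAVED_MAX;` stores a 32-bit sentinel into a `struct rlimit64` field and hands it to setrlimit64(). Consider checking the AIX headers for a 64-bit equivalent, or introducing a separate macro used only on the setrlimit64() path, rather than relying on the fallback definition.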
@@ -74,12 +74,12 @@
aix_setlimits(user)
char *user;
{
- struct rlimit rlim;
+ struct rlimit64 rlim;
int i, n;
/*
* For each resource limit, get the soft/hard values for the user
- * and set those values via setrlimit(). Must be run as euid 0.
+ * and set those values via setrlimit64(). Must be run as euid 0.
*/
for (n = 0; n < sizeof(aix_limits) / sizeof(aix_limits[0]); n++) {
/*
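Review bot: the covering mail says setrlimit64() should be used "if available", but this hunk switches to `struct rlimit64 rlim;` unconditionally, with no HAVE_SETRLIMIT64 (or similar) configure check, so the file will no longer compile on a HAVE_GETUSERATTR platform that lacks the 64-bit interface. Suggest adding a configure test and keeping the `struct rlimit` / setrlimit() code as the fallback when it fails.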
@@ -87,15 +87,15 @@
* hard limit has been defined.
*/
if (aix_getlimit(user, aix_limits[n].hard, &i) == 0) {
- rlim.rlim_max = i == -1 ? RLIM_INFINITY : i *
aix_limits[n].factor;
+ rlim.rlim_max = i == -1 ? RLIM64_INFINITY :
(rlim64_t)i * aix_limits[n].factor;
if (aix_getlimit(user, aix_limits[n].soft, &i) == 0)
- rlim.rlim_cur = i == -1 ? RLIM_INFINITY :
i * aix_limits[n].factor;
+ rlim.rlim_cur = i == -1 ? RLIM64_INFINITY
: (rlim64_t)i * aix_limits[n].factor;
else
rlim.rlim_cur = rlim.rlim_max; /* soft
not specd, use hard */
} else {
/* No hard limit set, try soft limit. */
if (aix_getlimit(user, aix_limits[n].soft, &i) == 0)
- rlim.rlim_cur = i == -1 ? RLIM_INFINITY :
i * aix_limits[n].factor;
+ rlim.rlim_cur = i == -1 ? RLIM64_INFINITY
: (rlim64_t)i * aix_limits[n].factor;
/* Set hard limit per AIX /etc/security/limits
documentation. */
switch (aix_limits[n].resource) {
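Review bot: the `+` lines in this hunk are wrapped by the mail client (`+ rlim.rlim_max = i == -1 ? RLIM64_INFINITY :` continues on the following line, and likewise for both `rlim_cur` assignments), so the diff as posted will not apply without rejoining them. The `(rlim64_t)i * aix_limits[n].factor` cast is the part that fixes the report, since it widens `i` before the multiplication instead of truncating the product afterwards, and testing `i == -1` on the int before the cast is correct. One pre-existing gap worth closing while touching these lines: in the `else` branch, when the soft-limit lookup also fails, `rlim.rlim_cur` is never assigned, yet the struct is still passed to setrlimit64() below; initialising `rlim_cur` to `rlim_max` there would avoid passing an indeterminate soft limit.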
@@ -107,11 +107,11 @@
rlim.rlim_max = RLIM_SAVED_MAX;
break;
default:
- rlim.rlim_max = RLIM_INFINITY;
+ rlim.rlim_max = RLIM64_INFINITY;
break;
}
}
- (void)setrlimit(aix_limits[n].resource, &rlim);
+ (void)setrlimit64(aix_limits[n].resource, &rlim);
}
}
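Review bot: `(void)setrlimit64(aix_limits[n].resource, &rlim);` discards the return value, so a failed call (for example a soft limit above the hard limit, or EINVAL for an unacceptable value) leaves the process with whatever limit it inherited and produces no diagnostic. Given that this thread is about limits silently ending up wrong, emitting a warning with errno when setrlimit64() returns -1 would make the next such report much easier to diagnose.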
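The overflow Todd describes, worked through as an added example (this is not sudo's code and not from the thread): both fsize values reported above, 209715200 and 4194304000 blocks, become exact multiples of 2^32 when multiplied by the 512-byte block factor, so a 32-bit rlim_t receives exactly 0, which is the `file(blocks) 0` shown in the ulimit output. The stanza parser and the names `AIX_BLOCK`, `blocks_to_bytes32`, `blocks_to_bytes64`, `limits_fsize` and `fsize_truncates` are this example's own; it assumes the `user:` / `key = value` layout quoted in the thread and does not model AIX's fallback to the default stanza.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AIX_BLOCK 512ULL   /* fsize and core in /etc/security/limits count 512-byte blocks */
/* Pre-patch result as a 32-bit rlim_t receives it: only the low 32 bits of the product survive. */
uint32_t blocks_to_bytes32(long long blocks) { return (uint32_t)((uint64_t)blocks * AIX_BLOCK); }
/* Post-patch result: widened before the multiply, as (rlim64_t)i * aix_limits[n].factor does. */
uint64_t blocks_to_bytes64(long long blocks) { return (uint64_t)blocks * AIX_BLOCK; }
/* fsize from `user`'s stanza: -1 is unlimited, -2 means no stanza or no fsize key. Example-only
 * parser for the "user:" / "key = value" layout; the fallback to the default stanza is not modelled. */
long long limits_fsize(const char *text, const char *user) {
    char line[256]; int in_stanza = 0;
    for (const char *p = text; *p; ) {
        size_t n = strcspn(p, "\n"), copy = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, p, copy); line[copy] = '\0';
        p += n + (p[n] == '\n');                    /* step past the line and its newline */
        char *s = line + strspn(line, " \t");
        size_t len = strlen(s);
        if (len > 0 && s[len - 1] == ':') {         /* stanza header such as "default:" or "root:" */
            s[len - 1] = '\0'; in_stanza = strcmp(s, user) == 0;
        } else if (in_stanza && strncmp(s, "fsize", 5) == 0 &&
                   (s[5] == ' ' || s[5] == '\t' || s[5] == '=')) {   /* exact key, not a prefix */
            const char *eq = strchr(s, '=');
            if (eq) return strtoll(eq + 1, NULL, 10);
        }
    }
    return -2;
}

/* 1 if the configured fsize reaches a 32-bit rlim_t as something other than its true byte count. */
int fsize_truncates(const char *text, const char *user) {
    long long blocks = limits_fsize(text, user);
    if (blocks < 0) return 0;                       /* unlimited or absent: nothing is multiplied */
    return blocks_to_bytes32(blocks) != blocks_to_bytes64(blocks);
}

/* Constructed from the stanzas quoted in the 2012 report (tabs stand in for the file's indentation). */
static const char *LIMITS_2012 =
    "default:\n\tfsize = 4194304000\n\tcore = 2097151\n\tcpu = -1\nroot:\n\tfsize = -1\n\tcore = -1\n";

int main(void) {
    long long b = limits_fsize(LIMITS_2012, "default");
    printf("default fsize %lld blocks = %llu bytes; a 32-bit rlim_t gets %u (truncates: %d)\n", b,
           (unsigned long long)blocks_to_bytes64(b), (unsigned)blocks_to_bytes32(b),
           fsize_truncates(LIMITS_2012, "default"));
    return 0;
}
```

Run against a copy of a real /etc/security/limits to see which stanzas would have hit the truncation under the old arithmetic; the `root:` stanza with `fsize = -1` is reported as safe because unlimited is never multiplied.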