[sudo-users] uid switching vs resource limits
Teodor Milkov
tm at del.bg
Wed Jun 17 06:33:24 MDT 2015
Thanks for your time and effort!
This might also be due to interaction with grsecurity kernel patch,
which I use.
There's this part in it:
+ /* Handle the case where a fork and setuid occur and then RLIMIT_NPROC
+ is changed to a lower value. Since tasks can be created by the same
+ user in between this limit change and an execve by this task, force
+ a recheck only for this task by setting PF_NPROC_EXCEEDED
+ */
+ if (resource == RLIMIT_NPROC && tsk->real_cred->user != INIT_USER)
+ tsk->flags |= PF_NPROC_EXCEEDED;
I see similar reports popping here and there:
http://www.codehelper.org/2015/03/perm_root-setresuid0-1-1-too-many-processes-cpanel-fix/
http://forum.centos-webpanel.com/how-to/how-to-enable-sudo-command/
http://www.listekconsulting.com/articles/sudo-too-many-processes/
With people just disabling resource limits as a workaround.
On 12/06/15 18:56, Todd C. Miller wrote:
> On Fri, 12 Jun 2015 09:34:59 -0600, "Todd C. Miller" wrote:
>
>> I've been trying to reproduce this on Debian 8 using 1.8.10p3-1+deb8u2
>> but I get the same behavior you report for 1.8.5. I've tried
>> reducing the nproc limit further but in each instance if I can run
>> a command via bash without hitting the limit I can run it via sudo
>> too.
> Apparently the behavior was removed in Linux 3.1, which explains
> why I couldn't reproduce it.
>
> EAGAIN uid does not match the real user ID of the caller and
> this call would bring the number of processes belonging
> to the real user ID uid over the caller's RLIMIT_NPROC
> resource limit. Since Linux 3.1, this error case no
> longer occurs (but robust applications should check for
> this error); see the description of EAGAIN in execve(2).
>
> My test VM is Debian 8.1 with the following kernel:
> Linux deb8 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64 GNU/Linux
>
> - todd
More information about the sudo-users
mailing list