[sudo-users] uid switching vs resource limits

Teodor Milkov tm at del.bg
Wed Jun 17 06:33:24 MDT 2015

Thanks for your time and effort!

This might also be due to interaction with grsecurity kernel patch, 
which I use.

There's this part in it:

+ /* Handle the case where a fork and setuid occur and then RLIMIT_NPROC
+    is changed to a lower value.  Since tasks can be created by the same
+    user in between this limit change and an execve by this task, force
+    a recheck only for this task by setting PF_NPROC_EXCEEDED
+ */
+ if (resource == RLIMIT_NPROC && tsk->real_cred->user != INIT_USER)
+     tsk->flags |= PF_NPROC_EXCEEDED;

I see similar reports popping here and there:


With people just disabling resource limits as a workaround.

On 12/06/15 18:56, Todd C. Miller wrote:
> On Fri, 12 Jun 2015 09:34:59 -0600, "Todd C. Miller" wrote:
>> I've been trying to reproduce this on Debian 8 using 1.8.10p3-1+deb8u2
>> but I get the same behavior you report for 1.8.5.  I've tried
>> reducing the nproc limit further but in each instance if I can run
>> a command via bash without hitting the limit I can run it via sudo
>> too.
> Apparently the behavior was removed in Linux 3.1, which explains
> why I couldn't reproduce it.
>     EAGAIN uid does not match the real user ID of the caller and
>            this  call would  bring  the number of processes belonging
>            to the real user ID uid over the caller's  RLIMIT_NPROC
>            resource limit.   Since Linux 3.1, this error case no
>            longer occurs (but robust applications should check for
>            this  error); see  the  description  of EAGAIN in execve(2).
> My test VM is Debian 8.1 with the following kernel:
> Linux deb8 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64 GNU/Linux
>   - todd

More information about the sudo-users mailing list