Bugzilla – Full Text Bug Listing

| Summary: | sudo will not work for a script on Suse 10 x86_64 | ||
|---|---|---|---|
| Product: | Sudo | Reporter: | Richard Lou <richard.lou> |
| Component: | Sudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | ||
| Priority: | low | ||
| Version: | 1.7.2 | ||
| Hardware: | PC | ||
| OS: | Linux | ||
In the bash source code, if the MAX_CHILD value is -1 (unlimited), DEFAULT_CHILD_MAX (32) will be used.
So this will make maxchild.sh fail with an error.
-----------------
The code to change "max user processes" is in initial_setup() of
sudo.c:
...
    #if defined(__linux__)
        /*
         * Unlimit the number of processes since Linux's setuid() will
         * apply resource limits when changing uid and return EAGAIN if
         * nproc would be violated by the uid switch.
         */
        rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
        if (setrlimit(RLIMIT_NPROC, &rl)) {
            if (getrlimit(RLIMIT_NPROC, &rl) == 0) {
                rl.rlim_cur = rl.rlim_max;
                (void)setrlimit(RLIMIT_NPROC, &rl);
            }
        }
    #endif /* __linux__ */
...
This will be fixed in sudo 1.7.4. You should also file this as a SuSE bug if you have not already done so since it is not limited to sudo. The SuSE sysconf(3) man page does mention that it may return -1 for unlimited but that is non-standard behavior that most code will interpret as an error return.

Closing, sudo 1.7.4 is out now.
Environment: Suse 10 x86_64
sudo version: 1.7.1 or later

Reproduce Steps:
1. login as root
2. run "ulimit -a"
3. run "sudo -u sinobot -i"
4. run "ulimit -a"

In step#2, the "max user processes" is 4096, but in step#4, the "max user processes" becomes "unlimited".

On suse, SC_MAX_CHILD (the sysconfig that bash uses) is the same as the rlimit NPROC. If you set your rlimit of NPROC you changed MAX_CHILD. Since sudo 1.6.8 did not do the setrlimit NPROC, it does not have the problem. Redhat system behaves differently. MAX_CHILD is not the same as NPROC.

Consider the following script:
-------------------------------
#!/bin/bash
#set this to a 10 bigger than maxchild
MAX=100
echo "MAX = $MAX"
i=0
cd /tmp
rm -f /tmp/output.txt
while [ $i -lt $MAX ]
do
    touch foo &
    echo "i = $i, $!"
    pid[$i]=$!
    let "i = i + 1";
done
echo "done spawning"
touch foo
wait ${pid[0]}
echo ${pid[0]}
exit
--------------------------
We will get an error like "./maxchild.sh: line 25: wait: pid 3468 is not a child of this shell" when we run it.
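
The following is an added example, not sudo's code and not the fix shipped in 1.7.4: one way to lift RLIMIT_NPROC for the uid switch, as the sudo.c excerpt above does, without the command inheriting the raised limit. The helper names `nproc_save`, `nproc_unlimit`, `nproc_restore` and `report` are hypothetical; restoring only lowers the limit, which an unprivileged process is allowed to do.

```c
/* Added example (helper names are hypothetical): save, lift, then restore RLIMIT_NPROC. */
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

int nproc_save(struct rlimit *saved)
{
    return getrlimit(RLIMIT_NPROC, saved);
}

/* Same logic as the sudo.c excerpt: try unlimited, else raise soft to hard. */
int nproc_unlimit(void)
{
    struct rlimit rl;
    rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
    if (setrlimit(RLIMIT_NPROC, &rl) == 0)
        return 0;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -1;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Put the saved limit back so the command inherits what the user had. */
int nproc_restore(const struct rlimit *saved)
{
    return setrlimit(RLIMIT_NPROC, saved);
}

/* Print the soft limit (-1 for unlimited) next to what sysconf() reports. */
static void report(const char *stage)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) == 0)
        printf("%-9s soft=%lld sysconf(_SC_CHILD_MAX)=%ld\n", stage,
               rl.rlim_cur == RLIM_INFINITY ? -1LL : (long long)rl.rlim_cur,
               sysconf(_SC_CHILD_MAX));
}

int main(void)
{
    struct rlimit saved;
    if (nproc_save(&saved) != 0) return 1;
    report("original");
    if (nproc_unlimit() != 0) return 1;
    report("raised");   /* the uid switch would happen in this state */
    if (nproc_restore(&saved) != 0) return 1;
    report("restored"); /* the command would be executed from this state */
    return 0;
}
```

Run as root on a system with a finite "max user processes" value, the "raised" line shows the unlimited state that the shell in the report inherited, and the "restored" line shows the original value again.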