Bug 565

Summary: Cannot set RLIMIT_NPROC to unlimited via pam_limits
Product: Sudo Reporter: Jatin Nansi <jayml206>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal CC: dkopecek
Priority: low    
Version: 1.8.7   
Hardware: PC   
OS: Linux   
Attachments: Patch to only restorie RLIMIT_NPROC when _SC_CHILD_MAX returns -1
Patch to store RLIMIT_NPROC after the call to policy_init_session

Description Jatin Nansi 2012-07-31 08:00:55 MDT 
With the current sudo code base, it is impossible to set the limit on maximum number of processes owned by a user to unlimited. 
This is a result of the fix incorporated for BZ #401:
http://www.sudo.ws/bugs/show_bug.cgi?id=401

This is the change set:
http://www.sudo.ws/repos/sudo/rev/bb14802d48b1

The code in exec_setup resets RLIMIT_NPROC to the value applicable to the parent process if both rl.rlim_cur && rl.rlim_max are == RLIM_INFINITY. 

For example:

[root@rhel63-ipa1 ~]# cat /etc/pam.d/sudo
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

[root@rhel63-ipa1 ~]# cat /etc/security/limits.d/xman.conf 
xman          soft    nproc    unlimited
xman          hard    nproc    unlimited

[root@rhel63-ipa1 ~]# ulimit -Su; ulimit -Hu
1024
7819

[root@rhel63-ipa1 ~]# sudo -u xman /bin/bash
[xman@rhel63-ipa1 root]$ ulimit -Su; ulimit -Hu
1024
7819
[xman@rhel63-ipa1 root]$ 

I have tested this by reverting the fix for #401 and the test case behaves as expected. 

After reading the comments in BZ #401, it seems that this patch is only useful for Suse Linux users. If this is the case, can this functionality be explicitly turned on with a switch during compile time? This will allow sudo to behave as expected for users of other distributions.
Comment 1 Todd C. Miller 2012-07-31 09:49:30 MDT 
Created attachment 353 [details]
Patch to only restorie RLIMIT_NPROC when _SC_CHILD_MAX returns -1

The following patch should fix this, please give it a try.
Comment 2 Todd C. Miller 2012-09-12 14:55:40 MDT 
Fixed in sudo 1.8.6.
Comment 3 Daniel Kopeček 2013-07-19 02:49:07 MDT 
Hi,
 I think this bug is still present in the latest sources. If I set the nproc limit via pam_limits to unlimited on a RHEL system, it gets set to the values which sudo inherited from the parent process. I've came up with an other solution, I'll attach the patch to this BZ.

The problem is that if you set unlimited & unlimited (soft & hard) in pam_limits, then these setting are indistinguishable from the temporary nproc limit reset done inside sudo. To overcome this problem, I've moved the part that stores the parent process limits just after the policy_init_session call where all the PAM magic happens. That way, if pam_limits changes anything, it gets restored before sudo executes the requested command.
Comment 4 Daniel Kopeček 2013-07-19 02:51:03 MDT 
Created attachment 374 [details]
Patch to store RLIMIT_NPROC after the call to policy_init_session
Comment 5 Todd C. Miller 2013-07-29 14:03:36 MDT 
With Dan's patch applied I think there is no longer any reason to check sysconf(_SC_CHILD_MAX) and the saved value of RLIMIT_NPROC should always be restored.
Comment 6 Todd C. Miller 2013-07-29 15:35:31 MDT 
Actually, since it is only setuid() and not seteuid() that has the RLIMIT_NPROC check, this can be even simpler.  I've just checked in the following: http://www.sudo.ws/repos/sudo/rev/1372f1909039
Comment 7 Todd C. Miller 2013-09-30 09:34:13 MDT 
Fixed in sudo 1.8.8