Bug 401 - sudo will not work for a script on Suse 10 x86_64
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.7.2
Hardware: PC Linux
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2010-03-26 02:11 MDT by Richard Lou
Modified: 2010-08-02 15:01 MDT

Description Richard Lou 2010-03-26 02:11:38 MDT
Environment: Suse 10 x86_64
sudo version: 1.7.1 or later
Reproduce Steps:
1. log in as root
2. run "ulimit -a"
3. run "sudo -u sinobot -i"
4. run "ulimit -a"

In step#2, the "max user processes" is 4096, but in step#4, the "max user processes" becomes "unlimited".

On SUSE, SC_MAX_CHILD (the sysconfig that bash uses) is the same as the rlimit NPROC. If you set your rlimit of NPROC, you change MAX_CHILD. Since sudo 1.6.8 did not do the setrlimit NPROC, it does not have the problem.
Red Hat systems behave differently. MAX_CHILD is not the same as NPROC.

Considering the following script:
-------------------------------
#!/bin/bash
#set this to a 10  bigger than maxchild

MAX=100
echo "MAX = $MAX"

i=0
cd /tmp
rm -f /tmp/output.txt
while [ $i -lt $MAX ]
do
    touch foo &
    echo "i = $i, $!"
    pid[$i]=$!
    let "i = i + 1";
done

echo "done spawning"

touch foo
wait ${pid[0]}
echo ${pid[0]}

exit
--------------------------

We will get an error like "./maxchild.sh: line 25: wait: pid 3468 is not a child of this shell" when running it.
Comment 1 Richard Lou 2010-03-26 02:16:32 MDT
In the bash source code, if the MAX_CHILD value is -1 (unlimited), DEFAULT_CHILD_MAX (32) will be used.

So it will cause maxchild.sh to fail with the error.

-----------------
The code to change "max user processes" is in initial_setup() of
sudo.c:

...
#if defined(__linux__)
    /*
     * Unlimit the number of processes since Linux's setuid() will
     * apply resource limits when changing uid and return EAGAIN if
     * nproc would be violated by the uid switch.
     */
    rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
    if (setrlimit(RLIMIT_NPROC, &rl)) {
        if (getrlimit(RLIMIT_NPROC, &rl) == 0) {
            rl.rlim_cur = rl.rlim_max;
            (void)setrlimit(RLIMIT_NPROC, &rl);
        }
    }
#endif /* __linux__ */
...
Comment 2 Todd C. Miller 2010-07-16 14:05:42 MDT
This will be fixed in sudo 1.7.4.
Comment 3 Todd C. Miller 2010-07-16 14:33:08 MDT
You should also file this as a SuSE bug if you have not already done so, since it is not limited to sudo. The SuSE sysconf(3) man page does mention that it may return -1 for unlimited, but that is non-standard behavior that most code will interpret as an error return.
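Added example, not part of the bug thread and not sudo's code or its 1.7.4 fix: a C illustration of two defensive patterns related to the comments above, raising RLIMIT_NPROC only around a privileged step and restoring it afterwards, and treating -1 from sysconf(_SC_CHILD_MAX) as an error only when errno is set. The helper names and the probe callback are hypothetical, the fallback of 32 is the bash default quoted in Comment 1, and the soft limit is raised only to the hard limit (not RLIM_INFINITY) so the code runs without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Hypothetical helper: run fn() with the soft RLIMIT_NPROC raised to the hard
 * limit, then restore the caller's limit so the command run afterwards does
 * not inherit the widened value. Returns fn()'s result, or -1 on failure. */
int with_nproc_raised(int (*fn)(void))
{
    struct rlimit saved, raised;
    int rc;
    if (getrlimit(RLIMIT_NPROC, &saved) != 0)
        return -1;
    raised = saved;
    raised.rlim_cur = raised.rlim_max;  /* soft -> hard needs no privilege */
    if (setrlimit(RLIMIT_NPROC, &raised) != 0)
        return -1;
    rc = fn();                          /* stands in for the uid switch */
    if (setrlimit(RLIMIT_NPROC, &saved) != 0)
        return -1;
    return rc;
}

/* Hypothetical helper: sysconf(_SC_CHILD_MAX) with -1 disambiguated. errno is
 * cleared first: -1 with errno still 0 means "no definite limit" and yields
 * fallback; -1 with errno set is a real error and is returned as -1. */
long child_max(long fallback)
{
    long n;
    errno = 0;
    n = sysconf(_SC_CHILD_MAX);
    if (n == -1)
        return errno == 0 ? fallback : -1;
    return n;
}

/* Constructed stand-in for the privileged step: 1 if soft == hard, else 0. */
int probe(void)
{
    struct rlimit rl;
    return getrlimit(RLIMIT_NPROC, &rl) == 0 ? rl.rlim_cur == rl.rlim_max : -1;
}

int main(void)
{
    printf("soft == hard during call: %d\n", with_nproc_raised(probe));
    printf("usable child max: %ld\n", child_max(32));
    return 0;
}
```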
Comment 4 Todd C. Miller 2010-08-02 15:01:53 MDT
Closing, sudo 1.7.4 is out now.