Bugzilla – Bug 526
"Defaults use_loginclass" doesn't change login class
Last modified: 2012-02-21 06:13:28 MST
$ uname -sr
FreeBSD 8.2-STABLE
$ sudo -V
Sudo version 1.8.1p2
Sudoers policy plugin version 1.8.1p2
Sudoers file grammar version 40
Sudoers I/O plugin version 1.8.1p2

According to "man sudoers":

use_loginclass
    If set, sudo will apply the defaults specified for the target user's login class if one exists.

But the test shows that the login class isn't changed after sudo:

$ grep use_loginclass /usr/local/etc/sudoers
Defaults use_loginclass
$ cat /tmp/showclass.sh
#! /bin/sh
pw usershow $(whoami) -P | sed -n "s|.*\(Class: .*\)|\1|p"
$ /tmp/showclass.sh
Class:
$ limits -Sn
Resource limits (current):
openfiles-cur 2048
$ sudo -u user2 /tmp/showclass.sh
Class:
$ sudo -u user2 limits -Sn
Resource limits (current):
openfiles 2048

However, after "su -" the login class is applied:

$ su - user2
$ /tmp/showclass.sh
Class: user2class
$ limits -Sn
Resource limits (current):
openfiles 10000

I looked at the sudo source code and found out that the "def_use_loginclass" variable isn't used at all. Instead, login class of SUDO_USER is always used. The attached patch fixes it.

After the patch, sudo will honor the "use_loginclass" option and use target user's login class:

$ sudo -u user2 /tmp/showclass.sh
Class: user2class
$ sudo -u user2 limits -Sn
Resource limits (current):
openfiles 10000
Created attachment 322
use_loginclass fix

Created attachment 323
Backport of fix to sudo 1.8.1

I've checked in a more involved fix. Attached is a backport of that fix to sudo 1.8.1.
Sudo 1.8.4 will include a fix for this.
Fixed in sudo 1.8.4
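
An added example, not part of the bug thread or of sudo itself: a shell check that flags a host whose sudoers enables use_loginclass while its sudo is older than the 1.8.4 fix. The function names are hypothetical, the inputs are constructed samples, and it assumes any release older than 1.8.4 behaves like the reported 1.8.1p2 (a build carrying the backport cannot be told apart by version).

```sh
#!/bin/sh
# Added example: names below are hypothetical, inputs are constructed.

# Read `sudo -V` output on stdin, print the dotted version ("1.8.1p2" -> "1.8.1").
sudo_version() {
    sed -n '/^Sudo version /{s/^Sudo version \([0-9][0-9.]*\).*/\1/p;q;}'
}

# Exit 0 if version $1 is older than 1.8.4, the release named in this bug.
predates_fix() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}          # drop a suffix such as "p2"
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 8 ] && return 0
    [ "$minor" -gt 8 ] && return 1
    [ "${patch:-0}" -lt 4 ]
}

# Read sudoers text on stdin; exit 0 if a Defaults line enables
# use_loginclass (comment lines and "!use_loginclass" do not count).
sets_use_loginclass() {
    grep -Eq '^[[:space:]]*Defaults[^#]*[[:space:],]use_loginclass([[:space:],]|$)'
}

# $1 = `sudo -V` output, $2 = sudoers text. Prints one verdict line.
check_host() {
    ver=$(printf '%s\n' "$1" | sudo_version)
    [ -n "$ver" ] || { echo "UNKNOWN"; return 0; }
    if printf '%s\n' "$2" | sets_use_loginclass && predates_fix "$ver"; then
        echo "AFFECTED $ver"   # option is set but login class limits may not apply
    else
        echo "OK $ver"
    fi
}

# Constructed sample inputs (not captured from a real host).
check_host "Sudo version 1.8.1p2" "Defaults use_loginclass"
check_host "Sudo version 1.8.4" "Defaults use_loginclass"
```

On a live host the two arguments would be the output of `sudo -V` and the contents of the sudoers file, which the report locates at /usr/local/etc/sudoers.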