Bugzilla – Bug 565
Cannot set RLIMIT_NPROC to unlimited via pam_limits
Last modified: 2013-09-30 09:34:13 MDT
With the current sudo code base, it is impossible to set the limit on maximum number of processes owned by a user to unlimited. This is a result of the fix incorporated for BZ #401: http://www.sudo.ws/bugs/show_bug.cgi?id=401

This is the change set: http://www.sudo.ws/repos/sudo/rev/bb14802d48b1

The code in exec_setup resets RLIMIT_NPROC to the value applicable to the parent process if both rl.rlim_cur && rl.rlim_max are == RLIM_INFINITY. For example:

[root@rhel63-ipa1 ~]# cat /etc/pam.d/sudo
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
[root@rhel63-ipa1 ~]# cat /etc/security/limits.d/xman.conf
xman soft nproc unlimited
xman hard nproc unlimited
[root@rhel63-ipa1 ~]# ulimit -Su; ulimit -Hu
1024
7819
[root@rhel63-ipa1 ~]# sudo -u xman /bin/bash
[xman@rhel63-ipa1 root]$ ulimit -Su; ulimit -Hu
1024
7819
[xman@rhel63-ipa1 root]$

I have tested this by reverting the fix for #401 and the test case behaves as expected. After reading the comments in BZ #401, it seems that this patch is only useful for Suse Linux users. If this is the case, can this functionality be explicitly turned on with a switch during compile time? This will allow sudo to behave as expected for users of other distributions.
Created attachment 353: Patch to only restore RLIMIT_NPROC when _SC_CHILD_MAX returns -1

The following patch should fix this, please give it a try.
Fixed in sudo 1.8.6.
Hi, I think this bug is still present in the latest sources. If I set the nproc limit via pam_limits to unlimited on a RHEL system, it gets set to the values which sudo inherited from the parent process. I've come up with another solution; I'll attach the patch to this BZ.

The problem is that if you set unlimited & unlimited (soft & hard) in pam_limits, then these settings are indistinguishable from the temporary nproc limit reset done inside sudo. To overcome this problem, I've moved the part that stores the parent process limits just after the policy_init_session call where all the PAM magic happens. That way, if pam_limits changes anything, it gets restored before sudo executes the requested command.
Created attachment 374: Patch to store RLIMIT_NPROC after the call to policy_init_session
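The ordering problem described in the comment above, as an added model written for this page (not sudo's code and not the attached patch): the struct rlimit values stand in for the kernel's per-process limit, pam_limits_apply is a stand-in for pam_limits running inside policy_init_session, and nothing calls setrlimit(), so it runs unprivileged.

```c
#include <sys/resource.h>
#include <stdbool.h>

/* Stand-in for pam_limits applying a limits.d entry (e.g. xman soft/hard
 * nproc unlimited) while the PAM session is opened. */
static void pam_limits_apply(struct rlimit *lim, rlim_t soft, rlim_t hard)
{
    lim->rlim_cur = soft;
    lim->rlim_max = hard;
}

/* Flow from the BZ #401 fix: the parent's limit is saved before the PAM
 * session is opened, the limit is raised to unlimited so setuid() cannot fail
 * on the nproc check, and exec_setup() restores the saved value whenever it
 * still sees unlimited/unlimited, assuming that pair is its own temporary
 * value. A pam_limits entry of unlimited/unlimited is indistinguishable
 * from that and gets replaced by the parent's values. */
struct rlimit nproc_flow_before_374(struct rlimit parent, rlim_t pam_soft,
                                    rlim_t pam_hard)
{
    struct rlimit saved = parent;                          /* saved too early */
    struct rlimit lim = { RLIM_INFINITY, RLIM_INFINITY };  /* temporary raise */
    pam_limits_apply(&lim, pam_soft, pam_hard);            /* policy_init_session() */
    if (lim.rlim_cur == RLIM_INFINITY && lim.rlim_max == RLIM_INFINITY)
        lim = saved;                                       /* exec_setup() */
    return lim;
}

/* Flow with attachment 374: the limit is captured after policy_init_session(),
 * so whatever pam_limits set is exactly what exec_setup() restores, and the
 * parent's value no longer matters. */
struct rlimit nproc_flow_with_374(rlim_t pam_soft, rlim_t pam_hard)
{
    struct rlimit lim = { RLIM_INFINITY, RLIM_INFINITY };  /* temporary raise */
    pam_limits_apply(&lim, pam_soft, pam_hard);            /* policy_init_session() */
    struct rlimit saved = lim;                             /* saved after PAM */
    lim = saved;                                           /* exec_setup() */
    return lim;
}

bool nproc_is_unlimited(struct rlimit lim)
{
    return lim.rlim_cur == RLIM_INFINITY && lim.rlim_max == RLIM_INFINITY;
}
```

With the parent's 1024/7819 from the report, the old flow returns 1024/7819 for an unlimited/unlimited pam_limits entry but leaves a finite entry such as 2048/4096 untouched, which is why only the unlimited case was broken.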
With Dan's patch applied I think there is no longer any reason to check sysconf(_SC_CHILD_MAX) and the saved value of RLIMIT_NPROC should always be restored.
Actually, since it is only setuid() and not seteuid() that has the RLIMIT_NPROC check, this can be even simpler. I've just checked in the following: http://www.sudo.ws/repos/sudo/rev/1372f1909039
Fixed in sudo 1.8.8