isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

We need to unlimit RLIMIT_NPROC in sudoers as well as the sudo front

Browse Source 
end since set_perms() and restore_perms change the read uid and may
fail with EAGAIN on Linux kernels prior to 3.1.
This commit is contained in:
Todd C. Miller
2015-06-12 15:30:06 -06:00
parent db8aae12e8
commit 25917e435c
2 changed files with 56 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
plugins/sudoers/sudoers.c
View File

@@ -27,6 +27,7 @@
#include <config.h> #include <config.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/resource.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <sys/socket.h> #include <sys/socket.h>
#include <stdio.h> #include <stdio.h>
@@ -110,10 +111,54 @@ static char *runas_user;
static char *runas_group; static char *runas_group;
static struct sudo_nss_list *snl; static struct sudo_nss_list *snl;
#ifdef __linux__
static struct rlimit nproclimit;
#endif
/* XXX - must be extern for audit bits of sudo_auth.c */ /* XXX - must be extern for audit bits of sudo_auth.c */
int NewArgc; int NewArgc;
char **NewArgv; char **NewArgv;
/*
* Unlimit the number of processes since Linux's setuid() will
* apply resource limits when changing uid and return EAGAIN if
* nproc would be exceeded by the uid switch.
*/
static void
unlimit_nproc(void)
{
#ifdef __linux__
struct rlimit rl;
debug_decl(unlimit_nproc, SUDO_DEBUG_UTIL)
if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)
sudo_warn("getrlimit");
rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
if (setrlimit(RLIMIT_NPROC, &rl) != 0) {
rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;
if (setrlimit(RLIMIT_NPROC, &rl) != 0)
sudo_warn("setrlimit");
}
debug_return;
#endif /* __linux__ */
}
/*
* Restore saved value of RLIMIT_NPROC.
*/
static void
restore_nproc(void)
{
#ifdef __linux__
debug_decl(restore_nproc, SUDO_DEBUG_UTIL)
if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)
sudo_warn("setrlimit");
debug_return;
#endif /* __linux__ */
}
int int
sudoers_policy_init(void *info, char * const envp[]) sudoers_policy_init(void *info, char * const envp[])
{ {
@@ -232,6 +277,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
sudo_warn_set_locale_func(sudoers_warn_setlocale); sudo_warn_set_locale_func(sudoers_warn_setlocale);
unlimit_nproc();
/* Is root even allowed to run sudo? */ /* Is root even allowed to run sudo? */
if (user_uid == 0 && !def_root_sudo) { if (user_uid == 0 && !def_root_sudo) {
/* Not an audit event. */ /* Not an audit event. */
@@ -558,6 +605,8 @@ done:
if (!rewind_perms()) if (!rewind_perms())
rval = -1; rval = -1;
restore_nproc();
/* Close the password and group files and free up memory. */ /* Close the password and group files and free up memory. */
sudo_endpwent(); sudo_endpwent();
sudo_endgrent(); sudo_endgrent();

12
src/sudo.c
View File

@@ -829,12 +829,13 @@ unlimit_nproc(void)
struct rlimit rl; struct rlimit rl;
debug_decl(unlimit_nproc, SUDO_DEBUG_UTIL) debug_decl(unlimit_nproc, SUDO_DEBUG_UTIL)
(void) getrlimit(RLIMIT_NPROC, &nproclimit); if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)
sudo_warn("getrlimit");
rl.rlim_cur = rl.rlim_max = RLIM_INFINITY; rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
if (setrlimit(RLIMIT_NPROC, &rl) != 0) { if (setrlimit(RLIMIT_NPROC, &rl) != 0) {
memcpy(&rl, &nproclimit, sizeof(struct rlimit)); rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;
rl.rlim_cur = rl.rlim_max; if (setrlimit(RLIMIT_NPROC, &rl) != 0)
(void)setrlimit(RLIMIT_NPROC, &rl); sudo_warn("setrlimit");
} }
debug_return; debug_return;
#endif /* __linux__ */ #endif /* __linux__ */
@@ -849,7 +850,8 @@ restore_nproc(void)
#ifdef __linux__ #ifdef __linux__
debug_decl(restore_nproc, SUDO_DEBUG_UTIL) debug_decl(restore_nproc, SUDO_DEBUG_UTIL)
(void) setrlimit(RLIMIT_NPROC, &nproclimit); if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)
sudo_warn("setrlimit");
debug_return; debug_return;
#endif /* __linux__ */ #endif /* __linux__ */