isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

disable_coredump: only change the soft limit, leave the hard limit as-is

Browse Source 
This should avoid problems on Linux in cases where sudo does not
have CAP_SYS_RESOURCE which may be the case in an unprivileged container.
GitHub issue #42
This commit is contained in:
Todd C. Miller
2023-04-24 10:32:40 -06:00
parent e2243e3737
commit b1deffbe5b
1 changed files with 32 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/limits.c
View File

@@ -215,15 +215,24 @@ static int dumpflag;
void
disable_coredump(void)
{
struct rlimit rl = { 0, 0 };
debug_decl(disable_coredump, SUDO_DEBUG_UTIL);
if (getrlimit(RLIMIT_CORE, &corelimit) == -1)
sudo_warn("getrlimit(RLIMIT_CORE)");
sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]",
(long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);
if (setrlimit(RLIMIT_CORE, &rl) == -1)
if (getrlimit(RLIMIT_CORE, &corelimit) == 0) {
/*
* Set the soft limit to 0 but leave the existing hard limit.
* On Linux, we need CAP_SYS_RESOURCE to raise the hard limit
* which may not be the case in, e.g. an unprivileged container.
*/
struct rlimit rl = corelimit;
rl.rlim_cur = 0;
sudo_debug_printf(SUDO_DEBUG_INFO,
"RLIMIT_CORE [%lld, %lld] -> [%lld, %lld]",
(long long)corelimit.rlim_cur, (long long)corelimit.rlim_max,
(long long)rl.rlim_cur, (long long)rl.rlim_max);
if (setrlimit(RLIMIT_CORE, &rl) == -1) {
sudo_warn("setrlimit(RLIMIT_CORE)");
} else {
coredump_disabled = true;
#ifdef __linux__
/* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */
if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) {
@@ -236,7 +245,10 @@ disable_coredump(void)
"prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)");
}
#endif /* __linux__ */
coredump_disabled = true;
}
} else {
sudo_warn("getrlimit(RLIMIT_CORE)");
}
debug_return;
}
@@ -251,8 +263,8 @@ restore_coredump(void)
if (coredump_disabled) {
/*
* Linux containers don't allow RLIMIT_CORE to be set back to
* RLIM_INFINITY if we set the limit to zero, even for root.
* Do not warn about a failure to restore the core dump size limit.
* This is mostly harmless and should not happen in practice.
*/
if (setrlimit(RLIMIT_CORE, &corelimit) == -1) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,