|
|
1b092f |
diff -up sudo-1.8.6p3/src/exec.c.nprocfix sudo-1.8.6p3/src/exec.c
|
|
|
1b092f |
--- sudo-1.8.6p3/src/exec.c.nprocfix 2013-07-11 12:55:10.686308050 +0200
|
|
|
1b092f |
+++ sudo-1.8.6p3/src/exec.c 2013-07-11 12:54:21.159160553 +0200
|
|
|
1b092f |
@@ -132,6 +132,15 @@ static int fork_cmnd(struct command_deta
|
|
|
1b092f |
if (policy_init_session(details) != true)
|
|
|
1b092f |
errorx(1, _("policy plugin failed session initialization"));
|
|
|
1b092f |
|
|
|
1b092f |
+ /*
|
|
|
1b092f |
+ * See the comment in unlimit_nproc. It is important to call
|
|
|
1b092f |
+ * this function AFTER policy_init_session, because the PAM
|
|
|
1b092f |
+ * subsystem, if used, may change the RLIMIT_NPROC limit to
|
|
|
1b092f |
+ * unlimited (infinity) and we would not be able to distinguish
|
|
|
1b092f |
+ * between our temporary change and the change done by PAM.
|
|
|
1b092f |
+ */
|
|
|
1b092f |
+ unlimit_nproc();
|
|
|
1b092f |
+
|
|
|
1b092f |
cmnd_pid = sudo_debug_fork();
|
|
|
1b092f |
switch (cmnd_pid) {
|
|
|
1b092f |
case -1:
|
|
|
1b092f |
diff -up sudo-1.8.6p3/src/exec_pty.c.nprocfix sudo-1.8.6p3/src/exec_pty.c
|
|
|
1b092f |
--- sudo-1.8.6p3/src/exec_pty.c.nprocfix 2012-09-18 15:57:43.000000000 +0200
|
|
|
1b092f |
+++ sudo-1.8.6p3/src/exec_pty.c 2013-07-11 12:37:41.811202301 +0200
|
|
|
1b092f |
@@ -678,6 +678,15 @@ fork_pty(struct command_details *details
|
|
|
1b092f |
errorx(1, _("policy plugin failed session initialization"));
|
|
|
1b092f |
|
|
|
1b092f |
/*
|
|
|
1b092f |
+ * See the comment in unlimit_nproc. It is important to call
|
|
|
1b092f |
+ * this function AFTER policy_init_session, because the PAM
|
|
|
1b092f |
+ * subsystem, if used, may change the RLIMIT_NPROC limit to
|
|
|
1b092f |
+ * unlimited (infinity) and we would not be able to distinguish
|
|
|
1b092f |
+ * between our temporary change and the change done by PAM.
|
|
|
1b092f |
+ */
|
|
|
1b092f |
+ unlimit_nproc();
|
|
|
1b092f |
+
|
|
|
1b092f |
+ /*
|
|
|
1b092f |
* Block some signals until cmnd_pid is set in the parent to avoid a
|
|
|
1b092f |
* race between exec of the command and receipt of a fatal signal from it.
|
|
|
1b092f |
*/
|
|
|
1b092f |
diff -up sudo-1.8.6p3/src/sudo.c.nprocfix sudo-1.8.6p3/src/sudo.c
|
|
|
1b092f |
--- sudo-1.8.6p3/src/sudo.c.nprocfix 2013-07-11 12:37:41.767202170 +0200
|
|
|
1b092f |
+++ sudo-1.8.6p3/src/sudo.c 2013-07-11 12:37:41.811202301 +0200
|
|
|
1b092f |
@@ -808,25 +808,11 @@ sudo_check_suid(const char *path)
|
|
|
1b092f |
static void
|
|
|
1b092f |
disable_coredumps(void)
|
|
|
1b092f |
{
|
|
|
1b092f |
-#if defined(__linux__) || defined(RLIMIT_CORE)
|
|
|
1b092f |
- struct rlimit rl;
|
|
|
1b092f |
+#if defined(RLIMIT_CORE)
|
|
|
1b092f |
+ struct rlimit rl;
|
|
|
1b092f |
#endif
|
|
|
1b092f |
debug_decl(disable_coredumps, SUDO_DEBUG_UTIL)
|
|
|
1b092f |
|
|
|
1b092f |
-#if defined(__linux__)
|
|
|
1b092f |
- /*
|
|
|
1b092f |
- * Unlimit the number of processes since Linux's setuid() will
|
|
|
1b092f |
- * apply resource limits when changing uid and return EAGAIN if
|
|
|
1b092f |
- * nproc would be violated by the uid switch.
|
|
|
1b092f |
- */
|
|
|
1b092f |
- (void) getrlimit(RLIMIT_NPROC, &nproclimit);
|
|
|
1b092f |
- rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
|
|
|
1b092f |
- if (setrlimit(RLIMIT_NPROC, &rl)) {
|
|
|
1b092f |
- memcpy(&rl, &nproclimit, sizeof(struct rlimit));
|
|
|
1b092f |
- rl.rlim_cur = rl.rlim_max;
|
|
|
1b092f |
- (void)setrlimit(RLIMIT_NPROC, &rl);
|
|
|
1b092f |
- }
|
|
|
1b092f |
-#endif /* __linux__ */
|
|
|
1b092f |
#ifdef RLIMIT_CORE
|
|
|
1b092f |
/*
|
|
|
1b092f |
* Turn off core dumps?
|
|
|
1b092f |
@@ -841,6 +827,28 @@ disable_coredumps(void)
|
|
|
1b092f |
debug_return;
|
|
|
1b092f |
}
|
|
|
1b092f |
|
|
|
1b092f |
+void
|
|
|
1b092f |
+unlimit_nproc(void)
|
|
|
1b092f |
+{
|
|
|
1b092f |
+ debug_decl(unlimit_nproc, SUDO_DEBUG_UTIL)
|
|
|
1b092f |
+#if defined(__linux__)
|
|
|
1b092f |
+ struct rlimit rl;
|
|
|
1b092f |
+ /*
|
|
|
1b092f |
+ * Unlimit the number of processes since Linux's setuid() will
|
|
|
1b092f |
+ * apply resource limits when changing uid and return EAGAIN if
|
|
|
1b092f |
+ * nproc would be violated by the uid switch.
|
|
|
1b092f |
+ */
|
|
|
1b092f |
+ (void) getrlimit(RLIMIT_NPROC, &nproclimit);
|
|
|
1b092f |
+ rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
|
|
|
1b092f |
+ if (setrlimit(RLIMIT_NPROC, &rl)) {
|
|
|
1b092f |
+ memcpy(&rl, &nproclimit, sizeof(struct rlimit));
|
|
|
1b092f |
+ rl.rlim_cur = rl.rlim_max;
|
|
|
1b092f |
+ (void)setrlimit(RLIMIT_NPROC, &rl);
|
|
|
1b092f |
+ }
|
|
|
1b092f |
+#endif /* __linux__ */
|
|
|
1b092f |
+ debug_return;
|
|
|
1b092f |
+}
|
|
|
1b092f |
+
|
|
|
1b092f |
#ifdef HAVE_PROJECT_H
|
|
|
1b092f |
static void
|
|
|
1b092f |
set_project(struct passwd *pw)
|
|
|
1b092f |
@@ -1082,7 +1090,6 @@ exec_setup(struct command_details *detai
|
|
|
1b092f |
errno = 0;
|
|
|
1b092f |
l = sysconf(_SC_CHILD_MAX);
|
|
|
1b092f |
if (l == -1 && errno == 0 && getrlimit(RLIMIT_NPROC, &rl) == 0) {
|
|
|
1b092f |
- if (rl.rlim_cur == RLIM_INFINITY && rl.rlim_max == RLIM_INFINITY)
|
|
|
1b092f |
(void) setrlimit(RLIMIT_NPROC, &nproclimit);
|
|
|
1b092f |
}
|
|
|
1b092f |
}
|
|
|
1b092f |
diff -up sudo-1.8.6p3/src/sudo.h.nprocfix sudo-1.8.6p3/src/sudo.h
|
|
|
1b092f |
--- sudo-1.8.6p3/src/sudo.h.nprocfix 2013-07-11 12:37:41.768202173 +0200
|
|
|
1b092f |
+++ sudo-1.8.6p3/src/sudo.h 2013-07-11 12:37:41.811202301 +0200
|
|
|
1b092f |
@@ -219,6 +219,7 @@ int policy_init_session(struct command_d
|
|
|
1b092f |
int run_command(struct command_details *details);
|
|
|
1b092f |
extern const char *list_user, *runas_user, *runas_group;
|
|
|
1b092f |
extern struct user_details user_details;
|
|
|
1b092f |
+void unlimit_nproc(void);
|
|
|
1b092f |
|
|
|
1b092f |
/* sudo_edit.c */
|
|
|
1b092f |
int sudo_edit(struct command_details *details);
|