Blame SOURCES/sudo-1.8.6p3-nprocfix.patch

1b092f
diff -up sudo-1.8.6p3/src/exec.c.nprocfix sudo-1.8.6p3/src/exec.c
1b092f
--- sudo-1.8.6p3/src/exec.c.nprocfix	2013-07-11 12:55:10.686308050 +0200
1b092f
+++ sudo-1.8.6p3/src/exec.c	2013-07-11 12:54:21.159160553 +0200
1b092f
@@ -132,6 +132,15 @@ static int fork_cmnd(struct command_deta
1b092f
     if (policy_init_session(details) != true)
1b092f
 	errorx(1, _("policy plugin failed session initialization"));
1b092f
 
1b092f
+    /*
1b092f
+     * See the comment in unlimit_nproc. It is important to call
1b092f
+     * this function AFTER policy_init_session, because the PAM
1b092f
+     * subsystem, if used, may change the RLIMIT_NPROC limit to
1b092f
+     * unlimited (infinity) and we would not be able to distinguish
1b092f
+     * between our temporary change and the change done by PAM.
1b092f
+     */
1b092f
+    unlimit_nproc();
1b092f
+
1b092f
     cmnd_pid = sudo_debug_fork();
1b092f
     switch (cmnd_pid) {
1b092f
     case -1:
1b092f
diff -up sudo-1.8.6p3/src/exec_pty.c.nprocfix sudo-1.8.6p3/src/exec_pty.c
1b092f
--- sudo-1.8.6p3/src/exec_pty.c.nprocfix	2012-09-18 15:57:43.000000000 +0200
1b092f
+++ sudo-1.8.6p3/src/exec_pty.c	2013-07-11 12:37:41.811202301 +0200
1b092f
@@ -678,6 +678,15 @@ fork_pty(struct command_details *details
1b092f
 	errorx(1, _("policy plugin failed session initialization"));
1b092f
 
1b092f
     /*
1b092f
+     * See the comment in unlimit_nproc. It is important to call
1b092f
+     * this function AFTER policy_init_session, because the PAM
1b092f
+     * subsystem, if used, may change the RLIMIT_NPROC limit to
1b092f
+     * unlimited (infinity) and we would not be able to distinguish
1b092f
+     * between our temporary change and the change done by PAM.
1b092f
+     */
1b092f
+    unlimit_nproc();
1b092f
+
1b092f
+    /*
1b092f
      * Block some signals until cmnd_pid is set in the parent to avoid a
1b092f
      * race between exec of the command and receipt of a fatal signal from it.
1b092f
      */
1b092f
diff -up sudo-1.8.6p3/src/sudo.c.nprocfix sudo-1.8.6p3/src/sudo.c
1b092f
--- sudo-1.8.6p3/src/sudo.c.nprocfix	2013-07-11 12:37:41.767202170 +0200
1b092f
+++ sudo-1.8.6p3/src/sudo.c	2013-07-11 12:37:41.811202301 +0200
1b092f
@@ -808,25 +808,11 @@ sudo_check_suid(const char *path)
1b092f
 static void
1b092f
 disable_coredumps(void)
1b092f
 {
1b092f
-#if defined(__linux__) || defined(RLIMIT_CORE)
1b092f
-    struct rlimit rl;
1b092f
+#if defined(RLIMIT_CORE)
1b092f
+		struct rlimit rl;
1b092f
 #endif
1b092f
     debug_decl(disable_coredumps, SUDO_DEBUG_UTIL)
1b092f
 
1b092f
-#if defined(__linux__)
1b092f
-    /*
1b092f
-     * Unlimit the number of processes since Linux's setuid() will
1b092f
-     * apply resource limits when changing uid and return EAGAIN if
1b092f
-     * nproc would be violated by the uid switch.
1b092f
-     */
1b092f
-    (void) getrlimit(RLIMIT_NPROC, &nproclimit);
1b092f
-    rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
1b092f
-    if (setrlimit(RLIMIT_NPROC, &rl)) {
1b092f
-	memcpy(&rl, &nproclimit, sizeof(struct rlimit));
1b092f
-	rl.rlim_cur = rl.rlim_max;
1b092f
-	(void)setrlimit(RLIMIT_NPROC, &rl);
1b092f
-    }
1b092f
-#endif /* __linux__ */
1b092f
 #ifdef RLIMIT_CORE
1b092f
     /*
1b092f
      * Turn off core dumps?
1b092f
@@ -841,6 +827,28 @@ disable_coredumps(void)
1b092f
     debug_return;
1b092f
 }
1b092f
 
1b092f
+void
1b092f
+unlimit_nproc(void)
1b092f
+{
1b092f
+	debug_decl(unlimit_nproc, SUDO_DEBUG_UTIL)
1b092f
+#if defined(__linux__)
1b092f
+		struct rlimit rl;
1b092f
+	/*
1b092f
+    * Unlimit the number of processes since Linux's setuid() will
1b092f
+    * apply resource limits when changing uid and return EAGAIN if
1b092f
+    * nproc would be violated by the uid switch.
1b092f
+    */
1b092f
+	(void) getrlimit(RLIMIT_NPROC, &nproclimit);
1b092f
+	rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
1b092f
+	if (setrlimit(RLIMIT_NPROC, &rl)) {
1b092f
+		memcpy(&rl, &nproclimit, sizeof(struct rlimit));
1b092f
+		rl.rlim_cur = rl.rlim_max;
1b092f
+		(void)setrlimit(RLIMIT_NPROC, &rl);
1b092f
+	}
1b092f
+#endif /* __linux__ */
1b092f
+	debug_return;
1b092f
+}
1b092f
+
1b092f
 #ifdef HAVE_PROJECT_H
1b092f
 static void
1b092f
 set_project(struct passwd *pw)
1b092f
@@ -1082,7 +1090,6 @@ exec_setup(struct command_details *detai
1b092f
 	errno = 0;
1b092f
 	l = sysconf(_SC_CHILD_MAX);
1b092f
 	if (l == -1 && errno == 0 && getrlimit(RLIMIT_NPROC, &rl) == 0) {
1b092f
-	    if (rl.rlim_cur == RLIM_INFINITY && rl.rlim_max == RLIM_INFINITY)
1b092f
 		(void) setrlimit(RLIMIT_NPROC, &nproclimit);
1b092f
 	}
1b092f
     }
1b092f
diff -up sudo-1.8.6p3/src/sudo.h.nprocfix sudo-1.8.6p3/src/sudo.h
1b092f
--- sudo-1.8.6p3/src/sudo.h.nprocfix	2013-07-11 12:37:41.768202173 +0200
1b092f
+++ sudo-1.8.6p3/src/sudo.h	2013-07-11 12:37:41.811202301 +0200
1b092f
@@ -219,6 +219,7 @@ int policy_init_session(struct command_d
1b092f
 int run_command(struct command_details *details);
1b092f
 extern const char *list_user, *runas_user, *runas_group;
1b092f
 extern struct user_details user_details;
1b092f
+void unlimit_nproc(void);
1b092f
 
1b092f
 /* sudo_edit.c */
1b092f
 int sudo_edit(struct command_details *details);