diff -up sudo-1.8.6p3/src/exec.c.nprocfix sudo-1.8.6p3/src/exec.c
--- sudo-1.8.6p3/src/exec.c.nprocfix 2013-07-11 12:55:10.686308050 +0200
+++ sudo-1.8.6p3/src/exec.c 2013-07-11 12:54:21.159160553 +0200
@@ -132,6 +132,15 @@ static int fork_cmnd(struct command_deta
if (policy_init_session(details) != true)
errorx(1, _("policy plugin failed session initialization"));
+ /*
+ * See the comment in unlimit_nproc. It is important to call
+ * this function AFTER policy_init_session, because the PAM
+ * subsystem, if used, may change the RLIMIT_NPROC limit to
+ * unlimited (infinity) and we would not be able to distinguish
+ * between our temporary change and the change done by PAM.
+ */
+ unlimit_nproc();
+
cmnd_pid = sudo_debug_fork();
switch (cmnd_pid) {
case -1:
diff -up sudo-1.8.6p3/src/exec_pty.c.nprocfix sudo-1.8.6p3/src/exec_pty.c
--- sudo-1.8.6p3/src/exec_pty.c.nprocfix 2012-09-18 15:57:43.000000000 +0200
+++ sudo-1.8.6p3/src/exec_pty.c 2013-07-11 12:37:41.811202301 +0200
@@ -678,6 +678,15 @@ fork_pty(struct command_details *details
errorx(1, _("policy plugin failed session initialization"));
/*
+ * See the comment in unlimit_nproc. It is important to call
+ * this function AFTER policy_init_session, because the PAM
+ * subsystem, if used, may change the RLIMIT_NPROC limit to
+ * unlimited (infinity) and we would not be able to distinguish
+ * between our temporary change and the change done by PAM.
+ */
+ unlimit_nproc();
+
+ /*
* Block some signals until cmnd_pid is set in the parent to avoid a
* race between exec of the command and receipt of a fatal signal from it.
*/
diff -up sudo-1.8.6p3/src/sudo.c.nprocfix sudo-1.8.6p3/src/sudo.c
--- sudo-1.8.6p3/src/sudo.c.nprocfix 2013-07-11 12:37:41.767202170 +0200
+++ sudo-1.8.6p3/src/sudo.c 2013-07-11 12:37:41.811202301 +0200
@@ -808,25 +808,11 @@ sudo_check_suid(const char *path)
static void
disable_coredumps(void)
{
-#if defined(__linux__) || defined(RLIMIT_CORE)
- struct rlimit rl;
+#if defined(RLIMIT_CORE)
+ struct rlimit rl;
#endif
debug_decl(disable_coredumps, SUDO_DEBUG_UTIL)
-#if defined(__linux__)
- /*
- * Unlimit the number of processes since Linux's setuid() will
- * apply resource limits when changing uid and return EAGAIN if
- * nproc would be violated by the uid switch.
- */
- (void) getrlimit(RLIMIT_NPROC, &nproclimit);
- rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
- if (setrlimit(RLIMIT_NPROC, &rl)) {
- memcpy(&rl, &nproclimit, sizeof(struct rlimit));
- rl.rlim_cur = rl.rlim_max;
- (void)setrlimit(RLIMIT_NPROC, &rl);
- }
-#endif /* __linux__ */
#ifdef RLIMIT_CORE
/*
* Turn off core dumps?
@@ -841,6 +827,28 @@ disable_coredumps(void)
debug_return;
}
+void
+unlimit_nproc(void)
+{
+ debug_decl(unlimit_nproc, SUDO_DEBUG_UTIL)
+#if defined(__linux__)
+ struct rlimit rl;
+ /*
+ * Unlimit the number of processes since Linux's setuid() will
+ * apply resource limits when changing uid and return EAGAIN if
+ * nproc would be violated by the uid switch.
+ */
+ (void) getrlimit(RLIMIT_NPROC, &nproclimit);
+ rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
+ if (setrlimit(RLIMIT_NPROC, &rl)) {
+ memcpy(&rl, &nproclimit, sizeof(struct rlimit));
+ rl.rlim_cur = rl.rlim_max;
+ (void)setrlimit(RLIMIT_NPROC, &rl);
+ }
+#endif /* __linux__ */
+ debug_return;
+}
+
#ifdef HAVE_PROJECT_H
static void
set_project(struct passwd *pw)
@@ -1082,7 +1090,6 @@ exec_setup(struct command_details *detai
errno = 0;
l = sysconf(_SC_CHILD_MAX);
if (l == -1 && errno == 0 && getrlimit(RLIMIT_NPROC, &rl) == 0) {
- if (rl.rlim_cur == RLIM_INFINITY && rl.rlim_max == RLIM_INFINITY)
(void) setrlimit(RLIMIT_NPROC, &nproclimit);
}
}
diff -up sudo-1.8.6p3/src/sudo.h.nprocfix sudo-1.8.6p3/src/sudo.h
--- sudo-1.8.6p3/src/sudo.h.nprocfix 2013-07-11 12:37:41.768202173 +0200
+++ sudo-1.8.6p3/src/sudo.h 2013-07-11 12:37:41.811202301 +0200
@@ -219,6 +219,7 @@ int policy_init_session(struct command_d
int run_command(struct command_details *details);
extern const char *list_user, *runas_user, *runas_group;
extern struct user_details user_details;
+void unlimit_nproc(void);
/* sudo_edit.c */
int sudo_edit(struct command_details *details);