
su, sudo and resource limits



Hi *,

  I was just wondering - how can one who is trying to avoid logging in as root
as much as possible do his tasks successfully if su and sudo don't reset
resource limits when the privileged command is executed? See the figures below:

COMMENT: limits of a privileged account (one allowed to su and sudo to root)
jester:~> limit
cputime         unlimited
filesize        unlimited
datasize        unlimited
stacksize       8192 kbytes
coredumpsize    0 kbytes
memoryuse       unlimited
descriptors     1024
memorylocked    unlimited
maxproc         256
openfiles       1024
jester:~>

COMMENT: the limits after 'sudo -s -H'
jester:~# limit
cputime         unlimited
filesize        unlimited
datasize        unlimited
stacksize       8192 kbytes
coredumpsize    0 kbytes
memoryuse       unlimited
descriptors     1024
memorylocked    unlimited
maxproc         256
openfiles       1024
jester:~#

COMMENT: after 'su -s -'
jester:~# ulimit -a
core file size (blocks)     0
data seg size (kbytes)      unlimited
file size (blocks)          unlimited
max locked memory (kbytes)  unlimited
max memory size (kbytes)    unlimited
open files                  1024
pipe size (512 bytes)       8
stack size (kbytes)         8192
cpu time (seconds)          unlimited
max user processes          256
virtual memory (kbytes)     unlimited
jester:~#

Now, let's assume I want to restart some daemon or, better, to run dselect
and install upgraded packages - it might result in restarting some daemons.
Let's further assume I do it using sudo. Everything's fine until I look in
the log files and see that e.g. postfix reports - couldn't allocate more
file handles... It took me a while before I noticed WHY in heavens did it
report that - it turned out that albeit it was started as root the resource
limits of the user who invoked sudo to restart the postfix session apply to
this particular postfix instance! Now, postfix is just an example and the
above limits aren't that restrictive, but what happens if one limits e.g.
number of open files to 45, max processes to 10 and then uses sudo or su to
restart some daemon? Hmm... looks like we might have a problem - if a
service is meant to run as root or as some other user then the resource
limits for THAT user or root should apply, unless I'm mistaken.

marek
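
Added example, not part of the original message: a shell sketch of the behaviour described above, showing that a limit set in the invoking shell survives exec, plus a check that flags a daemon running with limits lower than expected. The function names are hypothetical, the sample text is constructed in the Linux /proc/<pid>/limits layout, and the 45 and 10 values are the ones the message uses.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Soft open-files limit seen by a program exec'd from a shell whose own soft
# limit was first lowered to $1 (done in a subshell, caller is untouched).
inherited_nofile() {
    ( ulimit -Sn "$1" && sh -c 'ulimit -Sn' )
}

# Soft value of limit "$1" from /proc/<pid>/limits-style text on stdin.
soft_limit() {
    awk -v name="$1" 'index($0, name) == 1 {
        split(substr($0, length(name) + 1), f, " "); print f[1]; exit }'
}

# Read /proc/<pid>/limits-style text on stdin; arguments are "name=minimum".
# Reports each soft limit below its minimum and returns 1 if any was found.
audit_limits() {
    text=$(cat); rc=0
    for want in "$@"; do
        name=${want%=*}; min=${want#*=}
        have=$(printf '%s\n' "$text" | soft_limit "$name")
        [ "$have" = unlimited ] && continue
        if [ -z "$have" ] || [ "$have" -lt "$min" ]; then
            echo "$name: soft=${have:-missing} wanted>=$min"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a root-owned daemon restarted from a shell limited to
# 45 open files and 10 processes (the values the message uses).
sample_limits() {
    cat <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max processes             10                   256                  processes
Max open files            45                   1024                 files
EOF
}

echo "exec'd child sees open files limit: $(inherited_nofile 45)"
sample_limits | audit_limits "Max open files=1024" "Max processes=256" ||
    echo "limits were inherited from the invoking shell"
```

On a Linux host the same check can read a running daemon's own limits by redirecting /proc/<pid>/limits into audit_limits instead of the constructed sample.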
