Hi *, I was just wondering - how one trying to avoid logging as root as much as possible can do his tasks successfully if su and sudo don't reset resource limits when the privileged command is executed? See the below figures: COMMENT: limits of a privileged account (one allowed to su and sudo to root) jester:~> limit cputime unlimited filesize unlimited datasize unlimited stacksize 8192 kbytes coredumpsize 0 kbytes memoryuse unlimited descriptors 1024 memorylocked unlimited maxproc 256 openfiles 1024 jester:~> COMMENT: the limits after 'sudo -s -H' jester:~# limit cputime unlimited filesize unlimited datasize unlimited stacksize 8192 kbytes coredumpsize 0 kbytes memoryuse unlimited descriptors 1024 memorylocked unlimited maxproc 256 openfiles 1024 jester:~# COMMENT: after 'su -s -' jester:~# ulimit -a core file size (blocks) 0 data seg size (kbytes) unlimited file size (blocks) unlimited max locked memory (kbytes) unlimited max memory size (kbytes) unlimited open files 1024 pipe size (512 bytes) 8 stack size (kbytes) 8192 cpu time (seconds) unlimited max user processes 256 virtual memory (kbytes) unlimited jester:~# Now, let's assume I want to restart some daemon or, better, to run dselect and install upgraded packages - it might result in restarting some daemons. Let's further assume I do it using sudo. Everything's fine until I look in the log files and see that e.g. postfix reports - couldn't allocate more file handles... It took me a while before I noticed WHY in heavens did it report that - it turned out that albeit it was started as root the resource limits of the user who invoked sudo to restart the postfix session apply to this particular postfix instance! Now, postfix is just an example and the above limits aren't that restrictive, but what happens if one limits e.g. number of open files to 45, max processes to 10 and then uses sudo or su to restart some daemon? Hmm... looks like we might have a problem - if a service is meant to run as root or as some other user then the resource limits for THAT user or root should apply, unless I'm mistaken. marek
Attachment:
pgpMQjevJdnXF.pgp
Description: PGP signature