su, sudo and resource limits
Hi *,
I was just wondering - how can one who tries to avoid logging in as root as
much as possible do his tasks successfully if su and sudo don't reset resource
limits when the privileged command is executed? See the figures below:
COMMENT: limits of a privileged account (one allowed to su and sudo to root)
jester:~> limit
cputime unlimited
filesize unlimited
datasize unlimited
stacksize 8192 kbytes
coredumpsize 0 kbytes
memoryuse unlimited
descriptors 1024
memorylocked unlimited
maxproc 256
openfiles 1024
jester:~>
COMMENT: the limits after 'sudo -s -H'
jester:~# limit
cputime unlimited
filesize unlimited
datasize unlimited
stacksize 8192 kbytes
coredumpsize 0 kbytes
memoryuse unlimited
descriptors 1024
memorylocked unlimited
maxproc 256
openfiles 1024
jester:~#
COMMENT: after 'su -s -'
jester:~# ulimit -a
core file size (blocks) 0
data seg size (kbytes) unlimited
file size (blocks) unlimited
max locked memory (kbytes) unlimited
max memory size (kbytes) unlimited
open files 1024
pipe size (512 bytes) 8
stack size (kbytes) 8192
cpu time (seconds) unlimited
max user processes 256
virtual memory (kbytes) unlimited
jester:~#
Now, let's assume I want to restart some daemon or, better, to run dselect
and install upgraded packages - it might result in restarting some daemons.
Let's further assume I do it using sudo. Everything's fine until I look in
the log files and see that e.g. postfix reports - couldn't allocate more
file handles... It took me a while before I noticed WHY in heavens it
reported that - it turned out that although it was started as root, the
resource limits of the user who invoked sudo to restart the postfix session
apply to this particular postfix instance! Now, postfix is just an example
and the above limits aren't that restrictive, but what happens if one limits
e.g. the number of open files to 45, max processes to 10 and then uses sudo or su to
restart some daemon? Hmm... looks like we might have a problem - if a
service is meant to run as root or as some other user then the resource
limits for THAT user or root should apply, unless I'm mistaken.
marek
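
Added example, not part of the original message: a POSIX shell sketch of the inheritance described above and of a pre-flight check a start wrapper could make before launching a daemon from a sudo or su shell. The function names, the value 64 and the exit code 75 are assumptions chosen for illustration; 45 is the figure used in the message.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from any package.

# Print the soft open-files limit a child process sees when its parent
# shell has the soft limit $1. Lowering a soft limit needs no privilege,
# so this shows the inheritance without sudo or su.
inherited_nofile() {
    ( ulimit -S -n "$1" && sh -c 'ulimit -S -n' )
}

# Succeed only if the current soft open-files limit is at least $1.
nofile_at_least() {
    cur=$(ulimit -S -n)
    [ "$cur" = "unlimited" ] || [ "$cur" -ge "$1" ]
}

# Run "$@" with a soft open-files limit of at least $1. If the inherited
# soft limit is too low, try to raise it (possible up to the hard limit);
# if that fails, refuse to start instead of launching a starved daemon.
# Exit code 75 is an arbitrary choice for this example.
run_with_nofile() {
    want=$1
    shift
    (
        if ! nofile_at_least "$want"; then
            ulimit -S -n "$want" 2>/dev/null || {
                echo "not starting $1: open files limit $(ulimit -S -n) < $want" >&2
                exit 75
            }
        fi
        exec "$@"
    )
}
```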