ericonr
/
util-linux
mirror of https://github.com/ericonr/util-linux.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

su: reset RLIMIT_{NICE,RTPRIO} to zero 

Addresses: https://github.com/linux-pam/linux-pam/issues/85
Reported-by: Lennart Poettering <lennart@poettering.net>
Signed-off-by: Karel Zak <kzak@redhat.com>
This commit is contained in:
Karel Zak 2021-10-01 14:59:50 +02:00
parent 3d6a3d6d2a
commit e549619122
3 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
login-utils/runuser.1.adoc
View File

@ -28,6 +28,8 @@ For backward compatibility, *runuser* defaults to not changing the current direc
Note that *runuser* in all cases use PAM (pam_getenvlist()) to do the final environment modification. Command-line options such as *--login* and *--preserve-environment* affect the environment before it is modified by PAM.
Since version 2.38 *runuser* resets process resource limits RLIMIT_NICE and RLIMIT_RTPRIO to zero.
== OPTIONS
*-c*, *--command*=_command_::

17
login-utils/su-common.c
View File

@ -36,6 +36,11 @@
#include <sys/wait.h>
#include <syslog.h>
#include <utmpx.h>
#include <sys/time.h>
#ifdef HAVE_SYS_RESOURCE_H
# include <sys/resource.h>
#endif
#ifdef HAVE_PTY
# include <pty.h>
@ -954,6 +959,16 @@ static int is_not_root(void)
return (uid_t) 0 == ruid && ruid == euid ? 0 : 1;
}
static void sanitize_prlimits(void)
{
#ifdef HAVE_SYS_RESOURCE_H
struct rlimit lm = { .rlim_cur = 0, .rlim_max = 0 };
setrlimit(RLIMIT_NICE, &lm);
setrlimit(RLIMIT_RTPRIO, &lm);
#endif
}
static gid_t add_supp_group(const char *name, gid_t **groups, size_t *ngroups)
{
struct group *gr;
@ -1195,6 +1210,8 @@ int su_main(int argc, char **argv, int mode)
if (!su->simulate_login || command)
su->suppress_pam_info = 1; /* don't print PAM info messages */
sanitize_prlimits();
supam_open_session(su);
#ifdef USE_PTY

2
login-utils/su.1.adoc
View File

@ -29,6 +29,8 @@ This version of *su* uses PAM for authentication, account and session management
Note that *su* in all cases uses PAM (*pam_getenvlist*(3)) to do the final environment modification. Command-line options such as *--login* and *--preserve-environment* affect the environment before it is modified by PAM.
Since version 2.38 *su* resets process resource limits RLIMIT_NICE and RLIMIT_RTPRIO to zero.
== OPTIONS
*-c*, **--command**=__command__::