su: reset RLIMIT_{NICE,RTPRIO} to zero
Addresses: https://github.com/linux-pam/linux-pam/issues/85 Reported-by: Lennart Poettering <lennart@poettering.net> Signed-off-by: Karel Zak <kzak@redhat.com>
parent
3d6a3d6d2a
commit
e549619122
|
@ -28,6 +28,8 @@ For backward compatibility, *runuser* defaults to not changing the current direc
|
|||
|
||||
Note that *runuser* in all cases use PAM (pam_getenvlist()) to do the final environment modification. Command-line options such as *--login* and *--preserve-environment* affect the environment before it is modified by PAM.
|
||||
|
||||
Since version 2.38 *runuser* resets process resource limits RLIMIT_NICE and RLIMIT_RTPRIO to zero.
|
||||
|
||||
== OPTIONS
|
||||
|
||||
*-c*, *--command*=_command_::
|
||||
|
|
|
@ -36,6 +36,11 @@
|
|||
#include <sys/wait.h>
|
||||
#include <syslog.h>
|
||||
#include <utmpx.h>
|
||||
#include <sys/time.h>
|
||||
|
||||
#ifdef HAVE_SYS_RESOURCE_H
|
||||
# include <sys/resource.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_PTY
|
||||
# include <pty.h>
|
||||
|
@ -954,6 +959,16 @@ static int is_not_root(void)
|
|||
return (uid_t) 0 == ruid && ruid == euid ? 0 : 1;
|
||||
}
|
||||
|
||||
static void sanitize_prlimits(void)
|
||||
{
|
||||
#ifdef HAVE_SYS_RESOURCE_H
|
||||
struct rlimit lm = { .rlim_cur = 0, .rlim_max = 0 };
|
||||
|
||||
setrlimit(RLIMIT_NICE, &lm);
|
||||
setrlimit(RLIMIT_RTPRIO, &lm);
|
||||
#endif
|
||||
}
|
||||
|
||||
static gid_t add_supp_group(const char *name, gid_t **groups, size_t *ngroups)
|
||||
{
|
||||
struct group *gr;
|
||||
|
@ -1195,6 +1210,8 @@ int su_main(int argc, char **argv, int mode)
|
|||
if (!su->simulate_login || command)
|
||||
su->suppress_pam_info = 1; /* don't print PAM info messages */
|
||||
|
||||
sanitize_prlimits();
|
||||
|
||||
supam_open_session(su);
|
||||
|
||||
#ifdef USE_PTY
|
||||
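Review bot: Both `setrlimit()` calls in `sanitize_prlimits()` discard their return value, so if either fails the session opens with whatever RLIMIT_NICE/RLIMIT_RTPRIO the caller had and nothing is recorded. Since `<syslog.h>` is already included, a check such as `if (setrlimit(RLIMIT_NICE, &lm) != 0) syslog(LOG_WARNING, "cannot reset RLIMIT_NICE: %m");` (and the same for RLIMIT_RTPRIO) would make a failed reset visible to whoever audits the host. The function is also an empty no-op when HAVE_SYS_RESOURCE_H is undefined, while the man page text promises the reset unconditionally, so the doc sentence or the fallback should say so. The call in `su_main()` sits just before `supam_open_session(su)`, which looks deliberate; a comment like `/* reset before the PAM session is opened so session modules do not start from the caller's limits */` would stop a later refactor from moving it. `su_main()` starts and ends outside the hunk, so the surrounding order cannot be confirmed from here.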
|
|
|
@ -29,6 +29,8 @@ This version of *su* uses PAM for authentication, account and session management
|
|||
|
||||
Note that *su* in all cases uses PAM (*pam_getenvlist*(3)) to do the final environment modification. Command-line options such as *--login* and *--preserve-environment* affect the environment before it is modified by PAM.
|
||||
|
||||
Since version 2.38 *su* resets process resource limits RLIMIT_NICE and RLIMIT_RTPRIO to zero.
|
||||
|
||||
== OPTIONS
|
||||
|
||||
*-c*, **--command**=__command__::
|
||||
|
|