Package: sudo
Version: 1.8.9~rc1-1
Severity: normal

sudo doesn't use the correct user when setting limits - it uses
the limits for the first user with the given UID.

Please note that it works fine for _different_ users, so the
referenced bugs below are solved (?).


Rationale:

I want to restrict my user to relatively low ulimits (to
protect against misbehaving applications), but some things
should have more room.
ulimits are defined per user, and one cannot easily set the hard
limit higher (without writing a program of one's own for that);
so I would just use a second user.
To avoid having all kinds of permission issues I'd like to use the
same UID; as /etc/security/limits.conf uses names and not
UIDs, this looks easy.
(And it does "just work" for su, see below.)


Steps to reproduce:
* choose a user in /etc/passwd
        u1:x:1000:1000::/home/u1:/bin/bash
* copy it to a new name, keeping the same UID
        u2:x:1000:1000::/home/u1:/bin/bash
* build a matching record in /etc/shadow
        u2:*:15000:0:99999:7:::
* ensure that pam_limits is defined for sudo
        # grep limits /etc/pam.d/sudo
        session    required   pam_limits.so
* set different configurations in /etc/security/limits.conf
        u1              hard    stack           8192
        u2              hard    stack           262144
* verify (as root):
  # su -c 'ulimit -Hs' u1
  8192
  # su -c 'ulimit -Hs' u2
  262144
* test with "sudo":
  # sudo -u u1 bash -c 'ulimit -Hs'
  8192
  # sudo -u u2 bash -c 'ulimit -Hs'
  8192


Related(?):

Sudo ignores pam_limits: (2002)
        http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=93845

sudo pam limits (2009)
        http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518464

User limit 'open files' ... does not work properly with sudo
        http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641607

/etc/pam.d/sudo has no longer pam_limits.so:
        https://answers.launchpad.net/ubuntu/+source/sudo/+question/241943



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sudo depends on:
ii  libc6           2.17-97
ii  libpam-modules  1.1.3-9
ii  libpam0g        1.1.3-9
ii  libselinux1     2.2.1-1

sudo recommends no packages.

sudo suggests no packages.

-- Configuration Files:
/etc/pam.d/sudo changed:
session    required   pam_limits.so
@include common-auth
@include common-account
@include common-session-noninteractive

/etc/sudoers [Errno 13] Permission denied: u'/etc/sudoers'
/etc/sudoers.d/README [Errno 13] Permission denied: u'/etc/sudoers.d/README'

-- no debconf information
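An added example, not part of the bug report above and not code from sudo or pam_limits: a small POSIX shell script that (a) lists accounts sharing one UID, the precondition for the behaviour the report describes, and (b) simulates the two lookup orders (keyed on the requested name, as su behaves in the report, versus name -> UID -> first account with that UID -> limits.conf, which reproduces the numbers the report shows for sudo) over constructed passwd and limits.conf data mirroring the u1/u2 setup. The assumption that sudo's result comes from a UID-keyed lookup where getpwuid(3) returns the first matching entry in file order (true for the files NSS backend) is a model of the observed output, not something the report establishes. The sample files are constructed and written to a temporary directory; nothing touches the real /etc/passwd or /etc/security/limits.conf.

```sh
#!/bin/sh
# Added example (not from the bug report): audit duplicate UIDs and simulate
# name-keyed vs UID-keyed limits lookup over constructed sample data.
# Assumption: the UID-keyed path models the sudo output in the report; the
# report itself does not say which lookup sudo performs.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"
LIMITS="$WORK/limits.conf"

# Constructed passwd data mirroring the report (u1 and u2 share UID 1000).
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
u1:x:1000:1000::/home/u1:/bin/bash
u2:x:1000:1000::/home/u1:/bin/bash
u3:x:1001:1001::/home/u3:/bin/bash
EOF

# Constructed limits.conf data: <domain> <type> <item> <value>.
cat > "$LIMITS" <<'EOF'
# <domain> <type> <item> <value>
u1   hard  stack  8192
u2   hard  stack  262144
u3   hard  stack  16384
EOF

# Print "UID name1 name2 ..." for every UID shared by more than one account.
# Point it at the real /etc/passwd to see whether the reported case applies.
dup_uid_names() {
    awk -F: '
        { names[$3] = names[$3] " " $1; count[$3]++ }
        END { for (u in count) if (count[u] > 1) print u names[u] }
    ' "$1" | sort -n
}

# First account with the given UID, in file order: what getpwuid(3) returns
# from the files backend when several names share that UID.
first_name_for_uid() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# UID of a named account: what getpwnam(3) returns.
uid_for_name() {
    awk -F: -v name="$2" '$1 == name { print $3; exit }' "$1"
}

# Value of one limits.conf entry keyed by domain (account name), type, item.
limit_for_name() {
    awk -v d="$2" -v t="$3" -v i="$4" '
        $1 !~ /^#/ && $1 == d && $2 == t && $3 == i { print $4; exit }
    ' "$1"
}

# Lookup keyed on the requested name (the su result in the report).
limit_by_name() {
    limit_for_name "$LIMITS" "$1" "$2" "$3"
}

# Lookup that goes name -> UID -> first name for that UID before consulting
# limits.conf; this yields the sudo result shown in the report (assumed model).
limit_by_uid() {
    uid=$(uid_for_name "$PASSWD" "$1")
    limit_for_name "$LIMITS" "$(first_name_for_uid "$PASSWD" "$uid")" "$2" "$3"
}

dup_uid_names "$PASSWD"
for u in u1 u2 u3; do
    printf '%s by-name=%s by-uid=%s\n' "$u" \
        "$(limit_by_name "$u" hard stack)" "$(limit_by_uid "$u" hard stack)"
done
```

Running it prints the shared UID line "1000 u1 u2" followed by one line per account; u2 resolves to 262144 by name but 8192 by UID, while u3, whose UID is unique, gets the same value either way. Only dup_uid_names is meant to be run against a live /etc/passwd; the lookup functions work on the constructed files.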

