Bug 1711997

Summary: sudo is super slow when /etc/security/limits.conf contains many entries
Product: Red Hat Enterprise Linux 7
Component: sudo
Version: 7.6
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: medium
Target Milestone: rc
Type: Bug
Reporter: Renaud Métrich <rmetrich>
Assignee: Radovan Sroka <rsroka>
QA Contact: Martin Zelený <mzeleny>
CC: dapospis, mzeleny
Last Closed: 2020-03-31 19:43:43 UTC

Description Renaud Métrich 2019-05-20 15:10:34 UTC
Description of problem:

When /etc/security/limits.conf or /etc/security/limits.d/*.conf contain many entries, sudo is very slow, "sudo -i" even slower:

# time sudo -i true

real	0m4.645s
user	0m4.594s
sys	0m0.046s


# time sudo true

real	0m1.350s
user	0m1.276s
sys	0m0.075s


Version-Release number of selected component (if applicable):

sudo-1.8.23-3.el7.x86_64


How reproducible:

Always


Steps to Reproduce:
1. Create 40 "groups" entries containing 13 lines (hence 520 lines in total)

# cat > ~/template.per_group << EOF
ENTRY        -       fsize           unlimited
ENTRY        -       core            unlimited
ENTRY        -       data            unlimited
ENTRY        -       memlock         unlimited
ENTRY        -       nofile          100000
ENTRY        -       rss             unlimited
ENTRY        -       stack           unlimited
ENTRY        -       cpu             unlimited
ENTRY        -       nproc           unlimited
ENTRY        -       as              unlimited
ENTRY        -       maxlogins       unlimited
ENTRY        -       locks           unlimited
ENTRY        -       sigpending      unlimited
EOF

# for i in $(seq 1 40); do group="@mygroup$i"; sed "s/ENTRY/$group/g" ~/template.per_group > /etc/security/limits.d/group$i.conf; done

2. Run "sudo -i" or "sudo"

# time sudo -i true


Actual results:

real	0m4.826s
user	0m4.780s
sys	0m0.041s


Expected results:

real	0m0.340s
user	0m0.292s
sys	0m0.042s


Additional info:

This is due to sudo executing "pam_limits.so" multiple times (3 times for "sudo -i", 2 times for "sudo"), because "pam_limits.so" is defined in multiple places:
- /etc/pam.d/sudo-i

  session    required     pam_limits.so
  session    include      sudo

- /etc/pam.d/sudo

  session    required     pam_limits.so
  session    include      system-auth

- /etc/pam.d/system-auth

  session     required      pam_limits.so

Removing the "session    required     pam_limits.so" from /etc/pam.d/sudo-i and /etc/pam.d/sudo fixes the issue.
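
The include chain described above can be checked mechanically. The following is an added example, not part of the bug report and not code from sudo or PAM: a shell function (the names pam_count and make_sample are hypothetical) that follows "include" and "substack" lines and counts how often a module is reached in one service's stack, run here on constructed copies of the three session stacks quoted in the description.

```sh
#!/bin/sh
# pam.d line format: type  control  module-path  [arguments]

# pam_count DIR SERVICE TYPE MODULE [DEPTH]
# Prints how many times MODULE is reached in SERVICE's TYPE stack once
# "include" and "substack" lines are followed.
pam_count() {
    dir=$1 service=$2 type=$3 module=$4 depth=${5:-0}
    # A missing file or an include loop contributes nothing.
    if [ ! -r "$dir/$service" ] || [ "$depth" -gt 16 ]; then
        echo 0
        return 0
    fi
    # Drop comments and collapse "[a=b c=d]" controls to one token so that
    # the module path is always the third field.
    sed -e 's/#.*//' -e 's/\[[^]]*]/[]/' "$dir/$service" | {
        count=0
        while read -r t control mod rest; do
            t=${t#-}                        # "-session" marks an optional module
            [ "$t" = "$type" ] || continue  # also skips blank lines
            case $control in
                include|substack)
                    # $(...) is a subshell, so this level's variables survive.
                    sub=$(pam_count "$dir" "$mod" "$type" "$module" $((depth + 1)))
                    count=$((count + sub)) ;;
                *)
                    # Compare the basename so full module paths match too.
                    if [ "${mod##*/}" = "$module" ]; then count=$((count + 1)); fi ;;
            esac
        done
        echo "$count"
    }
}

# Constructed sample: only the session lines quoted in the report.
make_sample() {
    printf 'session    required     pam_limits.so\nsession    include      sudo\n' > "$1/sudo-i"
    printf 'session    required     pam_limits.so\nsession    include      system-auth\n' > "$1/sudo"
    printf 'session     required      pam_limits.so\n' > "$1/system-auth"
}

tmp=$(mktemp -d)
make_sample "$tmp"
for svc in sudo-i sudo system-auth; do
    echo "$svc: $(pam_count "$tmp" "$svc" session pam_limits.so)"
done
rm -rf "$tmp"
```

On a host with this configuration, `pam_count /etc/pam.d sudo-i session pam_limits.so` gives the count for the installed files; a result above 1 means the module appears more than once in that session stack.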

Comment 4 Marek Tamaskovic 2019-06-27 08:52:59 UTC
Used fix:
 > Removing the "session    required     pam_limits.so" from /etc/pam.d/sudo-i and /etc/pam.d/sudo fixes the issue.

Comment 5 Marek Tamaskovic 2019-07-01 07:59:34 UTC
I agree that we can remove that duplicate line from the files /etc/pam.d/sudo-i and /etc/pam.d/sudo.

Comment 11 errata-xmlrpc 2020-03-31 19:43:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1048