Bug 467772

Summary: sudo with -i inherits caller's ulimits
Product: Red Hat Enterprise Linux 5
Reporter: Matt Savona <matt.savona>
Component: sudo
Assignee: Daniel Kopeček <dkopecek>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: medium
Version: 5.2
CC: juanino, matt.savona, mmalik, mrkfact, pvrabec, sgrubb
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2011-08-24 14:19:57 UTC

Description Matt Savona 2008-10-20 20:17:29 UTC
Description of problem:

When using sudo -u [username] -i to simulate an initial login, sudo will inherit its caller's ulimits. That is, if I set a ulimit as myself, and sudo as some other system/service account, the ulimits I set for myself are also set for the system/service account, rather than assuming default values. This is not the case, however, if there is an associated value set in limits.conf.

Version-Release number of selected component (if applicable):

RHEL5.2, sudo-1.6.8p12-12.el5.x86_64

How reproducible:

Always

Steps to Reproduce:

Without a value set in limits.conf:

[msavona@uxlabf:~]$ echo $USER; ulimit -v
msavona
unlimited
[msavona@uxlabf:~]$ sudo -u mysql -i
-bash-3.2$ echo $USER; ulimit -v
mysql
unlimited
-bash-3.2$ logout
[msavona@uxlabf:~]$ ulimit -v 1000007
[msavona@uxlabf:~]$ echo $USER; ulimit -v
msavona
1000007
[msavona@uxlabf:~]$ sudo -u mysql -i
-bash-3.2$ echo $USER; ulimit -v
mysql
1000007

With a value set in limits.conf (this works as expected):
("mysql            -       nofile          256")

[msavona@uxlabf:~]$ echo $USER; ulimit -n
msavona
1024
[msavona@uxlabf:~]$ sudo -u mysql -i
-bash-3.2$ echo $USER; ulimit -n
mysql
256
-bash-3.2$ logout
[msavona@uxlabf:~]$ ulimit -n 512
[msavona@uxlabf:~]$ echo $USER; ulimit -n
msavona
512
[msavona@uxlabf:~]$ sudo -u mysql -i
-bash-3.2$ echo $USER; ulimit -n
mysql
256

Actual results:

See above.

Expected results:

When executing sudo with the -i option to simulate initial login, no ulimit settings should be inherited from the account issuing the sudo command. The ulimits should be defined by:

1) limits.conf (works)
2) System defaults (doesn't work)

Additional info:

Comment 1 Matt Savona 2008-10-21 13:07:44 UTC
Also worth noting, if a user has limits configured in limits.conf, then proceeds to sudo -u [username] -i, the sudoed user also inherits the limits that were set for the parent user (similar to the first example above, where I explicitly set the limit with ulimit).
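The behaviour described in the report and in Comment 1 can be modelled as a small audit script: a `sudo -u target -i` session starts from whatever soft limits the calling shell currently has (whether set with `ulimit` or applied to the caller by pam_limits at login) and only the items that limits.conf pins for the target account are replaced. The script below is an added example written for this page, not code from the bug report or from sudo; it parses limits.conf, predicts what the target session would see, and lists the resources that would be inherited from the caller rather than pinned. The precedence rule it applies (user entry beats @group entry beats `*` wildcard, last entry wins within a class) and the treatment of hard-only entries are assumptions stated in the code; the limits.conf lines and default values are constructed sample data.

```python
import resource

# limits.conf item names -> resource constants, for the subset this example handles
# (a constructed subset, not the full list pam_limits supports).
ITEMS = {
    "nofile": resource.RLIMIT_NOFILE,  # ulimit -n, a count
    "as": resource.RLIMIT_AS,          # ulimit -v, KB in ulimit/limits.conf, bytes in the kernel
    "nproc": resource.RLIMIT_NPROC,    # ulimit -u, a count
    "core": resource.RLIMIT_CORE,      # ulimit -c, KB
}
KB_ITEMS = {"as", "core"}


def parse_limits_conf(text):
    """Parse limits.conf text into (domain, type, item, value) tuples; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line: pam_limits logs and ignores it, so we do too
        entries.append(tuple(fields))
    return entries


def pinned_limits(entries, user, groups=()):
    """Soft limits that limits.conf pins for `user`.

    Assumption used here: an entry for the user itself beats an @group entry, which beats the
    '*' wildcard; among equal-precedence entries the last one wins. Hard-only entries are ignored
    because `ulimit` without -H reports the soft value, which is what the report compares."""
    chosen = {}  # item -> (precedence, value)
    for domain, ltype, item, value in entries:
        if ltype not in ("-", "soft"):
            continue
        if domain == user:
            prec = 2
        elif domain.startswith("@") and domain[1:] in groups:
            prec = 1
        elif domain == "*":
            prec = 0
        else:
            continue
        if item not in chosen or prec >= chosen[item][0]:
            chosen[item] = (prec, value)
    return {item: value for item, (_, value) in chosen.items()}


def login_limits(system_defaults, conf_text, user, groups=()):
    """What a real login gives `user`: pam_limits applied on top of the system defaults."""
    limits = dict(system_defaults)
    limits.update(pinned_limits(parse_limits_conf(conf_text), user, groups))
    return limits


def sudo_i_limits(caller_limits, conf_text, target_user, groups=()):
    """Model of the reported behaviour: `sudo -u target -i` keeps the caller's current soft limits
    and only replaces the items limits.conf pins for the target."""
    limits = dict(caller_limits)
    limits.update(pinned_limits(parse_limits_conf(conf_text), target_user, groups))
    return limits


def inherited_items(caller_limits, conf_text, target_user, groups=()):
    """Audit result: items the target's sudo -i session would silently take from the caller."""
    pinned = pinned_limits(parse_limits_conf(conf_text), target_user, groups)
    return sorted(item for item in caller_limits if item not in pinned)


def current_soft_limits():
    """This process's own soft limits in the units ulimit prints, usable as real caller values."""
    out = {}
    for item, res in ITEMS.items():
        soft, _ = resource.getrlimit(res)
        if soft == resource.RLIM_INFINITY:
            out[item] = "unlimited"
        else:
            out[item] = str(soft // 1024 if item in KB_ITEMS else soft)
    return out


# Constructed sample data: mysql's nofile is pinned as in the report; the msavona line is
# a made-up entry for the scenario in Comment 1 (caller has its own limits.conf value).
SAMPLE_CONF = """
# <domain>  <type>  <item>  <value>
mysql       -       nofile  256
msavona     -       nproc   2000    # constructed, not from the report
"""
SAMPLE_DEFAULTS = {"nofile": "1024", "as": "unlimited", "nproc": "4096", "core": "0"}

if __name__ == "__main__":
    # The reporter's second run: ulimit -v 1000007 and ulimit -n 512 set before sudo -i.
    caller = {**SAMPLE_DEFAULTS, "as": "1000007", "nofile": "512"}
    print("real login as mysql:     ", login_limits(SAMPLE_DEFAULTS, SAMPLE_CONF, "mysql"))
    print("sudo -u mysql -i:        ", sudo_i_limits(caller, SAMPLE_CONF, "mysql"))
    print("inherited from caller:   ", inherited_items(caller, SAMPLE_CONF, "mysql"))
    # Comment 1: the caller's own pam_limits values travel into the target session too.
    msavona = login_limits(SAMPLE_DEFAULTS, SAMPLE_CONF, "msavona")
    print("msavona -> sudo mysql -i:", sudo_i_limits(msavona, SAMPLE_CONF, "mysql"))
    print("this process would pass on:", current_soft_limits())
```

Run it as-is to see the two cases from the report side by side; the practical takeaway for a service account is that every item `inherited_items()` lists is one that limits.conf does not pin and that a `sudo -i` session will therefore take from whoever invoked it.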

Comment 3 Steve Grubb 2010-01-06 19:24:50 UTC
The man page for sudo details what it means when -i is passed. It does not claim to reset any rlimits. I also researched other sudo and su implementations and they usually detail what the expectations are for login shells but none seem to change rlimits. If we fix this, then we need to consult with the upstream developers to accept the widening of the definition of login. So, this is a feature request and not a bug fix.

Comment 4 Daniel Kopeček 2011-08-24 14:19:57 UTC
Closing as WONTFIX since this is an RFE and we are going to maintenance mode. We may backport this feature from upstream if they implement it. Please consider contacting upstream with this request.