Bug 467772 - sudo with -i inherits caller's ulimits
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sudo
Version: 5.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Daniel Kopeček
QA Contact: BaseOS QE
Keywords: FutureFeature
Reported: 2008-10-20 16:17 EDT by Matt Savona
Modified: 2011-08-24 10:19 EDT
Doc Type: Enhancement
Last Closed: 2011-08-24 10:19:57 EDT

Description Matt Savona 2008-10-20 16:17:29 EDT
Description of problem:

When using sudo -u [username] -i to simulate an initial login, sudo will inherit its caller's ulimits. That is, if I set a ulimit as myself, and sudo as some other system/service account, the ulimits I set for myself are also set for the system/service account, rather than assuming default values. This is not the case, however, if there is an associated value set in limits.conf.

Version-Release number of selected component (if applicable):

RHEL5.2, sudo-1.6.8p12-12.el5.x86_64

How reproducible:

Always

Steps to Reproduce:

Without a value set in limits.conf:

[msavona@uxlabf:~]$ echo $USER; ulimit -v
msavona
unlimited
[msavona@uxlabf:~]$ sudo -u mysql -i
-bash-3.2$ echo $USER; ulimit -v
mysql
unlimited
-bash-3.2$ logout
[msavona@uxlabf:~]$ ulimit -v 1000007
[msavona@uxlabf:~]$ echo $USER; ulimit -v
msavona
1000007
[msavona@uxlabf:~]$ sudo -u mysql -i
-bash-3.2$ echo $USER; ulimit -v
mysql
1000007

With a value set in limits.conf (this works as expected):
("mysql            -       nofile          256")

[msavona@uxlabf:~]$ echo $USER; ulimit -n
msavona
1024
[msavona@uxlabf:~]$ sudo -u mysql -i
-bash-3.2$ echo $USER; ulimit -n
mysql
256
-bash-3.2$ logout
[msavona@uxlabf:~]$ ulimit -n 512
[msavona@uxlabf:~]$ echo $USER; ulimit -n
msavona
512
[msavona@uxlabf:~]$ sudo -u mysql -i
-bash-3.2$ echo $USER; ulimit -n
mysql
256

Actual results:

See above.

Expected results:

When executing sudo with the -i option to simulate initial login, no ulimit settings should be inherited from the account issuing the sudo command. The ulimits should be defined by:

1) limits.conf (works)
2) System defaults (doesn't work)

Additional info:
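The behaviour in the report comes from the kernel, not from sudo: resource limits are inherited across fork and exec, and nothing resets them unless pam_limits (limits.conf) or the new shell does so explicitly. The script below is an added example, not part of the bug report or of sudo; it models the "no limits.conf entry" path with an unprivileged fork/exec instead of a real `sudo -i`, and adds a small audit that compares the limit a child actually inherits with the limit limits.conf or the system default would assign the target account. The limits.conf sample is constructed (only the mysql nofile line is from the report), the `backup` account and the 1024 system default are assumptions, and `sys.executable` stands in for the login shell.

```python
# Added example (not from the Bugzilla report): show that RLIMIT_* values survive
# fork+exec, which is why `ulimit -n 512; sudo -u mysql -i` reports 512, and audit
# a child's inherited limit against what limits.conf / the system default intend.
import resource
import subprocess
import sys

# Constructed limits.conf fragment. Only the mysql nofile line is from the report.
SAMPLE_LIMITS_CONF = """\
# /etc/security/limits.conf (constructed sample)
mysql            -       nofile          256
*                soft    nproc           100
msavona          hard    core            0
"""


def parse_limits_conf(text):
    """Return {(domain, item): {'soft': v, 'hard': v}} from limits.conf lines.
    A type of '-' sets both soft and hard; 'unlimited' maps to RLIM_INFINITY."""
    limits = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        domain, kind, item, value = line.split()
        val = resource.RLIM_INFINITY if value in ("unlimited", "infinity") else int(value)
        entry = limits.setdefault((domain, item), {})
        for k in (("soft", "hard") if kind == "-" else (kind,)):
            entry[k] = val
    return limits


def intended_soft_limit(limits, user, item, system_default):
    """Soft limit the target account should get at login: its own limits.conf
    entry first, then the '*' wildcard entry, then the system default."""
    for domain in (user, "*"):
        entry = limits.get((domain, item))
        if entry and "soft" in entry:
            return entry["soft"]
    return system_default


def hard_nofile():
    return resource.getrlimit(resource.RLIMIT_NOFILE)[1]


def clamp_to_hard(n):
    """An unprivileged process can only lower its soft limit to at most the hard limit."""
    hard = hard_nofile()
    return n if hard == resource.RLIM_INFINITY else min(n, hard)


def observed_child_nofile(caller_soft):
    """Stand-in for `ulimit -n N; sudo -u mysql -i`: the forked child lowers its own
    RLIMIT_NOFILE (as the caller's shell did) and then execs a fresh interpreter,
    which reports the limit it inherited. No privilege change happens here."""
    target = clamp_to_hard(caller_soft)

    def as_caller_shell():
        resource.setrlimit(resource.RLIMIT_NOFILE, (target, hard_nofile()))

    probe = "import resource; print(resource.getrlimit(resource.RLIMIT_NOFILE)[0])"
    out = subprocess.run([sys.executable, "-c", probe], preexec_fn=as_caller_shell,
                         capture_output=True, text=True, check=True)
    return int(out.stdout.strip())


def audit(limits, user, item, system_default, observed):
    """Return (ok, intended, observed); ok is False when the child runs with a limit
    other than the one limits.conf or the system default would give the account."""
    intended = intended_soft_limit(limits, user, item, system_default)
    return (observed == intended, intended, observed)


if __name__ == "__main__":
    conf = parse_limits_conf(SAMPLE_LIMITS_CONF)
    # 'backup' (assumed account) has no nofile entry, so only the system default
    # (assumed 1024) should apply; the caller had run `ulimit -n 512` beforehand.
    seen = observed_child_nofile(512)
    ok, want, got = audit(conf, "backup", "nofile", 1024, seen)
    print(f"backup nofile: intended={want} observed={got} -> "
          f"{'OK' if ok else 'INHERITED FROM CALLER'}")
```

Running the audit for each service account that is reached through `sudo -i` is the practical check: when an item has a limits.conf entry, pam_limits applies it and the audit passes (the report's second example); when it has none, the observed value is whatever the calling shell had, which is the condition the report describes.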
Comment 1 Matt Savona 2008-10-21 09:07:44 EDT
Also worth noting, if a user has limits configured in limits.conf, then proceeds to sudo -u [username] -i, the sudoed user also inherits the limits that were set for the parent user (similar to the first example above, where I explicitly set the limit with ulimit).
Comment 3 Steve Grubb 2010-01-06 14:24:50 EST
The man page for sudo details what it means when -i is passed. It does not claim to reset any rlimits. I also researched other sudo and su implementations and they usually detail what the expectations are for login shells but none seem to change rlimits. If we fix this, then we need to consult with the upstream developers to accept the widening of the definition of login. So, this is a feature request and not a bug fix.
Comment 4 Daniel Kopeček 2011-08-24 10:19:57 EDT
Closing as WONTFIX since this is an RFE and we are going to maintenance mode. We may backport this feature from upstream if they implement it. Please consider contacting upstream with this request.
