rpms/sudo
7
0
Fork 0
Code Issues Pull Requests Releases Activity

upstream patch for setrlimit(RLIMIT_CORE) rootless container warnings (#1773148)

Browse Source
This commit is contained in:
Jens Petersen 2020-03-26 18:53:44 +08:00
parent 5d1ef1f39f
commit 72a557140c
2 changed files with 154 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

149
sudo-1.9-RLIMIT_CORE.patch Normal file
View File

@ -0,0 +1,149 @@
changeset 12288:1064b906ca68
Ignore a failure to restore the RLIMIT_CORE resource limit.
Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY
if we set the limit to zero, even for root. This is not a problem
outside the container.
author Todd C. Miller <Todd.Miller@sudo.ws>
date Sat, 14 Mar 2020 11:13:55 -0600
parents 72ca06a294b4
children 40629e6fd692
files src/limits.c
diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+]
line wrap: on
line diff
--- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600
+++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600
@@ -114,13 +114,21 @@
if (getrlimit(RLIMIT_CORE, &corelimit) == -1)
sudo_warn("getrlimit(RLIMIT_CORE)");
+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]",
+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);
if (setrlimit(RLIMIT_CORE, &rl) == -1)
sudo_warn("setrlimit(RLIMIT_CORE)");
#ifdef __linux__
/* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */
- if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1)
+ if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)");
dumpflag = 0;
- (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
+ }
+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);
+ }
#endif /* __linux__ */
coredump_disabled = true;
@@ -136,10 +144,20 @@
debug_decl(restore_coredump, SUDO_DEBUG_UTIL);
if (coredump_disabled) {
- if (setrlimit(RLIMIT_CORE, &corelimit) == -1)
- sudo_warn("setrlimit(RLIMIT_CORE)");
+ /*
+ * Linux containers don't allow RLIMIT_CORE to be set back to
+ * RLIM_INFINITY if we set the limit to zero, even for root.
+ */
+ if (setrlimit(RLIMIT_CORE, &corelimit) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "setrlimit(RLIMIT_CORE, [%lld, %lld])",
+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);
+ }
#ifdef __linux__
- (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0);
+ if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);
+ }
#endif /* __linux__ */
}
debug_return;
@@ -162,8 +180,14 @@
if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)
sudo_warn("getrlimit(RLIMIT_NPROC)");
+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]",
+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);
if (setrlimit(RLIMIT_NPROC, &rl) == -1) {
rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]",
+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max,
+ (long long)rl.rlim_cur, (long long)rl.rlim_max);
if (setrlimit(RLIMIT_NPROC, &rl) != 0)
sudo_warn("setrlimit(RLIMIT_NPROC)");
}
@@ -180,8 +204,11 @@
#ifdef __linux__
debug_decl(restore_nproc, SUDO_DEBUG_UTIL);
- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)
- sudo_warn("setrlimit(RLIMIT_NPROC)");
+ if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "setrlimit(RLIMIT_NPROC, [%lld, %lld])",
+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);
+ }
debug_return;
#endif /* __linux__ */
@@ -203,6 +230,11 @@
struct saved_limit *lim = &saved_limits[idx];
if (getrlimit(lim->resource, &lim->oldlimit) == -1)
continue;
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "getrlimit(lim->name) -> [%lld, %lld]",
+ (long long)lim->oldlimit.rlim_cur,
+ (long long)lim->oldlimit.rlim_max);
+
lim->saved = true;
if (lim->newlimit.rlim_cur != RLIM_INFINITY) {
/* Don't reduce the soft resource limit. */
@@ -217,13 +249,28 @@
lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
}
if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
- if (lim->fallback != NULL)
- rc = setrlimit(lim->resource, lim->fallback);
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "setrlimit(%s, [%lld, %lld])", lim->name,
+ (long long)lim->newlimit.rlim_cur,
+ (long long)lim->newlimit.rlim_max);
+ if (lim->fallback != NULL) {
+ if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "setrlimit(%s, [%lld, %lld])", lim->name,
+ (long long)lim->fallback->rlim_cur,
+ (long long)lim->fallback->rlim_max);
+ }
+ }
if (rc == -1) {
/* Try setting new rlim_cur to old rlim_max. */
lim->newlimit.rlim_cur = lim->oldlimit.rlim_max;
lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
- rc = setrlimit(lim->resource, &lim->newlimit);
+ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "setrlimit(%s, [%lld, %lld])", lim->name,
+ (long long)lim->newlimit.rlim_cur,
+ (long long)lim->newlimit.rlim_max);
+ }
}
if (rc == -1)
sudo_warn("setrlimit(%s)", lim->name);
@@ -254,6 +301,10 @@
if (rc != -1 || errno != EINVAL)
break;
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "setrlimit(%s, [%lld, %lld])", lim->name,
+ (long long)rl.rlim_cur, (long long)rl.rlim_max);
+
/*
* Soft limit could be lower than current resource usage.
* This can be an issue on NetBSD with RLIMIT_STACK and ASLR.

7
sudo.spec
View File

@ -27,6 +27,8 @@ BuildRequires: zlib-devel
# don't strip # don't strip
Patch1: sudo-1.6.7p5-strip.patch Patch1: sudo-1.6.7p5-strip.patch
# https://www.sudo.ws/repos/sudo/rev/1064b906ca68
Patch2: sudo-1.9-RLIMIT_CORE.patch
%description %description
Sudo (superuser do) allows a system administrator to give certain Sudo (superuser do) allows a system administrator to give certain
@ -51,6 +53,7 @@ plugins that use %{name}.
%setup -q -n %{name}-%{upstream_version} %setup -q -n %{name}-%{upstream_version}
%patch1 -p1 -b .strip %patch1 -p1 -b .strip
%patch2 -p1 -b .orig
%build %build
# Remove bundled copy of zlib # Remove bundled copy of zlib
@ -205,6 +208,8 @@ EOF
* Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4 * Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4
- update to latest development version 1.9.0b4 - update to latest development version 1.9.0b4
Resolves: rhbz#1816593 Resolves: rhbz#1816593
- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix
Resolves: rhbz#1773148
* Mon Feb 24 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b1 * Mon Feb 24 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b1
- update to latest development version 1.9.0b1 - update to latest development version 1.9.0b1
@ -219,8 +224,6 @@ Resolves: rhbz#1786709
- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user - attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
Resolves: rhbz#1786705 Resolves: rhbz#1786705
- fixes CVE-2019-19232 - fixes CVE-2019-19232
- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix
Resolves: rhbz#1773148
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.29-2 * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.29-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild