As Dan points out, it works both ways. You can accidentally restrict root processes by rlimit inheritance across sudo, but you can also grant things unintentionally. For example, if root restarts apache (via sudo, if you want, but you need to start as root or 'su -' to root):

First, apache's UID:

[root@ayanami ~]# id apache
uid=48(apache) gid=48(apache) groups=48(apache)

So, here's our instance of apache started by 'service apache start':
crash> set 10076
    PID: 10076
COMMAND: "httpd"
   TASK: ffff88017b423540  [THREAD_INFO: ffff88012b75a000]
    CPU: 0
  STATE: TASK_INTERRUPTIBLE 
crash> task | grep real_cred
  real_cred = 0xffff880179f6ebc0, 
crash> p ((struct cred *)0xffff880179f6ebc0)->uid
$3 = 48
crash> task | grep signal
  exit_signal = 17, 
  pdeath_signal = 0, 
  signal = 0xffff880155efc1c0, 
    signal = {
crash> p ((struct signal_struct *)0xffff880155efc1c0)->rlim[6]
$4 = {
  rlim_cur = 38567, 
  rlim_max = 38567
}

In the above, httpd run as the apache UID has root's process limit. Now, if I exit and, as 'lon', run 'sudo service httpd restart', we get the following:
crash> set 11025
    PID: 11025
COMMAND: "httpd"
   TASK: ffff88017c182aa0  [THREAD_INFO: ffff880179756000]
    CPU: 0
  STATE: TASK_INTERRUPTIBLE 
crash> task | grep real_cred
  real_cred = 0xffff88017a0dbb40, 
crash> p ((struct cred *)0xffff88017a0dbb40)->uid
$3 = 48
crash> task | grep signal
  exit_signal = 17, 
  pdeath_signal = 0, 
  signal = 0xffff880155f60900, 
    signal = {
crash> p ((struct signal_struct *)0xffff880155f60900)->rlim[6]
$4 = {
  rlim_cur = 1024, 
  rlim_max = 38567
}


Edited at 2013-03-14 08:26 pm (UTC)
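Added example (not part of the comment above, nor of any project's code): a parser for the "Max processes" row of a Linux /proc/<pid>/limits dump, the check a defender would run to spot a root-owned service carrying a lowered soft limit from a sudo session, and a live fork/fork demonstration of the inheritance itself. The /proc excerpt is constructed with the comment's numbers, and the live demo lowers RLIMIT_NOFILE rather than RLIMIT_NPROC (rlim[6] in the crash output) because lowering NPROC in a throwaway process could make its fork() fail outright; the mechanism is the same for every rlimit.

```python
import os
import resource

NOFILE = resource.RLIMIT_NOFILE   # live demo uses this; rlim[6]/RLIMIT_NPROC behaves the same

# Constructed /proc/<pid>/limits excerpt for the sudo-restarted httpd (numbers as in the comment).
SAMPLE_LIMITS = """Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files
Max processes             1024                 38567                processes
"""

def parse_limit(limits_text, name):
    """(soft, hard) for one 'Max ...' row of a /proc/<pid>/limits dump; None means unlimited."""
    for line in limits_text.splitlines():
        if line.startswith(name):
            soft, hard = line[len(name):].split()[:2]
            return tuple(None if v == "unlimited" else int(v) for v in (soft, hard))
    raise KeyError(name)

def inherited_from_sudo(limits_text, name="Max processes"):
    """Mirror of the comment's two cases: a soft limit below the hard limit on a root-started
    service is the signature of an rlimit carried in from an unprivileged user's sudo session."""
    soft, hard = parse_limit(limits_text, name)
    return soft is not None and (hard is None or soft < hard)

def lowered_soft(res, requested):
    """The soft value a process can set for itself: never above its own hard limit."""
    hard = resource.getrlimit(res)[1]
    return requested if hard == resource.RLIM_INFINITY else min(requested, hard)

def limit_seen_by_grandchild(res, requested):
    """Child (the 'sudo session') lowers only its soft limit, then forks a grandchild (the 'httpd').
    Returns ((parent soft, hard), (grandchild soft, hard)); rlimits cross fork() untouched."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(r)
        resource.setrlimit(res, (lowered_soft(res, requested), resource.getrlimit(res)[1]))
        if os.fork() == 0:
            soft, hard = resource.getrlimit(res)
            os.write(w, f"{soft} {hard}".encode())
            os._exit(0)
        os.wait()
        os._exit(0)
    os.close(w)
    data = b"".join(iter(lambda: os.read(r, 64), b""))
    os.close(r)
    os.waitpid(pid, 0)
    soft, hard = (int(v) for v in data.decode().split())
    return resource.getrlimit(res), (soft, hard)
```

The parent process never touches its own limits; only the child lowers its soft value, and the grandchild reports the lowered number back, exactly as httpd did after 'sudo service httpd restart'.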
