• 1
As Dan points out, it works both ways. You can accidentally restrict root processes by rlimit inheritance across sudo, but you can also grant things unintentionally. For example, if root restarts apache (via sudo, if you want, but you need to start as root or 'su -' to root):

First, apache's UID:

[root@ayanami ~]# id apache
uid=48(apache) gid=48(apache) groups=48(apache)

So, here's our instance of apache started by 'service apache start':
crash> set 10076
    PID: 10076
COMMAND: "httpd"
   TASK: ffff88017b423540  [THREAD_INFO: ffff88012b75a000]
    CPU: 0
  STATE: TASK_INTERRUPTIBLE 
crash> task | grep real_cred
  real_cred = 0xffff880179f6ebc0, 
crash> p ((struct cred *)0xffff880179f6ebc0)->uid
$3 = 48
crash> task | grep signal
  exit_signal = 17, 
  pdeath_signal = 0, 
  signal = 0xffff880155efc1c0, 
    signal = {
crash> p ((struct signal_struct *)0xffff880155efc1c0)->rlim[6]
$4 = {
  rlim_cur = 38567, 
  rlim_max = 38567
}

In the above, httpd run as the apache UID has root's process limit. Now, if I exit and run as 'lon', 'sudo service httpd restart', we get the following:
crash> set 11025
    PID: 11025
COMMAND: "httpd"
   TASK: ffff88017c182aa0  [THREAD_INFO: ffff880179756000]
    CPU: 0
  STATE: TASK_INTERRUPTIBLE 
crash> task | grep real_cred
  real_cred = 0xffff88017a0dbb40, 
crash> p ((struct cred *)0xffff88017a0dbb40)->uid
$3 = 48
crash> task | grep signal
  exit_signal = 17, 
  pdeath_signal = 0, 
  signal = 0xffff880155f60900, 
    signal = {
crash> p ((struct signal_struct *)0xffff880155f60900)->rlim[6]
$4 = {
  rlim_cur = 1024, 
  rlim_max = 38567
}


Edited at 2013-03-14 08:26 pm (UTC)

I'd argue that Bug #2 isn't a bug so much as design. ulimits are applied when you login to the system and by default while sudo lets you act like root, it doesn't log you in as root (or any other user for that matter). In order to get ulimits set properly you need to use "sudo -i". This sort of issue comes up regularly when you start dealing with products like cassandra or riak that like to open a lot of handles and the work around is to start them using "sudo -i -u cassandra service cassandra restart "for example.

Well I guess we can agree to disaggree. You might be techically right but from a usability point of view, This is poor.

If a user user can blow up an application from doing
sudo service APP restart

Not because of a process he started but because of other root processes running, then this could be seen as unexpected and confusing.

  • 1
?

Log in