PR#13: upstream patch for setrlimit(RLIMIT_CORE) rootless container warnings (#1773148) - rpms/sudo

rpms / sudo

#13 upstream patch for setrlimit(RLIMIT_CORE) rootless container warnings (#1773148)

Merged 3 years ago by rsroka. Opened 3 years ago by petersen.

rpms/ petersen/sudo master into master

upstream patch for setrlimit(RLIMIT_CORE) rootless container warnings (#1773148)

Jens Petersen • 3 years ago

72a5571

remove trailing whitespaces

Jens Petersen • 3 years ago

5d1ef1f

sudo-1.9-RLIMIT_CORE.patch

file added

+149

		`@@ -0,0 +1,149 @@`
		`+ changeset 12288:1064b906ca68`
		`+`
		`+ Ignore a failure to restore the RLIMIT_CORE resource limit.`
		`+ Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY`
		`+ if we set the limit to zero, even for root. This is not a problem`
		`+ outside the container.`
		`+ author Todd C. Miller <Todd.Miller@sudo.ws>`
		`+ date Sat, 14 Mar 2020 11:13:55 -0600`
		`+ parents 72ca06a294b4`
		`+ children 40629e6fd692`
		`+ files src/limits.c`
		`+ diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+]`
		`+ line wrap: on`
		`+ line diff`
		`+`
		`+ --- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600`
		`+ +++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600`
		`+ @@ -114,13 +114,21 @@`
		`+`
		`+ if (getrlimit(RLIMIT_CORE, &corelimit) == -1)`
		`+ sudo_warn("getrlimit(RLIMIT_CORE)");`
		`+ + sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]",`
		`+ + (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);`
		`+ if (setrlimit(RLIMIT_CORE, &rl) == -1)`
		`+ sudo_warn("setrlimit(RLIMIT_CORE)");`
		`+ #ifdef __linux__`
		`+ /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */`
		`+ - if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1)`
		`+ + if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) {`
		`+ + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`+ + "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)");`
		`+ dumpflag = 0;`
		`+ - (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);`
		`+ + }`
		`+ + if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) {`
		`+ + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`+ + "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);`
		`+ + }`
		`+ #endif /* __linux__ */`
		`+ coredump_disabled = true;`
		`+`
		`+ @@ -136,10 +144,20 @@`
		`+ debug_decl(restore_coredump, SUDO_DEBUG_UTIL);`
		`+`
		`+ if (coredump_disabled) {`
		`+ - if (setrlimit(RLIMIT_CORE, &corelimit) == -1)`
		`+ - sudo_warn("setrlimit(RLIMIT_CORE)");`
		`+ + /*`
		`+ + * Linux containers don't allow RLIMIT_CORE to be set back to`
		`+ + * RLIM_INFINITY if we set the limit to zero, even for root.`
		`+ + */`
		`+ + if (setrlimit(RLIMIT_CORE, &corelimit) == -1) {`
		`+ + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`+ + "setrlimit(RLIMIT_CORE, [%lld, %lld])",`
		`+ + (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);`
		`+ + }`
		`+ #ifdef __linux__`
		`+ - (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0);`
		`+ + if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) {`
		`+ + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`+ + "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);`
		`+ + }`
		`+ #endif /* __linux__ */`
		`+ }`
		`+ debug_return;`
		`+ @@ -162,8 +180,14 @@`
		`+`
		`+ if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)`
		`+ sudo_warn("getrlimit(RLIMIT_NPROC)");`
		`+ + sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]",`
		`+ + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);`
		`+ if (setrlimit(RLIMIT_NPROC, &rl) == -1) {`
		`+ rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;`
		`+ + sudo_debug_printf(SUDO_DEBUG_INFO,`
		`+ + "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]",`
		`+ + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max,`
		`+ + (long long)rl.rlim_cur, (long long)rl.rlim_max);`
		`+ if (setrlimit(RLIMIT_NPROC, &rl) != 0)`
		`+ sudo_warn("setrlimit(RLIMIT_NPROC)");`
		`+ }`
		`+ @@ -180,8 +204,11 @@`
		`+ #ifdef __linux__`
		`+ debug_decl(restore_nproc, SUDO_DEBUG_UTIL);`
		`+`
		`+ - if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)`
		`+ - sudo_warn("setrlimit(RLIMIT_NPROC)");`
		`+ + if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) {`
		`+ + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`+ + "setrlimit(RLIMIT_NPROC, [%lld, %lld])",`
		`+ + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);`
		`+ + }`
		`+`
		`+ debug_return;`
		`+ #endif /* __linux__ */`
		`+ @@ -203,6 +230,11 @@`
		`+ struct saved_limit *lim = &saved_limits[idx];`
		`+ if (getrlimit(lim->resource, &lim->oldlimit) == -1)`
		`+ continue;`
		`+ + sudo_debug_printf(SUDO_DEBUG_INFO,`
		`+ + "getrlimit(lim->name) -> [%lld, %lld]",`
		`+ + (long long)lim->oldlimit.rlim_cur,`
		`+ + (long long)lim->oldlimit.rlim_max);`
		`+ +`
		`+ lim->saved = true;`
		`+ if (lim->newlimit.rlim_cur != RLIM_INFINITY) {`
		`+ /* Don't reduce the soft resource limit. */`
		`+ @@ -217,13 +249,28 @@`
		`+ lim->newlimit.rlim_max = lim->oldlimit.rlim_max;`
		`+ }`
		`+ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {`
		`+ - if (lim->fallback != NULL)`
		`+ - rc = setrlimit(lim->resource, lim->fallback);`
		`+ + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`+ + "setrlimit(%s, [%lld, %lld])", lim->name,`
		`+ + (long long)lim->newlimit.rlim_cur,`
		`+ + (long long)lim->newlimit.rlim_max);`
		`+ + if (lim->fallback != NULL) {`
		`+ + if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) {`
		`+ + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`+ + "setrlimit(%s, [%lld, %lld])", lim->name,`
		`+ + (long long)lim->fallback->rlim_cur,`
		`+ + (long long)lim->fallback->rlim_max);`
		`+ + }`
		`+ + }`
		`+ if (rc == -1) {`
		`+ /* Try setting new rlim_cur to old rlim_max. */`
		`+ lim->newlimit.rlim_cur = lim->oldlimit.rlim_max;`
		`+ lim->newlimit.rlim_max = lim->oldlimit.rlim_max;`
		`+ - rc = setrlimit(lim->resource, &lim->newlimit);`
		`+ + if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {`
		`+ + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`+ + "setrlimit(%s, [%lld, %lld])", lim->name,`
		`+ + (long long)lim->newlimit.rlim_cur,`
		`+ + (long long)lim->newlimit.rlim_max);`
		`+ + }`
		`+ }`
		`+ if (rc == -1)`
		`+ sudo_warn("setrlimit(%s)", lim->name);`
		`+ @@ -254,6 +301,10 @@`
		`+ if (rc != -1 \|\| errno != EINVAL)`
		`+ break;`
		`+`
		`+ + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`+ + "setrlimit(%s, [%lld, %lld])", lim->name,`
		`+ + (long long)rl.rlim_cur, (long long)rl.rlim_max);`
		`+ +`
		`+ /*`
		`+ * Soft limit could be lower than current resource usage.`
		`+ * This can be an issue on NetBSD with RLIMIT_STACK and ASLR.`

sudo.spec

file modified

+21 -19

		`@@ -27,6 +27,8 @@`

		`# don't strip`
		`Patch1: sudo-1.6.7p5-strip.patch`
		`+ # https://www.sudo.ws/repos/sudo/rev/1064b906ca68`
		`+ Patch2: sudo-1.9-RLIMIT_CORE.patch`

		`%description`
		`Sudo (superuser do) allows a system administrator to give certain`
		`@@ -51,6 +53,7 @@`
		`%setup -q -n %{name}-%{upstream_version}`

		`%patch1 -p1 -b .strip`
		`+ %patch2 -p1 -b .orig`

		`%build`
		`# Remove bundled copy of zlib`
		`@@ -95,7 +98,7 @@`
		`rm -rf $RPM_BUILD_ROOT`
		make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`

		`- chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*`
		`+ chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*`
		`install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo`
		`install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured`
		`install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d`
		`@@ -205,6 +208,8 @@`
		`* Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4`
		`- update to latest development version 1.9.0b4`
		`Resolves: rhbz#1816593`
		`+ - setrlimit(RLIMIT_CORE): Operation not permitted warning message fix`
		`+ Resolves: rhbz#1773148`

		`* Mon Feb 24 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b1`
		`- update to latest development version 1.9.0b1`
		`@@ -212,15 +217,13 @@`
		`Resolves: rhbz#1787823`
		`- Stack based buffer overflow in when pwfeedback is enabled`
		`Resolves: rhbz#1796945`
		`- - fixes: CVE-2019-18634`
		`+ - fixes: CVE-2019-18634`
		`- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account`
		`Resolves: rhbz#1786709`
		`- fixes CVE-2019-19234`
		`- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user`
		`Resolves: rhbz#1786705`
		`- fixes CVE-2019-19232`
		`- - setrlimit(RLIMIT_CORE): Operation not permitted warning message fix`
		`- Resolves: rhbz#1773148`

		`* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.29-2`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild`
		`@@ -248,7 +251,7 @@`

		`* Sun Mar 31 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.27-2`
		`- resolves rhbz#1676925`
		`- - Removed PS1, PS2 from sudoers`
		`+ - Removed PS1, PS2 from sudoers`

		`* Mon Mar 11 2019 Radovan Sroka <rsroka@redhat.com> 1.8.27-1`
		`- rebase sudo to 1.8.27`
		`@@ -284,7 +287,7 @@`

		`* Thu Sep 21 2017 Marek Tamaskovic <mtamasko@redhat.com> - 1.8.21p2-1`
		`- update to 1.8.21p2`
		`- - Moved libsudo_util.so from the -devel sub-package to main package (1481225)`
		`+ - Moved libsudo_util.so from the -devel sub-package to main package (1481225)`

		`* Wed Sep 06 2017 Matthew Miller <mattdm@fedoraproject.org> - 1.8.20p2-4`
		`- replace file-based requirements with package-level ones:`
		`@@ -373,7 +376,7 @@`

		`* Mon Aug 24 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-2`
		`- add patch that resolves initialization problem before sudo_strsplit call`
		`- - add patch that resolves deadcode in visudo.c`
		`+ - add patch that resolves deadcode in visudo.c`
		`- add patch that removes extra while in visudo.c and sudoers.c`

		`* Mon Jul 27 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-1`
		`@@ -409,9 +412,9 @@`
		`- major changes & fixes:`
		`- when running a command in the background, sudo will now forward`
		`SIGINFO to the command`
		`- - the passwords in ldap.conf and ldap.secret may now be encoded in base64.`
		`+ - the passwords in ldap.conf and ldap.secret may now be encoded in base64.`
		`- SELinux role changes are now audited. For sudoedit, we now audit`
		`- the actual editor being run, instead of just the sudoedit command.`
		`+ the actual editor being run, instead of just the sudoedit command.`
		`- it is now possible to match an environment variable's value as well as`
		`its name using env_keep and env_check`
		`- new files created via sudoedit as a non-root user now have the proper group id`
		`@@ -511,7 +514,7 @@`
		`* Thu May 17 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-1`
		`- update to 1.8.5`
		`- fixed CVE-2012-2337`
		`- - temporarily disabled SSSD support`
		`+ - temporarily disabled SSSD support`

		`* Wed Feb 29 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-6`
		`- fixed problems with undefined symbols (rhbz#798517)`
		`@@ -530,7 +533,7 @@`

		`* Thu Nov 10 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-1`
		`- update to 1.8.3p1`
		`- - disable output word wrapping if the output is piped`
		`+ - disable output word wrapping if the output is piped`

		`* Wed Sep 7 2011 Peter Robinson <pbrobinson@fedoraproject.org> - 1.8.1p2-2`
		`- Remove execute bit from sample script in docs so we don't pull in perl`
		`@@ -665,7 +668,7 @@`
		`- sparc64 needs to be in the -fPIE list with s390`

		`* Mon Jan 07 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-5`
		`- - fix complains about audit_log_user_command(): Connection`
		`+ - fix complains about audit_log_user_command(): Connection`
		`refused (#401201)`

		`* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.6.9p4-4`
		`@@ -767,7 +770,7 @@`
		`- rebuild`

		`* Mon Oct 4 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-30.1`
		`- - added missing BuildRequires for libselinux-devel (#132883)`
		`+ - added missing BuildRequires for libselinux-devel (#132883)`

		`* Wed Sep 29 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-30`
		`- Fix missing param error in sesh`
		`@@ -794,7 +797,7 @@`
		`exec of child with SELinux patch`

		`* Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-23`
		`- - change to default to sysadm_r`
		`+ - change to default to sysadm_r`
		`- Fix tty handling`

		`* Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-22`
		`@@ -802,7 +805,7 @@`
		`- replace /bin/bash -c with /bin/sesh`

		`* Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-21`
		`- - Hard code to use "/bin/bash -c" for selinux`
		`+ - Hard code to use "/bin/bash -c" for selinux`

		`* Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-20`
		`- Eliminate closing and reopening of terminals, to match su.`
		`@@ -827,7 +830,7 @@`
		`- Fix is_selinux_enabled call`

		`* Tue Jan 13 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-13`
		`- - Clean up patch on failure`
		`+ - Clean up patch on failure`

		`* Tue Jan 6 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-12`
		`- Remove sudo.te for now.`
		`@@ -950,7 +953,7 @@`
		`- fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed)`

		`* Thu Oct 08 1998 Michael Maher <mike@redhat.com>`
		`- - built package for 5.2`
		`+ - built package for 5.2`

		`* Mon May 18 1998 Michael Maher <mike@redhat.com>`
		`- updated SPEC file`
		`@@ -962,10 +965,9 @@`
		`- built for glibc, no problems`

		`* Fri Apr 25 1997 Michael Fulbright <msf@redhat.com>`
		`- - Fixed for 4.2 PowerTools`
		`+ - Fixed for 4.2 PowerTools`
		`- Still need to be pamified`
		`- Still need to move stmp file to /var/log`

		`* Mon Feb 17 1997 Michael Fulbright <msf@redhat.com>`
		`- First version for PowerCD.`
		`-`