From 72a557140c58070edcc5a7382baa7758d98f3c94 Mon Sep 17 00:00:00 2001 From: Jens Petersen Date: Thu, 26 Mar 2020 18:53:44 +0800 Subject: [PATCH] upstream patch for setrlimit(RLIMIT_CORE) rootless container warnings (#1773148) --- sudo-1.9-RLIMIT_CORE.patch | 149 +++++++++++++++++++++++++++++++++++++ sudo.spec | 7 +- 2 files changed, 154 insertions(+), 2 deletions(-) create mode 100644 sudo-1.9-RLIMIT_CORE.patch diff --git a/sudo-1.9-RLIMIT_CORE.patch b/sudo-1.9-RLIMIT_CORE.patch new file mode 100644 index 0000000..28027c4 --- /dev/null +++ b/sudo-1.9-RLIMIT_CORE.patch @@ -0,0 +1,149 @@ + changeset 12288:1064b906ca68 + +Ignore a failure to restore the RLIMIT_CORE resource limit. +Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY +if we set the limit to zero, even for root. This is not a problem +outside the container. +author Todd C. Miller +date Sat, 14 Mar 2020 11:13:55 -0600 +parents 72ca06a294b4 +children 40629e6fd692 +files src/limits.c +diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+] +line wrap: on + line diff + +--- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600 ++++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600 +@@ -114,13 +114,21 @@ + + if (getrlimit(RLIMIT_CORE, &corelimit) == -1) + sudo_warn("getrlimit(RLIMIT_CORE)"); ++ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]", ++ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); + if (setrlimit(RLIMIT_CORE, &rl) == -1) + sudo_warn("setrlimit(RLIMIT_CORE)"); + #ifdef __linux__ + /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */ +- if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) ++ if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)"); + dumpflag = 0; +- (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); ++ } ++ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); ++ } + #endif /* __linux__ */ + coredump_disabled = true; + +@@ -136,10 +144,20 @@ + debug_decl(restore_coredump, SUDO_DEBUG_UTIL); + + if (coredump_disabled) { +- if (setrlimit(RLIMIT_CORE, &corelimit) == -1) +- sudo_warn("setrlimit(RLIMIT_CORE)"); ++ /* ++ * Linux containers don't allow RLIMIT_CORE to be set back to ++ * RLIM_INFINITY if we set the limit to zero, even for root. ++ */ ++ if (setrlimit(RLIMIT_CORE, &corelimit) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(RLIMIT_CORE, [%lld, %lld])", ++ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); ++ } + #ifdef __linux__ +- (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0); ++ if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); ++ } + #endif /* __linux__ */ + } + debug_return; +@@ -162,8 +180,14 @@ + + if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0) + sudo_warn("getrlimit(RLIMIT_NPROC)"); ++ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); + if (setrlimit(RLIMIT_NPROC, &rl) == -1) { + rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max; ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max, ++ (long long)rl.rlim_cur, (long long)rl.rlim_max); + if (setrlimit(RLIMIT_NPROC, &rl) != 0) + sudo_warn("setrlimit(RLIMIT_NPROC)"); + } +@@ -180,8 +204,11 @@ + #ifdef __linux__ + debug_decl(restore_nproc, SUDO_DEBUG_UTIL); + +- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) +- sudo_warn("setrlimit(RLIMIT_NPROC)"); ++ if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(RLIMIT_NPROC, [%lld, %lld])", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); ++ } + + debug_return; + #endif /* __linux__ */ +@@ -203,6 +230,11 @@ + struct saved_limit *lim = &saved_limits[idx]; + if (getrlimit(lim->resource, &lim->oldlimit) == -1) + continue; ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "getrlimit(lim->name) -> [%lld, %lld]", ++ (long long)lim->oldlimit.rlim_cur, ++ (long long)lim->oldlimit.rlim_max); ++ + lim->saved = true; + if (lim->newlimit.rlim_cur != RLIM_INFINITY) { + /* Don't reduce the soft resource limit. */ +@@ -217,13 +249,28 @@ + lim->newlimit.rlim_max = lim->oldlimit.rlim_max; + } + if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { +- if (lim->fallback != NULL) +- rc = setrlimit(lim->resource, lim->fallback); ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->newlimit.rlim_cur, ++ (long long)lim->newlimit.rlim_max); ++ if (lim->fallback != NULL) { ++ if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->fallback->rlim_cur, ++ (long long)lim->fallback->rlim_max); ++ } ++ } + if (rc == -1) { + /* Try setting new rlim_cur to old rlim_max. */ + lim->newlimit.rlim_cur = lim->oldlimit.rlim_max; + lim->newlimit.rlim_max = lim->oldlimit.rlim_max; +- rc = setrlimit(lim->resource, &lim->newlimit); ++ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->newlimit.rlim_cur, ++ (long long)lim->newlimit.rlim_max); ++ } + } + if (rc == -1) + sudo_warn("setrlimit(%s)", lim->name); +@@ -254,6 +301,10 @@ + if (rc != -1 || errno != EINVAL) + break; + ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)rl.rlim_cur, (long long)rl.rlim_max); ++ + /* + * Soft limit could be lower than current resource usage. + * This can be an issue on NetBSD with RLIMIT_STACK and ASLR. diff --git a/sudo.spec b/sudo.spec index 613bf89..bac08cd 100644 --- a/sudo.spec +++ b/sudo.spec @@ -27,6 +27,8 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch +# https://www.sudo.ws/repos/sudo/rev/1064b906ca68 +Patch2: sudo-1.9-RLIMIT_CORE.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -51,6 +53,7 @@ plugins that use %{name}. %setup -q -n %{name}-%{upstream_version} %patch1 -p1 -b .strip +%patch2 -p1 -b .orig %build # Remove bundled copy of zlib @@ -205,6 +208,8 @@ EOF * Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 - update to latest development version 1.9.0b4 Resolves: rhbz#1816593 +- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix +Resolves: rhbz#1773148 * Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 - update to latest development version 1.9.0b1 @@ -219,8 +224,6 @@ Resolves: rhbz#1786709 - attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user Resolves: rhbz#1786705 - fixes CVE-2019-19232 -- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix -Resolves: rhbz#1773148 * Fri Jan 31 2020 Fedora Release Engineering - 1.8.29-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild