-
标题
On Safeguard for Sudo (SFS) version 7.3 and up, user resource limits set in the /etc/security/limits.conf file and the /etc/security/limits.d directory are not reflected when using sudo to become the user in question. -
说明
Example of the issue:
The hard and soft core dump file size limits are set to unlimited for the oracle user by using the following entries in /etc/security/limits.d/oracle.conf:
oracle soft core unlimited
oracle hard core unlimitedHowever, when becoming the oracle user (e.g., “sudo -i -u oracle”), the ulimit command reports the core file size limit to be 0, not unlimited, as expected.
-
原因
The reason for this behaviour can be explained by the following note in the sudo 1.9.9 changelog:
https://www.sudo.ws/releases/stable/#1.9.9
"It is now possible to set resource limits in the sudoers file itself. The special values default and “user” refer to the default system limit and invoking user limit respectively. The core dump size limit is now set to 0 by default unless overridden by the sudoers file."
The important part is in the last sentence – “core dump size limit is now set to 0 by default unless overridden by the sudoers file”.
This applies to SFS version 7.3 and greater because 7.3 implements sudoers grammar post v1.9.9, while SFS 7.2 implements sudo grammar before sudo v1.9.9.
-
解决办法
The workaround:
Add a one-line Defaults specification to the sudoers policy to explicitly set rlimit_core, thus overriding the default of 0:Defaults>ALL rlimit_core=user
or possibly
Defaults>ALL rlimit_core=defaultBy explicitly overriding the core dump size limit for all users in the sudoers policy, the core dump size limit is no longer set to 0 by default.