Dear friends,
I asked why when you "su -" to root your limits (cputime, filesize...)
are NOT those of root but are the least among yours and root's.
The good answers are those given by Peter and Tom. Thanks to Lars
Kevin and Serguei, too.
I worked a bit to understand how C2 limits are defined (user values &
templates values) and I discovered that when user values are missing
they are taken from the user template. The default template is
(unbelievable!) named "default". If user values are set they override
the corresponding template values. After my signature I place a small
code which summarizes login limits of all C2 users.
Peter Chapin <pchapin_at_solstice.vtc.vsc.edu>
This is normal because process limits are inherited. If the shell from
which you do "su" is limited so will your root shell. The "-" option just
causes the new shell to execute login scripts and other similar things. It
does not change the fact that it is a child of your original shell and
thus still under the influence of that shell's process limits.
"Dr. Tom Blinn, 603-884-0646" <tpb_at_doctor.zk3.dec.com>
I have not done an in-depth investigation, but what you report doesn't really
surprise me. When you log in as a user other than root, the limits are set up
during the login process. When you fork/exec a new process from the logged in
environment, it INHERITS the limits of the parent; thus, when you "su" or run
login once you are already logged in other than as root, what you wind up with
for limits in the new process is what you had in the old process. This is not
a bug.
If you want to get full root limits, you have to log in as root, or log in as
a user who has full root limits by default (and in the typical implementation
of UNIX, if you want to relax the non-root limits, you do so for EVERY user
who is not root -- that is, there are two classes of user, the superuser and
every other user, and most limits apply to EVERY user that is not superuser).
The Digital UNIX implementation is a "typical UNIX implementation" with regard
to such limits. There are other operating systems (notably OpenVMS) that do
it differently, but a "typical UNIX implementation" does exactly what you see
in Digital UNIX.
Lars Bro <lbr_at_dksin.dk> sent a piece of code wich tries to set limits to
UNLIMITED.
The following program tries to set the limit to unlimited for all
categories. The systems available for me all run BASE security. Here,
the program runs OK for root, with SUID root and for su. Uou might try
it on your ENHANCED system.
ENHANCED security implements the audit-id getluid(2) setluid(2) that
can only be set once (by the login program) and never again. No matter
how much you su, the audit will show what you did!! One might suspect
that the system also sets the limits once.
include <sys/resource.h>
int lim[]={RLIMIT_CPU,RLIMIT_FSIZE,RLIMIT_DATA,
RLIMIT_STACK,RLIMIT_CORE,RLIMIT_RSS,RLIMIT_NOFILE,RLIMIT_AS,-1};
main()
{
int i;
struct rlimit rl;
for(i=0; lim[i]!=-1; i++) {
getrlimit (lim[i], &rl);
rl.rlim_cur = RLIM_INFINITY;
rl.rlim_max = RLIM_INFINITY;
if (setrlimit(RLIMIT_STACK, &rl) < 0)
perror("rlimit");
}
}
K.McManus_at_greenwich.ac.uk
Remember that with su you are a substitute user. Event logging
remembers who you really are, which is really useful when a
sysop blunders you can discover who messed things up. Try typing
'who am i' to discover who you really are. If you really
want to be root use rlogin with -l.
--
Emanuele Lombardi
mail: AMB-GEM-CLIM ENEA Casaccia
I-00060 S.M. di Galeria (RM) ITALY
mailto:lele_at_mantegna.casaccia.enea.it
tel +39 6 30483366 fax +39 6 30483591
This transmission was made possible by 100% recycled electrons.
/* Code which summarize login limits for all C2 users.
To be compiled with -lsecurity switch
Emanuele Lombardi lele_at_mantegna.casaccia.enea.it december 1998
*/
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/security.h>
#include <prot.h>
#include <stdio.h>
struct es_passwd *es ;
struct es_passwd *es_tmpl ;
long osflim[8],osflim_user[8],osflim_tmpl[8];
int osflag[8],osflag_user[8],osflag_tmpl[8];
char *limc[]={"CPU" ,"FILE SIZE","DATA SEGM",
"STACK SEGM" ,"CORE SIZE" ,"PROC SIZE",
"OPEN FILES","ADDR.SPACE"};
char *limc2[]={"cputime" ,"filesize","datasize",
"stacksize" ,"coredumpsz" ,"memoryuse",
"descriptrs","vmemoryuse"};
main () {
int i;
set_auth_parameters();
printf("%23s"," "); for (i = 0; i < 8; i++) printf("%10s ",limc[i]);printf("\n");
printf("%23s"," "); for (i = 0; i < 8; i++) printf("%10s ",limc2[i]);printf("\n");
while ( es = getespwent()) {
check(es);
}
}
check (struct es_passwd *es)
{
char *name[30];
int i,uid;
for (i = 0; i < 8; i++) osflag_user[i]=0;
strcpy(name,es->ufld->fd_name);
uid=es->ufld->fd_uid;
if (es->uflg->fg_template) {
/* the user belongs to a template which is not the DEFAULT */
printf("USR %-10s",name);
} else {
/* the user belongs to the DEFAULT template */
printf("USER %-10s",name);
}
printf(" %5d ",uid);
assign(osflag_user,osflim_user,es);
for (i = 0; i < 8; i++) print(i,osflag_user[i],osflim_user[i]);
if (es->uflg->fg_template) {
/* the user belongs to a template which is not the DEFAULT */
printf("TMPL %-18s",es->ufld->fd_template);
es_tmpl = getespwnam(es->ufld->fd_template);
assign(osflag_tmpl,osflim_tmpl,es_tmpl);
for (i = 0; i < 8; i++) print(i,osflag_tmpl[i],osflim_tmpl[i]);
for (i = 0; i < 8; i++) {
if (osflag_tmpl[i] == 0 && osflag_user[i] == 0) {
osflag[i]=0;
} else if (osflag_tmpl[i] == 1 && osflag_user[i] == 0) {
osflag[i]=1;
osflim[i]=osflim_tmpl[i];
} else if (osflag_tmpl[i] == 0 && osflag_user[i] == 1) {
osflag[i]=1;
osflim[i]=osflim_user[i];
} else if (osflag_tmpl[i] == 1 && osflag_user[i] == 1) {
osflag[i]=1;
osflim[i]=osflim_user[i];
}
es_tmpl = getespwnam(name); /* restore to the position of user in db*/
}
printf("USER %-10s",name);
printf(" %5d ",uid);
for (i = 0; i < 8; i++) print(i,osflag[i],osflim[i]);
}
}
assign (int flags[8], long limits[8], struct es_passwd *es) {
int i;
for (i = 0; i < 8; i++) flags[i]=0;
if (es->uflg->fg_rlim_cpu == 1)
{limits[0] = es->ufld->fd_rlim_cpu;flags[0]=1;}
if (es->uflg->fg_rlim_fsize == 1)
{limits[1] = es->ufld->fd_rlim_fsize;flags[1]=1;}
if (es->uflg->fg_rlim_data == 1)
{limits[2] = es->ufld->fd_rlim_data;flags[2]=1;}
if (es->uflg->fg_rlim_stack== 1)
{limits[3] = es->ufld->fd_rlim_stack;flags[3]=1;}
if (es->uflg->fg_rlim_core == 1)
{limits[4] = es->ufld->fd_rlim_core;flags[4]=1;}
if (es->uflg->fg_rlim_rss == 1)
{limits[5] = es->ufld->fd_rlim_rss;flags[5]=1;}
if (es->uflg->fg_rlim_nofile == 1)
{limits[6] = es->ufld->fd_rlim_nofile;flags[6]=1;}
if (es->uflg->fg_rlim_vmem == 1)
{limits[7] = es->ufld->fd_rlim_vmem;flags[7]=1;}
}
print (int i, long int flag, long int limit) {
if (flag == 1) {
if (limit != RLIM_INFINITY) {
if (i != 0 && i != 6) {
limit=limit/1024;
}
printf("%10d ",limit);
} else {
printf("%10s ","INFINITY");
}
} else {
printf("%10s ","undefined");
}
if (i == 7) printf("\n");
}
Received on Tue Dec 22 1998 - 10:00:55 NZDT