SUMMARY: why once you are root using "su -" do you still have your previous limits ?

From: lombardi emanuele <lele_at_mantegna.casaccia.enea.it>
Date: Tue, 22 Dec 1998 10:58:12 +0100 (MET)

Dear friends,

I asked why when you "su -" to root your limits (cputime, filesize...)
are NOT those of root but are the least among yours and root's.

The good answers are those given by Peter and Tom. Thanks to Lars
Kevin and Serguei, too.

I worked a bit to understand how C2 limits are defined (user values &
templates values) and I discovered that when user values are missing
they are taken from the user template. The default template is
(unbelievable!) named "default". If user values are set they override
the corresponding template values. After my signature I place a small
code which summarizes login limits of all C2 users.

Peter Chapin <pchapin_at_solstice.vtc.vsc.edu>
        This is normal because process limits are inherited. If the shell from
        which you do "su" is limited so will your root shell. The "-" option just
        causes the new shell to execute login scripts and other similar things. It
        does not change the fact that it is a child of your original shell and
        thus still under the influence of that shell's process limits.

"Dr. Tom Blinn, 603-884-0646" <tpb_at_doctor.zk3.dec.com>
        I have not done an in-depth investigation, but what you report doesn't really
        surprise me. When you log in as a user other than root, the limits are set up
        during the login process. When you fork/exec a new process from the logged in
        environment, it INHERITS the limits of the parent; thus, when you "su" or run
        login once you are already logged in other than as root, what you wind up with
        for limits in the new process is what you had in the old process. This is not
        a bug.

        If you want to get full root limits, you have to log in as root, or log in as
        a user who has full root limits by default (and in the typical implementation
        of UNIX, if you want to relax the non-root limits, you do so for EVERY user
        who is not root -- that is, there are two classes of user, the superuser and
        every other user, and most limits apply to EVERY user that is not superuser).

        The Digital UNIX implementation is a "typical UNIX implementation" with regard
        to such limits. There are other operating systems (notably OpenVMS) that do
        it differently, but a "typical UNIX implementation" does exactly what you see
        in Digital UNIX.

Lars Bro <lbr_at_dksin.dk> sent a piece of code wich tries to set limits to
UNLIMITED.

        The following program tries to set the limit to unlimited for all
        categories. The systems available for me all run BASE security. Here,
        the program runs OK for root, with SUID root and for su. Uou might try
        it on your ENHANCED system.
        ENHANCED security implements the audit-id getluid(2) setluid(2) that
        can only be set once (by the login program) and never again. No matter
        how much you su, the audit will show what you did!! One might suspect
        that the system also sets the limits once.

        include <sys/resource.h>
        int lim[]={RLIMIT_CPU,RLIMIT_FSIZE,RLIMIT_DATA,
        RLIMIT_STACK,RLIMIT_CORE,RLIMIT_RSS,RLIMIT_NOFILE,RLIMIT_AS,-1};
        main()
        {
              int i;
             struct rlimit rl;
                for(i=0; lim[i]!=-1; i++) {
                  getrlimit (lim[i], &rl);
                 rl.rlim_cur = RLIM_INFINITY;
               rl.rlim_max = RLIM_INFINITY;
                  if (setrlimit(RLIMIT_STACK, &rl) < 0)
                                perror("rlimit");
             }
        }

K.McManus_at_greenwich.ac.uk
        Remember that with su you are a substitute user. Event logging
        remembers who you really are, which is really useful when a
        sysop blunders you can discover who messed things up. Try typing
        'who am i' to discover who you really are. If you really
        want to be root use rlogin with -l.



        --
 Emanuele Lombardi
 mail: AMB-GEM-CLIM ENEA Casaccia
        I-00060 S.M. di Galeria (RM) ITALY
 mailto:lele_at_mantegna.casaccia.enea.it
 tel +39 6 30483366 fax +39 6 30483591

     This transmission was made possible by 100% recycled electrons.




/* Code which summarize login limits for all C2 users.
   To be compiled with -lsecurity switch
   Emanuele Lombardi lele_at_mantegna.casaccia.enea.it december 1998
*/
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/security.h>
#include <prot.h>
#include <stdio.h>

struct es_passwd *es ;
struct es_passwd *es_tmpl ;
long osflim[8],osflim_user[8],osflim_tmpl[8];
int osflag[8],osflag_user[8],osflag_tmpl[8];
char *limc[]={"CPU" ,"FILE SIZE","DATA SEGM",
              "STACK SEGM" ,"CORE SIZE" ,"PROC SIZE",
              "OPEN FILES","ADDR.SPACE"};
char *limc2[]={"cputime" ,"filesize","datasize",
              "stacksize" ,"coredumpsz" ,"memoryuse",
              "descriptrs","vmemoryuse"};

main () {
  int i;
  set_auth_parameters();
  printf("%23s"," "); for (i = 0; i < 8; i++) printf("%10s ",limc[i]);printf("\n");
  printf("%23s"," "); for (i = 0; i < 8; i++) printf("%10s ",limc2[i]);printf("\n");
  while ( es = getespwent()) {
    check(es);
  }
}

check (struct es_passwd *es)
{
  char *name[30];
  int i,uid;
  for (i = 0; i < 8; i++) osflag_user[i]=0;
  strcpy(name,es->ufld->fd_name);
  uid=es->ufld->fd_uid;
  if (es->uflg->fg_template) {
    /* the user belongs to a template which is not the DEFAULT */
    printf("USR %-10s",name);
  } else {
    /* the user belongs to the DEFAULT template */
    printf("USER %-10s",name);
  }
  printf(" %5d ",uid);
  
  assign(osflag_user,osflim_user,es);
  
  for (i = 0; i < 8; i++) print(i,osflag_user[i],osflim_user[i]);
  
  if (es->uflg->fg_template) {
    /* the user belongs to a template which is not the DEFAULT */
    printf("TMPL %-18s",es->ufld->fd_template);
    es_tmpl = getespwnam(es->ufld->fd_template);
    assign(osflag_tmpl,osflim_tmpl,es_tmpl);
    for (i = 0; i < 8; i++) print(i,osflag_tmpl[i],osflim_tmpl[i]);
    
    for (i = 0; i < 8; i++) {
      if (osflag_tmpl[i] == 0 && osflag_user[i] == 0) {
        osflag[i]=0;
      } else if (osflag_tmpl[i] == 1 && osflag_user[i] == 0) {
        osflag[i]=1;
        osflim[i]=osflim_tmpl[i];
      } else if (osflag_tmpl[i] == 0 && osflag_user[i] == 1) {
        osflag[i]=1;
        osflim[i]=osflim_user[i];
      } else if (osflag_tmpl[i] == 1 && osflag_user[i] == 1) {
        osflag[i]=1;
        osflim[i]=osflim_user[i];
      }
      es_tmpl = getespwnam(name); /* restore to the position of user in db*/
    }
    printf("USER %-10s",name);
    printf(" %5d ",uid);
    for (i = 0; i < 8; i++) print(i,osflag[i],osflim[i]);
  }
}

assign (int flags[8], long limits[8], struct es_passwd *es) {
  int i;
  for (i = 0; i < 8; i++) flags[i]=0;
  if (es->uflg->fg_rlim_cpu == 1)
    {limits[0] = es->ufld->fd_rlim_cpu;flags[0]=1;}
  if (es->uflg->fg_rlim_fsize == 1)
    {limits[1] = es->ufld->fd_rlim_fsize;flags[1]=1;}
  if (es->uflg->fg_rlim_data == 1)
    {limits[2] = es->ufld->fd_rlim_data;flags[2]=1;}
  if (es->uflg->fg_rlim_stack== 1)
    {limits[3] = es->ufld->fd_rlim_stack;flags[3]=1;}
  if (es->uflg->fg_rlim_core == 1)
    {limits[4] = es->ufld->fd_rlim_core;flags[4]=1;}
  if (es->uflg->fg_rlim_rss == 1)
    {limits[5] = es->ufld->fd_rlim_rss;flags[5]=1;}
  if (es->uflg->fg_rlim_nofile == 1)
    {limits[6] = es->ufld->fd_rlim_nofile;flags[6]=1;}
  if (es->uflg->fg_rlim_vmem == 1)
    {limits[7] = es->ufld->fd_rlim_vmem;flags[7]=1;}
}

print (int i, long int flag, long int limit) {
  if (flag == 1) {
    if (limit != RLIM_INFINITY) {
      if (i != 0 && i != 6) {
        limit=limit/1024;
      }
      printf("%10d ",limit);
    } else {
      printf("%10s ","INFINITY");
    }
  } else {
    printf("%10s ","undefined");
  }
  if (i == 7) printf("\n");

}
Received on Tue Dec 22 1998 - 10:00:55 NZDT

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:38 NZDT