su: reset also RLIMIT_FSIZE and RLIMIT_NOFILE

Addresses: https://github.com/linux-pam/linux-pam/issues/85
Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/login-utils/su-common.c b/login-utils/su-common.c
index c8eb6cf051347bd965d7e2b9ad663c42f64fe02a..02687892ce62b95d9560f9c25f9f3057ead569cd 100644 (file)
--- a/login-utils/su-common.c
+++ b/login-utils/su-common.c
@@ -959,13 +959,27 @@ static int is_not_root(void)
        return (uid_t) 0 == ruid && ruid == euid ? 0 : 1;
 }
 
+/* Don't rely on PAM and reset the most important limits. */
 static void sanitize_prlimits(void)
 {
 #ifdef HAVE_SYS_RESOURCE_H
        struct rlimit lm = { .rlim_cur = 0, .rlim_max = 0 };
 
+       /* reset to zero */
        setrlimit(RLIMIT_NICE, &lm);
        setrlimit(RLIMIT_RTPRIO, &lm);
+
+       /* reset to unlimited */
+       lm.rlim_cur = RLIM_INFINITY;
+       lm.rlim_max = RLIM_INFINITY;
+       setrlimit(RLIMIT_FSIZE, &lm);
+
+       /* reset soft limit only */
+       getrlimit(RLIMIT_NOFILE, &lm);
+       if (lm.rlim_cur != FD_SETSIZE) {
+               lm.rlim_cur = FD_SETSIZE;
+               setrlimit(RLIMIT_NOFILE, &lm);
+       }
 #endif
 }
 

diff --git a/login-utils/su.1.adoc b/login-utils/su.1.adoc
index add7fbb5229f6c36fec5da08a63a9b237fac3ba9..9c9f772715162f269fcfeca7db227036b022f20f 100644 (file)
--- a/login-utils/su.1.adoc
+++ b/login-utils/su.1.adoc
@@ -29,7 +29,7 @@ This version of *su* uses PAM for authentication, account and session management
 
 Note that *su* in all cases uses PAM (*pam_getenvlist*(3)) to do the final environment modification. Command-line options such as *--login* and *--preserve-environment* affect the environment before it is modified by PAM.
 
-Since version 2.38 *su* resets process resource limits RLIMIT_NICE and RLIMIT_RTPRIO to zero.
+Since version 2.38 *su* resets process resource limits RLIMIT_NICE, RLIMIT_RTPRIO, RLIMIT_FSIZE and RLIMIT_NOFILE.
 
 == OPTIONS