From: Karel Zak
Date: Mon, 4 Oct 2021 13:39:40 +0000 (+0200)
Subject: su: reset also RLIMIT_FSIZE and RLIMIT_NOFILE
X-Git-Tag: v2.38-rc1~231
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08273c672b105602e1a9031160ccefec171b02ed;p=thirdparty%2Futil-linux.git
su: reset also RLIMIT_FSIZE and RLIMIT_NOFILE
Addresses: https://github.com/linux-pam/linux-pam/issues/85
Signed-off-by: Karel Zak
---
diff --git a/login-utils/su-common.c b/login-utils/su-common.c
index c8eb6cf051..02687892ce 100644
--- a/login-utils/su-common.c
+++ b/login-utils/su-common.c
@@ -959,13 +959,27 @@ static int is_not_root(void)
 return (uid_t) 0 == ruid && ruid == euid ? 0 : 1;
 }
+/* Don't rely on PAM and reset the most important limits. */
 static void sanitize_prlimits(void)
 {
 #ifdef HAVE_SYS_RESOURCE_H
 struct rlimit lm = { .rlim_cur = 0, .rlim_max = 0 };
+ /* reset to zero */
 setrlimit(RLIMIT_NICE, &lm);
 setrlimit(RLIMIT_RTPRIO, &lm);
+
+ /* reset to unlimited */
+ lm.rlim_cur = RLIM_INFINITY;
+ lm.rlim_max = RLIM_INFINITY;
+ setrlimit(RLIMIT_FSIZE, &lm);
+
+ /* reset soft limit only */
+ getrlimit(RLIMIT_NOFILE, &lm);
+ if (lm.rlim_cur != FD_SETSIZE) {
+ lm.rlim_cur = FD_SETSIZE;
+ setrlimit(RLIMIT_NOFILE, &lm);
+ }
 #endif
 }
diff --git a/login-utils/su.1.adoc b/login-utils/su.1.adoc
index add7fbb522..9c9f772715 100644
--- a/login-utils/su.1.adoc
+++ b/login-utils/su.1.adoc
@@ -29,7 +29,7 @@ This version of *su* uses PAM for authentication, account and session management
 Note that *su* in all cases uses PAM (*pam_getenvlist*(3)) to do the final environment modification. Command-line options such as *--login* and *--preserve-environment* affect the environment before it is modified by PAM.
-Since version 2.38 *su* resets process resource limits RLIMIT_NICE and RLIMIT_RTPRIO to zero.
+Since version 2.38 *su* resets process resource limits RLIMIT_NICE, RLIMIT_RTPRIO, RLIMIT_FSIZE and RLIMIT_NOFILE.
 == OPTIONS
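Review bot: In the added RLIMIT_NOFILE block of `sanitize_prlimits()` (login-utils/su-common.c) the result of `getrlimit()` is not checked and `lm` is reused from the RLIMIT_FSIZE reset, so after a failed `getrlimit()` the struct still holds `RLIM_INFINITY` in both fields and the `setrlimit()` that follows would request an unlimited hard limit instead of touching only the soft one. A second gap is an inherited hard limit below `FD_SETSIZE`: `setrlimit()` fails when the soft value exceeds the hard one, the ignored return value hides that, and the soft limit chosen by the invoking process stays in effect. I would guard and clamp, e.g. `if (getrlimit(RLIMIT_NOFILE, &lm) == 0 && lm.rlim_cur != FD_SETSIZE) {` and `lm.rlim_cur = lm.rlim_max < FD_SETSIZE ? lm.rlim_max : FD_SETSIZE;`. Since the new comment says these resets exist so that su does not depend on PAM, the added `setrlimit()` calls should probably also report a failure rather than discard it.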