[Pkg-shadow-devel] [PATCH] Add enforce limits to su.

Justin Bronder jsbronder at gmail.com
Fri Oct 12 19:11:59 UTC 2007


First, let me extend my thanks to all of you for taking over upstream
development.  Now I actually know who to email!

Attached is a patch that adds a new command line option to su.  From the man
page:

-L, --enforce-limits
  Enforce the limits in /etc/limits.
  If PAM was enabled at compile time, this option has no effect.

Currently when su'ing from root to another user, setup_limits() is never
called.  Typically this is probably not a huge problem, but when you're
su'ing to a user that has an increased real-time priority, it's nice to not
have to call ulimit first.

Thanks,
-- 
Justin Bronder
-------------- next part --------------
diff -urN shadow-svn/man/su.1.xml shadow-svn_patched/man/su.1.xml
--- shadow-svn/man/su.1.xml	2007-10-12 14:38:05.000000000 -0400
+++ shadow-svn_patched/man/su.1.xml	2007-10-12 14:46:16.000000000 -0400
@@ -161,6 +161,17 @@
 	  </para>
 	</listitem>
       </varlistentry>
+      <varlistentry>
+	<term>
+	  <option>-L</option>, <option>--enforce-limits</option>
+	</term>
+	<listitem>
+	  <para>Enforce the limits in /etc/limits.</para>
+	  <para>
+	    If PAM was enabled at compile time, this option has no effect.
+	  </para>
+	</listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
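Review bot: The new -L entry does not say when the option changes anything. According to the src/su.c hunk at line 790, setup_limits() already runs whenever the caller is not root, so -L only has an effect when root invokes su. State that in the first para, for example "When su is run by root, also enforce the limits in /etc/limits for the target user."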
diff -urN shadow-svn/src/su.c shadow-svn_patched/src/su.c
--- shadow-svn/src/su.c	2007-10-12 14:40:19.000000000 -0400
+++ shadow-svn_patched/src/su.c	2007-10-12 15:04:51.000000000 -0400
@@ -258,6 +258,7 @@
 			   "  -c, --command COMMAND		pass COMMAND to the invoked shell\n"
 			   "  -h, --help			display this help message and exit\n"
 			   "  -, -l, --login		make the shell a login shell\n"
+			   "  -L, --enforce-limits  Enforce users limits from /etc/limits\n"
 			   "  -m, -p,\n"
 			   "  --preserve-environment	do not reset environment variables, and keep\n"
 			   "				the same shell\n"
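Review bot: The added usage line for -L does not follow the surrounding entries. It pads with spaces where the others align the description with tabs, it capitalises "Enforce" where the other descriptions start lowercase, and "users limits" should read "user's limits". It also drops the man page caveat that the option has no effect when PAM is enabled, which is the one thing a reader of --help most needs to know.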
@@ -282,6 +283,7 @@
 	const char *tty = 0;	/* Name of tty SU is run from        */
 	int doshell = 0;
 	int fakelogin = 0;
+   	int enforcelimits = 0;
 	int amroot = 0;
 	uid_t my_uid;
 	struct passwd *pw = 0;
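Review bot: The enforcelimits declaration is indented with three spaces followed by a tab, while the neighbouring declarations use a single tab. The flag is also only read in the !USE_PAM branch (last hunk), so a PAM build assigns it and never uses it; declare it under #ifndef USE_PAM or give it a comment saying so.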
@@ -336,11 +338,12 @@
 			{"login", no_argument, NULL, 'l'},
 			{"preserve-environment", no_argument, NULL, 'p'},
 			{"shell", required_argument, NULL, 's'},
+			{"enforce-limits", no_argument, NULL, 'L' },
 			{NULL, 0, NULL, '\0'}
 		};
 
 		while ((c =
-			getopt_long (argc, argv, "-c:hlmps:", long_options,
+			getopt_long (argc, argv, "-c:hlmps:L", long_options,
 				     &option_index)) != -1) {
 			switch (c) {
 			case 1:
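Review bot: The new long_options entry is written 'L' } with a space before the closing brace, unlike every other row of the table; drop the space. The entry and the "L" in the optstring are appended at the end, whereas the usage text places -L right after -l. Keeping one order in the table, the optstring and the help output makes them easier to check against each other.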
@@ -373,6 +376,9 @@
 			case 's':
 				shellstr = optarg;
 				break;
+			case 'L':
+				enforcelimits = 1;
+				break;
 			default:
 				usage ();	/* NOT REACHED */
 			}
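Review bot: case 'L' sets enforcelimits unconditionally, but the only reader of the flag sits in the #else /* !USE_PAM */ branch, so on a PAM build -L is accepted and silently ignored. An administrator who relies on -L to apply /etc/limits gets no indication that nothing happened. Print a warning or reject the option when USE_PAM is defined, rather than documenting the no-op only in the man page.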
@@ -790,8 +796,8 @@
 	}
 #else				/* !USE_PAM */
 	environ = newenvp;	/* make new environment active */
-	
-	if (!amroot)		/* no limits if su from root */
+
+	if (!amroot | enforcelimits)		/* no limits if su from root */
 		setup_limits (&pwent);
 
 	if (setup_uid_gid (&pwent, is_console))
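Review bot: The condition (!amroot | enforcelimits) uses bitwise OR where logical OR is meant. It gives the intended result here only because both operands are 0 or 1; write it as if (!amroot || enforcelimits). The trailing comment "no limits if su from root" no longer describes the condition and should be updated, for example "no limits if su from root, unless -L was given". The whitespace-only change to the blank line above is unrelated cleanup and is better left out of this patch.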