Diffstat (limited to 'security/sudo/patches')
-rw-r--r--security/sudo/patches/patch-Makefile.in10
-rw-r--r--security/sudo/patches/patch-configure26
-rw-r--r--security/sudo/patches/patch-include_sudo__compat.h20
-rw-r--r--security/sudo/patches/patch-include_sudo__event.h16
-rw-r--r--security/sudo/patches/patch-lib_util_sig2str.c23
-rw-r--r--security/sudo/patches/patch-lib_util_str2sig.c31
-rw-r--r--security/sudo/patches/patch-plugins_sudoers_Makefile.in10
-rw-r--r--security/sudo/patches/patch-plugins_sudoers_logging.c16
-rw-r--r--security/sudo/patches/patch-plugins_sudoers_starttime.c15
-rw-r--r--security/sudo/patches/patch-plugins_sudoers_sudoers.c37
-rw-r--r--security/sudo/patches/patch-src_Makefile.in8
-rw-r--r--security/sudo/patches/patch-src_limits.c126
12 files changed, 27 insertions, 311 deletions
diff --git a/security/sudo/patches/patch-Makefile.in b/security/sudo/patches/patch-Makefile.in
index 98b6c7eb03b..4d12fc38dcf 100644
--- a/security/sudo/patches/patch-Makefile.in
+++ b/security/sudo/patches/patch-Makefile.in
@@ -1,10 +1,10 @@
-$NetBSD: patch-Makefile.in,v 1.1 2018/08/14 13:18:38 adam Exp $
+$NetBSD: patch-Makefile.in,v 1.1.14.1 2020/02/09 19:21:38 bsiegert Exp $
Don't setuid here.
---- Makefile.in.orig 2015-10-31 23:35:07.000000000 +0000
-+++ Makefile.in
-@@ -63,7 +63,8 @@ SHELL = @SHELL@
+--- Makefile.in.orig 2019-10-28 15:51:30.000000000 +0200
++++ Makefile.in 2019-12-28 21:41:28.028886752 +0200
+@@ -64,7 +64,8 @@
SED = @SED@
INSTALL = $(SHELL) $(top_srcdir)/install-sh -c
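Review bot: The refreshed inner patch header now carries a timestamp on the `+++ Makefile.in` line, and the inner hunk headers have lost their section context (`@@ -64,7 +64,8 @@`, where the old patch had `SHELL = @SHELL@` after the range); this is a style regression, not a functional one. The same pattern appears in the refreshed patch-configure, patch-plugins_sudoers_Makefile.in and patch-src_Makefile.in. A timestamp on that line changes on every regeneration, so later refreshes will differ (and presumably get new patch checksums) even when the patched content is identical, which makes changes to a setuid package harder to audit. I would keep the earlier form, `+++ Makefile.in`, and regenerate with the same diff options as before so the context after `@@` is preserved.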
@@ -14,7 +14,7 @@ Don't setuid here.
ECHO_N = @ECHO_N@
ECHO_C = @ECHO_C@
-@@ -129,7 +130,7 @@ install-doc: config.status ChangeLog
+@@ -165,7 +166,7 @@
exit $$?; \
done
diff --git a/security/sudo/patches/patch-configure b/security/sudo/patches/patch-configure
index c5872016794..25cbe9eb1a5 100644
--- a/security/sudo/patches/patch-configure
+++ b/security/sudo/patches/patch-configure
@@ -1,4 +1,4 @@
-$NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
+$NetBSD: patch-configure,v 1.1.14.1 2020/02/09 19:21:38 bsiegert Exp $
* Add "--with-nbsdops" option, NetBSD standard options.
* Link with util(3) in the case of DragonFly, too.
@@ -7,9 +7,9 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
functions (HAVE_KRB5_*).
* Remove setting sysconfdir to "/etc".
---- configure.orig 2017-05-29 20:33:06.000000000 +0000
-+++ configure
-@@ -865,6 +865,7 @@ with_libpath
+--- configure.orig 2019-12-26 06:24:43.000000000 +0200
++++ configure 2019-12-28 21:41:28.049372280 +0200
+@@ -869,6 +869,7 @@
with_libraries
with_efence
with_csops
@@ -17,7 +17,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
with_passwd
with_skey
with_opie
-@@ -1571,7 +1572,7 @@ Fine tuning of the installation director
+@@ -1581,7 +1582,7 @@
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
@@ -26,7 +26,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
-@@ -1674,6 +1675,7 @@ Optional Packages:
+@@ -1694,6 +1695,7 @@
--with-libraries additional libraries to link with
--with-efence link with -lefence for malloc() debugging
--with-csops add CSOps standard options
@@ -34,7 +34,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
--without-passwd don't use passwd/shadow file for authentication
--with-skey[=DIR] enable S/Key support
--with-opie[=DIR] enable OPIE support
-@@ -4746,6 +4748,23 @@ fi
+@@ -4797,6 +4799,23 @@
@@ -58,7 +58,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
# Check whether --with-passwd was given.
if test "${with_passwd+set}" = set; then :
withval=$with_passwd; case $with_passwd in
-@@ -15770,7 +15789,7 @@ fi
+@@ -15925,7 +15944,7 @@
: ${mansectsu='1m'}
: ${mansectform='4'}
;;
@@ -67,7 +67,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
shadow_funcs="getspnam"
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
# Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h
-@@ -17995,7 +18014,7 @@ if test "x$ac_cv_header_login_cap_h" = x
+@@ -18163,7 +18182,7 @@
_ACEOF
LOGINCAP_USAGE='[-c class] '; LCMAN=1
case "$OS" in
@@ -76,7 +76,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
SUDO_LIBS="${SUDO_LIBS} -lutil"
SUDOERS_LIBS="${SUDOERS_LIBS} -lutil"
;;
-@@ -22483,10 +22502,9 @@ if test ${with_pam-"no"} != "no"; then
+@@ -22993,10 +23012,9 @@
# Check for pam_start() in libpam first, then for pam_appl.h.
#
found_pam_lib=no
@@ -89,7 +89,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
-@@ -22510,18 +22528,17 @@ return pam_start ();
+@@ -23020,18 +23038,17 @@
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
@@ -113,7 +113,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
found_pam_lib=yes
fi
-@@ -23256,6 +23273,8 @@ fi
+@@ -23766,6 +23783,8 @@
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
AUTH_OBJS="$AUTH_OBJS kerb5.lo"
fi
@@ -122,7 +122,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
_LIBS="$LIBS"
LIBS="${LIBS} ${SUDOERS_LIBS}"
for ac_func in krb5_verify_user krb5_init_secure_context
-@@ -26426,7 +26445,6 @@ test "$datarootdir" = '${prefix}/share'
+@@ -27026,7 +27045,6 @@
test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
diff --git a/security/sudo/patches/patch-include_sudo__compat.h b/security/sudo/patches/patch-include_sudo__compat.h
deleted file mode 100644
index 0b1597035a5..00000000000
--- a/security/sudo/patches/patch-include_sudo__compat.h
+++ /dev/null
@@ -1,20 +0,0 @@
-$NetBSD: patch-include_sudo__compat.h,v 1.1 2017/05/31 02:22:02 maya Exp $
-
-Work around missing WCONTINUED/WIFCONTINUED support in
-NetBSD<8
-
---- include/sudo_compat.h.orig 2017-05-10 15:38:43.000000000 +0000
-+++ include/sudo_compat.h
-@@ -304,6 +304,12 @@ extern int errno;
- # define SIG2STR_MAX 32
- #endif
-
-+/* Deficiencies in NetBSD<8 */
-+#ifndef WCONTINUED
-+# define WCONTINUED 0
-+# define WIFCONTINUED(a) 0
-+#endif
-+
- /* WCOREDUMP is not POSIX, this usually works (verified on AIX). */
- #ifndef WCOREDUMP
- # define WCOREDUMP(x) ((x) & 0x80)
diff --git a/security/sudo/patches/patch-include_sudo__event.h b/security/sudo/patches/patch-include_sudo__event.h
deleted file mode 100644
index 8d1708aa59e..00000000000
--- a/security/sudo/patches/patch-include_sudo__event.h
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-include_sudo__event.h,v 1.2 2017/09/12 06:34:22 adam Exp $
-
-Missing include, fixes build error:
-error: field 'timeout' has incomplete type
-struct timeval timeout; /* for SUDO_EV_TIMEOUT */
-
---- include/sudo_event.h.orig 2017-08-23 18:07:28.000000000 +0000
-+++ include/sudo_event.h
-@@ -19,6 +19,7 @@
-
- #include <signal.h> /* for sigatomic_t and NSIG */
- #include "sudo_queue.h"
-+#include <sys/time.h> /* timeval */
-
- /* Event types */
- #define SUDO_EV_TIMEOUT 0x01 /* fire after timeout */
diff --git a/security/sudo/patches/patch-lib_util_sig2str.c b/security/sudo/patches/patch-lib_util_sig2str.c
deleted file mode 100644
index 831d865c826..00000000000
--- a/security/sudo/patches/patch-lib_util_sig2str.c
+++ /dev/null
@@ -1,23 +0,0 @@
-$NetBSD: patch-lib_util_sig2str.c,v 1.1 2019/10/14 20:05:58 maya Exp $
-
-Handle sysconf(_SC_RTSIG_MAX) not existing (netbsd):
-just assume the static limits is good enough.
-
---- lib/util/sig2str.c.orig 2019-10-10 16:33:03.000000000 +0000
-+++ lib/util/sig2str.c
-@@ -65,6 +65,7 @@ sudo_sig2str(int signo, char *signame)
- #if defined(SIGRTMIN) && defined(SIGRTMAX)
- /* Realtime signal support. */
- if (signo >= SIGRTMIN && signo <= SIGRTMAX) {
-+#ifdef _SC_RTSIG_MAX
- const long rtmax = sysconf(_SC_RTSIG_MAX);
- if (rtmax > 0) {
- if (signo == SIGRTMIN) {
-@@ -79,6 +80,7 @@ sudo_sig2str(int signo, char *signame)
- (SIGRTMAX - signo));
- }
- }
-+#endif
- return 0;
- }
- #endif
diff --git a/security/sudo/patches/patch-lib_util_str2sig.c b/security/sudo/patches/patch-lib_util_str2sig.c
deleted file mode 100644
index 49a26d449ac..00000000000
--- a/security/sudo/patches/patch-lib_util_str2sig.c
+++ /dev/null
@@ -1,31 +0,0 @@
-$NetBSD: patch-lib_util_str2sig.c,v 1.2 2019/10/16 20:25:21 maya Exp $
-
-Handle sysconf(_SC_RTSIG_MAX) not existing (netbsd):
-just assume the static limits is good enough.
-
---- lib/util/str2sig.c.orig 2019-10-10 16:33:03.000000000 +0000
-+++ lib/util/str2sig.c
-@@ -112,7 +112,11 @@ sudo_str2sig(const char *signame, int *r
- }
- if (signame[5] == '+') {
- if (isdigit((unsigned char)signame[6])) {
-+#ifdef _SC_RTSIG_MAX
- const long rtmax = sysconf(_SC_RTSIG_MAX);
-+#else
-+ const long rtmax = SIGRTMAX - SIGRTMIN;
-+#endif
- const int off = signame[6] - '0';
-
- if (rtmax > 0 && off < rtmax / 2) {
-@@ -131,7 +135,11 @@ sudo_str2sig(const char *signame, int *r
- }
- if (signame[5] == '-') {
- if (isdigit((unsigned char)signame[6])) {
-+#ifdef _SC_RTSIG_MAX
- const long rtmax = sysconf(_SC_RTSIG_MAX);
-+#else
-+ const long rtmax = SIGRTMAX - SIGRTMIN;
-+#endif
- const int off = signame[6] - '0';
-
- if (rtmax > 0 && off < rtmax / 2) {
diff --git a/security/sudo/patches/patch-plugins_sudoers_Makefile.in b/security/sudo/patches/patch-plugins_sudoers_Makefile.in
index c3e735cf49b..88acff799ce 100644
--- a/security/sudo/patches/patch-plugins_sudoers_Makefile.in
+++ b/security/sudo/patches/patch-plugins_sudoers_Makefile.in
@@ -1,11 +1,11 @@
-$NetBSD: patch-plugins_sudoers_Makefile.in,v 1.2 2019/12/15 18:42:10 adam Exp $
+$NetBSD: patch-plugins_sudoers_Makefile.in,v 1.2.4.1 2020/02/09 19:21:38 bsiegert Exp $
Do not install the sudoers file to etc.
---- plugins/sudoers/Makefile.in.orig 2019-10-28 12:28:53.000000000 +0000
-+++ plugins/sudoers/Makefile.in
-@@ -394,7 +394,7 @@ pre-install:
- ./visudo -c -f $(sudoersdir)/sudoers; \
+--- plugins/sudoers/Makefile.in.orig 2019-12-25 21:21:05.000000000 +0200
++++ plugins/sudoers/Makefile.in 2019-12-28 22:01:00.540953438 +0200
+@@ -396,7 +396,7 @@
+ fi; \
fi
-install: install-plugin install-binaries install-sudoers install-doc
diff --git a/security/sudo/patches/patch-plugins_sudoers_logging.c b/security/sudo/patches/patch-plugins_sudoers_logging.c
deleted file mode 100644
index 6d2722874b8..00000000000
--- a/security/sudo/patches/patch-plugins_sudoers_logging.c
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-plugins_sudoers_logging.c,v 1.2 2018/03/07 09:17:06 adam Exp $
-
-Make sure CODESET is actually defined, for the sake of
-old NetBSD versions
-
---- plugins/sudoers/logging.c.orig 2015-10-31 23:35:25.000000000 +0000
-+++ plugins/sudoers/logging.c
-@@ -722,7 +722,7 @@ send_mail(const char *fmt, ...)
- (void) fputc(*p, mail);
- }
-
--#ifdef HAVE_NL_LANGINFO
-+#if defined(HAVE_NL_LANGINFO) && defined(CODESET)
- if (strcmp(def_sudoers_locale, "C") != 0)
- (void) fprintf(mail, "\nContent-Type: text/plain; charset=\"%s\"\nContent-Transfer-Encoding: 8bit", nl_langinfo(CODESET));
- #endif /* HAVE_NL_LANGINFO */
diff --git a/security/sudo/patches/patch-plugins_sudoers_starttime.c b/security/sudo/patches/patch-plugins_sudoers_starttime.c
deleted file mode 100644
index d6d81642fea..00000000000
--- a/security/sudo/patches/patch-plugins_sudoers_starttime.c
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-plugins_sudoers_starttime.c,v 1.2 2019/12/15 18:42:10 adam Exp $
-
-Fix a typo.
-
---- plugins/sudoers/starttime.c.orig 2019-10-28 12:28:52.000000000 +0000
-+++ plugins/sudoers/starttime.c
-@@ -31,7 +31,7 @@
-
- #include <sys/types.h>
- #include <sys/stat.h>
--#if defined(HAVE_KINFO_PROC_44BSD) || defined (HAVE_KINFO_PROC_OPENBSD) || defined(HAVE_KINFO_PROC2_NETBSD2)
-+#if defined(HAVE_KINFO_PROC_44BSD) || defined (HAVE_KINFO_PROC_OPENBSD) || defined(HAVE_KINFO_PROC2_NETBSD)
- # include <sys/sysctl.h>
- #elif defined(HAVE_KINFO_PROC_FREEBSD)
- # include <sys/param.h>
diff --git a/security/sudo/patches/patch-plugins_sudoers_sudoers.c b/security/sudo/patches/patch-plugins_sudoers_sudoers.c
deleted file mode 100644
index 8d122222734..00000000000
--- a/security/sudo/patches/patch-plugins_sudoers_sudoers.c
+++ /dev/null
@@ -1,37 +0,0 @@
-$NetBSD: patch-plugins_sudoers_sudoers.c,v 1.1 2019/12/18 15:56:11 kim Exp $
-
-Indicate the resource for which get/setrlimit fails.
-Make the code match what src/limits.c does.
-
---- plugins/sudoers/sudoers.c.orig 2019-10-28 14:28:53.000000000 +0200
-+++ plugins/sudoers/sudoers.c 2019-12-18 15:41:53.019149463 +0200
-@@ -123,16 +123,15 @@
- unlimit_nproc(void)
- {
- #ifdef __linux__
-- struct rlimit rl;
-+ struct rlimit rl = { RLIM_INFINITY, RLIM_INFINITY };
- debug_decl(unlimit_nproc, SUDOERS_DEBUG_UTIL)
-
- if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)
-- sudo_warn("getrlimit");
-- rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
-- if (setrlimit(RLIMIT_NPROC, &rl) != 0) {
-+ sudo_warn("getrlimit(RLIMIT_NPROC)");
-+ if (setrlimit(RLIMIT_NPROC, &rl) == -1) {
- rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;
- if (setrlimit(RLIMIT_NPROC, &rl) != 0)
-- sudo_warn("setrlimit");
-+ sudo_warn("setrlimit(RLIMIT_NPROC)");
- }
- debug_return;
- #endif /* __linux__ */
-@@ -148,7 +147,7 @@
- debug_decl(restore_nproc, SUDOERS_DEBUG_UTIL)
-
- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)
-- sudo_warn("setrlimit");
-+ sudo_warn("setrlimit(RLIMIT_NPROC)");
-
- debug_return;
- #endif /* __linux__ */
diff --git a/security/sudo/patches/patch-src_Makefile.in b/security/sudo/patches/patch-src_Makefile.in
index 420b225b0c3..a790d0e57e2 100644
--- a/security/sudo/patches/patch-src_Makefile.in
+++ b/security/sudo/patches/patch-src_Makefile.in
@@ -1,10 +1,10 @@
-$NetBSD: patch-src_Makefile.in,v 1.3 2018/03/07 09:17:06 adam Exp $
+$NetBSD: patch-src_Makefile.in,v 1.3.18.1 2020/02/09 19:21:38 bsiegert Exp $
* install the suid sudo without write-bits
---- src/Makefile.in.orig 2015-10-31 23:35:25.000000000 +0000
-+++ src/Makefile.in
-@@ -198,7 +198,7 @@ install-rc: install-dirs
+--- src/Makefile.in.orig 2019-12-10 15:11:46.000000000 +0200
++++ src/Makefile.in 2019-12-28 21:51:27.794734242 +0200
+@@ -219,7 +219,7 @@
fi
install-binaries: install-dirs $(PROGS)
diff --git a/security/sudo/patches/patch-src_limits.c b/security/sudo/patches/patch-src_limits.c
deleted file mode 100644
index b7ea3d6f062..00000000000
--- a/security/sudo/patches/patch-src_limits.c
+++ /dev/null
@@ -1,126 +0,0 @@
-$NetBSD: patch-src_limits.c,v 1.2 2019/12/19 16:59:44 kim Exp $
-
-* Disable RLIMIT_STACK on NetBSD, see https://gnats.netbsd.org/51158
-* Indicate the name of the resource for which setrlimit fails.
-* Simplify resource limit fallback logic a bit.
-* Don't set the RLIMIT_STACK soft/hard limits to unlimited.
-* macOS does not allow rlim_cur to be set to RLIM_INFINITY for RLIMIT_NOFILE.
-
---- src/limits.c.orig 2019-10-28 14:28:52.000000000 +0200
-+++ src/limits.c 2019-12-19 18:52:11.232251175 +0200
-@@ -37,28 +37,48 @@
- #ifdef __linux__
- # include <sys/prctl.h>
- #endif
-+#include <limits.h>
-
- #include "sudo.h"
-
-+#if defined(OPEN_MAX) && OPEN_MAX > 256
-+# define SUDO_OPEN_MAX OPEN_MAX
-+#else
-+# define SUDO_OPEN_MAX 256
-+#endif
-+
-+/*
-+ * macOS doesn't allow nofile soft limit to be infinite or
-+ * the stack hard limit to be infinite.
-+ * Linux containers have a problem with an infinite stack soft limit.
-+ */
-+static struct rlimit nofile_fallback = { SUDO_OPEN_MAX, RLIM_INFINITY };
-+static struct rlimit stack_fallback = { 8192 * 1024, 65532 * 1024 };
-+
- static struct saved_limit {
-+ char *name;
- int resource;
- bool saved;
-- struct rlimit limit;
-+ struct rlimit *fallback;
-+ struct rlimit newlimit;
-+ struct rlimit oldlimit;
- } saved_limits[] = {
- #ifdef RLIMIT_AS
-- { RLIMIT_AS },
-+ { "RLIMIT_AS", RLIMIT_AS, false, NULL, { RLIM_INFINITY, RLIM_INFINITY } },
- #endif
-- { RLIMIT_CPU },
-- { RLIMIT_DATA },
-- { RLIMIT_FSIZE },
-- { RLIMIT_NOFILE },
-+ { "RLIMIT_CPU", RLIMIT_CPU, false, NULL, { RLIM_INFINITY, RLIM_INFINITY } },
-+ { "RLIMIT_DATA", RLIMIT_DATA, false, NULL, { RLIM_INFINITY, RLIM_INFINITY } },
-+ { "RLIMIT_FSIZE", RLIMIT_FSIZE, false, NULL, { RLIM_INFINITY, RLIM_INFINITY } },
-+ { "RLIMIT_NOFILE", RLIMIT_NOFILE, false, &nofile_fallback, { RLIM_INFINITY, RLIM_INFINITY } },
- #ifdef RLIMIT_NPROC
-- { RLIMIT_NPROC },
-+ { "RLIMIT_NPROC", RLIMIT_NPROC, false, NULL, { RLIM_INFINITY, RLIM_INFINITY } },
- #endif
- #ifdef RLIMIT_RSS
-- { RLIMIT_RSS },
-+ { "RLIMIT_RSS", RLIMIT_RSS, false, NULL, { RLIM_INFINITY, RLIM_INFINITY } },
-+#endif
-+#ifndef __NetBSD__
-+ { "RLIMIT_STACK", RLIMIT_STACK, false, &stack_fallback, { 8192 * 1024, RLIM_INFINITY } }
- #endif
-- { RLIMIT_STACK }
- };
-
- static struct rlimit corelimit;
-@@ -160,21 +180,39 @@
- void
- unlimit_sudo(void)
- {
-- struct rlimit inf = { RLIM_INFINITY, RLIM_INFINITY };
- unsigned int idx;
-+ int rc;
- debug_decl(unlimit_sudo, SUDO_DEBUG_UTIL)
-
- /* Set resource limits to unlimited and stash the old values. */
- for (idx = 0; idx < nitems(saved_limits); idx++) {
- struct saved_limit *lim = &saved_limits[idx];
-- if (getrlimit(lim->resource, &lim->limit) == -1)
-+ if (getrlimit(lim->resource, &lim->oldlimit) == -1)
- continue;
- lim->saved = true;
-- if (setrlimit(lim->resource, &inf) == -1) {
-- struct rlimit rl = lim->limit;
-- rl.rlim_cur = rl.rlim_max;
-- if (setrlimit(lim->resource, &rl) == -1)
-- sudo_warn("setrlimit(%d)", lim->resource);
-+ if (lim->newlimit.rlim_cur != RLIM_INFINITY) {
-+ /* Don't reduce the soft resource limit. */
-+ if (lim->oldlimit.rlim_cur == RLIM_INFINITY ||
-+ lim->oldlimit.rlim_cur > lim->newlimit.rlim_cur)
-+ lim->newlimit.rlim_cur = lim->oldlimit.rlim_cur;
-+ }
-+ if (lim->newlimit.rlim_max != RLIM_INFINITY) {
-+ /* Don't reduce the hard resource limit. */
-+ if (lim->oldlimit.rlim_max == RLIM_INFINITY ||
-+ lim->oldlimit.rlim_max > lim->newlimit.rlim_max)
-+ lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
-+ }
-+ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
-+ if (lim->fallback != NULL)
-+ rc = setrlimit(lim->resource, lim->fallback);
-+ if (rc == -1) {
-+ /* Try setting new rlim_cur to old rlim_max. */
-+ lim->newlimit.rlim_cur = lim->oldlimit.rlim_max;
-+ lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
-+ rc = setrlimit(lim->resource, &lim->newlimit);
-+ }
-+ if (rc == -1)
-+ sudo_warn("setrlimit(%s)", lim->name);
- }
- }
-
-@@ -194,8 +232,8 @@
- for (idx = 0; idx < nitems(saved_limits); idx++) {
- struct saved_limit *lim = &saved_limits[idx];
- if (lim->saved) {
-- if (setrlimit(lim->resource, &lim->limit) == -1)
-- sudo_warn("setrlimit(%d)", lim->resource);
-+ if (setrlimit(lim->resource, &lim->oldlimit) == -1)
-+ sudo_warn("setrlimit(%s)", lim->name);
- }
- }
- restore_coredump();