Why does running a command in su change the limits?

I'm trying to figure out why su changes the limits, and how to stop this behavior.

This is what I'm seeing today:

# ulimit on host
$ ulimit -n
131072
# ulimit in docker
$ docker run ubuntu bash -c 'ulimit -n'
1048576
# ulimit in sudo
$ docker run ubuntu bash -c 'apt update; apt install sudo; sudo bash -c "ulimit -n"'
...
1048576
# ulimit in su
$ docker run ubuntu su -c bash -c 'ulimit -n'
1024

I ran strace -f su -c bash -c 'echo' |& grep 1024 -C 25 and I can see where it happens, but I don't know why:

openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=977, ...}) = 0
mmap(NULL, 977, PROT_READ, MAP_SHARED, 3, 0) = 0x7f209aea0000
lseek(3, 977, SEEK_SET)                 = 977
munmap(0x7f209aea0000, 977)             = 0
close(3)                                = 0
...
prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024*1024, rlim_max=1024*1024}) = 0  # SET CORRECTLY HERE!!
...
openat(AT_FDCWD, "/proc/1/limits", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(3, "Limit                     Soft L"..., 1024) = 1024
read(3, "  \nMax msgqueue size         819"..., 1024) = 299
read(3, "", 1024)                       = 0
close(3)                                = 0
getpriority(PRIO_PROCESS, 0)            = 20
openat(AT_FDCWD, "/etc/security/limits.conf", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2150, ...}) = 0
read(3, "# /etc/security/limits.conf\n#\n#E"..., 4096) = 2150
read(3, "", 4096)                       = 0
close(3)                                = 0
openat(AT_FDCWD, "/etc/security/limits.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getdents(3, /* 2 entries */, 32768)     = 48
getdents(3, /* 0 entries */, 32768)     = 0
close(3)                                = 0
...
prlimit64(0, RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024*1024}, NULL) = 0  # CHANGED HERE!!
...
setpriority(PRIO_PROCESS, 0, 0)         = 0
openat(AT_FDCWD, "/etc/login.defs", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=10550, ...}) = 0
read(3, "#\n# /etc/login.defs - Configurat"..., 4096) = 4096
read(3, " issuing \n# the \"mesg y\" command"..., 4096) = 4096
close(3)                                = 0
openat(AT_FDCWD, "/etc/login.defs", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=10550, ...}) = 0
read(3, "#\n# /etc/login.defs - Configurat"..., 4096) = 4096
read(3, " issuing \n# the \"mesg y\" command"..., 4096) = 4096
close(3)                                = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=977, ...}) = 0
mmap(NULL, 977, PROT_READ, MAP_SHARED, 3, 0) = 0x7f209aea0000
lseek(3, 977, SEEK_SET)                 = 977
munmap(0x7f209aea0000, 977)             = 0
close(3)                                = 0
umask(022)                              = 022
getuid()                                = 0
openat(AT_FDCWD, "/etc/login.defs", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=10550, ...}) = 0

  • /etc/security/limits.conf is empty (just the default file, which is all comments)
  • /proc/1/limits shows 1048576
  • /etc/login.defs doesn't seem to contain anything limits-related
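
An added example, not part of the original post: a small parser for strace output like the trace above. It classifies each prlimit64 call on RLIMIT_NOFILE as a read or a write (the third argument is the new limit, the fourth receives the old one) and lists the files opened since the previous such call. The sample lines are copied from the trace in the question; the function and field names are this example's own.

```python
import math
import re

# Constructed sample: lines copied from the strace output in the question.
SAMPLE = r'''
prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024*1024, rlim_max=1024*1024}) = 0
openat(AT_FDCWD, "/proc/1/limits", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/security/limits.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/security/limits.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
prlimit64(0, RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024*1024}, NULL) = 0
openat(AT_FDCWD, "/etc/login.defs", O_RDONLY) = 3
'''

PRLIMIT = re.compile(r'prlimit64\(\d+, (RLIMIT_\w+), (NULL|\{[^}]*\}), (NULL|\{[^}]*\})\)')
OPENAT = re.compile(r'openat\(AT_FDCWD, "([^"]+)"')
PAIR = re.compile(r'rlim_cur=([^,]+), rlim_max=([^}]+)')

def to_int(expr):
    """strace prints limits as products (1024*1024) or RLIM64_INFINITY."""
    if "INFINITY" in expr:
        return math.inf
    return math.prod(int(f) for f in expr.split("*"))

def trace_rlimit(text, resource="RLIMIT_NOFILE"):
    """Classify each prlimit64 call on `resource` as a get or a set, and
    attach the files opened since the previous such call."""
    events, opened = [], []
    for line in text.splitlines():
        if (m := OPENAT.search(line)):
            opened.append(m.group(1))
            continue
        m = PRLIMIT.search(line)
        if not m or m.group(1) != resource:
            continue
        new, old = m.group(2), m.group(3)
        # new == NULL means the call only reads the current limit.
        op, struct = ("get", old) if new == "NULL" else ("set", new)
        if struct == "NULL":  # prlimit64(..., NULL, NULL): nothing to report
            continue
        soft, hard = (to_int(v.strip()) for v in PAIR.search(struct).groups())
        events.append({"op": op, "soft": soft, "hard": hard, "opened_before": opened})
        opened = []
    return events

if __name__ == "__main__":
    for event in trace_rlimit(SAMPLE):
        print(event)
```

To use it on a live trace, pass the captured output of strace -f as the text argument; lines prefixed with [pid N] are matched as well.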