`sudo --login --user USERNAME` throws `setrlimit(RLIMIT_CORE): Operation not permitted` error when run inside a container.

Bug #1857036 reported by Thomas Ward on 2019-12-19
This bug affects 13 people
Affects: sudo (Ubuntu) | Importance: Undecided | Assigned to: Unassigned
Affects: Focal | Importance: High | Assigned to: Bryce Harrington
Affects: Groovy | Importance: Undecided | Assigned to: Unassigned

Bug Description

[Impact]
Logging in as a sudo user in an Ubuntu Focal Linux container displays a
warning:

  sudo: setrlimit(RLIMIT_CORE): Operation not permitted

The warning is entirely unnecessary - the container is trying to adjust
RLIMIT_CORE, but this isn't allowed inside a container anyway.

While this is "just" a warning, logging into a container as sudo is a
very common practice, so this warning risks creating confusion for LTS
users.

[Test Case]
$ lxc launch ubuntu:20.04/amd64 sudo-sru-lp1857036-test
$ lxc shell sudo-sru-lp1857036-test

# sudo --login --user ubuntu
sudo: setrlimit(RLIMIT_CORE): Operation not permitted
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
$ logout

Enable -proposed and update
# apt-get install sudo

# sudo --login --user ubuntu
$

[Regression Potential]
As this only affects printing of a couple warnings, the only behavioral
change is in stderr output.

[Discussion]
This changes a couple warnings into equivalent debug printfs, which
brings the sudo behavior in-line with the behavior in groovy, bionic,
etc. and should cause no troubles.

This patch originates from upstream, and is already in groovy's sudo
package (which thus can be seen not to exhibit the issue).

The upstream patch includes some new debug prints which should be
harmless but are unnecessary to the fix so they've been removed.

[Original Report]
When using `sudo --login --user USERNAME` with Ubuntu Focal currently, it will correctly operate but it will also throw the following error before continuing with the logon process (which completes successfully except for the stated error):

sudo: setrlimit(RLIMIT_CORE): Operation not permitted

A full run of this was tested in a Focal LXD container after dropping to a root shell to reproduce (arstotzka is the host system, focal-test is the test container):

teward@arstotzka:~$ lxc shell focal-test
root@focal-test:~# sudo --login --user ubuntu
sudo: setrlimit(RLIMIT_CORE): Operation not permitted
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ubuntu@focal-test:~$

This appears to be similar to this issue identified on Red Hat's tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1773148

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: sudo 1.8.29-1ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-72.81-generic 4.15.18
Uname: Linux 4.15.0-72-generic x86_64
ApportVersion: 2.20.11-0ubuntu14
Architecture: amd64
Date: Thu Dec 19 17:16:31 2019
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=C.UTF-8
 SHELL=/bin/bash
SourcePackage: sudo
UpgradeStatus: No upgrade log present (probably fresh install)
VisudoCheck:
 /etc/sudoers: parsed OK
 /etc/sudoers.d/90-cloud-init-users: parsed OK
 /etc/sudoers.d/README: parsed OK

Thomas Ward (teward) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sudo (Ubuntu):
status: New → Confirmed
Raman Sarda (theloudspeaker) wrote :

This also affects other non-debian/non-ubuntu distros.

https://bugzilla.redhat.com/show_bug.cgi?id=1773148

Thomas Ward (teward) on 2019-12-19
description: updated
Bryce Harrington (bryce) wrote :

The suggested workaround to put "Set disable_coredump false" into /etc/sudo.conf appears to work for me for suppressing the warning in focal lxc containers.

Patel (gp451ly) wrote :

From the Red Hat bug report, this seems to be fixed in sudo-1.8.31p1-1.fc30

Bryce Harrington (bryce) wrote :

Confirmed, I still was able to reproduce this on groovy with sudo 1.8.31-1ubuntu1, but groovy is now updated to 1.9.0-1ubuntu1 and now the behavior is correct.

From the bug report mentioned in comment #3, I found the commit with the corresponding patch.

I've added a focal bug task and marked the groovy one fixed. Although it's just a warning, it's pretty noticeable and could cause confusion so I think an SRU may be warranted.

Changed in sudo (Ubuntu Groovy):
status: Confirmed → Fix Released
Changed in sudo (Ubuntu Focal):
status: New → Triaged
Bryce Harrington (bryce) on 2020-07-15
description: updated
Changed in sudo (Ubuntu Focal):
assignee: nobody → Bryce Harrington (bryce)
importance: Undecided → High
Bryce Harrington (bryce) on 2020-07-15
description: updated
Bryce Harrington (bryce) on 2020-07-15
Changed in sudo (Ubuntu Focal):
status: Triaged → In Progress
Bryce Harrington (bryce) on 2020-07-16
Changed in sudo (Ubuntu Focal):
status: In Progress → Fix Committed
Simon Déziel (sdeziel) wrote :

Thanks Bryce for the PPA. I can confirm it does work:

# reproduce the problem:
root@sudo-sru-lp1857036-test:~# sudo true
sudo: setrlimit(RLIMIT_CORE): Operation not permitted

# get the fix from the PPA:
root@sudo-sru-lp1857036-test:~# apt-add-repository -yus ppa:bryce/sudo-sru-lp1857036-setrlimit-in-lxc
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [107 kB]
Get:2 http://ppa.launchpad.net/bryce/sudo-sru-lp1857036-setrlimit-in-lxc/ubuntu focal InRelease [17.6 kB]
Hit:3 http://archive.ubuntu.com/ubuntu focal InRelease
Get:4 http://archive.ubuntu.com/ubuntu focal-updates InRelease [111 kB]
Get:5 http://ppa.launchpad.net/bryce/sudo-sru-lp1857036-setrlimit-in-lxc/ubuntu focal/main Sources [864 B]
Get:6 http://ppa.launchpad.net/bryce/sudo-sru-lp1857036-setrlimit-in-lxc/ubuntu focal/main amd64 Packages [756 B]
Get:7 http://ppa.launchpad.net/bryce/sudo-sru-lp1857036-setrlimit-in-lxc/ubuntu focal/main Translation-en [528 B]
Get:8 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [261 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal-updates/main Translation-en [102 kB]
Get:10 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [28.4 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal-updates/restricted Translation-en [7,560 B]
Fetched 637 kB in 2s (389 kB/s)
Reading package lists... Done
root@sudo-sru-lp1857036-test:~# apt-get install -V sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
   sudo (1.8.31-1ubuntu1 => 1.8.31-1ubuntu2~focal1)
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,320 kB of archives.
After this operation, 1,849 kB of additional disk space will be used.
Get:1 http://ppa.launchpad.net/bryce/sudo-sru-lp1857036-setrlimit-in-lxc/ubuntu focal/main amd64 sudo amd64 1.8.31-1ubuntu2~focal1 [1,320 kB]
Fetched 1,320 kB in 3s (495 kB/s)
(Reading database ... 16712 files and directories currently installed.)
Preparing to unpack .../sudo_1.8.31-1ubuntu2~focal1_amd64.deb ...
Unpacking sudo (1.8.31-1ubuntu2~focal1) over (1.8.31-1ubuntu1) ...
Setting up sudo (1.8.31-1ubuntu2~focal1) ...

# confirm the fix:
root@sudo-sru-lp1857036-test:~# sudo true
root@sudo-sru-lp1857036-test:~#

Hello Thomas, or anyone else affected,

Accepted sudo into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sudo/1.8.31-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

description: updated
tags: added: verification-needed verification-needed-focal
Simon Déziel (sdeziel) wrote :

[Test Case]
$ lxc launch ubuntu:20.04/amd64 sudo-sru-lp1857036-test
$ lxc shell sudo-sru-lp1857036-test

Reproduce the problem

root@sudo-sru-lp1857036-test:~# sudo true
sudo: setrlimit(RLIMIT_CORE): Operation not permitted

Enable -proposed and update

root@sudo-sru-lp1857036-test:~# apt install -V sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
   sudo (1.8.31-1ubuntu1 => 1.8.31-1ubuntu1.1)
1 upgraded, 0 newly installed, 0 to remove and 17 not upgraded.
Need to get 513 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 sudo amd64 1.8.31-1ubuntu1.1 [513 kB]
Fetched 513 kB in 1s (576 kB/s)
(Reading database ... 14621 files and directories currently installed.)
Preparing to unpack .../sudo_1.8.31-1ubuntu1.1_amd64.deb ...
Unpacking sudo (1.8.31-1ubuntu1.1) over (1.8.31-1ubuntu1) ...
Setting up sudo (1.8.31-1ubuntu1.1) ...

Check if the fix works

root@sudo-sru-lp1857036-test:~# sudo true
root@sudo-sru-lp1857036-test:~#

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.8.31-1ubuntu1.1

---------------
sudo (1.8.31-1ubuntu1.1) focal; urgency=medium

  * d/p/ignore-rlimit-core-failure.patch: Ignore a failure to restore the
    RLIMIT_CORE resource limit. Linux containers don't allow RLIMIT_CORE
    to be set back to RLIM_INFINITY if we set the limit to zero, even for
    root. RLIMIT_NPROC is also not allowed to be set back. This is not a
    problem outside the container.
    (LP: #1857036)

 -- Bryce Harrington <email address hidden> Wed, 15 Jul 2020 00:17:58 +0000

Changed in sudo (Ubuntu Focal):
status: Fix Committed → Fix Released
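
The behaviour named in the changelog above, as an added example that is not sudo's source and is not part of the original report: a process drops RLIMIT_CORE to zero, tries to put the saved limit back, and treats the EPERM it gets without CAP_SYS_RESOURCE (for example root in an unprivileged container) as a debug-level event instead of a warning. The function names, the enum and the debug_enabled flag are hypothetical.

```c
/* Added illustration, not sudo's code; all names here are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

enum restore_result { RESTORE_OK = 0, RESTORE_DENIED = 1, RESTORE_ERROR = -1 };

static int debug_enabled = 0;   /* stands in for a debug-log setting */

/* EPERM on restore is expected when the hard limit was lowered and the
 * process lacks CAP_SYS_RESOURCE; anything else is a real error. */
enum restore_result classify_restore(int rc, int err)
{
    if (rc == 0)
        return RESTORE_OK;
    return err == EPERM ? RESTORE_DENIED : RESTORE_ERROR;
}

/* Set RLIMIT_CORE to zero (soft and hard), then try to restore it. */
enum restore_result core_limit_round_trip(void)
{
    struct rlimit saved, zero = { 0, 0 };

    if (getrlimit(RLIMIT_CORE, &saved) == -1)
        return RESTORE_ERROR;
    if (setrlimit(RLIMIT_CORE, &zero) == -1)    /* lowering needs no privilege */
        return RESTORE_ERROR;

    int rc = setrlimit(RLIMIT_CORE, &saved);    /* raising the hard limit does */
    int err = errno;
    enum restore_result res = classify_restore(rc, err);

    if (res == RESTORE_DENIED && debug_enabled)
        fprintf(stderr, "debug: RLIMIT_CORE not restored: %s\n", strerror(err));
    else if (res == RESTORE_ERROR)
        fprintf(stderr, "warning: setrlimit(RLIMIT_CORE): %s\n", strerror(err));
    return res;
}

int main(void)
{
    /* 0 = restored, 1 = restore denied and ignored, -1 = unexpected error */
    printf("restore result: %d\n", core_limit_round_trip());
    return 0;
}
```

When the result is 1, the process keeps running with core dumps disabled, which is the state the limit was lowered to reach in the first place.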

The verification of the Stable Release Update for sudo has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
