Coredump size limit forced to 0 for non-root users

vadhvis

vadhvis

Hello there, I'm having the weirdest problem with an old Freebsd 12.2 install.
On non root users only ulimit -c and limits -c return 0.
If I run ulimit -c unlimited it returns:
Code: 
ulimit: core file size: cannot modify limit: Operation not permitted

limits -c unlimited seems to be working but when i check the limit is back to 0. Same thing goes for ulimit -Hc.
I already checked login.conf and the default class has unlimited set. Here's the file contents:

Code: 
# login.conf - login class capabilities database.
#
# Remember to rebuild the database after each change to this file:
#
#       cap_mkdb /etc/login.conf
#
# This file controls resource limits, accounting limits and
# default user environment settings.
#
# $FreeBSD: releng/12.2/usr.bin/login/login.conf 357789 2020-02-12 02:04:03Z kevans $
#

# Default settings effectively disable resource limits, see the
# examples below for a starting point to enable them.

# defaults
# These settings are used by login(1) by default for classless users
# Note that entries like "cputime" set both "cputime-cur" and "cputime-max"
#
# Note that since a colon ':' is used to separate capability entries,
# a \c escape sequence must be used to embed a literal colon in the
# value or name of a capability (see the ``CGETNUM AND CGETSTR SYNTAX
# AND SEMANTICS'' section of getcap(3) for more escape sequences).

default:\
        :passwd_format=sha512:\
        :copyright=/etc/COPYRIGHT:\
        :welcome=/etc/motd:\
        :setenv=BLOCKSIZE=K:\
        :mail=/var/mail/$:\
        :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
        :nologin=/var/run/nologin:\
        :cputime=unlimited:\
        :datasize=unlimited:\
        :stacksize=unlimited:\
        :memorylocked=64K:\
        :memoryuse=unlimited:\
        :filesize=unlimited:\
        :coredumpsize=unlimited:\
        :coredumpsize-max=unlimited:\
        :openfiles=unlimited:\
        :maxproc=unlimited:\
        :sbsize=unlimited:\
        :vmemoryuse=unlimited:\
        :swapuse=unlimited:\
        :pseudoterminals=unlimited:\
        :kqueues=unlimited:\
        :umtxp=unlimited:\
        :priority=0:\
        :ignoretime@:\
        :umask=022:


#
# A collection of common class names - forward them all to 'default'
# (login would normally do this anyway, but having a class name
#  here suppresses the diagnostic)
#
standard:\
        :tc=default:
xuser:\
        :tc=default:
staff:\
        :tc=default:
daemon:\
        :mail@:\
        :memorylocked=128M:\
        :tc=default:
news:\
        :tc=default:
dialer:\
        :tc=default:

#
# Root can always login
#
# N.B.  login_getpwclass(3) will use this entry for the root account,
#       in preference to 'default'.
root:\
        :ignorenologin:\
        :memorylocked=unlimited:\
        :tc=default:

#
# Russian Users Accounts. Setup proper environment variables.
#
russian|Russian Users Accounts:\
        :charset=UTF-8:\
        :lang=ru_RU.UTF-8:\
        :tc=default:


######################################################################
######################################################################
##
## Example entries
##
######################################################################
######################################################################

## Example defaults
## These settings are used by login(1) by default for classless users
## Note that entries like "cputime" set both "cputime-cur" and "cputime-max"
#
#default:\
#       :cputime=infinity:\
#       :datasize-cur=22M:\
#       :stacksize-cur=8M:\
#       :memorylocked-cur=10M:\
#       :memoryuse-cur=30M:\
#       :filesize=infinity:\
#       :coredumpsize=infinity:\
#       :maxproc-cur=64:\
#       :openfiles-cur=64:\
#       :priority=0:\
#       :requirehome@:\
#       :umask=022:\
#       :tc=auth-defaults:
#
#
##
## standard - standard user defaults
##
#standard:\
#       :copyright=/etc/COPYRIGHT:\
#       :welcome=/etc/motd:\
#       :setenv=BLOCKSIZE=K:\
#       :mail=/var/mail/$:\
#       :path=~/bin /bin /usr/bin /usr/local/bin:\
#       :manpath=/usr/share/man /usr/local/man:\
#       :nologin=/var/run/nologin:\
#       :cputime=1h30m:\
#       :datasize=8M:\
#       :vmemoryuse=100M:\
#       :stacksize=2M:\
#       :memorylocked=4M:\
#       :memoryuse=8M:\
#       :filesize=8M:\
#       :coredumpsize=8M:\
#       :openfiles=24:\
#       :maxproc=32:\
#       :priority=0:\
#       :requirehome:\
#       :passwordtime=90d:\
#       :umask=002:\
#       :ignoretime@:\
#       :tc=default:
#
#
##
## users of X (needs more resources!)
##
#xuser:\
#       :manpath=/usr/share/man /usr/local/man:\
#       :cputime=4h:\
#       :datasize=12M:\
#       :vmemoryuse=infinity:\
#       :stacksize=4M:\
#       :filesize=8M:\
#       :memoryuse=16M:\
#       :openfiles=32:\
#       :maxproc=48:\
#       :tc=standard:
#
#
##
## Staff users - few restrictions and allow login anytime
##
#staff:\
#       :ignorenologin:\
#       :ignoretime:\
#       :requirehome@:\
#       :accounted@:\
#       :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
#       :umask=022:\
#       :tc=standard:
#
#
##
## root - fallback for root logins
##
#root:\
#       :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
#       :cputime=infinity:\
#       :datasize=infinity:\
#       :stacksize=infinity:\
#       :memorylocked=infinity:\
#       :memoryuse=infinity:\
#       :filesize=infinity:\
#       :coredumpsize=infinity:\
#       :openfiles=infinity:\
#       :maxproc=infinity:\
#       :memoryuse-cur=32M:\
#       :maxproc-cur=64:\
#       :openfiles-cur=1024:\
#       :priority=0:\
#       :requirehome@:\
#       :umask=022:\
#       :tc=auth-root-defaults:
#
#
##
## Settings used by /etc/rc
##
#daemon:\
#       :coredumpsize@:\
#       :coredumpsize-cur=0:\
#       :datasize=infinity:\
#       :datasize-cur@:\
#       :maxproc=512:\
#       :maxproc-cur@:\
#       :memoryuse-cur=64M:\
#       :memorylocked-cur=64M:\
#       :openfiles=1024:\
#       :openfiles-cur@:\
#       :stacksize=16M:\
#       :stacksize-cur@:\
#       :tc=default:
#
#
##
## Settings used by news subsystem
##
#news:\
#       :path=/usr/local/news/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
#       :cputime=infinity:\
#       :filesize=128M:\
#       :datasize-cur=64M:\
#       :stacksize-cur=32M:\
#       :coredumpsize-cur=0:\
#       :maxmemorysize-cur=128M:\
#       :memorylocked=32M:\
#       :maxproc=128:\
#       :openfiles=256:\
#       :tc=default:
#
#
##
## The dialer class should be used for a dialup PPP account
## Welcome messages/news suppressed
##
#dialer:\
#       :hushlogin:\
#       :requirehome@:\
#       :cputime=unlimited:\
#       :filesize=2M:\
#       :datasize=2M:\
#       :stacksize=4M:\
#       :coredumpsize=0:\
#       :memoryuse=4M:\
#       :memorylocked=1M:\
#       :maxproc=16:\
#       :openfiles=32:\
#       :tc=standard:
#
#
##
## Site full-time 24/7 PPP connection
## - no time accounting, restricted to access via dialin lines
##
#site:\
#       :ignoretime:\
#       :passwordtime@:\
#       :refreshtime@:\
#       :refreshperiod@:\
#       :sessionlimit@:\
#       :autodelete@:\
#       :expireperiod@:\
#       :graceexpire@:\
#       :gracetime@:\
#       :warnexpire@:\
#       :warnpassword@:\
#       :idletime@:\
#       :sessiontime@:\
#       :daytime@:\
#       :weektime@:\
#       :monthtime@:\
#       :warntime@:\
#       :accounted@:\
#       :tc=dialer:\
#       :tc=staff:
#
#
##
## Example standard accounting entries for subscriber levels
##
#
#subscriber|Subscribers:\
#       :accounted:\
#       :refreshtime=180d:\
#       :refreshperiod@:\
#       :sessionlimit@:\
#       :autodelete=30d:\
#       :expireperiod=180d:\
#       :graceexpire=7d:\
#       :gracetime=10m:\
#       :warnexpire=7d:\
#       :warnpassword=7d:\
#       :idletime=30m:\
#       :sessiontime=4h:\
#       :daytime=6h:\
#       :weektime=40h:\
#       :monthtime=120h:\
#       :warntime=4h:\
#       :tc=standard:
#
#
##
## Subscriber accounts. These accounts have their login times
## accounted and have access limits applied.
##
#subppp|PPP Subscriber Accounts:\
#       :tc=dialer:\
#       :tc=subscriber:
#
#
#subshell|Shell Subscriber Accounts:\
#       :tc=subscriber:
#
##
## If you want some of the accounts to use traditional UNIX DES based
## password hashes.
##
#des_users:\
#       :passwd_format=des:\
#       :tc=default:

Any ideas? I really don't know what could be causing this.
 
No longer supported by the Security Officer, still, it's thought-provoking. I thought first of release notes, nothing there to explain it:

Code: 
% rg --sort path --count ulimit /usr/doc/website/content/en/releases
/usr/doc/website/content/en/releases/4.5R/cd2.txt:2
/usr/doc/website/content/en/releases/4.6R/cd2.txt:2
%
 
I'm aware that freebsd 12 is beyond support, sadly I'm not authorized to upgrade this machine.
Any pointer would be helpful
 
Hi
What shell do you use for non-root users?

In case of csh:
Code: 
root@initr0 ~> which ulimit
/usr/bin/ulimit
ulimit is a command, not builtin, also 'type ulimit' show opposite.

I think it's better to use
unlimit [-hf] [resource]
Removes the limitation on resource or, if no resource is speci-
fied, all resource limitations. With -h, the corresponding
hard limits are removed. Only the super-user may do this.
Note that unlimit may not exit successful, since most systems
do not allow descriptors to be unlimited. With -f errors are ignored.

but it requires root privileges

In case of bash:
I have found in manual
The special limit values hard, soft, and unlimited stand for the current hard limit, the current soft limit, and no limit, respectively. A hard limit cannot be increased by a non-root user once it is set; a soft limit may be increased up to the value of the hard limit.

It's like problem lays in privileges
 
dark.initr0 said:
Hi
What shell do you use for non-root users?

In case of csh:
Code: 
root@initr0 ~> which ulimit
/usr/bin/ulimit
ulimit is a command, not builtin, also 'type ulimit' show opposite.

I think it's better to use
unlimit [-hf] [resource]
Removes the limitation on resource or, if no resource is speci-
fied, all resource limitations. With -h, the corresponding
hard limits are removed. Only the super-user may do this.
Note that unlimit may not exit successful, since most systems
do not allow descriptors to be unlimited. With -f errors are ignored.

but it requires root privileges

In case of bash:
I have found in manual
The special limit values hard, soft, and unlimited stand for the current hard limit, the current soft limit, and no limit, respectively. A hard limit cannot be increased by a non-root user once it is set; a soft limit may be increased up to the value of the hard limit.

It's like problem lays in privileges
Click to expand...
I'm using bash, but the problem seems to be present with csh too.
It's worth noting also that this problem seems to be present with every non-root user, both system ones and newly created users. I did test already creating a new user and checking the limit there: always 0.
Hard is set to 0 too.

I tried running (in csh)
Code: 
# unlimit -hf coredumpsize
But it doesn't seem like it made any difference
Of course as non root i get:
Code: 
% unlimit -hf coredumpsize                                                                                                         
unlimit: coredumpsize: Can't remove hard limit (Operation not permitted)
 
Update: Since I had this problem with a brand new machine I was pushed into investigating more.
The problem seems to be
sudo: When running sudo bash ulimit reports 0, however switching user with su works completely fine.

Now this is not a dealbreaker in any way but I would still like sudo to work correctly. If anyone has a solution that'd be welcome.
 
You must log in or register to reply here.
Back
Top