From 5e692576c956c28fad7da09f0ec2e4c9713b386f Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 20 Aug 2019 07:25:53 -0600
Subject: [PATCH] Restore core dump resource limit before the PAM session module is run. Otherwise, we may override the limits set by PAM. Bug #894
---
 src/exec.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/exec.c b/src/exec.c
index 8acbf9ec1..2c663168d 100644
--- a/src/exec.c
+++ b/src/exec.c
@@ -119,10 +119,6 @@ exec_setup(struct command_details *details, const char *ptyname, int ptyfd)
 }
 #endif
- /* Restore coredumpsize resource limit before running. */
- if (sudo_conf_disable_coredump())
- disable_coredump(true);
-
 if (details->pw != NULL) {
 #ifdef HAVE_PROJECT_H
 set_project(details->pw);
@@ -410,6 +406,13 @@ sudo_execute(struct command_details *details, struct command_status *cstat)
 }
 }
+ /*
+ * Restore coredumpsize resource limit before running.
+ * We must do this *before* calling the PAM session module.
+ */
+ if (sudo_conf_disable_coredump())
+ disable_coredump(true);
+
 /*
 * Run the command in a new pty if there is an I/O plugin or the policy
 * has requested a pty. If /dev/tty is unavailable and no I/O plugin
--
2.40.0
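Review bot: In the second hunk the restore now runs in sudo_execute(), which looks like an earlier and longer-lived context than exec_setup(), so the core-dump limit that was deliberately disabled is back in force for everything sudo_execute() does afterwards, not only for the command being launched. Both function bodies continue outside the hunks, so this is inferred rather than shown. It is worth confirming that nothing sensitive is still held in memory on that path, or that core dumps of the supervising process are prevented some other way. The new comment also says the ordering is required but not why; the commit message has the reason, so consider `* We must do this *before* calling the PAM session module, otherwise we would override a core limit that PAM set (Bug #894).`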