Bug 113335
Summary: | mlock value in limits.conf has no effect on ulimit -l | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 3 | Reporter: | Greg Marsden <greg.marsden> |
Component: | pam | Assignee: | Nalin Dahyabhai <nalin> |
Status: | CLOSED DUPLICATE | QA Contact: | Jay Turner <jturner> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 3.0 | CC: | guru.anbalagane, jcaruso, srevivo |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2006-02-21 19:00:43 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Greg Marsden
2004-01-12 20:15:03 UTC
"UsePrivilegeSeparation yes" does solve the problem, and uncovers why this is happening: because ssh forks of a child process to handle the authentication, that child process invokes the PAM routines but doesn't have the permissions to set the proper ulimit values. Then when the process returns, ssh assumes that the limits have been set already, and doesn't invoke the PAM stuff again. In this case, whatever ulimit values are set when ssh is invoked, these values are passed along to the new login session (this is not correct). The "right" way to get around this is to tell sshd "UseLogin yes", as this will reinvoke the pam limits stuff after the authentication process returns. The real right way, though, would be to fix either pam or ssh to ensure that the right limits are set. That should read "UsePrivilegeSeparation no" in the first line. This is fixed in SSH version 3.8, not sure if it's been packaged for distribution though. Me too. This bug can have *very* serious implications for Oracle sites running large SGAs; see bug 127897 for details. *** This bug has been marked as a duplicate of 116133 *** Changed to 'CLOSED' state since 'RESOLVED' has been deprecated. |