Bug 113559

Description of problem:

pam_limits is incompatible with privsep. If privsep is in use
following message is logged:

Jan 15 00:21:32 hibernia sshd[20396]: fatal: PAM session setup
failed[6]: Permission denied

And ssh login fails. The problem obviously being that pam_limits may
need elevated privileges itself in order to set limits.

To work around this either:

- do not use ssh with privsep

or

- chmod o-r /etc/security/limits.conf (

I notice Fedora seems to ship with the latter work around enabled.
However, this in itself is a problem as it silently ignores the limits
configuration. I'm not sure there is an easy solution to this - the
privilege seperated daemon (running as user) would need privileges
needed to set limits, possibly easiest solution would be for the
privsep'd daemon to retain CAP_SYS_RESOURCE until after it has
completed PAM authentication.

Version-Release number of selected component (if applicable):

pam-0.77-15
openssh-server-3.6.1p2-19

How reproducible:

100%.

Steps to Reproduce:
1. run ssh server in privsep mode
2. configure pam_limits for ssh service make sure limits.conf is
readable to all
3. try to ssh to the server.
  
Actual results:

authentication succeeds, session setup fails, ssh session is dropped.

Expected results:

ssh session is created and user is able to login via ssh.

Additional info:

none.