Bug 116133

Summary: pam_limits.so does not pick up unlimited settings
Product: Red Hat Enterprise Linux 3
Reporter: Neil Horman <nhorman>
Component: pam
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Jay Turner <jturner>
Severity: medium
Priority: medium
Version: 3.0
CC: barryn, greg.marsden, matteo.vescovi, mki, nhorman, paul, pmueller, srevivo, symbiont, tao
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2004-08-18 20:02:25 UTC
Bug Blocks: 116727    
Attachments: patch to recognize unlimited settings. (flags: none)

Description Neil Horman 2004-02-18 15:36:45 UTC
Description of problem:
The RHEL3 version of pam_limits.so does not appear to properly set
limits which have been set to unlimited.

Version-Release number of selected component (if applicable):
0.75

How reproducible:
always

Steps to Reproduce:
1. Configure /etc/security/limits.conf to set a limit to unlimited for
   some user (I tested with memlock and as)
2. Log in with that user

Actual results:
ulimit -a shows the corresponding limits are unchanged

Expected results:
ulimit -a should show configured limits as unlimited

Additional info:

Comment 1 Neil Horman 2004-02-18 15:37:54 UTC
Created attachment 97798
patch to recognize unlimited settings.

This patch picks up the unlimited settings in limits.conf and properly sets the
corresponding limit value to RLIM_INFINITY

Comment 4 Jay Turner 2004-08-17 20:19:31 UTC
With pam-0.75-57, the soft limits aren't getting picked up when set in
/etc/security/limits.conf, no matter if they are set to "unlimited" or
to a real value.  'ulimit -Sa' will display the default limit, while
'ulimit -Ha' will display whatever hard limit you've set in the
limits.conf file.  Definitely appears there's still an issue somewhere.

Comment 6 Neil Horman 2004-08-18 13:24:01 UTC
I ran an strace on this, and as it would appear, the problem is not in
pam incorrectly setting limits, but rather bash resetting the specific
soft core file limit.  Further testing shows that this patch correctly
allows other limits to be set to unlimited correctly.  I'm moving this
back to modified, and opening a new bug on bash for the RLIMIT core issue.

Comment 7 Neil Horman 2004-08-18 14:26:16 UTC
Never mind on the new bash bug.  It's just /etc/profile explicitly
setting the soft limit for core files to 0.  That will always override
the pam_limits settings, as it's supposed to.

Comment 8 Jay Turner 2004-08-18 20:02:25 UTC
OK, looks like we've worked out all of the kinks here.  Closing out as
verified with pam-0.75-57.

Comment 9 Neil Horman 2004-08-26 13:39:25 UTC
*** Bug 113335 has been marked as a duplicate of this bug. ***

Comment 10 Jay Turner 2004-09-02 04:09:02 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2004-347.html


Comment 11 Mads Kiilerich 2004-09-24 09:44:57 UTC
A problem remains: limits are only applied for logins through ssh 
if "UseLogin yes" is set. They should be set without UseLogin too. 
UseLogin disables X11 forwarding and is thus not an 
option. "UsePrivilegeSeparation no" causes limits to be set 
correctly, but we really do want the privilege separation.

openssh-server-3.6.1p2-33.30.1
pam-0.75-58

Logging in using ssh with UseLogin disabled - limits not set 
correctly:
Using username "mk".
[mk@crunch mk]$ ulimit -l
4
[mk@crunch mk]$ echo $DISPLAY
localhost:10.0
[mk@crunch mk]$ su - mk
Password:
[mk@crunch mk]$ ulimit -l
7000
[mk@crunch mk]$

Logging in using ssh with UseLogin enabled - causes X11 forwarding to 
be disabled:
Using username "mk".
[mk@crunch mk]$ ulimit -l
7000
[mk@crunch mk]$ echo $DISPLAY

[mk@crunch mk]$

Logging in using ssh with UsePrivilegeSeparation disabled - works but 
gives less security:
Using username "mk".
[mk@crunch mk]$ ulimit -l
7000
[mk@crunch mk]$ echo $DISPLAY
localhost:10.0
[mk@crunch mk]$


Comment 12 Jeff Pitman 2005-01-18 08:17:49 UTC
Is there another bug addressing comment #11?  Because RHEL3 with the
latest updates, SSH still doesn't allow for application of PAM limits
in the default install.  I consider this a bug.  Especially because
the work-around actually causes a degradation in security to fix it.



Comment 13 Peter Mueller 2005-03-21 18:20:21 UTC
Please re-open.  Turning off privsep to enable /etc/security/limits.conf
functionality is a bug.

Comment 14 Paul Dyer 2005-04-07 19:56:49 UTC
From Knowledgebase article ID 3504, updated 9/2/2004

Note: This problem has been fixed in version 3.8 of SSH which may be included in
future releases of Red Hat Enterprise Linux.

Comment 15 Matteo Vescovi 2005-05-11 12:29:23 UTC
*** Bug 157294 has been marked as a duplicate of this bug. ***