This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours

Bug 173807

Summary: runuser does not set per-process limits
Product: [Fedora] Fedora Reporter: Mihai Ibanescu <mihai.ibanescu>
Component: coreutilsAssignee: Tim Waugh <twaugh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4CC: rcoker, redhat-bugzilla
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: 5.93-4.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-12-12 12:43:55 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Description Flags
Patch to make runuser use pam for setting limits.
suggested pam config file for runuser none

Description Mihai Ibanescu 2005-11-21 09:50:58 EST
Trying to get a daemon to increase the number of maximum file descriptors
(daemon running as non-root).

According to rcoker's descruption:

"runuser was designed to not call any PAM functions, so it is working
according to design in this regard (it's which interprets
the limits.conf file).

You make a good case for a change to runuser in this regard.  There are
three options IMHO.  One option is to use pam for all operations
(runuser running as root will meet the criteria of so
nothing will be prevented), NB if we do this then we will not be calling  Another option is to just hard-code a call to which will do what you want.  A third option is to use pam
for the session option but not for auth etc (which may not be much
different to the first option in practice).
Comment 1 Russell Coker 2005-11-22 08:03:37 EST
Created attachment 121342 [details]
Patch to make runuser use pam for setting limits.

This patch removes the need for a runuser.c file.  The file su.c will contain
all the necessary code.  It also contains a patch for the Makefile, I'm not
sure how to get this into the automake system.	Maybe we should just fork su.c.
Comment 2 Russell Coker 2005-11-22 08:06:39 EST
Created attachment 121343 [details]
suggested pam config file for runuser
Comment 3 Tim Waugh 2005-11-24 12:27:29 EST
Thanks.  I'm testing out an automake-aware version.
Comment 4 Tim Waugh 2005-11-24 18:09:40 EST
Building 5.93-4.
Comment 5 Robert Scheck 2005-11-26 11:06:43 EST
Is it possible to change the runuser.pamd file to the following:

auth            sufficient
session         required
session         required

Or is there a special reason to keep "/lib/security/$ISA/"? Currently, none of 
my /etc/pam.d/* files includes the path anyway? At least I found the following 
information in the pam rpm changelog:

* Mon Dec 02 2002 Nalin Dahyabhai <> 0.75-45
- create /lib/security, even if it isn't /%{_lib}/security, because we
  can't locate /lib/security/$ISA without it (noted by Arnd Bergmann)
- clear out the duplicate docs directory created during %install


* Tue Oct 22 2002 Nalin Dahyabhai <> 0.75-43
- patch to interpret $ISA in case the fist module load attempt fails
- use $ISA in default configs
Comment 6 Russell Coker 2005-11-26 15:56:32 EST
There is no special reason to have "/lib/security/$ISA/", it works fine 
without it.  I copied data from /etc/pam.d/system-auth which has those paths, 
it was probably a mistake.  I've reopened the bug as I think that Robert is 
correct and the full paths should be removed. 
Comment 7 Tim Waugh 2005-12-02 12:06:50 EST
Fixed in CVS.
Comment 8 Tim Waugh 2005-12-12 12:43:55 EST
Fixed package is coreutils-5.93-4.1.