Bug 173807

Summary: runuser does not set per-process limits
Product: [Fedora] Fedora Reporter: Mihai Ibanescu <mihai.ibanescu>
Component: coreutilsAssignee: Tim Waugh <twaugh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4CC: rcoker, redhat-bugzilla
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 5.93-4.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-12-12 12:43:55 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Attachments:
Description Flags
Patch to make runuser use pam for setting limits.
none
suggested pam config file for runuser none

Description Mihai Ibanescu 2005-11-21 09:50:58 EST 
Trying to get a daemon to increase the number of maximum file descriptors
(daemon running as non-root).

According to rcoker's descruption:

"runuser was designed to not call any PAM functions, so it is working
according to design in this regard (it's pam_limits.so which interprets
the limits.conf file).

You make a good case for a change to runuser in this regard.  There are
three options IMHO.  One option is to use pam for all operations
(runuser running as root will meet the criteria of pam_rootok.so so
nothing will be prevented), NB if we do this then we will not be calling
pam_selinux.so.  Another option is to just hard-code a call to
pam_limits.so which will do what you want.  A third option is to use pam
for the session option but not for auth etc (which may not be much
different to the first option in practice).
"
Comment 1 Russell Coker 2005-11-22 08:03:37 EST 
Created attachment 121342 [details]
Patch to make runuser use pam for setting limits.

This patch removes the need for a runuser.c file.  The file su.c will contain
all the necessary code.  It also contains a patch for the Makefile, I'm not
sure how to get this into the automake system.	Maybe we should just fork su.c.
Comment 2 Russell Coker 2005-11-22 08:06:39 EST 
Created attachment 121343 [details]
suggested pam config file for runuser
Comment 3 Tim Waugh 2005-11-24 12:27:29 EST 
Thanks.  I'm testing out an automake-aware version.
Comment 4 Tim Waugh 2005-11-24 18:09:40 EST 
Building 5.93-4.
Comment 5 Robert Scheck 2005-11-26 11:06:43 EST 
Is it possible to change the runuser.pamd file to the following:

#%PAM-1.0
auth            sufficient      pam_rootok.so
session         required        pam_limits.so
session         required        pam_unix.so

Or is there a special reason to keep "/lib/security/$ISA/"? Currently, none of 
my /etc/pam.d/* files includes the path anyway? At least I found the following 
information in the pam rpm changelog:

* Mon Dec 02 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-45
- create /lib/security, even if it isn't /%{_lib}/security, because we
  can't locate /lib/security/$ISA without it (noted by Arnd Bergmann)
- clear out the duplicate docs directory created during %install

[...]

* Tue Oct 22 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-43
- patch to interpret $ISA in case the fist module load attempt fails
- use $ISA in default configs
Comment 6 Russell Coker 2005-11-26 15:56:32 EST 
There is no special reason to have "/lib/security/$ISA/", it works fine 
without it.  I copied data from /etc/pam.d/system-auth which has those paths, 
it was probably a mistake.  I've reopened the bug as I think that Robert is 
correct and the full paths should be removed.
Comment 7 Tim Waugh 2005-12-02 12:06:50 EST 
Fixed in CVS.
Comment 8 Tim Waugh 2005-12-12 12:43:55 EST 
Fixed package is coreutils-5.93-4.1.