Bug 830259

Summary: /etc/security/limits.conf - only allowed to increase limits once (limit -u) even when set between original soft and hard values.
Product: Red Hat Enterprise Linux 6
Reporter: Everett Bennett <everett.bennett>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Priority: unspecified
Version: 6.2
CC: everett.bennett, luke2261-2017
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-06-11 06:33:27 UTC
Type: Bug

Description Everett Bennett 2012-06-08 16:46:05 UTC
Description of problem:  Settings in /etc/security/limits.conf.

A non-root user cannot change the limit of say, nproc, more than once.
For example, if I have 'soft nproc 32768' and 'hard nproc 262144',
I can set the nproc to any number between 32768 and 262144 once per
login session.  However, once it is set, I cannot exceed the new
number even if it is within the range of the original 'soft' and 'hard'
limits.  Also, note that '*' seems to no longer be accepted
in 'Domain' field.  The '*' worked on a RHEL 5.6 system.


Version-Release number of selected component (if applicable):

- RHEL 6.2 2.6.32-220.17.1.el6.x86_64
- RHEL 5.6 2.6.32-164  ( Note '*' works in this release. )


How reproducible:


Steps to Reproduce:
1.  Edit /etc/security/limits.conf, log into the system and attempt to change limits using the ulimit utility.

Actual results:

1. Edit /etc/security/limits.conf and insert lines as follows.

   *     	soft	nproc	65536
   *    	hard	nproc	262144
   login	soft	nproc	32768
   login 	hard	nproc	262144
2. Login as 'login'
3. ulimit -u 200000
4. ulimit -u 262144
5. ulimit -u 200001
6. ulimit -u 199999
7. ulimit -u 262145
-bash: ulimit: max user processes: cannot modify limit: Operation not permitted
8. ulimit -u 262144
9. ulimit -u 200000
10. ulimit -u 200001
11. ulimit -u 199999

Expected results:

1. Edit /etc/security/limits.conf and insert lines as follows.

   *     	soft	nproc	65536
   *    	hard	nproc	262144
   login	soft	nproc	32768
   login 	hard	nproc	262144
2. Login as 'login'
3. ulimit -u 200000
4. ulimit -u 262144
-bash: ulimit: max user processes: cannot modify limit: Operation not permitted
5. ulimit -u 200001
-bash: ulimit: max user processes: cannot modify limit: Operation not permitted
6. ulimit -u 199999
7. exit, log off, and log back in as 'login'
8. ulimit -u 262145
-bash: ulimit: max user processes: cannot modify limit: Operation not permitted
9. ulimit -u 262144
10. ulimit -u 200000
11. ulimit -u 200001
-bash: ulimit: max user processes: cannot modify limit: Operation not permitted
12. ulimit -u 199999

Additional info:

Apparently, similar issues have existed in other releases of Linux for some time now.  The disabling of the '*' in the Domain field may have been a more recent fix or bug, depending on how you look at it.

Comment 2 Tomas Mraz 2012-06-11 06:33:27 UTC
There is /etc/security/limits.d/90-nproc.conf which overrides your nproc value. If you comment out the line in the file, everything will work as in RHEL-5.

Comment 3 Tomas Mraz 2012-06-11 06:39:34 UTC
Comment #2 was about the "disabling" of the '*'. As for the ulimit semantics change - I am not sure where/if this changed; however, ulimit -u will set both hard and soft limits, and the hard limit cannot be raised, only lowered. Using ulimit -Su will change only the soft limit, giving you the semantics you expect.
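
The semantics described in comment 3, as an added example that is not part of the original bug report: it replays the reporter's sequence through setrlimit(2) in a forked child, once the way `ulimit -u` sets both limits and once the way `ulimit -Su` sets only the soft limit. The values are derived from the hard limit of the process running it (262144 is used only if that limit is unlimited), and `replay` and `sample_values` are names made up for this example.

```python
import json
import os
import resource

RES = resource.RLIMIT_NPROC  # the limit behind `ulimit -u` and the nproc item


def replay(steps):
    """Apply (mode, value) steps in a forked child; return one result per step.

    mode "both" mirrors `ulimit -u N` (soft and hard set together);
    mode "soft" mirrors `ulimit -Su N` (hard limit left as it is).
    """
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: its limits are private, the caller's stay untouched
        out = []
        for mode, value in steps:
            hard = resource.getrlimit(RES)[1]
            new = (value, value) if mode == "both" else (value, hard)
            try:
                resource.setrlimit(RES, new)
                ok = True
            except (ValueError, OSError):  # EPERM or EINVAL from setrlimit(2)
                ok = False
            soft, hard = resource.getrlimit(RES)
            out.append({"mode": mode, "value": value, "ok": ok,
                        "soft": soft, "hard": hard})
        os.write(wfd, json.dumps(out).encode())
        os._exit(0)
    os.close(wfd)
    with os.fdopen(rfd) as pipe:
        data = pipe.read()
    os.waitpid(pid, 0)
    return json.loads(data)


def sample_values():
    """Return (top, mid): the current hard limit (262144 if unlimited) and half of it."""
    hard = resource.getrlimit(RES)[1]
    top = 262144 if hard == resource.RLIM_INFINITY else hard
    return top, top // 2


if __name__ == "__main__":
    top, mid = sample_values()
    for mode in ("both", "soft"):
        for r in replay([(mode, v) for v in (mid, top, mid + 1, mid - 1)]):
            print(f"{r['mode']:>4} {r['value']:>7} ok={r['ok']} soft={r['soft']} hard={r['hard']}")
```

Run as an unprivileged user, the "both" pass is denied at its second and third steps because the first step already lowered the hard limit, while every step of the "soft" pass succeeds.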

Comment 4 Everett Bennett, Jr. 2012-06-12 16:34:15 UTC
Thanks for the info.  Apparently, one should re-read man pages on occasion.
My other objection was to document this issue as it appeared to be an issue in google search land.