Bug 116133 - pam_limits.so does not pick up unlimited settings
pam_limits.so does not pick up unlimited settings
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam (Show other bugs)
3.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Jay Turner
:
: 113335 157294 (view as bug list)
Depends On:
Blocks: 116727
  Show dependency treegraph
 
Reported: 2004-02-18 10:36 EST by Neil Horman
Modified: 2015-01-07 19:07 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-08-18 16:02:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch to recognize unlimited settings. (3.01 KB, patch)
2004-02-18 10:37 EST, Neil Horman
no flags Details | Diff

  None (edit)
Description Neil Horman 2004-02-18 10:36:45 EST
Description of problem:
the RHEL3 version of pam_limits.so does not appear to properly set
limits which have been set to unlimited.

Version-Release number of selected component (if applicable):
0.75

How reproducible:
always

Steps to Reproduce:
1.configure /etc/security/limits.conf to set a limit to unlimited for
some user (I tested with memlock and as)
2.log in with that user
3.
  
Actual results:
ulimit -a shows the corresponding limits are unchanged

Expected results:
ulimit -a should show configured limits as unlimited

Additional info:
Comment 1 Neil Horman 2004-02-18 10:37:54 EST
Created attachment 97798 [details]
patch to recognize unlimited settings.

This patch picks up the unlimited settings in limits.conf and properly sets the
corresponding limit value to RLIM_INFINITY
Comment 4 Jay Turner 2004-08-17 16:19:31 EDT
With pam-0.75-57, the soft limits aren't getting picked up when set in
/etc/security/limits.conf, no matter if they are set to "unlimited" or
to a real value.  'ulimit -Sa' will display the default limit, which
'ulimit -Ha' will display whatever hard limit you've set in the
limits.conf file.  Definitely appears there's still an issue somewhere.
Comment 6 Neil Horman 2004-08-18 09:24:01 EDT
I ran an strace on this, and as it would appear, the problem is not in
pam incorrectly setting limits, but rather bash resetting the specific
soft core file limit.  Further testing shows that this patch correctly
allows other limits to be set to unlimited correctly.  I'm moving this
back to modified, and opening a new bug on bash for the RLIMIT core issue.
Comment 7 Neil Horman 2004-08-18 10:26:16 EDT
nevermind on the new bash bug.  Its just /etc/profile explicity
setting the soft limit for core files to 0.  That will always override
the pam_limits settings, as its supposed to.
Comment 8 Jay Turner 2004-08-18 16:02:25 EDT
OK, looks like we've worked out all of the kinks here.  Closing out as
verified with pam-0.75-57.
Comment 9 Neil Horman 2004-08-26 09:39:25 EDT
*** Bug 113335 has been marked as a duplicate of this bug. ***
Comment 10 Jay Turner 2004-09-02 00:09:02 EDT
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2004-347.html
Comment 11 Mads Kiilerich 2004-09-24 05:44:57 EDT
A problem remains: limits are only applied for logins through ssh 
if "UseLogin yes" is set. They should be set without UseLogin too. 
UseLogin disables X11Forwarding forwarding and is thus not an 
option. "UsePrivilegeSeparation no" causes limits to be set 
correctly, but we really do want the privilege separation.

openssh-server-3.6.1p2-33.30.1
pam-0.75-58

Logging in using ssh with UseLogin disabled - limits not set 
correctly:
Using username "mk".
[mk@crunch mk]$ ulimit -l
4
[mk@crunch mk]$ echo $DISPLAY
localhost:10.0
[mk@crunch mk]$ su - mk
Password:
[mk@crunch mk]$ ulimit -l
7000
[mk@crunch mk]$

Logging in using ssh with UseLogin enabled - causes X11 forwarding to 
be disabled:
Using username "mk".
[mk@crunch mk]$ ulimit -l
7000
[mk@crunch mk]$ echo $DISPLAY

[mk@crunch mk]$

Logging in using ssh with UsePrivilegeSeparation disabled - works but 
gives less security:
Using username "mk".
[mk@crunch mk]$ ulimit -l
7000
[mk@crunch mk]$ echo $DISPLAY
localhost:10.0
[mk@crunch mk]$
Comment 12 Jeff Pitman 2005-01-18 03:17:49 EST
Is there another bug addressing comment #11?  Because RHEL3 with the
latest updates, SSH still doesn't allow for application of PAM limits
in the default install.  I consider this a bug.  Especially because
the work-around actually causes a degradation in security to fix it.

Comment 13 Peter Mueller 2005-03-21 13:20:21 EST
Please re-open.  Turning off privsep to enable /etc/security/limits.conf
functionality is a bug.
Comment 14 Paul Dyer 2005-04-07 15:56:49 EDT
From Knowledgebase article ID 3504, updated 9/2/2004

Note: This problem has been fixed in version 3.8 of SSH which may be included in
future releases of Red Hat Enterprise Linux.
Comment 15 Matteo Vescovi 2005-05-11 08:29:23 EDT
*** Bug 157294 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.