Description of problem: the RHEL3 version of pam_limits.so does not appear to properly set limits which have been set to unlimited. Version-Release number of selected component (if applicable): 0.75 How reproducible: always Steps to Reproduce: 1.configure /etc/security/limits.conf to set a limit to unlimited for some user (I tested with memlock and as) 2.log in with that user 3. Actual results: ulimit -a shows the corresponding limits are unchanged Expected results: ulimit -a should show configured limits as unlimited Additional info:
Created attachment 97798 [details] patch to recognize unlimited settings. This patch picks up the unlimited settings in limits.conf and properly sets the corresponding limit value to RLIM_INFINITY
With pam-0.75-57, the soft limits aren't getting picked up when set in /etc/security/limits.conf, no matter if they are set to "unlimited" or to a real value. 'ulimit -Sa' will display the default limit, which 'ulimit -Ha' will display whatever hard limit you've set in the limits.conf file. Definitely appears there's still an issue somewhere.
I ran an strace on this, and as it would appear, the problem is not in pam incorrectly setting limits, but rather bash resetting the specific soft core file limit. Further testing shows that this patch correctly allows other limits to be set to unlimited correctly. I'm moving this back to modified, and opening a new bug on bash for the RLIMIT core issue.
nevermind on the new bash bug. Its just /etc/profile explicity setting the soft limit for core files to 0. That will always override the pam_limits settings, as its supposed to.
OK, looks like we've worked out all of the kinks here. Closing out as verified with pam-0.75-57.
*** Bug 113335 has been marked as a duplicate of this bug. ***
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2004-347.html
A problem remains: limits are only applied for logins through ssh if "UseLogin yes" is set. They should be set without UseLogin too. UseLogin disables X11Forwarding forwarding and is thus not an option. "UsePrivilegeSeparation no" causes limits to be set correctly, but we really do want the privilege separation. openssh-server-3.6.1p2-33.30.1 pam-0.75-58 Logging in using ssh with UseLogin disabled - limits not set correctly: Using username "mk". [mk@crunch mk]$ ulimit -l 4 [mk@crunch mk]$ echo $DISPLAY localhost:10.0 [mk@crunch mk]$ su - mk Password: [mk@crunch mk]$ ulimit -l 7000 [mk@crunch mk]$ Logging in using ssh with UseLogin enabled - causes X11 forwarding to be disabled: Using username "mk". [mk@crunch mk]$ ulimit -l 7000 [mk@crunch mk]$ echo $DISPLAY [mk@crunch mk]$ Logging in using ssh with UsePrivilegeSeparation disabled - works but gives less security: Using username "mk". [mk@crunch mk]$ ulimit -l 7000 [mk@crunch mk]$ echo $DISPLAY localhost:10.0 [mk@crunch mk]$
Is there another bug addressing comment #11? Because RHEL3 with the latest updates, SSH still doesn't allow for application of PAM limits in the default install. I consider this a bug. Especially because the work-around actually causes a degradation in security to fix it.
Please re-open. Turning off privsep to enable /etc/security/limits.conf functionality is a bug.
From Knowledgebase article ID 3504, updated 9/2/2004 Note: This problem has been fixed in version 3.8 of SSH which may be included in future releases of Red Hat Enterprise Linux.
*** Bug 157294 has been marked as a duplicate of this bug. ***