Bug 116133 - pam_limits.so does not pick up unlimited settings
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Jay Turner
Duplicates: 113335 157294
Depends On:
Blocks: 116727
Reported: 2004-02-18 15:36 UTC by Neil Horman
Modified: 2018-12-01 18:00 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2004-08-18 20:02:25 UTC
Target Upstream Version:

Attachments:
patch to recognize unlimited settings. (3.01 KB, patch)
2004-02-18 15:37 UTC, Neil Horman

External tracker:
System: Red Hat Product Errata; ID: RHEA-2004:347; Private: 0; Priority: normal; Status: SHIPPED_LIVE; Summary: Updated pam packages; Last Updated: 2004-09-02 04:00:00 UTC

Description Neil Horman 2004-02-18 15:36:45 UTC
Description of problem:
The RHEL3 version of pam_limits.so does not appear to properly set
limits which have been set to unlimited.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure /etc/security/limits.conf to set a limit to unlimited for
some user (I tested with memlock and as)
2. Log in with that user
Actual results:
ulimit -a shows the corresponding limits are unchanged

Expected results:
ulimit -a should show configured limits as unlimited

Additional info:

Comment 1 Neil Horman 2004-02-18 15:37:54 UTC
Created attachment 97798
patch to recognize unlimited settings.

This patch picks up the unlimited settings in limits.conf and properly sets the
corresponding limit value to RLIM_INFINITY
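
Added example (not the attached patch, which is not reproduced on this page, and not pam's own code): a small C parser for limits.conf lines that maps "unlimited" to RLIM_INFINITY, the behaviour Comment 1 describes. It assumes the "infinity" and "-1" spellings and the KB units for memlock/as documented in limits.conf(5); the struct, function names and the user "alice" are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
/* One parsed limits.conf entry (hypothetical helper type for this example). */
struct parsed { int resource; int soft; int hard; rlim_t value; };
/* Subset of items; kb=1 means limits.conf states the value in KB. */
static const struct { const char *name; int resource; int kb; } items[] = {
    { "memlock", RLIMIT_MEMLOCK, 1 }, { "as", RLIMIT_AS, 1 },
    { "core", RLIMIT_CORE, 1 },       { "nofile", RLIMIT_NOFILE, 0 },
};

/* Value field -> rlim_t. Keywords first: strtoull("unlimited") would yield 0. */
static int parse_value(const char *s, int kb, rlim_t *out) {
    char *end = NULL;
    unsigned long long v = 0;
    int inf = !strcmp(s, "unlimited") || !strcmp(s, "infinity") || !strcmp(s, "-1");
    if (!inf) {
        if (*s < '0' || *s > '9') return -1;   /* reject words and signs */
        v = strtoull(s, &end, 10);
        if (*end != '\0') return -1;           /* reject trailing garbage */
    }
    if (inf || (kb && v > RLIM_INFINITY / 1024)) *out = RLIM_INFINITY;
    else *out = (rlim_t)(kb ? v * 1024 : v);   /* KB -> bytes where needed */
    return 0;
}

/* Parse "<domain> <type> <item> <value>"; 0 if it applies to user, else -1. */
int parse_limits_line(const char *line, const char *user, struct parsed *p) {
    char dom[64], type[8], item[32], val[32];
    size_t i;
    if (sscanf(line, "%63s %7s %31s %31s", dom, type, item, val) != 4) return -1;
    if (dom[0] == '#' || (strcmp(dom, user) && strcmp(dom, "*"))) return -1;
    p->soft = !strcmp(type, "soft") || !strcmp(type, "-");
    p->hard = !strcmp(type, "hard") || !strcmp(type, "-");
    if (!p->soft && !p->hard) return -1;       /* unknown limit type */
    for (i = 0; i < sizeof items / sizeof items[0]; i++)
        if (!strcmp(item, items[i].name)) {
            p->resource = items[i].resource;
            return parse_value(val, items[i].kb, &p->value);
        }
    return -1;
}

int main(void) {
    struct parsed p; /* constructed sample line and user name */
    int rc = parse_limits_line("alice hard memlock unlimited", "alice", &p);
    printf("rc=%d infinite=%d\n", rc, rc == 0 && p.value == RLIM_INFINITY);
    return rc != 0;
}
```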

Comment 4 Jay Turner 2004-08-17 20:19:31 UTC
With pam-0.75-57, the soft limits aren't getting picked up when set in
/etc/security/limits.conf, no matter if they are set to "unlimited" or
to a real value.  'ulimit -Sa' will display the default limit, while
'ulimit -Ha' will display whatever hard limit you've set in the
limits.conf file.  Definitely appears there's still an issue somewhere.

Comment 6 Neil Horman 2004-08-18 13:24:01 UTC
I ran an strace on this, and as it would appear, the problem is not in
pam incorrectly setting limits, but rather bash resetting the specific
soft core file limit.  Further testing shows that this patch correctly
allows other limits to be set to unlimited correctly.  I'm moving this
back to modified, and opening a new bug on bash for the RLIMIT core issue.

Comment 7 Neil Horman 2004-08-18 14:26:16 UTC
Never mind on the new bash bug.  It's just /etc/profile explicitly
setting the soft limit for core files to 0.  That will always override
the pam_limits settings, as it's supposed to.

Comment 8 Jay Turner 2004-08-18 20:02:25 UTC
OK, looks like we've worked out all of the kinks here.  Closing out as
verified with pam-0.75-57.

Comment 9 Neil Horman 2004-08-26 13:39:25 UTC
*** Bug 113335 has been marked as a duplicate of this bug. ***

Comment 10 Jay Turner 2004-09-02 04:09:02 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.


Comment 11 Mads Kiilerich 2004-09-24 09:44:57 UTC
A problem remains: limits are only applied for logins through ssh 
if "UseLogin yes" is set. They should be set without UseLogin too. 
UseLogin disables X11Forwarding forwarding and is thus not an 
option. "UsePrivilegeSeparation no" causes limits to be set 
correctly, but we really do want the privilege separation.


Logging in using ssh with UseLogin disabled - limits not set 
Using username "mk".
[mk@crunch mk]$ ulimit -l
[mk@crunch mk]$ echo $DISPLAY
[mk@crunch mk]$ su - mk
[mk@crunch mk]$ ulimit -l
[mk@crunch mk]$

Logging in using ssh with UseLogin enabled - causes X11 forwarding to 
be disabled:
Using username "mk".
[mk@crunch mk]$ ulimit -l
[mk@crunch mk]$ echo $DISPLAY

[mk@crunch mk]$

Logging in using ssh with UsePrivilegeSeparation disabled - works but 
gives less security:
Using username "mk".
[mk@crunch mk]$ ulimit -l
[mk@crunch mk]$ echo $DISPLAY
[mk@crunch mk]$

Comment 12 Jeff Pitman 2005-01-18 08:17:49 UTC
Is there another bug addressing comment #11?  Because RHEL3 with the
latest updates, SSH still doesn't allow for application of PAM limits
in the default install.  I consider this a bug.  Especially because
the work-around actually causes a degradation in security to fix it.

Comment 13 Peter Mueller 2005-03-21 18:20:21 UTC
Please re-open.  Turning off privsep to enable /etc/security/limits.conf
functionality is a bug.

Comment 14 Paul Dyer 2005-04-07 19:56:49 UTC
From Knowledgebase article ID 3504, updated 9/2/2004

Note: This problem has been fixed in version 3.8 of SSH which may be included in
future releases of Red Hat Enterprise Linux.

Comment 15 Matteo Vescovi 2005-05-11 12:29:23 UTC
*** Bug 157294 has been marked as a duplicate of this bug. ***
