Bug 173807 - runuser does not set per-process limits
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: coreutils
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tim Waugh
Reported: 2005-11-21 14:50 UTC by Mihai Ibanescu
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 5.93-4.1
Doc Type: Bug Fix
Last Closed: 2005-12-12 17:43:55 UTC


Attachments
Patch to make runuser use pam for setting limits. (3.41 KB, patch)
2005-11-22 13:03 UTC, Russell Coker
suggested pam config file for runuser (157 bytes, text/plain)
2005-11-22 13:06 UTC, Russell Coker

Description Mihai Ibanescu 2005-11-21 14:50:58 UTC
Trying to get a daemon to increase the number of maximum file descriptors
(daemon running as non-root).

According to rcoker's description:

"runuser was designed to not call any PAM functions, so it is working
according to design in this regard (it's pam_limits.so which interprets
the limits.conf file).

You make a good case for a change to runuser in this regard.  There are
three options IMHO.  One option is to use pam for all operations
(runuser running as root will meet the criteria of pam_rootok.so so
nothing will be prevented), NB if we do this then we will not be calling
pam_selinux.so.  Another option is to just hard-code a call to
pam_limits.so which will do what you want.  A third option is to use pam
for the session option but not for auth etc (which may not be much
different to the first option in practice).
"

Comment 1 Russell Coker 2005-11-22 13:03:37 UTC
Created attachment 121342
Patch to make runuser use pam for setting limits.

This patch removes the need for a runuser.c file.  The file su.c will contain
all the necessary code.  It also contains a patch for the Makefile, I'm not
sure how to get this into the automake system.  Maybe we should just fork su.c.

Comment 2 Russell Coker 2005-11-22 13:06:39 UTC
Created attachment 121343
suggested pam config file for runuser

Comment 3 Tim Waugh 2005-11-24 17:27:29 UTC
Thanks.  I'm testing out an automake-aware version.

Comment 4 Tim Waugh 2005-11-24 23:09:40 UTC
Building 5.93-4.

Comment 5 Robert Scheck 2005-11-26 16:06:43 UTC
Is it possible to change the runuser.pamd file to the following:

#%PAM-1.0
auth            sufficient      pam_rootok.so
session         required        pam_limits.so
session         required        pam_unix.so

Or is there a special reason to keep "/lib/security/$ISA/"? Currently, none of 
my /etc/pam.d/* files includes the path anyway? At least I found the following 
information in the pam rpm changelog:

* Mon Dec 02 2002 Nalin Dahyabhai <nalin> 0.75-45
- create /lib/security, even if it isn't /%{_lib}/security, because we
  can't locate /lib/security/$ISA without it (noted by Arnd Bergmann)
- clear out the duplicate docs directory created during %install

[...]

* Tue Oct 22 2002 Nalin Dahyabhai <nalin> 0.75-43
- patch to interpret $ISA in case the fist module load attempt fails
- use $ISA in default configs

Comment 6 Russell Coker 2005-11-26 20:56:32 UTC
There is no special reason to have "/lib/security/$ISA/", it works fine 
without it.  I copied data from /etc/pam.d/system-auth which has those paths, 
it was probably a mistake.  I've reopened the bug as I think that Robert is 
correct and the full paths should be removed. 

Comment 7 Tim Waugh 2005-12-02 17:06:50 UTC
Fixed in CVS.

Comment 8 Tim Waugh 2005-12-12 17:43:55 UTC
Fixed package is coreutils-5.93-4.1.
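
Added example (not part of the original bug report, and not code from coreutils or PAM): a small check for a PAM service file covering the two points raised in this thread, namely whether the session stack calls pam_limits.so and whether modules are referenced by a hard-coded path such as /lib/security/$ISA/. The function names parse_pam and lint, and the CONSTRUCTED sample, are assumptions made for illustration; COMMENT_5 is the configuration quoted in Comment 5.

```python
import posixpath
import re

# Rule line: optional "-", type, control (word or [bracketed]), module, args.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
DELEGATING = ("include", "substack")  # controls that pull in another file

def parse_pam(text):
    """Return (type, control, module, args) tuples from a PAM service file."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. "#%PAM-1.0"
        m = RULE.match(line)
        if m:
            rules.append((m.group(1).lower(), m.group(2), m.group(3), m.group(4)))
    return rules

def lint(text):
    """Hypothetical helper: report the two issues discussed in this bug."""
    findings = []
    rules = parse_pam(text)
    session = [r for r in rules if r[0] == "session"]
    has_limits = any(posixpath.basename(r[2]) == "pam_limits.so" for r in session)
    delegated = any(r[1] in DELEGATING for r in session)
    if not has_limits:
        findings.append(
            "session stack is included from another file: check it for pam_limits.so"
            if delegated else
            "no session pam_limits.so: limits.conf is not applied")
    for typ, control, module, _ in rules:
        if control not in DELEGATING and module.startswith("/"):
            findings.append(f"{typ} {posixpath.basename(module)}: "
                            f"hard-coded module path {module}")
    return findings

# Configuration proposed in Comment 5 (copied from the page).
COMMENT_5 = """#%PAM-1.0
auth            sufficient      pam_rootok.so
session         required        pam_limits.so
session         required        pam_unix.so
"""
# Constructed sample: full $ISA paths and no pam_limits line.
CONSTRUCTED = """#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
session    required     /lib/security/$ISA/pam_unix.so
"""

if __name__ == "__main__":
    for name, cfg in (("comment 5", COMMENT_5), ("constructed", CONSTRUCTED)):
        print(name, lint(cfg) or "ok")
```

To check an installed system, pass the contents of the service file (for example /etc/pam.d/runuser) to lint().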

