Bug 173807 - runuser does not set per-process limits
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: coreutils
Version: 4
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Tim Waugh
Reported: 2005-11-21 09:50 EST by Mihai Ibanescu
Modified: 2007-11-30 17:11 EST
Fixed In Version: 5.93-4.1
Doc Type: Bug Fix
Last Closed: 2005-12-12 12:43:55 EST

Attachments
Patch to make runuser use pam for setting limits. (3.41 KB, patch)
2005-11-22 08:03 EST, Russell Coker
suggested pam config file for runuser (157 bytes, text/plain)
2005-11-22 08:06 EST, Russell Coker

Description Mihai Ibanescu 2005-11-21 09:50:58 EST
Trying to get a daemon to increase the number of maximum file descriptors
(daemon running as non-root).

According to rcoker's description:

"runuser was designed to not call any PAM functions, so it is working
according to design in this regard (it's pam_limits.so which interprets
the limits.conf file).

You make a good case for a change to runuser in this regard.  There are
three options IMHO.  One option is to use pam for all operations
(runuser running as root will meet the criteria of pam_rootok.so so
nothing will be prevented), NB if we do this then we will not be calling
pam_selinux.so.  Another option is to just hard-code a call to
pam_limits.so which will do what you want.  A third option is to use pam
for the session option but not for auth etc (which may not be much
different to the first option in practice)."
Comment 1 Russell Coker 2005-11-22 08:03:37 EST
Created attachment 121342
Patch to make runuser use pam for setting limits.

This patch removes the need for a runuser.c file.  The file su.c will contain
all the necessary code.  It also contains a patch for the Makefile, I'm not
sure how to get this into the automake system.  Maybe we should just fork su.c.
Comment 2 Russell Coker 2005-11-22 08:06:39 EST
Created attachment 121343
suggested pam config file for runuser
Comment 3 Tim Waugh 2005-11-24 12:27:29 EST
Thanks.  I'm testing out an automake-aware version.
Comment 4 Tim Waugh 2005-11-24 18:09:40 EST
Building 5.93-4.
Comment 5 Robert Scheck 2005-11-26 11:06:43 EST
Is it possible to change the runuser.pamd file to the following:

#%PAM-1.0
auth            sufficient      pam_rootok.so
session         required        pam_limits.so
session         required        pam_unix.so

Or is there a special reason to keep "/lib/security/$ISA/"? Currently, none of 
my /etc/pam.d/* files includes the path anyway? At least I found the following 
information in the pam rpm changelog:

* Mon Dec 02 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-45
- create /lib/security, even if it isn't /%{_lib}/security, because we
  can't locate /lib/security/$ISA without it (noted by Arnd Bergmann)
- clear out the duplicate docs directory created during %install

[...]

* Tue Oct 22 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-43
- patch to interpret $ISA in case the fist module load attempt fails
- use $ISA in default configs
Comment 6 Russell Coker 2005-11-26 15:56:32 EST
There is no special reason to have "/lib/security/$ISA/", it works fine 
without it.  I copied data from /etc/pam.d/system-auth which has those paths, 
it was probably a mistake.  I've reopened the bug as I think that Robert is 
correct and the full paths should be removed. 
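
Added example, not part of this bug thread or of the coreutils package: a small Python check for the two points raised in Comments 5 and 6, namely whether a runuser-style PAM service file has a session pam_limits.so rule and whether any rule hard-codes a module path such as /lib/security/$ISA/. The sample files are constructed, the function names are hypothetical, and backslash line continuations are not handled.

```python
import re

# Constructed sample service files (not the attachment from this bug).
PROPOSED = """#%PAM-1.0
auth            sufficient      pam_rootok.so
session         required        pam_limits.so
session         required        pam_unix.so
"""
WITH_PATHS = """#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
session    required     /lib/security/$ISA/pam_unix.so
"""

# type, control (plain word or [bracketed] form), module path, optional args
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) tuples, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE.match(line)
        if m:
            rules.append((m.group(1).lstrip("-"), m.group(2), m.group(3), m.group(4)))
    return rules

def audit(text):
    """Return findings for a runuser-style PAM service file."""
    rules = parse_pam(text)
    findings = []
    session = [(c, mod) for t, c, mod, _ in rules if t == "session"]
    if not any(mod.rsplit("/", 1)[-1] == "pam_limits.so" for _, mod in session):
        if any(c in ("include", "substack") for c, _ in session):
            findings.append("session stack is included: check that file for pam_limits.so")
        else:
            findings.append("no session pam_limits.so: limits.conf is not applied")
    for t, _, mod, _ in rules:
        if mod.startswith("/"):
            findings.append(f"{t} rule hard-codes module path {mod}")
    return findings

if __name__ == "__main__":
    for name, text in (("proposed", PROPOSED), ("with paths", WITH_PATHS)):
        print(name, audit(text) or "ok")
```
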
Comment 7 Tim Waugh 2005-12-02 12:06:50 EST
Fixed in CVS.
Comment 8 Tim Waugh 2005-12-12 12:43:55 EST
Fixed package is coreutils-5.93-4.1.
