Trying to get a daemon to increase the number of maximum file descriptors (daemon running as non-root). According to rcoker's description: "runuser was designed to not call any PAM functions, so it is working according to design in this regard (it's pam_limits.so which interprets the limits.conf file). You make a good case for a change to runuser in this regard. There are three options IMHO. One option is to use pam for all operations (runuser running as root will meet the criteria of pam_rootok.so so nothing will be prevented), NB if we do this then we will not be calling pam_selinux.so. Another option is to just hard-code a call to pam_limits.so which will do what you want. A third option is to use pam for the session option but not for auth etc (which may not be much different to the first option in practice)."
Created attachment 121342: Patch to make runuser use pam for setting limits. This patch removes the need for a runuser.c file. The file su.c will contain all the necessary code. It also contains a patch for the Makefile, I'm not sure how to get this into the automake system. Maybe we should just fork su.c.
Created attachment 121343: suggested pam config file for runuser
Thanks. I'm testing out an automake-aware version.
Building 5.93-4.
Is it possible to change the runuser.pamd file to the following:
    #%PAM-1.0
    auth sufficient pam_rootok.so
    session required pam_limits.so
    session required pam_unix.so
Or is there a special reason to keep "/lib/security/$ISA/"? Currently, none of my /etc/pam.d/* files includes the path anyway? At least I found the following information in the pam rpm changelog:
    * Mon Dec 02 2002 Nalin Dahyabhai <nalin> 0.75-45
    - create /lib/security, even if it isn't /%{_lib}/security, because we can't locate /lib/security/$ISA without it (noted by Arnd Bergmann)
    - clear out the duplicate docs directory created during %install
    [...]
    * Tue Oct 22 2002 Nalin Dahyabhai <nalin> 0.75-43
    - patch to interpret $ISA in case the fist module load attempt fails
    - use $ISA in default configs
There is no special reason to have "/lib/security/$ISA/", it works fine without it. I copied data from /etc/pam.d/system-auth which has those paths, it was probably a mistake. I've reopened the bug as I think that Robert is correct and the full paths should be removed.
Fixed in CVS.
Fixed package is coreutils-5.93-4.1.
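A config-side check for the two points raised in this thread (pam_limits.so present in the session stack, and module paths pinned to /lib/security/$ISA/), as an added example that is not part of the bug report or of coreutils. The `WITH_PATHS` sample is constructed, since the original file's exact content is not shown in the thread; `parse_pam` and `audit` are hypothetical helper names.

```python
import posixpath
import re

# Constructed sample: a runuser PAM file with module paths copied from
# system-auth, as the thread describes (exact original content is assumed).
WITH_PATHS = """#%PAM-1.0
auth     sufficient /lib/security/$ISA/pam_rootok.so
session  required   /lib/security/$ISA/pam_limits.so
session  required   /lib/security/$ISA/pam_unix.so
"""

# The simplified file proposed in the thread.
PROPOSED = """#%PAM-1.0
auth sufficient pam_rootok.so
session required pam_limits.so
session required pam_unix.so
"""

# type, control (simple word or [value=action ...]), module, optional args
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return (type, control, module, args) for every rule line."""
    rules = []
    # A backslash-newline continues a rule; '#' starts a comment.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE.match(line)
        if m:
            mtype, control, module, args = m.groups()
            rules.append((mtype.lower(), control, module, args.split()))
    return rules


def audit(text):
    """Report whether limits.conf can take effect and which paths are pinned."""
    rules = parse_pam(text)
    includes = [m for _, c, m, _ in rules if c in ("include", "substack")]
    return {
        # pam_limits.so only acts from the session stack.
        "limits_in_session": any(
            t == "session" and posixpath.basename(m) == "pam_limits.so"
            for t, _, m, _ in rules),
        # Absolute module paths tie the file to one library directory.
        "hardcoded_paths": [m for _, c, m, _ in rules
                            if "/" in m and c not in ("include", "substack")],
        # Included files are not read here and need their own audit.
        "unresolved_includes": includes,
    }
```

This only inspects the configuration; limits are applied only if the program actually opens a PAM session, which is the behaviour this bug added to runuser.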