Bug 54643 - pam_limits does not handle nproc correctly
pam_limits does not handle nproc correctly
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: pam (Show other bugs)
6.2
i386 Linux
medium Severity high
: ---
: ---
Assigned To: Tomas Mraz
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-10-15 05:27 EDT by John Newbigin
Modified: 2007-04-18 12:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-10-20 04:05:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description John Newbigin 2001-10-15 05:27:32 EDT
Description of Problem:
When a nproc limit is set, it is checked for the root user, not the user attempting to log in.

Version-Release number of selected component (if applicable):
pam-0.72-20.6.x

How Reproducible:


Steps to Reproduce:
1. Add this line to /etc/security/limits.conf "<username> hard nproc 10"
2. Count how many root processes there are
3. Count how many <username> processes there are
2. Try to log in.  If root has more that 10 processes then the user can not log in

Actual Results:


Expected Results:


Additional Information:
I think this has been resolved in newer versions of PAM.
Comment 1 John Newbigin 2001-10-16 01:48:11 EDT
Under redhat 7.1, this works when you add the change_uid to the pam config file.  There should then be an option in authconfig 
which will produce an appropriate system-auth file.

This is option is not available under 6.2
Comment 2 Karel Zak 2004-09-09 04:31:37 EDT
I think it's bug in modules/pam_limits/pam_limits.c in function
init_limits() that calls getrlimit() without real UID essure. For
example for standard login is this function called with UID=0 for
standard user. It's wrong because getrlimit(2) returns RLIMIT_NPROC
information for real proces UID.

For example login by ssh is OK, beacuse it use pam probably by other
way than login (login run under UID=0).

I think pam_limits.so (and others modules) should be check/fix for
which UID load information from system.
Comment 3 Karel Zak 2004-09-09 07:50:42 EDT
Next note: this "bug" never appear in new code because getrlimit()
call is used for first limit initialization and it's overwritten by
limits.conf setting or root's limits are used as default for new
session. A little funny is code logic that sometimes load system
limits for root (login) and sometimes for real user (sshd).

Note You need to log in before you can comment on or make changes to this bug.