Bug 54643 - pam_limits does not handle nproc correctly
Summary: pam_limits does not handle nproc correctly
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 6.2
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2001-10-15 09:27 UTC by John Newbigin
Modified: 2007-04-18 16:37 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2004-10-20 08:05:25 UTC
Embargoed:



Description John Newbigin 2001-10-15 09:27:32 UTC
Description of Problem:
When a nproc limit is set, it is checked for the root user, not the user attempting to log in.

Version-Release number of selected component (if applicable):
pam-0.72-20.6.x

How Reproducible:


Steps to Reproduce:
1. Add this line to /etc/security/limits.conf "<username> hard nproc 10"
2. Count how many root processes there are
3. Count how many <username> processes there are
4. Try to log in.  If root has more than 10 processes then the user cannot log in

Actual Results:


Expected Results:


Additional Information:
I think this has been resolved in newer versions of PAM.

Comment 1 John Newbigin 2001-10-16 05:48:11 UTC
Under Red Hat 7.1, this works when you add the change_uid to the pam config file.  There should then be an option in authconfig which will produce an appropriate system-auth file.

This option is not available under 6.2

Comment 2 Karel Zak 2004-09-09 08:31:37 UTC
I think it's a bug in modules/pam_limits/pam_limits.c, in the function
init_limits(), which calls getrlimit() without ensuring the real UID. For
example, for a standard login this function is called with UID=0 for a
standard user. That's wrong because getrlimit(2) returns RLIMIT_NPROC
information for the real process UID.

For example, login by ssh is OK, because it probably uses pam in a
different way than login (login runs under UID=0).

I think pam_limits.so (and other modules) should be checked/fixed for
which UID they load information from the system.

Comment 3 Karel Zak 2004-09-09 11:50:42 UTC
Next note: this "bug" never appears in the new code, because the getrlimit()
call is used for the first limit initialization and it's overwritten by the
limits.conf setting, or root's limits are used as the default for the new
session. A little funny is the code logic that sometimes loads system
limits for root (login) and sometimes for the real user (sshd).
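
Added example, not part of the original bug report or of the PAM source: Comments 2 and 3 turn on whose limits getrlimit() reports, and this C program shows that RLIMIT_NPROC values are per-process state inherited across fork(), so a child standing in for the new session starts with its caller's limits and changes only its own. SAMPLE_NPROC and session_limit_is_isolated() are hypothetical names; the value 10 mirrors the limits.conf line in the report and is applied here as a soft limit so the program runs without privileges.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample value, mirroring "<username> hard nproc 10" in the report. */
#define SAMPLE_NPROC 10

/* Fork a child standing in for the new session. Returns 1 if the child
 * inherited the caller's RLIMIT_NPROC, could apply its own value, and the
 * caller's limits stayed unchanged; 0 if not; -1 on a system call error. */
int session_limit_is_isolated(void)
{
    struct rlimit caller, after;
    if (getrlimit(RLIMIT_NPROC, &caller) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit seen, want;
        if (getrlimit(RLIMIT_NPROC, &seen) != 0)
            _exit(2);
        if (seen.rlim_cur != caller.rlim_cur || seen.rlim_max != caller.rlim_max)
            _exit(1);                     /* limits were not inherited */
        want = seen;
        if (want.rlim_cur > SAMPLE_NPROC)
            want.rlim_cur = SAMPLE_NPROC; /* lowering a soft limit needs no privilege */
        if (setrlimit(RLIMIT_NPROC, &want) != 0 ||
            getrlimit(RLIMIT_NPROC, &seen) != 0)
            _exit(2);
        _exit(seen.rlim_cur == want.rlim_cur ? 0 : 1);
    }

    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) ||
        WEXITSTATUS(status) == 2)
        return -1;
    if (getrlimit(RLIMIT_NPROC, &after) != 0)
        return -1;
    /* The child's setrlimit() must not have changed the caller's values. */
    return WEXITSTATUS(status) == 0 &&
           after.rlim_cur == caller.rlim_cur && after.rlim_max == caller.rlim_max;
}

int main(void) { printf("isolated: %d\n", session_limit_is_isolated()); return 0; }
```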

