Red Hat Bugzilla – Bug 54643
pam_limits does not handle nproc correctly
Last modified: 2007-04-18 12:37:36 EDT
Description of Problem:
When a nproc limit is set, it is checked for the root user, not the user attempting to log in.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Add this line to /etc/security/limits.conf "<username> hard nproc 10"
2. Count how many root processes there are
3. Count how many <username> processes there are
4. Try to log in. If root has more than 10 processes then the user cannot log in
I think this has been resolved in newer versions of PAM.
Under Red Hat 7.1, this works when you add the change_uid to the pam config file. There should then be an option in authconfig
which will produce an appropriate system-auth file.
This option is not available under 6.2
I think it's a bug in modules/pam_limits/pam_limits.c, in the function
init_limits(), which calls getrlimit() without ensuring the real UID. For
example, for a standard login this function is called with UID=0 for
a standard user. That's wrong because getrlimit(2) returns RLIMIT_NPROC
information for the real process UID.
For example, login by ssh is OK, because it probably uses PAM in a
different way than login (login runs under UID=0).
I think pam_limits.so (and other modules) should be checked/fixed with
regard to which UID they load information from the system for.
Next note: this "bug" never appears in the new code, because the getrlimit()
call is used for the first limit initialization and it is overwritten by
the limits.conf setting, or root's limits are used as the default for the new
session. What is a little funny is the code logic that sometimes loads system
limits for root (login) and sometimes for the real user (sshd).
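
The behaviour discussed in the comments above, as an added example (not code from PAM or from this bug report): getrlimit() has no UID parameter and reports the limits of the calling process, so a session child starts from whatever its parent had and only a configured resource is overwritten. The function names are hypothetical, and the nproc value 10 is taken from the reproduction step.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Soft limit of the calling process; getrlimit() takes no UID argument. */
static rlim_t own_soft_limit(int resource)
{
    struct rlimit rl;
    return getrlimit(resource, &rl) == 0 ? rl.rlim_cur : 0;
}

/* Hypothetical helper: fork a "session" child, overwrite one configured
 * resource there (as a limits.conf entry would), and return the child's
 * soft limit for `query`. Unconfigured resources keep the inherited value. */
static rlim_t session_soft_limit(int query, int conf_resource, rlim_t conf_value)
{
    int fds[2];
    rlim_t result = 0;
    if (pipe(fds) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return 0; }
    if (pid == 0) {
        struct rlimit rl;
        close(fds[0]);
        getrlimit(conf_resource, &rl);       /* inherited starting point */
        if (conf_value > rl.rlim_max)        /* unprivileged: cannot raise hard limit */
            conf_value = rl.rlim_max;
        rl.rlim_cur = rl.rlim_max = conf_value;
        setrlimit(conf_resource, &rl);       /* affects this child only */
        result = own_soft_limit(query);
        _exit(write(fds[1], &result, sizeof result) == (ssize_t)sizeof result ? 0 : 1);
    }
    close(fds[1]);
    if (read(fds[0], &result, sizeof result) != (ssize_t)sizeof result) result = 0;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    printf("caller  nofile soft=%llu\n", (unsigned long long)own_soft_limit(RLIMIT_NOFILE));
    printf("session nofile soft=%llu (inherited from caller)\n",
           (unsigned long long)session_soft_limit(RLIMIT_NOFILE, RLIMIT_NPROC, 10));
    printf("session nproc  soft=%llu (overwritten by config)\n",
           (unsigned long long)session_soft_limit(RLIMIT_NPROC, RLIMIT_NPROC, 10));
    return 0;
}
```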