Description of Problem:
When a nproc limit is set, it is checked for the root user, not the user attempting to log in.

Version-Release number of selected component (if applicable):
pam-0.72-20.6.x

How Reproducible:

Steps to Reproduce:
1. Add this line to /etc/security/limits.conf: "<username> hard nproc 10"
2. Count how many root processes there are
3. Count how many <username> processes there are
4. Try to log in. If root has more than 10 processes, then the user cannot log in

Actual Results:

Expected Results:

Additional Information:
I think this has been resolved in newer versions of PAM.

Under Red Hat 7.1, this works when you add the change_uid to the PAM config file. There should then be an option in authconfig which will produce an appropriate system-auth file. This option is not available under 6.2.

I think it's a bug in modules/pam_limits/pam_limits.c, in the function init_limits(), which calls getrlimit() without ensuring the real UID. For example, for a standard login this function is called with UID=0 for a standard user. It's wrong because getrlimit(2) returns RLIMIT_NPROC information for the real process UID. For example, login by ssh is OK, because it probably uses PAM in a different way than login (login runs under UID=0). I think pam_limits.so (and other modules) should be checked and fixed as to which UID they load information from the system for.

Next note: this "bug" never appears in new code because the getrlimit() call is used for the first limit initialization and it's overwritten by the limits.conf setting, or root's limits are used as the default for the new session. A little funny is the code logic that sometimes loads system limits for root (login) and sometimes for the real user (sshd).
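
Added illustration, not part of the thread and not pam_limits source: the values getrlimit() returns are the calling process's own limits, a forked child starts with a copy of them, and lowering RLIMIT_NPROC in the child leaves the parent untouched. The helper name nproc_inherit_demo is hypothetical; 10 is the nproc value from the report.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not pam_limits code). A forked child reads its
 * inherited soft RLIMIT_NPROC, lowers it to `want` (clamped to the hard
 * limit), and sends both values back. out[0] = inherited, out[1] = after
 * setrlimit(). Returns 0 if the parent's own limit is unchanged afterwards. */
int nproc_inherit_demo(rlim_t want, rlim_t out[2])
{
    struct rlimit before, after, rl;
    int fds[2], status;
    pid_t pid;

    if (getrlimit(RLIMIT_NPROC, &before) != 0 || pipe(fds) != 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {                       /* child: stands in for the new session */
        rlim_t vals[2] = {0, 0};
        if (getrlimit(RLIMIT_NPROC, &rl) != 0) _exit(1);
        vals[0] = rl.rlim_cur;            /* copy inherited from the parent */
        rl.rlim_cur = want > rl.rlim_max ? rl.rlim_max : want;
        if (setrlimit(RLIMIT_NPROC, &rl) != 0) _exit(1);
        if (getrlimit(RLIMIT_NPROC, &rl) != 0) _exit(1);
        vals[1] = rl.rlim_cur;            /* value now in force for the child */
        _exit(write(fds[1], vals, sizeof vals) == (ssize_t)sizeof vals ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, 2 * sizeof out[0]);
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    if (n != (ssize_t)(2 * sizeof out[0]) || getrlimit(RLIMIT_NPROC, &after) != 0)
        return -1;
    return (after.rlim_cur == before.rlim_cur && after.rlim_max == before.rlim_max) ? 0 : 1;
}

int main(void)
{
    rlim_t v[2] = {0, 0};
    int rc = nproc_inherit_demo(10, v);   /* 10 is the value from the report */
    printf("rc=%d inherited=%llu child_after=%llu\n", rc,
           (unsigned long long)v[0], (unsigned long long)v[1]);
    return rc;
}
```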