Bug 830259 - /etc/security/limits.conf - only allowed to increase limits once (limit -u) even when set between original soft and hard values.
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam
6.2
x86_64 Linux
unspecified Severity low
Assigned To: Tomas Mraz
BaseOS QE Security Team
Reported: 2012-06-08 12:46 EDT by Everett Bennett
Modified: 2012-06-12 12:34 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-11 02:33:27 EDT
Type: Bug
Description Everett Bennett 2012-06-08 12:46:05 EDT
Description of problem:  Settings in /etc/security/limits.conf.

A non-root user cannot change the limit of say, nproc, more than once.
For example, if I have 'soft nproc 32768' and 'hard nproc 262144',
I can set the nproc to any number between 32768 and 262144 once per
login session.  However, once it is set, I cannot exceed the new
number even if it is within the range of the original 'soft' and 'hard'
limits.  Also, note that '*' seems to no longer be accepted
in 'Domain' field.  The '*' worked on a RHEL 5.6 system.


Version-Release number of selected component (if applicable):

- RHEL 6.2 2.6.32-220.17.1.el6.x86_64
- RHEL 5.6 2.6.32-164  ( Note '*' works in this release. )


How reproducible:


Steps to Reproduce:
1.  Edit /etc/security/limits.conf, log into the system and attempt to change limits using the ulimit utility.

Actual results:

1. Edit /etc/security/limits.conf and insert lines as follows.

   *     	soft	nproc	65536
   *    	hard	nproc	262144
   login	soft	nproc	32768
   login 	hard	nproc	262144
2. Login as 'login'
3. ulimit -u 200000
4. ulimit -u 262144
5. ulimit -u 200001
6. ulimit -u 199999
7. ulimit -u 262145
-bash: ulimit: max user processes: cannot modify limit: Operation not permitted
8. ulimit -u 262144
9. ulimit -u 200000
10. ulimit -u 200001
11. ulimit -u 199999

Expected results:

1. Edit /etc/security/limits.conf and insert lines as follows.

   *     	soft	nproc	65536
   *    	hard	nproc	262144
   login	soft	nproc	32768
   login 	hard	nproc	262144
2. Login as 'login'
3. ulimit -u 200000
4. ulimit -u 262144
-bash: ulimit: max user processes: cannot modify limit: Operation not permitted
5. ulimit -u 200001
-bash: ulimit: max user processes: cannot modify limit: Operation not permitted
6. ulimit -u 199999
7. exit, log off, and log back in as 'login'
8. ulimit -u 262145
-bash: ulimit: max user processes: cannot modify limit: Operation not permitted
9. ulimit -u 262144
10. ulimit -u 200000
11. ulimit -u 200001
-bash: ulimit: max user processes: cannot modify limit: Operation not permitted
12. ulimit -u 199999

Additional info:

Apparently, similar issues have existed in other releases of Linux for some time now.  The disabling of the '*' in the Domain field may have been a more recent fix or bug, depending on how you look at it.
Comment 2 Tomas Mraz 2012-06-11 02:33:27 EDT
There is /etc/security/limits.d/90-nproc.conf which overrides your nproc value. If you comment out the line in the file, everything will work as in RHEL-5.
Comment 3 Tomas Mraz 2012-06-11 02:39:34 EDT
Comment #2 was about the "disabling" of the '*'. As for the ulimit semantics change, I am not sure where/if this changed; however, ulimit -u will set both hard and soft limits, and the hard limit cannot be raised, only lowered. Using ulimit -Su will change only the soft limit, giving you the semantics you expect.
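The soft/hard distinction described in Comment 3, as an added example that is not part of the bug report or of any Red Hat code. The helper names (pick, soft_only, set_both, demo) and the RES variable are made up for illustration, and the test values are derived from the current soft limit so the script works under whatever limits.conf is in effect.

```shell
#!/bin/sh
# Added example; helper names and RES are made up for illustration.
# Every experiment runs in a subshell, so the caller's limits never change.

# Resource flag for ulimit: "u" = max user processes, as in the report.
# Not every /bin/sh accepts -u; RES=n (open files) works in plain POSIX shells.
RES="${RES:-u}"

# pick: print "LOW MID", two values just below the current soft limit.
# With an unlimited soft limit, fall back to numbers used in the report.
pick() {
  s=$(ulimit -S "-$RES" 2>/dev/null) || return 1
  case "$s" in
    ''|*[!0-9]*) echo "199999 200000" ;;
    *) echo "$((s - 2)) $((s - 1))" ;;
  esac
}

# soft_only LOW MID: lower the soft limit, then raise it again with -S.
# Prints the final soft limit; fails if the hard limit moved at any point.
soft_only() (
  hard=$(ulimit -H "-$RES")
  ulimit -S "-$RES" "$1" && ulimit -S "-$RES" "$2" || exit 1
  [ "$(ulimit -H "-$RES")" = "$hard" ] || exit 1
  ulimit -S "-$RES"
)

# set_both LOW MID: plain "ulimit -X LOW" sets soft AND hard; then try MID.
# Prints "SOFT/HARD" as seen after the first call, and the raise outcome.
set_both() (
  ulimit "-$RES" "$1" || exit 1
  after="$(ulimit -S "-$RES")/$(ulimit -H "-$RES")"
  if ulimit "-$RES" "$2" 2>/dev/null; then
    echo "$after raise=allowed"
  else
    echo "$after raise=denied"
  fi
)

demo() {
  vals=$(pick) || { echo "ulimit -$RES is not supported by this shell"; return 0; }
  set -- $vals
  echo "ulimit -S: soft limit ends at $(soft_only "$1" "$2") (hard limit untouched)"
  echo "ulimit   : soft/hard after set = $(set_both "$1" "$2")"
}
demo
```

An unprivileged user sees raise=denied on the second line; a process with CAP_SYS_RESOURCE (typically root) is allowed to raise the hard limit again.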
Comment 4 Everett Bennett, Jr. 2012-06-12 12:34:15 EDT
Thanks for the info.  Apparently, one should re-read man pages on occasion.
My other objection was to document this issue as it appeared to be an issue in google search land.
