On Tue, Dec 04, 2007 at 05:03:34PM +0100, Emjay wrote:
> adding "session required pam_limits.so" to /etc/pam.d/login results in
> limits being taken ONLY from /etc/security/limits.conf - all default values
> are flushed.

Where is it documented that pam_limits will do anything other than this?

> 1) This is a minor security issue because the default configuration is an
> empty (only commented lines) limits.conf (thus leaving almost no limits in
> place where the user tries to increase security/usability of the system and
> by default doing exactly the opposite).

And "by default", pam_limits clearly has no limits configured, so it makes no
sense to enable it without configuring limits.conf (and verifying the outcome
of those configuration changes).

(If it's a "minor" security issue, why are you claiming that it's a "grave"
bug?)

> - no idea what is causing this bug, probably an issue with pam_limits.so
> - should it be the default behaviour and not be considered a bug I suggest
> there should be a BIG WARNING in the pam.d/login file regarding this matter.

Here are the limits that I see when logging in via ssh to a system *without*
pam_limits:

$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
max nice (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 8118
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
max rt priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 8118
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
$

and the results when logging into the same system with pam_limits enabled but
not configured:

$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
max nice (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 8118
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
max rt priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 8118
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
$

So which of these are you claiming is affected negatively by pam_limits'
default behavior?

I no longer have any systems with pam 0.79 installed, so this may be fixed in
0.99.7 and above due to a change introduced upstream in Linux-PAM 0.99.5.0.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
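The comparison Steve does by eye above (capture `ulimit -a` from a login session with and without pam_limits, then look for any limit that changed) can be scripted. This is an added example, not code from the thread or from Linux-PAM; the first listing is the one pasted above, and the second is a constructed variant with the process limit lifted so the check has something to report.

```shell
# Constructed sample: the `ulimit -a` listing from a login session without
# pam_limits, reproduced from the thread above.
WITHOUT_PAM_LIMITS='core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
max nice (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 8118
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
max rt priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 8118
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited'

# Constructed variant (hypothetical): the same listing with the process limit
# lifted, the kind of change a limits.conf entry can introduce.
WITH_PROC_UNLIMITED=$(printf '%s\n' "$WITHOUT_PAM_LIMITS" | sed 's/-u) 8118$/-u) unlimited/')

# Reduce a `ulimit -a` listing to sorted "flag=value" lines.
ulimit_pairs() {
  printf '%s\n' "$1" | sed -n 's/^.*-\([a-z]\)) *\([^ ][^ ]*\) *$/\1=\2/p' | sort
}

# Print "flag: old -> new" for every limit whose value differs between two
# listings. Returns 0 when they agree, 1 when at least one limit changed.
ulimit_changed() {
  before=$(ulimit_pairs "$1")
  after=$(ulimit_pairs "$2")
  rc=0
  for pair in $before; do
    flag=${pair%%=*}
    old=${pair#*=}
    new=$(printf '%s\n' "$after" | sed -n "s/^$flag=//p")
    if [ "$old" != "$new" ]; then
      echo "$flag: $old -> $new"
      rc=1
    fi
  done
  return $rc
}

# On a live system: capture `ulimit -a` in a login session before and after
# enabling pam_limits, then compare the two captures the same way.
ulimit_changed "$WITHOUT_PAM_LIMITS" "$WITHOUT_PAM_LIMITS" && echo "no change: an empty limits.conf leaves the defaults in place"
ulimit_changed "$WITHOUT_PAM_LIMITS" "$WITH_PROC_UNLIMITED" || echo "limits differ"
```

Only flags present in the first listing are compared, so a limit that appears solely in the second capture is not reported.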