5:16 p.m.
Since the kernel sets a number of dynamic rlimits based on the system
properties (e.g. physical memory for nproc), these rlimits should be
respected by PAM. Parse /proc/1/limits for the kernel-defined rlimits.
Signed-off-by: Kees Cook <kees.cook(a)canonical.com>
---
modules/pam_limits/pam_limits.c | 157 +++++++++++++++++++++++++++++++++++++-
1 files changed, 152 insertions(+), 5 deletions(-)
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 8814652..fa1d35f 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -51,9 +51,10 @@
#define LIMITS_DEF_USER 0 /* limit was set by an user entry */
#define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */
#define LIMITS_DEF_ALLGROUP 2 /* limit was set by a group entry */
-#define LIMITS_DEF_ALL 3 /* limit was set by an default entry */
-#define LIMITS_DEF_DEFAULT 4 /* limit was set by an default entry */
-#define LIMITS_DEF_NONE 5 /* this limit was not set yet */
+#define LIMITS_DEF_ALL 3 /* limit was set by an all entry */
+#define LIMITS_DEF_DEFAULT 4 /* limit was set by a default entry */
+#define LIMITS_DEF_KERNEL 5 /* limit was set from /proc/1/limits */
+#define LIMITS_DEF_NONE 6 /* this limit was not set yet */
#define LIMIT_RANGE_ERR -1 /* error in specified uid/gid range */
#define LIMIT_RANGE_NONE 0 /* no range specified */
@@ -67,6 +68,7 @@ static const char *limits_def_names[] = {
"ALLGROUP",
"ALL",
"DEFAULT",
+ "KERNEL",
"NONE",
NULL
};
@@ -292,7 +294,139 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int
ctrl,
return 0;
}
-static int init_limits(struct pam_limit_s *pl)
+static const char * lnames[RLIM_NLIMITS] = {
+ [RLIMIT_CPU] = "Max cpu time",
+ [RLIMIT_FSIZE] = "Max file size",
+ [RLIMIT_DATA] = "Max data size",
+ [RLIMIT_STACK] = "Max stack size",
+ [RLIMIT_CORE] = "Max core file size",
+ [RLIMIT_RSS] = "Max resident set",
+ [RLIMIT_NPROC] = "Max processes",
+ [RLIMIT_NOFILE] = "Max open files",
+ [RLIMIT_MEMLOCK] = "Max locked memory",
+#ifdef RLIMIT_AS
+ [RLIMIT_AS] = "Max address space",
+#endif
+#ifdef RLIMIT_LOCKS
+ [RLIMIT_LOCKS] = "Max file locks",
+#endif
+#ifdef RLIMIT_SIGPENDING
+ [RLIMIT_SIGPENDING] = "Max pending signals",
+#endif
+#ifdef RLIMIT_MSGQUEUE
+ [RLIMIT_MSGQUEUE] = "Max msgqueue size",
+#endif
+#ifdef RLIMIT_NICE
+ [RLIMIT_NICE] = "Max nice priority",
+#endif
+#ifdef RLIMIT_RTPRIO
+ [RLIMIT_RTPRIO] = "Max realtime priority",
+#endif
+#ifdef RLIMIT_RTTIME
+ [RLIMIT_RTTIME] = "Max realtime timeout",
+#endif
+};
+
+static int str2rlimit(char *name) {
+ int i;
+ if (!name || *name == '\0')
+ return -1;
+ for(i = 0; i < RLIM_NLIMITS; i++) {
+ if (strcmp(name, lnames[i]) == 0) return i;
+ }
+ return -1;
+}
+
+static rlim_t str2rlim_t(char *value) {
+ unsigned long long rlimit = 0;
+
+ if (!value) return (rlim_t)rlimit;
+ if (strcmp(value, "unlimited") == 0) {
+ return RLIM_INFINITY;
+ }
+ rlimit = strtoull(value, NULL, 10);
+ return (rlim_t)rlimit;
+}
+
+#define LIMITS_SKIP_WHITESPACE { \
+ /* step backwards over spaces */ \
+ pos--; \
+ while (pos && line[pos] == ' ') pos--; \
+ if (!pos) continue; \
+ line[pos+1] = '\0'; \
+}
+#define LIMITS_MARK_ITEM(item) { \
+ /* step backwards over non-spaces */ \
+ pos--; \
+ while (pos && line[pos] != ' ') pos--; \
+ if (!pos) continue; \
+ item = line + pos + 1; \
+}
+
+static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl)
+{
+ int i, maxlen = 0;
+ FILE *limitsfile;
+ const char *proclimits = "/proc/1/limits";
+ char line[256];
+ char *units, *hard, *soft, *name;
+
+ if (!(limitsfile = fopen(proclimits, "r"))) {
+ pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM
defaults", proclimits, strerror(errno));
+ return;
+ }
+
+ while (fgets(line, 256, limitsfile)) {
+ int pos = strlen(line);
+ if (pos < 2) continue;
+
+ /* drop trailing newline */
+ if (line[pos-1] == '\n') {
+ pos--;
+ line[pos] = '\0';
+ }
+
+ /* determine formatting boundry of limits report */
+ if (!maxlen && strncmp(line, "Limit", 5) == 0) {
+ maxlen = pos;
+ continue;
+ }
+
+ if (pos == maxlen) {
+ /* step backwards over "Units" name */
+ LIMITS_SKIP_WHITESPACE;
+ LIMITS_MARK_ITEM(units);
+ }
+ else {
+ units = "";
+ }
+
+ /* step backwards over "Hard Limit" value */
+ LIMITS_SKIP_WHITESPACE;
+ LIMITS_MARK_ITEM(hard);
+
+ /* step backwards over "Soft Limit" value */
+ LIMITS_SKIP_WHITESPACE;
+ LIMITS_MARK_ITEM(soft);
+
+ /* step backwards over name of limit */
+ LIMITS_SKIP_WHITESPACE;
+ name = line;
+
+ i = str2rlimit(name);
+ if (i < 0 || i >= RLIM_NLIMITS) {
+ pam_syslog(pamh, LOG_DEBUG, "Unknown kernel rlimit '%s'
ignored", name);
+ continue;
+ }
+ pl->limits[i].limit.rlim_cur = str2rlim_t(soft);
+ pl->limits[i].limit.rlim_max = str2rlim_t(hard);
+ pl->limits[i].src_soft = LIMITS_DEF_KERNEL;
+ pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
+ }
+ fclose(limitsfile);
+}
+
+static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl)
{
int i;
int retval = PAM_SUCCESS;
@@ -313,6 +447,19 @@ static int init_limits(struct pam_limit_s *pl)
}
}
+#ifdef __linux__
+ parse_kernel_limits(pamh, pl);
+#endif
+
+ for(i = 0; i < RLIM_NLIMITS; i++) {
+ if (pl->limits[i].supported &&
+ (pl->limits[i].src_soft == LIMITS_DEF_NONE ||
+ pl->limits[i].src_hard == LIMITS_DEF_NONE)) {
+#ifdef __linux__
+ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM
default", rlimit2str(i));
+#endif
+ }
+
errno = 0;
pl->priority = getpriority (PRIO_PROCESS, 0);
if (pl->priority == -1 && errno != 0)
@@ -873,7 +1020,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
return PAM_USER_UNKNOWN;
}
- retval = init_limits(pl);
+ retval = init_limits(pamh, pl);
if (retval != PAM_SUCCESS) {
pam_syslog(pamh, LOG_WARNING, "cannot initialize");
return PAM_ABORT;
--
1.7.4.1
--
Kees Cook
Ubuntu Security Team
1:47 a.m.
On Thu, 2011-03-31 at 15:16 -0700, Kees Cook wrote:
Since the kernel sets a number of dynamic rlimits based on the
system
properties (e.g. physical memory for nproc), these rlimits should be
respected by PAM. Parse /proc/1/limits for the kernel-defined rlimits.
Please provide a better rationale for the patch. The pam_limits module
will not change any limits that are not set in the configuration file.
And for the limits that are set there, the value in the configuration
file should be respected. If I understand your patch correctly, you
basically want to reset the limit to the values set on the init process.
This definitely should not be a default behavior.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
7:12 p.m.
On Fri, Apr 01, 2011 at 08:47:19AM +0200, Tomas Mraz wrote:
On Thu, 2011-03-31 at 15:16 -0700, Kees Cook wrote:
> Since the kernel sets a number of dynamic rlimits based on the system
> properties (e.g. physical memory for nproc), these rlimits should be
> respected by PAM. Parse /proc/1/limits for the kernel-defined rlimits.
Please provide a better rationale for the patch. The pam_limits module
will not change any limits that are not set in the configuration file.
And for the limits that are set there, the value in the configuration
file should be respected. If I understand your patch correctly, you
basically want to reset the limit to the values set on the init process.
This definitely should not be a default behavior.
This patch provides the lowest level of default. The configuration files
will always override them if the config is present.
The primary reason for doing this is that when PAM runs, it may not have a
sensible set of default rlimits, so it should always start over from the
kernel-defined defaults. (Some distros, at least Debian and Ubuntu, have
worked around this in the past by using hard-coded defaults, but this is
suboptimal in the face of dynamic rlimits set by the kernel based on
memory/cpu/etc.)
Additionally, this allows PAM running in containers to adjust automatically
to what is set as the rlimit defaults for the "init" running in a given
container namespace.
Thanks,
-Kees
--
Kees Cook
Ubuntu Security Team
2:15 a.m.
On Mon, Apr 04, 2011 at 05:12:58PM -0700, Kees Cook wrote:
On Fri, Apr 01, 2011 at 08:47:19AM +0200, Tomas Mraz wrote:
> On Thu, 2011-03-31 at 15:16 -0700, Kees Cook wrote:
> > Since the kernel sets a number of dynamic rlimits based on the system
> > properties (e.g. physical memory for nproc), these rlimits should be
> > respected by PAM. Parse /proc/1/limits for the kernel-defined rlimits.
>
> Please provide a better rationale for the patch. The pam_limits module
> will not change any limits that are not set in the configuration file.
> And for the limits that are set there, the value in the configuration
> file should be respected. If I understand your patch correctly, you
> basically want to reset the limit to the values set on the init process.
> This definitely should not be a default behavior.
This patch provides the lowest level of default. The configuration files
will always override them if the config is present.
The primary reason for doing this is that when PAM runs, it may not have a
sensible set of default rlimits,
It may or it may not. With your patch, rlimits of applications would be
totally ignored in favour of init's rlimits. I'm not sure such a change
of default is quite safe wrt applications which may rely on ability to
define default rlimits.
so it should always start over from the kernel-defined defaults.
I'm not quite sure that it must _always_ drop rlimits inheritance.
While the feature looks useful, I think it have to be configurable via
some on/off switch.
--
ldv
10:49 a.m.
On Tue, Apr 05, 2011 at 11:15:47AM +0400, Dmitry V. Levin wrote:
I'm not quite sure that it must _always_ drop rlimits
inheritance.
While the feature looks useful, I think it have to be configurable via
some on/off switch.
Okay, seems fair. I still think it should default to enabled since most
(but not all) applications using PAM are fully delegating these kinds of
things. If you have pam_limits in your stack, you expect it to do its work.
What would you like to see? I haven't done pam config variables before...
-Kees
--
Kees Cook
Ubuntu Security Team
3:28 a.m.
On Mon, Apr 04, Kees Cook wrote:
On Fri, Apr 01, 2011 at 08:47:19AM +0200, Tomas Mraz wrote:
> On Thu, 2011-03-31 at 15:16 -0700, Kees Cook wrote:
> > Since the kernel sets a number of dynamic rlimits based on the system
> > properties (e.g. physical memory for nproc), these rlimits should be
> > respected by PAM. Parse /proc/1/limits for the kernel-defined rlimits.
>
> Please provide a better rationale for the patch. The pam_limits module
> will not change any limits that are not set in the configuration file.
> And for the limits that are set there, the value in the configuration
> file should be respected. If I understand your patch correctly, you
> basically want to reset the limit to the values set on the init process.
> This definitely should not be a default behavior.
This patch provides the lowest level of default. The configuration files
will always override them if the config is present.
The primary reason for doing this is that when PAM runs, it may not have a
sensible set of default rlimits, so it should always start over from the
kernel-defined defaults.
That would be a wrong behavior of pam_limits. If an application sets
limits and then forks, pam_limits shouldn't reset that values.
(Some distros, at least Debian and Ubuntu, have
worked around this in the past by using hard-coded defaults, but this is
suboptimal in the face of dynamic rlimits set by the kernel based on
memory/cpu/etc.)
Additionally, this allows PAM running in containers to adjust automatically
to what is set as the rlimit defaults for the "init" running in a given
container namespace.
I have to admit that I still don't understand the problem.
But we use a package "ulimits" to set global, usefull limits
during boot time. Afterwards the init scripts/processes can
overwrite them for their needs.
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
4:35 a.m.
Hi Thorsten,
On Tue, Apr 05, 2011 at 10:28:47AM +0200, Thorsten Kukuk wrote:
> On Fri, Apr 01, 2011 at 08:47:19AM +0200, Tomas Mraz wrote:
> > On Thu, 2011-03-31 at 15:16 -0700, Kees Cook wrote:
> > > Since the kernel sets a number of dynamic rlimits based on the system
> > > properties (e.g. physical memory for nproc), these rlimits should be
> > > respected by PAM. Parse /proc/1/limits for the kernel-defined rlimits.
> > Please provide a better rationale for the patch. The
pam_limits module
> > will not change any limits that are not set in the configuration file.
> > And for the limits that are set there, the value in the configuration
> > file should be respected. If I understand your patch correctly, you
> > basically want to reset the limit to the values set on the init process.
> > This definitely should not be a default behavior.
> This patch provides the lowest level of default. The
configuration files
> will always override them if the config is present.
> The primary reason for doing this is that when PAM runs, it may
not have a
> sensible set of default rlimits, so it should always start over from the
> kernel-defined defaults.
That would be a wrong behavior of pam_limits. If an application sets
limits and then forks, pam_limits shouldn't reset that values.
Can you give an example of why an application would do this and then open a
PAM session for which it calls pam_limits, if it expects these limits to be
retained?
I understand that the status quo is that the upstream pam_limits doesn't do
that, and so it would come as a surprise if pam_limits started resetting
limits; but I don't see any reason why, from the POV of application design
or distro packaging, it would make sense for an application that cared about
setting limits to by default then turn around and let pam_limits change
these settings.
> (Some distros, at least Debian and Ubuntu, have
> worked around this in the past by using hard-coded defaults, but this is
> suboptimal in the face of dynamic rlimits set by the kernel based on
> memory/cpu/etc.)
> Additionally, this allows PAM running in containers to adjust
automatically
> to what is set as the rlimit defaults for the "init" running in a given
> container namespace.
I have to admit that I still don't understand the problem.
But we use a package "ulimits" to set global, usefull limits
during boot time. Afterwards the init scripts/processes can
overwrite them for their needs.
The original patch that Kees's work is based on was added to the Debian
package by Ben Collins some years ago to address the issue that when
changing from one user to another with 'su', the limits configured from the
original user would be retained unless explicitly overridden in limits.conf.
I think it's pretty unambiguously correct to reset the limits to a clean
slate in this case (why would you want su to a user to give different
limits, based on the identity of the login user, than a direct login?), but
it's difficult to separate this case out from those cases where you say the
limits should *not* be reset.
Have you guys solved this issue some other way?
Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek(a)ubuntu.com vorlon(a)debian.org
3:40 a.m.
Hey again,
On Tue, Apr 05, 2011 at 02:35:43AM -0700, Steve Langasek wrote:
Hi Thorsten,
> > (Some distros, at least Debian and Ubuntu, have
> > worked around this in the past by using hard-coded defaults, but this is
> > suboptimal in the face of dynamic rlimits set by the kernel based on
> > memory/cpu/etc.)
> > Additionally, this allows PAM running in containers to
adjust automatically
> > to what is set as the rlimit defaults for the "init" running in a
given
> > container namespace.
> I have to admit that I still don't understand the problem.
> But we use a package "ulimits" to set global, usefull limits
> during boot time. Afterwards the init scripts/processes can
> overwrite them for their needs.
The original patch that Kees's work is based on was added to the
Debian
package by Ben Collins some years ago to address the issue that when
changing from one user to another with 'su', the limits configured from the
original user would be retained unless explicitly overridden in limits.conf.
I think it's pretty unambiguously correct to reset the limits to a clean
slate in this case (why would you want su to a user to give different
limits, based on the identity of the login user, than a direct login?), but
it's difficult to separate this case out from those cases where you say the
limits should *not* be reset.
Have you guys solved this issue some other way?
Hmm, no answer to this question... does that mean everyone's still thinking
it over, or just totally horrified by the idea?
For reference, here's the original Debian bug report that led to this patch
being carried. Unfortunately I don't think it was ever forwarded upstream
at the time.
http://bugs.debian.org/63230
Thanks,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek(a)ubuntu.com vorlon(a)debian.org
4:34 a.m.
On Sun, May 01, Steve Langasek wrote:
Hmm, no answer to this question... does that mean everyone's
still thinking
it over, or just totally horrified by the idea?
I don't have anything against the idea itself, but to have it active
by default. I still think the behavior is wrong.
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
4:58 a.m.
On Wed, 2011-05-04 at 11:34 +0200, Thorsten Kukuk wrote:
On Sun, May 01, Steve Langasek wrote:
> Hmm, no answer to this question... does that mean everyone's still thinking
> it over, or just totally horrified by the idea?
I don't have anything against the idea itself, but to have it active
by default. I still think the behavior is wrong.
+1
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
4:32 a.m.
On Tue, Apr 05, Steve Langasek wrote:
Hi Thorsten,
On Tue, Apr 05, 2011 at 10:28:47AM +0200, Thorsten Kukuk wrote:
> > On Fri, Apr 01, 2011 at 08:47:19AM +0200, Tomas Mraz wrote:
> > > On Thu, 2011-03-31 at 15:16 -0700, Kees Cook wrote:
> > > > Since the kernel sets a number of dynamic rlimits based on the
system
> > > > properties (e.g. physical memory for nproc), these rlimits should be
> > > > respected by PAM. Parse /proc/1/limits for the kernel-defined
rlimits.
> > > Please provide a better rationale for the patch. The pam_limits module
> > > will not change any limits that are not set in the configuration file.
> > > And for the limits that are set there, the value in the configuration
> > > file should be respected. If I understand your patch correctly, you
> > > basically want to reset the limit to the values set on the init process.
> > > This definitely should not be a default behavior.
> > This patch provides the lowest level of default. The configuration files
> > will always override them if the config is present.
> > The primary reason for doing this is that when PAM runs, it may not have a
> > sensible set of default rlimits, so it should always start over from the
> > kernel-defined defaults.
> That would be a wrong behavior of pam_limits. If an application sets
> limits and then forks, pam_limits shouldn't reset that values.
Can you give an example of why an application would do this and then open a
PAM session for which it calls pam_limits, if it expects these limits to be
retained?
You should ask big ISVs, especially database vendors, why they
are doing this.
But in short: Some resources depending on memory, diskspace, and
processors are calculated dynamically depending on your hardware,
others are fix values coming from the config file.
I understand that the status quo is that the upstream pam_limits
doesn't do
that, and so it would come as a surprise if pam_limits started resetting
limits; but I don't see any reason why, from the POV of application design
or distro packaging, it would make sense for an application that cared about
setting limits to by default then turn around and let pam_limits change
these settings.
Because you don't know what the defaults are and who did set them for
which reason.
On openSUSE/SLES we have the ulimits package, which sets global, default
limits for all processes based on a config file and available hardware
through the init process.
This patch by default enabled would reset the limits to something
surprising. And worse, not for everything, but only for this, who
are called by a process which did run pam_limits before.
> I have to admit that I still don't understand the problem.
> But we use a package "ulimits" to set global, usefull limits
> during boot time. Afterwards the init scripts/processes can
> overwrite them for their needs.
The original patch that Kees's work is based on was added to the Debian
package by Ben Collins some years ago to address the issue that when
changing from one user to another with 'su', the limits configured from the
original user would be retained unless explicitly overridden in limits.conf.
Correct.
I think it's pretty unambiguously correct to reset the limits to
a clean
slate in this case (why would you want su to a user to give different
limits, based on the identity of the login user, than a direct login?)
What is the clean state in this case? How do you know who did set
the limit and for which reason? And what should be the correct one?
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
10:52 a.m.
On Tue, Apr 05, 2011 at 10:28:47AM +0200, Thorsten Kukuk wrote:
On Mon, Apr 04, Kees Cook wrote:
> The primary reason for doing this is that when PAM runs, it may not have a
> sensible set of default rlimits, so it should always start over from the
> kernel-defined defaults.
That would be a wrong behavior of pam_limits. If an application sets
limits and then forks, pam_limits shouldn't reset that values.
I think that if pam_limits is in the stack, this makes sense, but I'm happy
to add a toggle for it.
I have to admit that I still don't understand the problem.
But we use a package "ulimits" to set global, usefull limits
during boot time. Afterwards the init scripts/processes can
overwrite them for their needs.
How do you deal with the kernel's dynamic setting of nproc?
-Kees
--
Kees Cook
Ubuntu Security Team
8:33 a.m.
New subject: [PATCH] pam_limits: initialize rlimits from kernel values
On Thu, Mar 31, Kees Cook wrote:
Since the kernel sets a number of dynamic rlimits based on the
system
properties (e.g. physical memory for nproc), these rlimits should be
respected by PAM. Parse /proc/1/limits for the kernel-defined rlimits.
Ok, attached is a patch, where I fixed the syntax errors and I
added an "init_all" option. Means by default no behavior changes
against the current version. If admin specifies "init_all", the missing
limits will be set from the one of process with PId 1.
Comments?
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
9 a.m.
Hi Thorsten,
On Wed, Jun 15, 2011 at 03:33:54PM +0200, Thorsten Kukuk wrote:
On Thu, Mar 31, Kees Cook wrote:
> Since the kernel sets a number of dynamic rlimits based on the system
> properties (e.g. physical memory for nproc), these rlimits should be
> respected by PAM. Parse /proc/1/limits for the kernel-defined rlimits.
Ok, attached is a patch, where I fixed the syntax errors and I
added an "init_all" option. Means by default no behavior changes
against the current version. If admin specifies "init_all", the missing
limits will be set from the one of process with PId 1.
Thanks, this looks good. I made one additional change since sending this
originally to reduce the syslog spam on some distros that are behind on
their rlimits headers:
+ i = str2rlimit(name);
+ if (i < 0 || i >= RLIM_NLIMITS) {
if (ctrl & PAM_DEBUG_ARG)
+ pam_syslog(pamh, LOG_DEBUG, "Unknown kernel rlimit
'%s' ignored", name);
+ continue;
+ }
+#ifdef __linux__
+ if (ctrl & PAM_INIT_ALL) {
Should this be called PAM_INIT_ALL_ARG instead?
Thanks,
-Kees
--
Kees Cook
Ubuntu Security Team
9:04 a.m.
On Wed, Jun 15, Kees Cook wrote:
Hi Thorsten,
On Wed, Jun 15, 2011 at 03:33:54PM +0200, Thorsten Kukuk wrote:
> On Thu, Mar 31, Kees Cook wrote:
>
> > Since the kernel sets a number of dynamic rlimits based on the system
> > properties (e.g. physical memory for nproc), these rlimits should be
> > respected by PAM. Parse /proc/1/limits for the kernel-defined rlimits.
>
> Ok, attached is a patch, where I fixed the syntax errors and I
> added an "init_all" option. Means by default no behavior changes
> against the current version. If admin specifies "init_all", the missing
> limits will be set from the one of process with PId 1.
Thanks, this looks good. I made one additional change since sending this
originally to reduce the syslog spam on some distros that are behind on
their rlimits headers:
> + i = str2rlimit(name);
> + if (i < 0 || i >= RLIM_NLIMITS) {
if (ctrl & PAM_DEBUG_ARG)
Ok, added.
> + pam_syslog(pamh, LOG_DEBUG, "Unknown kernel
rlimit '%s' ignored", name);
> + continue;
> + }
> +#ifdef __linux__
> + if (ctrl & PAM_INIT_ALL) {
Should this be called PAM_INIT_ALL_ARG instead?
Why should it? No other option has the _ARG suffix besice
the PAM_DEBUG_ARG, and that has only to avoid a symbol conflict
with libpam headers itself.
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
9:11 a.m.
On Wed, Jun 15, 2011 at 04:04:14PM +0200, Thorsten Kukuk wrote:
On Wed, Jun 15, Kees Cook wrote:
> On Wed, Jun 15, 2011 at 03:33:54PM +0200, Thorsten Kukuk wrote:
> > On Thu, Mar 31, Kees Cook wrote:
> >
> > > Since the kernel sets a number of dynamic rlimits based on the system
> > > properties (e.g. physical memory for nproc), these rlimits should be
> > > respected by PAM. Parse /proc/1/limits for the kernel-defined rlimits.
> >
> > Ok, attached is a patch, where I fixed the syntax errors and I
> > added an "init_all" option. Means by default no behavior changes
> > against the current version. If admin specifies "init_all", the
missing
> > limits will be set from the one of process with PId 1.
>
> Thanks, this looks good. I made one additional change since sending this
> originally to reduce the syslog spam on some distros that are behind on
> their rlimits headers:
>
> > + i = str2rlimit(name);
> > + if (i < 0 || i >= RLIM_NLIMITS) {
>
> if (ctrl & PAM_DEBUG_ARG)
Ok, added.
> > + pam_syslog(pamh, LOG_DEBUG, "Unknown kernel rlimit
'%s' ignored", name);
> > + continue;
> > + }
>
>
> > +#ifdef __linux__
> > + if (ctrl & PAM_INIT_ALL) {
>
> Should this be called PAM_INIT_ALL_ARG instead?
Why should it? No other option has the _ARG suffix besice
the PAM_DEBUG_ARG, and that has only to avoid a symbol conflict
with libpam headers itself.
Okay, cool. I didn't go check the others. Thanks!
-Kees
--
Kees Cook
Ubuntu Security Team
2:13 p.m.
On Wed, 2011-06-15 at 15:33 +0200, Thorsten Kukuk wrote:
On Thu, Mar 31, Kees Cook wrote:
> Since the kernel sets a number of dynamic rlimits based on the system
> properties (e.g. physical memory for nproc), these rlimits should be
> respected by PAM. Parse /proc/1/limits for the kernel-defined rlimits.
Ok, attached is a patch, where I fixed the syntax errors and I
added an "init_all" option. Means by default no behavior changes
against the current version. If admin specifies "init_all", the missing
limits will be set from the one of process with PId 1.
I'm just slightly opposed to the 'init_all' option name. Perhaps
something like 'reset_all' or 'reset_from_init' would better describe
the functionality?
Also the new functions should be #ifdef __linux__.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
10:27 a.m.
On Wed, Jun 15, Tomas Mraz wrote:
> Ok, attached is a patch, where I fixed the syntax errors and I
> added an "init_all" option. Means by default no behavior changes
> against the current version. If admin specifies "init_all", the missing
> limits will be set from the one of process with PId 1.
I'm just slightly opposed to the 'init_all' option name. Perhaps
something like 'reset_all' or 'reset_from_init' would better describe
the functionality?
I'm confused, I thought I had answered already, but cannot find my mail ...
I have no problem with renaming that option, but I don't like "reset*",
because that sounds like there are modified default values. But in reality,
we use the values from the init process, which are not necessarly the
default system values.
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
10:56 a.m.
On Mon, 2011-06-20 at 17:27 +0200, Thorsten Kukuk wrote:
On Wed, Jun 15, Tomas Mraz wrote:
> > Ok, attached is a patch, where I fixed the syntax errors and I
> > added an "init_all" option. Means by default no behavior changes
> > against the current version. If admin specifies "init_all", the
missing
> > limits will be set from the one of process with PId 1.
>
> I'm just slightly opposed to the 'init_all' option name. Perhaps
> something like 'reset_all' or 'reset_from_init' would better
describe
> the functionality?
I'm confused, I thought I had answered already, but cannot find my mail ...
I have no problem with renaming that option, but I don't like "reset*",
because that sounds like there are modified default values. But in reality,
we use the values from the init process, which are not necessarly the
default system values.
OK, then what about "set_from_init" or more simple "set_all"?
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
11:04 a.m.
New subject: [PATCH] pam_limits: initialize rlimits from kernel values
On Mon, Jun 20, Tomas Mraz wrote:
On Mon, 2011-06-20 at 17:27 +0200, Thorsten Kukuk wrote:
> On Wed, Jun 15, Tomas Mraz wrote:
>
> > > Ok, attached is a patch, where I fixed the syntax errors and I
> > > added an "init_all" option. Means by default no behavior changes
> > > against the current version. If admin specifies "init_all", the
missing
> > > limits will be set from the one of process with PId 1.
> >
> > I'm just slightly opposed to the 'init_all' option name. Perhaps
> > something like 'reset_all' or 'reset_from_init' would better
describe
> > the functionality?
>
> I'm confused, I thought I had answered already, but cannot find my mail ...
>
> I have no problem with renaming that option, but I don't like
"reset*",
> because that sounds like there are modified default values. But in reality,
> we use the values from the init process, which are not necessarly the
> default system values.
OK, then what about "set_from_init" or more simple "set_all"?
"set_all" would be fine for me.
If nobody objects, I will make the #if __kernel__ change and rename
the option and commit tomorrow.
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
1:41 p.m.
New subject: [PATCH] pam_limits: initialize rlimits from kernel values
On Mon, Jun 20, 2011 at 06:04:20PM +0200, Thorsten Kukuk wrote:
On Mon, Jun 20, Tomas Mraz wrote:
> On Mon, 2011-06-20 at 17:27 +0200, Thorsten Kukuk wrote:
> > On Wed, Jun 15, Tomas Mraz wrote:
> > > > Ok, attached is a patch, where I fixed the syntax
errors and I
> > > > added an "init_all" option. Means by default no behavior
changes
> > > > against the current version. If admin specifies "init_all",
the missing
> > > > limits will be set from the one of process with PId 1.
> > > I'm just slightly opposed to the
'init_all' option name. Perhaps
> > > something like 'reset_all' or 'reset_from_init' would
better describe
> > > the functionality?
> > I'm confused, I thought I had answered already, but
cannot find my mail ...
> > I have no problem with renaming that option, but I
don't like "reset*",
> > because that sounds like there are modified default values. But in reality,
> > we use the values from the init process, which are not necessarly the
> > default system values.
> OK, then what about "set_from_init" or more simple
"set_all"?
"set_all" would be fine for me.
That sounds good to me as well. Thanks!
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek(a)ubuntu.com vorlon(a)debian.org
4693
days inactive
4774
days old
pam-developers@lists.fedorahosted.org
20 comments
5 participants
participants (5)
-
Dmitry V. Levin -
Kees Cook -
Steve Langasek -
Thorsten Kukuk -
Tomas Mraz