Debian Bug report logs - #515673
libpam-modules: limits set in /etc/security/limits.conf are ignored

Package: libpam-modules; Maintainer for libpam-modules is Steve Langasek <vorlon@debian.org>; Source for libpam-modules is src:pam.

Reported by: Sasha Martsinuk <sasha@uawow.com>

Date: Mon, 16 Feb 2009 20:33:02 UTC

Severity: important

Found in version pam/1.0.1-5

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#515673; Package libpam-modules. (Mon, 16 Feb 2009 20:33:05 GMT)

Acknowledgement sent to Sasha Martsinuk <sasha@uawow.com>:
New Bug report received and forwarded. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 16 Feb 2009 20:33:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Sasha Martsinuk <sasha@uawow.com>
To: submit@bugs.debian.org
Subject: libpam-modules: limits set in /etc/security/limits.conf are ignored
Date: Mon, 16 Feb 2009 22:32:09 +0200
Package: libpam-modules
Version: 1.0.1-5
Severity: important

When the custom limit of resources for user or group is set in
/etc/security/limits.conf,
it is ignored at user login.
For example, we need to increase the number of open files for the user.
We add this line to the config file:

user       hard    nofile      4096

The limit is default:
# ulimit -n
1024

Now we change user:
#su - user
user@:~$ ulimit -n
1024

So, there is no way to increase this limit for a user.
In etch there was a way to set ulimit in the root shell and then su
into this user.
Now this is fixed and the limits are reset when user is changed.

-- System Information:
Debian Release: 5.0
 APT prefers stable
 APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=ru_UA.UTF-8, LC_CTYPE=ru_UA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-modules depends on:
ii  debconf [debconf-2.0]         1.5.24     Debian configuration management sy
ii  libc6                         2.7-18     GNU C Library: Shared libraries
ii  libdb4.6                      4.6.21-11  Berkeley v4.6 Database Libraries [
ii  libpam0g                      1.0.1-5    Pluggable Authentication Modules l
ii  libselinux1                   2.0.65-5   SELinux shared libraries

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- debconf information excluded




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#515673; Package libpam-modules. (Mon, 16 Feb 2009 21:21:07 GMT)

Acknowledgement sent to Sasha Martsinuk <sasha@uawow.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 16 Feb 2009 21:21:07 GMT)

Message #10 received at 515673@bugs.debian.org:

From: Sasha Martsinuk <sasha@uawow.com>
To: 515673@bugs.debian.org
Subject: Re: Bug#515673: Acknowledgement (libpam-modules: limits set in /etc/security/limits.conf are ignored)
Date: Mon, 16 Feb 2009 23:17:25 +0200
Decreasing the limit works OK.

/etc/security/limits.conf:
user2           hard    nofile          220

user1@:~$ ulimit -n
1024
user1:~$ sudo su - user2
user2@:~$ ulimit -n
220




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#515673; Package libpam-modules. (Tue, 17 Feb 2009 07:42:03 GMT)

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. (Tue, 17 Feb 2009 07:42:04 GMT)

Message #15 received at 515673@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Sasha Martsinuk <sasha@uawow.com>, 515673@bugs.debian.org
Subject: Re: Bug#515673: libpam-modules: limits set in /etc/security/limits.conf are ignored
Date: Mon, 16 Feb 2009 23:41:08 -0800
tags 515673 confirmed
thanks

On Mon, Feb 16, 2009 at 10:32:09PM +0200, Sasha Martsinuk wrote:
> When the custom limit of resources for user or group is set in
> /etc/security/limits.conf,
> it is ignored at user login.
> For example, we need to increase the number of open files for the user.
> We add this line to the config file:

> user       hard    nofile      4096

> The limit is default:
> # ulimit -n
> 1024

> Now we change user:
> #su - user
> user@:~$ ulimit -n
> 1024

> So, there is no way to increase this limit for a user.
> In etch there was a way to set ulimit in the root shell and then su
> into this user.
> Now this is fixed and the limits are reset when user is changed.

Yes, unfortunately I can confirm this bug, which has also been reported
in Ubuntu just a few days ago at
<https://bugs.launchpad.net/ubuntu/+source/pam/+bug/327597>.

It's a bug in a Debian-specific patch, which was recently changed to fix a
previous bug, that initializing the limit to RLIM_INFINITY would throw
warnings.  We need to fix this to set "sensible" hard and soft limits for
nofile.  RLIM_INFINITY is not such a value; the value of
/proc/sys/fs/nr_open might be a reasonable hard limit, though not a
reasonable default soft limit.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Tags added: confirmed Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Tue, 17 Feb 2009 07:42:05 GMT)

Tags removed: confirmed Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Mon, 02 Mar 2009 21:58:11 GMT)

Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (Mon, 02 Mar 2009 21:58:30 GMT)

Notification sent to Sasha Martsinuk <sasha@uawow.com>:
Bug acknowledged by developer. (Mon, 02 Mar 2009 21:58:30 GMT)

Message #24 received at 515673-done@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Sasha Martsinuk <sasha@uawow.com>, 515673-done@bugs.debian.org
Subject: Re: Bug#515673: libpam-modules: limits set in /etc/security/limits.conf are ignored
Date: Mon, 2 Mar 2009 13:51:33 -0800
tags 515673 -confirmed
thanks

On Mon, Feb 16, 2009 at 11:41:08PM -0800, Steve Langasek wrote:
> On Mon, Feb 16, 2009 at 10:32:09PM +0200, Sasha Martsinuk wrote:
> > When the custom limit of resources for user or group is set in
> > /etc/security/limits.conf,
> > it is ignored at user login.
> > For example, we need to increase the number of open files for the user.
> > We add this line to the config file:

> > user       hard    nofile      4096

> > The limit is default:
> > # ulimit -n
> > 1024

> > Now we change user:
> > #su - user
> > user@:~$ ulimit -n
> > 1024

> > So, there is no way to increase this limit for a user.
> > In etch there was a way to set ulimit in the root shell and then su
> > into this user.
> > Now this is fixed and the limits are reset when user is changed.

> Yes, unfortunately I can confirm this bug, which has also been reported
> in Ubuntu just a few days ago at
> <https://bugs.launchpad.net/ubuntu/+source/pam/+bug/327597>.

> It's a bug in a Debian-specific patch, which was recently changed to fix a
> previous bug, that initializing the limit to RLIM_INFINITY would throw
> warnings.  We need to fix this to set "sensible" hard and soft limits for
> nofile.  RLIM_INFINITY is not such a value; the value of
> /proc/sys/fs/nr_open might be a reasonable hard limit, though not a
> reasonable default soft limit.

I've dug into this now and found that this isn't a PAM bug at all.

Your test shows that you're setting the hard limit in limits.conf.  But
'ulimit -n' doesn't check the hard limit, it checks the soft limit.

Run 'ulimit -H -n' to compare.  If I set up a user with 'user hard nofile
4096' and su to that user, the soft limit (ulimit -n; ulimit -S -n) is left
alone as expected, and the hard limit (ulimit -H -n) is raised as expected.

If you want to also raise the soft limit (i.e., the limit currently applied
to the process, as distinct from the maximum value the user is allowed to
set the limit to), you should also set 'user soft nofile 4096' in
limits.conf.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
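
The soft/hard distinction from the reply above, as an added example that is not part of the original thread and is not pam_limits code. It is a simplified model of how limits.conf entries change an inherited (soft, hard) pair; the inherited 1024/1024 starting values, the `user3` entries and the function names are assumptions made for illustration.

```python
"""Simplified model of limits.conf 'soft'/'hard' entries (not pam_limits source)."""

# Constructed sample: the two entries from the thread, plus the suggested fix
# applied to a hypothetical third account (user3).
SAMPLE_CONF = """\
# <domain> <type> <item> <value>
user    hard    nofile    4096
user2   hard    nofile    220
user3   soft    nofile    4096
user3   hard    nofile    4096
"""

def parse_limits(text):
    """Return (domain, type, item, value) tuples; numeric values only."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 4:
            continue
        domain, ltype, item, value = fields
        if ltype in ("soft", "hard", "-") and value.isdigit():
            entries.append((domain, ltype, item, int(value)))
    return entries

def apply_limits(entries, user, item, soft, hard):
    """Apply matching entries to the inherited (soft, hard) pair."""
    for domain, ltype, it, value in entries:
        if domain != user or it != item:
            continue  # assumption: exact user names only, no @group or *
        if ltype in ("soft", "-"):
            soft = value
        if ltype in ("hard", "-"):
            hard = value
    # The soft limit can never exceed the hard limit, so lowering the
    # hard limit below the inherited soft limit drags the soft limit down.
    return min(soft, hard), hard

if __name__ == "__main__":
    entries = parse_limits(SAMPLE_CONF)
    for name in ("user", "user2", "user3"):
        soft, hard = apply_limits(entries, name, "nofile", 1024, 1024)
        print(f"{name}: ulimit -S -n = {soft}, ulimit -H -n = {hard}")
```

The `user` and `user2` rows reproduce both observations in the report: a hard-only entry of 4096 leaves `ulimit -n` at 1024, while a hard-only entry of 220 lowers it to 220.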




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 31 Mar 2009 07:33:43 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:15:51 2014; Machine Name: buxtehude.debian.org
