diff options
| author | Thorsten Kukuk <kukuk@thkukuk.de> | 2009-02-20 13:27:12 +0000 |
|---|---|---|
| committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2009-02-20 13:27:12 +0000 |
| commit | 2eb9c8be027c7b30dde7e8eaf8466434a0de3aa0 (patch) | |
| tree | bd39a1479b7b886bacd2350f607e610fb43af5d2 /modules | |
| parent | 2afda8880a7bdec2cae03ba4d210916fe7289804 (diff) | |
| download | pam-2eb9c8be027c7b30dde7e8eaf8466434a0de3aa0.tar.gz pam-2eb9c8be027c7b30dde7e8eaf8466434a0de3aa0.tar.bz2 pam-2eb9c8be027c7b30dde7e8eaf8466434a0de3aa0.zip | |
Relevant BUGIDs:
Purpose of commit: enhancement
Commit summary:
---------------
2009-02-20 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_limits/limits.conf.5.xml: Document that the kernel
can refuse values out of range for the local system.
* modules/pam_limits/pam_limits.c (setup_limits): Log if setrlimit
fails.
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/pam_limits/limits.conf.5.xml | 14 | ||||
| -rw-r--r-- | modules/pam_limits/pam_limits.c | 80 |
2 files changed, 88 insertions, 6 deletions
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml index aabcf2cc..a9757a7f 100644 --- a/modules/pam_limits/limits.conf.5.xml +++ b/modules/pam_limits/limits.conf.5.xml @@ -230,11 +230,18 @@ </variablelist> <para> - All items support the values <emphasis>-1</emphasis>, + All items support the values <emphasis>-1</emphasis>, <emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit, except for <emphasis remap='B'>priority</emphasis> and <emphasis remap='B'>nice</emphasis>. </para> <para> + If a hard limit or soft limit of a resource is set to a valid value, + but outside of the supported range of the local system, the system + may reject the new limit or unexpected behavior may occur. If the + control value <emphasis>required</emphasis> is used, the module will + reject the login if a limit could not be set. + </para> + <para> In general, individual limits have priority over group limits, so if you impose no limits for <emphasis>admin</emphasis> group, but one of the members in this group have a limits line, the user will have its @@ -251,8 +258,8 @@ - after which the rest of the line is ignored. </para> <para> - The pam_limits module does its best to report configuration problems - found in its configuration file via <citerefentry> + The pam_limits module does report configuration problems + found in its configuration file and errors via <citerefentry> <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. </para> </refsect1> @@ -281,6 +288,7 @@ ftp hard nproc 0 <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry> + <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>3p</manvolnum></citerefentry> </para> </refsect1> diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c index f1e29b85..f446f9e3 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c @@ -42,7 +42,7 @@ #include <locale.h> #ifdef HAVE_LIBAUDIT -#include <libaudit.h> +#include <libaudit.h> #endif /* Module defines */ @@ -141,6 +141,73 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, return ctrl; } +static const char * +rlimit2str (int i) +{ + switch (i) { + case RLIMIT_CPU: + return "cpu"; + break; + case RLIMIT_FSIZE: + return "fsize"; + break; + case RLIMIT_DATA: + return "data"; + break; + case RLIMIT_STACK: + return "stack"; + break; + case RLIMIT_CORE: + return "core"; + break; + case RLIMIT_RSS: + return "rss"; + break; + case RLIMIT_NPROC: + return "nproc"; + break; + case RLIMIT_NOFILE: + return "nofile"; + break; + case RLIMIT_MEMLOCK: + return "memlock"; + break; +#ifdef RLIMIT_AS + case RLIMIT_AS: + return "as"; + break; +#endif +#ifdef RLIMIT_LOCKS + case RLIMIT_LOCKS: + return "locks"; + break; +#endif +#ifdef RLIMIT_SIGPENDING + case RLIMIT_SIGPENDING: + return "sigpending"; + break; +#endif +#ifdef RLIMIT_MSGQUEUE + case RLIMIT_MSGQUEUE: + return "msgqueue"; + break; +#endif +#ifdef RLIMIT_NICE + case RLIMIT_NICE: + return "nice"; + break; +#endif +#ifdef RLIMIT_RTPRIO + case RLIMIT_RTPRIO: + return "rtprio"; + break; +#endif + default: + return "UNKNOWN"; + break; + } +} + #define LIMITED_OK 0 /* limit setting appeared to work */ #define LIMIT_ERR 1 /* error setting a limit */ @@ -416,8 +483,8 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, if (int_value < -20) int_value = -20; rlimit_value = 20 - int_value; -#endif break; +#endif } if ( (limit_item != LIMIT_LOGIN) @@ -575,6 +642,8 @@ static int setup_limits(pam_handle_t *pamh, int retval = LIMITED_OK; for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) { + int res; + if (!pl->limits[i].supported) { /* skip it if its not known to the system */ continue; @@ -586,7 +655,11 @@ static int setup_limits(pam_handle_t *pamh, } if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; - status |= setrlimit(i, &pl->limits[i].limit); + res = setrlimit(i, &pl->limits[i].limit); + if (res != 0) + pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m", + rlimit2str(i)); + status |= res; } if (status) { @@ -595,6 +668,7 @@ static int setup_limits(pam_handle_t *pamh, status = setpriority(PRIO_PROCESS, 0, pl->priority); if (status != 0) { + pam_syslog(pamh, LOG_ERR, "Could not set limit for PRIO_PROCESS: %m"); retval = LIMIT_ERR; } |