From 2eb9c8be027c7b30dde7e8eaf8466434a0de3aa0 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 20 Feb 2009 13:27:12 +0000 Subject: Relevant BUGIDs: Purpose of commit: enhancement Commit summary: --------------- 2009-02-20 Thorsten Kukuk * modules/pam_limits/limits.conf.5.xml: Document that the kernel can refuse values out of range for the local system. * modules/pam_limits/pam_limits.c (setup_limits): Log if setrlimit fails. --- modules/pam_limits/limits.conf.5.xml | 14 +++++-- modules/pam_limits/pam_limits.c | 80 ++++++++++++++++++++++++++++++++++-- 2 files changed, 88 insertions(+), 6 deletions(-) (limited to 'modules') diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml index aabcf2cc..a9757a7f 100644 --- a/modules/pam_limits/limits.conf.5.xml +++ b/modules/pam_limits/limits.conf.5.xml @@ -230,10 +230,17 @@ - All items support the values -1, + All items support the values -1, unlimited or infinity indicating no limit, except for priority and nice. + + If a hard limit or soft limit of a resource is set to a valid value, + but outside of the supported range of the local system, the system + may reject the new limit or unexpected behavior may occur. If the + control value required is used, the module will + reject the login if a limit could not be set. + In general, individual limits have priority over group limits, so if you impose no limits for admin group, but one of @@ -251,8 +258,8 @@ - after which the rest of the line is ignored. - The pam_limits module does its best to report configuration problems - found in its configuration file via + The pam_limits module does report configuration problems + found in its configuration file and errors via syslog3. @@ -281,6 +288,7 @@ ftp hard nproc 0 pam.d5, pam8, getrlimit2 + getrlimit3p diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c index f1e29b85..f446f9e3 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c 
@@ -42,7 +42,7 @@ #include #ifdef HAVE_LIBAUDIT -#include +#include #endif /* Module defines */ @@ -141,6 +141,73 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, return ctrl; } +static const char * +rlimit2str (int i) +{ + switch (i) { + case RLIMIT_CPU: + return "cpu"; + break; + case RLIMIT_FSIZE: + return "fsize"; + break; + case RLIMIT_DATA: + return "data"; + break; + case RLIMIT_STACK: + return "stack"; + break; + case RLIMIT_CORE: + return "core"; + break; + case RLIMIT_RSS: + return "rss"; + break; + case RLIMIT_NPROC: + return "nproc"; + break; + case RLIMIT_NOFILE: + return "nofile"; + break; + case RLIMIT_MEMLOCK: + return "memlock"; + break; +#ifdef RLIMIT_AS + case RLIMIT_AS: + return "as"; + break; +#endif +#ifdef RLIMIT_LOCKS + case RLIMIT_LOCKS: + return "locks"; + break; +#endif +#ifdef RLIMIT_SIGPENDING + case RLIMIT_SIGPENDING: + return "sigpending"; + break; +#endif +#ifdef RLIMIT_MSGQUEUE + case RLIMIT_MSGQUEUE: + return "msgqueue"; + break; +#endif +#ifdef RLIMIT_NICE + case RLIMIT_NICE: + return "nice"; + break; +#endif +#ifdef RLIMIT_RTPRIO + case RLIMIT_RTPRIO: + return "rtprio"; + break; +#endif + default: + return "UNKNOWN"; + break; + } +} + #define LIMITED_OK 0 /* limit setting appeared to work */ #define LIMIT_ERR 1 /* error setting a limit */ @@ -416,8 +483,8 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, if (int_value < -20) int_value = -20; rlimit_value = 20 - int_value; -#endif break; +#endif } if ( (limit_item != LIMIT_LOGIN) @@ -575,6 +642,8 @@ static int setup_limits(pam_handle_t *pamh, int retval = LIMITED_OK; for (i=0, status=LIMITED_OK; ilimits[i].supported) { /* skip it if its not known to the system */ continue; 
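Review bot: Every `return` in the new rlimit2str() switch is followed by a `break;` that can never execute, which makes the cases read as if they were meant to share code after the switch; dropping the dead `break;` lines (or returning once after the switch) states the intent plainly. The helper also has no comment, and since it is the only place the RLIMIT_* indexes are mapped to the names admins see in syslog, a one-liner above it would help: `/* Name of an RLIMIT_* index for log messages; "UNKNOWN" for resources this build does not know about. */`. The ifdef'd cases only cover the resources the rest of this file knows, so a caller that logs only the string will print "UNKNOWN" with no way to tell which index failed; consider having callers log the numeric `i` next to the name. The include change in the first hunk is not readable here (the header names were stripped), so I cannot review it.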
@@ -586,7 +655,11 @@ static int setup_limits(pam_handle_t *pamh,
 }
 if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
 pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
- status |= setrlimit(i, &pl->limits[i].limit);
+ res = setrlimit(i, &pl->limits[i].limit);
+ if (res != 0)
+ pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
+ rlimit2str(i));
+ status |= res;
 }
 if (status) {
@@ -595,6 +668,7 @@ static int setup_limits(pam_handle_t *pamh,
 status = setpriority(PRIO_PROCESS, 0, pl->priority);
 if (status != 0) {
+ pam_syslog(pamh, LOG_ERR, "Could not set limit for PRIO_PROCESS: %m");
 retval = LIMIT_ERR;
 }
-- 
cgit v1.2.3
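Review bot: The `%m` in the new pam_syslog() call only reports setrlimit()'s error if errno survives until vsyslog formats the message, but pam_syslog builds its "module(service:type)" prefix (item lookup, string formatting, openlog) before that point, and its implementation is not visible here, so it is safer to capture the value first: `int saved_errno = errno;` right after `res = setrlimit(i, &pl->limits[i].limit);` and log with `strerror(saved_errno)` instead of `%m`. The message would also be far more useful for the out-of-range rejections the manpage hunk describes if it included what was requested, e.g. `"Could not set limit for '%s' (soft=%llu, hard=%llu): %s"` with both rlim_t fields cast to `unsigned long long`. The declaration of `res` is not in this hunk (it presumably lands in the preceding one), and setup_limits() starts and ends outside the hunk.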
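Review bot: The added message `"Could not set limit for PRIO_PROCESS: %m"` describes a setpriority() failure as a limit, which will mislead an admin grepping for the priority/nice entry in limits.conf; `"Could not set priority to %d: %m", pl->priority` names the operation and the requested value. As with any `%m` passed through a logging wrapper, errno may be overwritten while pam_syslog formats its prefix, so copying errno into a local immediately after setpriority() and printing `strerror()` of it is the robust form. setup_limits() continues past the end of this hunk, so the handling of `retval` after this point is not visible.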