pam_limits and OpenSSH

Nalin Dahyabhai nalin at redhat.com
Thu Sep 6 07:31:10 EST 2001


On Wed, Sep 05, 2001 at 04:53:05PM +0300, Ognyan Kulev wrote:
> Perhaps the daemon first sets process limits and then switches to the 
> user and/or fork().  But fork() cannot succeed because there is a 
> process number limit to 40 that is applied to root.  This is my 
> hypothesis.  I didn't look at sources.  What you think about all this? 
> Do you need more information?  I use Debian GNU/Linux potato and OpenSSH 
> 1.2.3-9.3.

This is exactly the case.  The process limit is set while the server
is still running as the superuser, so it can't fork() to start the
child (which would then do a setuid() to the user's ID).

Opening the PAM session after performing the fork() and setuid() fixes
this for pam_limits, but breaks other modules which expect to be running
with superuser privileges when their pam_open_session() handlers are
called.  This was the crux of the whole pam_open_session mess from a few
months ago -- my apologies for setting it in motion.

Other process limits are going to have similar effects on sshd, and I
don't see a clean way to handle process limits within PAM in this case.

Hope this cleared things up a bit,

Nalin



More information about the openssh-unix-dev mailing list