pam_limits and OpenSSH
Wojtek Pilorz
wpilorz at bdk.pl
Sat Sep 8 00:05:11 EST 2001
On Wed, 5 Sep 2001, Nalin Dahyabhai wrote:
> Date: Wed, 5 Sep 2001 17:31:10 -0400
> From: Nalin Dahyabhai <nalin at redhat.com>
> To: Ognyan Kulev <ogi at fmi.uni-sofia.bg>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: pam_limits and OpenSSH
>
> On Wed, Sep 05, 2001 at 04:53:05PM +0300, Ognyan Kulev wrote:
> > Perhaps the daemon first sets process limits and then switches to the
> > user and/or fork(). But fork() cannot succeed because there is a
> > process number limit to 40 that is applied to root. This is my
> > hypothesis. I didn't look at sources. What do you think about all this?
> > Do you need more information? I use Debian GNU/Linux potato and OpenSSH
> > 1.2.3-9.3.
>
> This is exactly the case. The process limit is set while the server
> is still running as the superuser, so it can't fork() to start the
> child (which would then do a setuid() to the user's ID).
>
> Opening the PAM session after performing the fork() and setuid() fixes
> this for pam_limits, but breaks other modules which expect to be running
> with superuser privileges when their pam_open_session() handlers are
So what about opening the PAM session after performing fork but before
setuid()? Would it be correct?
> called. This was the crux of the whole pam_open_session mess from a few
> months ago -- my apologies for setting it in motion.
>
> Other process limits are going to have similar effects on sshd, and I
> don't see a clean way to handle process limits within PAM in this case.
>
> Hope this cleared things up a bit,
>
> Nalin
>
Best regards,
Wojtek