pam_limits and OpenSSH

Nalin Dahyabhai nalin at redhat.com
Sat Sep 8 07:21:10 EST 2001


On Fri, Sep 07, 2001 at 04:05:11PM +0200, Wojtek Pilorz wrote:
> > From: Nalin Dahyabhai <nalin at redhat.com>
> > Opening the PAM session after performing the fork() and setuid() fixes
> > this for pam_limits, but breaks other modules which expect to be running
> > with superuser privileges when their pam_open_session() handlers are
>
> So what about opening PAM session after performing fork but before
> setuid() ? Would it be correct ?

It's been a while since I looked at what's going on in that area of
the tree, but IIRC the child exec()s the user's shell, and opening
the session in the child makes it difficult for the parent to close
the session when the user logs out.  This depends on which modules
are in use, though -- some modules handle this sort of situation
just fine, while others will just fail.

Nalin
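
[Added example, not part of the original message and not OpenSSH or Linux-PAM code.] A minimal C model of the point in the reply above: session state recorded in the child after fork() is invisible to the parent that must later close the session. The handle struct, the two module kinds and all function names are hypothetical stand-ins for a PAM handle and its modules.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a PAM handle: it lives in per-process memory. */
struct handle { int session_data; };

/* Two hypothetical module styles: one keeps state between open and close. */
enum kind { STATELESS, STATEFUL };

static int mod_open(struct handle *h, enum kind k) {
    if (k == STATEFUL)
        h->session_data = 1;        /* remembered for the close handler */
    return 0;
}

static int mod_close(struct handle *h, enum kind k) {
    if (k == STATEFUL && !h->session_data)
        return -1;                  /* this process never saw the open */
    h->session_data = 0;
    return 0;
}

/* Returns the result of the parent's close: 0 on success, -1 on failure,
 * -2 if fork() itself failed. open_in_child selects the ordering. */
int run_session(enum kind k, int open_in_child) {
    struct handle h = {0};
    if (!open_in_child)
        mod_open(&h, k);            /* open before fork(), in the parent */
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        if (open_in_child)
            mod_open(&h, k);        /* changes only the child's copy of h */
        /* a real daemon would setuid() and exec() the user's shell here */
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);       /* the user "logs out" */
    return mod_close(&h, k);        /* parent closes the session */
}

int main(void) {
    printf("stateful,  open in parent: %d\n", run_session(STATEFUL, 0));
    printf("stateful,  open in child:  %d\n", run_session(STATEFUL, 1));
    printf("stateless, open in child:  %d\n", run_session(STATELESS, 1));
    return 0;
}
```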



More information about the openssh-unix-dev mailing list