[Bug 83] New: fork() fails when there are PAM limits set

Frank Cusack fcusack at fcusack.com
Thu Jan 31 21:11:13 EST 2002


On Thu, Jan 31, 2002 at 09:54:36AM +0000, Matthew Vernon wrote:
> bugzilla-daemon at mindrot.org writes:
> 
> >  The problem is, when you set some resource limits in /etc/security/limits.conf
> > for group X - nproc 20 ( maximum of running user processes - 20 ), and try to
> > log with some user with group X, sshd says 'fork failed - resource temporary
> > unavailable'. There are no other processes running for this user, and as far as
> > I've seen, it makes something like authenticate-set limits-fork()-setuid(), and
> > because there is a moment when it's running under root with really lowered
> > limits, it bombs out. 
> >   Any solutions?
> 
> My understanding of this is that it's a result of a fundamental
> mis-design of PAM - you have to do the entire PAM conversation in one
> go (as root), so this sort of PAM-based limiting is always going to be
> prone to this sort of error.

I don't see how this is a problem with PAM?  You do have to do the
entire conversation in one go, but not as root (other than a possible
requirement for access to some resources like /etc/shadow -- but, e.g.,
with krb5 you MUST NOT be root when doing PAM auth).  Regardless, why
would PAM trip up here, and why would the conversation matter?  Limits
such as described would not be managed during pam_authenticate() (when the
conversation happens).  Perhaps I am not familiar enough with nuances
of Debian's PAM implementation.

/fc




More information about the openssh-unix-dev mailing list