bugzilla-daemon at mindrot.org
2002-Jan-31 10:46 UTC
[Bug 83] fork() fails when there are PAM limits set
http://bugzilla.mindrot.org/show_bug.cgi?id=83 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Version|3.0.2p1 |-current ------- Additional Comments From djm at mindrot.org 2002-01-31 21:46 ------- I'm putting some replies from the openssh-unix-dev mailing list into the bug so we capture the history in one place. On Thu, 2002-01-31 at 21:11, Frank Cusack wrote:> On Thu, Jan 31, 2002 at 09:54:36AM +0000, Matthew Vernon wrote: > > My understanding of this is that it's a result of a fundamental > > mis-design of PAM - you have to do the entire PAM conversation in one > > go (as root), so this sort of PAM-based limiting is always going to be > > prone to this sort of error. > > I don't see how this is a problem with PAM? You do have to do the > entire conversation in one go, but not as root (other than a possible > requirement for access to some resources like /etc/shadow -- but, eg, > with krb5 you MUST NOT be root when doing PAM auth). Regardless, why > would PAM trip up here, and why would the conversation matter? Limits > such as described would not be managed during pam_authenticate() (when the > conversation happens). Perhaps I am not familiar enough with nuances > of debian's PAM implementation.The problem is that we call pam_session as root, before we fork the child. Therefore the server picks up the limits, rather than the child. I recall that we tried moving the pam_session call to the child a while (~18 months) ago to avoid this problem, but other stuff broke much worse. IIRC the breakage was because we did pam_session stuff in one process (as non-root) and then did cleanup in another process (as root). A possible way around this is with a gratuitous fork() before we call pam_session, but that is pretty ugly. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
Possibly Parallel Threads
- [Bug 83] PAM limits applied incorrectly (pam_session being called as non-root)
- [Bug 83] New: fork() fails when there are PAM limits set
- [Bug 83] PAM limits applied incorrectly (pam_session being called as non-root)
- [Bug 83] PAM limits applied incorrectly (pam_session being called as non-root)
- [Bug 83] PAM limits applied incorrectly (pam_session being called as non-root)