bugzilla-daemon at mindrot.org
2002-Jan-29 12:47 UTC
[Bug 83] New: fork() fails when there are PAM limits set
http://bugzilla.mindrot.org/show_bug.cgi?id=83
Summary: fork() fails when there are PAM limits set
Product: Portable OpenSSH
Version: 3.0.2p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: vasil at dobrich.net
Background: Debian woody, kernel 2.4.17
The problem is, when you set some resource limits in /etc/security/limits.conf for group X - nproc 20 ( maximum of running user processes - 20 ), and try to log with some user with group X, sshd says 'fork failed - resource temporary unavailable'. There are no other processes running for this user, and as far as I've seen, it makes something like authenticate-set limits-fork()-setuid(), and because there is a moment when it's running under root with really lowered limits, it bombs out.
Any solutions?
Matthew Vernon
2002-Jan-31 09:54 UTC
[Bug 83] New: fork() fails when there are PAM limits set
bugzilla-daemon at mindrot.org writes:
> The problem is, when you set some resource limits in /etc/security/limits.conf
> for group X - nproc 20 ( maximum of running user processes - 20 ), and try to
> log with some user with group X, sshd says 'fork failed - resource temporary
> unavailable'. There are no other processes running for this user, and as far as
> I've seen, it makes something like authenticate-set limits-fork()-setuid(), and
> because there is a moment when it's running under root with really lowered
> limits, it bombs out.
> Any solutions?
My understanding of this is that it's a result of a fundamental mis-design of PAM - you have to do the entire PAM conversation in one go (as root), so this sort of PAM-based limiting is always going to be prone to this sort of error.
Matthew
--
"At least you know where you are with Microsoft."
"True. I just wish I'd brought a paddle."
http://www.debian.org
Darren Moffat
2002-Jan-31 18:03 UTC
[Bug 83] New: fork() fails when there are PAM limits set
>> The problem is, when you set some resource limits in /etc/security/limits.conf
>> for group X - nproc 20 ( maximum of running user processes - 20 ), and try to
>> log with some user with group X, sshd says 'fork failed - resource temporary
>> unavailable'. There are no other processes running for this user, and as far as
>> I've seen, it makes something like authenticate-set limits-fork()-setuid(), and
>> because there is a moment when it's running under root with really lowered
>> limits, it bombs out.
>> Any solutions?
>
>My understanding of this is that it's a result of a fundamental
>mis-design of PAM - you have to do the entire PAM conversation in one
>go (as root), so this sort of PAM-based limiting is always going to be
>prone to this sort of error.
No. There is nothing wrong with the PAM API. The problem here is misconfiguration of a particular PAM module provided by some Linux distributions and how it interacts with OpenSSH. The problem is the module, not the PAM API.
--
Darren J Moffat