similar to: [Bug 83] PAM limits applied incorrectly (pam_session being called as non-root)

http://bugzilla.mindrot.org/show_bug.cgi?id=83 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |misiek at pld.org.pl Summary|PAM limits applied |PAM limits applied |incorrectly

http://bugzilla.mindrot.org/show_bug.cgi?id=83 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Component|sshd |PAM support ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=83 ------- Additional Comments From dtucker at zip.com.au 2003-09-15 12:13 ------- Hey, isn't this fixed in -current? do_pam_session is now called before permanently_set_uid. Could you please try a snapshot? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=83 ------- Additional Comments From djm at mindrot.org 2003-03-10 15:49 ------- Created an attachment (id=247) --> (http://bugzilla.mindrot.org/attachment.cgi?id=247&action=view) Call pam_session after child fork() Hopefully this patch will allow people to gather the feedback necessary to close this bug. ------- You are receiving this

http://bugzilla.mindrot.org/show_bug.cgi?id=83 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|fork() fails when there are |PAM limits applied |PAM limits set |incorrectly ------- You are receiving this mail because: ------- You

http://bugzilla.mindrot.org/show_bug.cgi?id=83 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Version|3.0.2p1 |-current ------- Additional Comments From djm at mindrot.org 2002-01-31 21:46 ------- I'm putting some replies from the

http://bugzilla.mindrot.org/show_bug.cgi?id=354 Summary: sshd with privsep doesn't do pam session setup properly Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org

http://bugzilla.mindrot.org/show_bug.cgi?id=301 ------- Additional Comments From misiek at pld.org.pl 2002-10-16 10:14 ------- Of course this bug is not fixed even in latest 3.5 release :-( PAM really _needs_ root priviledges. Any comments? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=83 Summary: fork() fails when there are PAM limits set Product: Portable OpenSSH Version: 3.0.2p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy:

With OpenSSH 2.9.9p2 as the server, I'm not able to do scp or "ssh machinename command" in general to any of my Suns! I tracked this down a bit; the problem occurs only when PAM support is enabled. However, if I remove line 430 of session.c, "do_pam_session(s->pw->pw_name, NULL);" inside of do_exec_no_pty, the problem goes away. It looks like the following entry

http://bugzilla.mindrot.org/show_bug.cgi?id=301 Summary: In openssh 3.3 and 3.4 pam session seems be called from non-root Product: Portable OpenSSH Version: -current Platform: All OS/Version: Linux Status: NEW Severity: critical Priority: P3 Component: sshd AssignedTo:

http://bugzilla.mindrot.org/show_bug.cgi?id=301 ------- Additional Comments From ldv at altlinux.org 2002-06-27 03:09 ------- In your case, to make pam_limits work, use "ulimit -Sc 0" instead of "ulimit -c 0". ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

Beyond any more general questions of whether pam sessions *should* be run as root, is there an immediate security concern with moving the pam_open_session (and pam_setcred) stuff to the parent (root) process? (E.g., via the patch below.) -- Mike Stone diff -u -r1.4 auth-pam.c --- auth-pam.c 25 Jun 2002 00:45:33 -0000 1.4 +++ auth-pam.c 25 Jun 2002 20:33:41 -0000 @@ -286,6 +286,8 @@

heres a fix for pam support im openssh, inline and attached.. openssh calls do_pam_session early, before a fork(). it does this on the proc still running as root, so it checks the users limits, against what root has running, and depending on limits can fail at the fork() (and almost always does). this patch moves it past the fork. ive been running it for a couple of weeks and everything seems

http://bugzilla.mindrot.org/show_bug.cgi?id=331 ------- Additional Comments From djm at mindrot.org 2003-01-07 18:23 ------- 3 months, no followup == no bug ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

With the sshd in recent releases of OpenSSH, some Red Hat Linux systems complain about ulimit trying to raise a limit when logging in via ssh. The problem is that packages/redhat/sshd.pam doesn't do limit checking for an sshd session. The attached patch adds the pam_limits module to the sshd session, which checks for limits set in /etc/security/limits.conf. This works on Red Hat Linux 5.2

Hello all, On Redhat 6.2, the PAM_unix module logs the session opening, but not the session closing. This was logged as of 2.3.0p1. Upgrading to 2.5.1p1 makrs the start of the problem. Thanks in advance, Victor -- Victor J. Orlikowski ====================== v.j.orlikowski at gte.net orlikowski at apache.org vjo at us.ibm.com

http://bugzilla.mindrot.org/show_bug.cgi?id=354 ------- Additional Comments From cjwatson at debian.org 2003-01-03 02:42 ------- Alternatively, perhaps sshd could be configured to setrlimit() everything up to RLIM_INFINITY after forking but before giving up root privileges. It could then rely on pam_limits to set limits back down if the administrator wants that, which would work even with

I like the new difftime functionality. Here's a dataframe of 5k run times: > r5k race date totaltime pace mile 1 RUDOLPH 2004-12-03 19:00:00 27.76667 mins 8.937224 mins 3.106856 2 RUDOLPH 2005-12-02 18:30:00 25.28333 mins 8.137916 mins 3.106856 3 FROSTBITE 2005-12-10 07:00:00 24.75000 mins 7.966253 mins 3.106856 4 JUDICATA 2006-03-04

http://bugzilla.mindrot.org/show_bug.cgi?id=120 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |enhancement Keywords| |help-wanted ------- You are receiving this mail because: ------- You are