
Re: pam_limits error *updated*



On Mon, 2002-12-02 at 00:15, Michelle Storm wrote:
> I did find /etc/security/limits.conf <--- but it's totally commented out
> right after I sent this email.
> 
> 
> On Sun, Dec 01, 2002 at 09:09:21PM -0800, Michelle Storm wrote:
> > I hate being such a newbie to this, but what's this mean?
> > 
> > Security Violations
> > =-=-=-=-=-=-=-=-=-=
> > Dec  1 19:23:07 dragon pam_limits[987]: setrlimit limit #7 to soft=-1, hard=-1 failed: Operation not permitted; uid=0
> > +euid=0
> > Dec  1 19:39:09 dragon pam_limits[1171]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=1008
> > +euid=1008
> > Dec  1 19:39:09 dragon pam_limits[1171]: setrlimit limit #7 to soft=-1, hard=-1 failed: Operation not permitted; uid=1008
> > +euid=1008
> > 
> > It didn't start till a recent update, and I found a
> > /lib/security/pam_limits.so (can't edit this)
> > 
> > Trying to find out where else I might have to edit to fix this problem,
> > but I'm not sure exactly what it's trying to do?
> > 
> > Thanks
> > 
> > -- 
> > Michelle Alexia "Jade" Storm
> > Dragon Impersonating a Human and failing.
> 
> 
> -- 
> Michelle Alexia "Jade" Storm
> Dragon Impersonating a Human and failing.

Try grepping /etc/pam.d to see what is using pam_limits - I've included
the documentation from the Linux-PAM System Administrator's Guide
(Section 6.12) - HTH

Synopsis

Module Name:

    pam_limits
Authors:

    Cristian Gafton <gafton@redhat.com>
    Thanks are also due to Elliot Lee <sopwith@redhat.com> for his
comments on improving this module.
Maintainer:

    Cristian Gafton - 1996/11/20
Management groups provided:

    session
Cryptographically sensitive:
Security rating:
Clean code base:
System dependencies:

    requires an /etc/security/limits.conf file and kernel support for
resource limits. Also uses the library, libpwdb.
Network aware:

Overview of module

This module, through the Linux-PAM open-session hook, sets limits on the
system resources that can be obtained in a user-session. Its actions are
dictated more explicitly through the configuration file discussed below.
Session component

Recognized arguments:

    debug; conf=/path/to/file.conf; change_uid; utmp_early
Description:

    Through the contents of the configuration file,
/etc/security/limits.conf, resource limits are placed on users'
sessions. Users of uid=0 are not affected by this restriction.

    The behavior of this module can be modified with the following
arguments:

        * debug - verbose logging to syslog(3).
        * conf=/path/to/file.conf - indicate an alternative limits
configuration file to the default.
        * change_uid - change real uid to the user for whom the limits
are set up. Use this option if you have problems like login not forking
a shell for a user who has no processes. Be warned that something else
may break when you do this.
        * utmp_early - some broken applications actually allocate a utmp
entry for the user before the user is admitted to the system. If some of
the services you are configuring PAM for do this, you can selectively
use this module argument to compensate for this behavior and at the same
time maintain system-wide consistency with a single limits.conf file.

Examples/suggested usage:

    In order to use this module the system administrator must first
create a root-only-readable file (default is /etc/security/limits.conf).
This file describes the resource limits the superuser wishes to impose
on users and groups. No limits are imposed on uid=0 accounts.

    Each line of the configuration file describes a limit for a user in
the form:

<domain>     <type>       <item>               <value>

    The fields listed above should be filled as follows...
    <domain> can be:

        * a username
        * a groupname, with @group syntax
        * the wild-card *, for default entry
        * the wild-card %, for maxlogins limit only, can also be used
with %group syntax

    <type> can have the three values:

        * hard for enforcing hard resource limits. These limits are set
by the superuser and enforced by the Linux Kernel. The user cannot raise
his requirement of system resources above such values.
        * soft for enforcing soft resource limits. These limits are ones
that the user can move up or down within the permitted range by any
pre-existing hard limits. The values specified with this token can be
thought of as default values, for normal system usage.
        * - for enforcing both soft and hard limits together.

    <item> can be one of the following:

        * core - limits the core file size (KB)
        * data - max data size (KB)
        * fsize - maximum filesize (KB)
        * memlock - max locked-in-memory address space (KB)
        * nofile - max number of open files
        * rss - max resident set size (KB)
        * stack - max stack size (KB)
        * cpu - max CPU time (MIN)
        * nproc - max number of processes
        * as - address space limit
        * maxlogins - max number of logins for this user
        * maxsyslogins - max number of logins on system
        * priority - the priority to run user process with (negative
values boost process priority)
        * locks - max locked files (Linux 2.4 and higher)
        * chroot - directory to chroot user to

    Note, if you specify a type of ``-'' but neglect to supply the item
and value fields then the module will never enforce any limits on the
corresponding user/group-members etc. Note, the first entry of the
form which applies to the authenticating user will override all other
entries in the limits configuration file. In such cases, the pam_limits
module will always return PAM_SUCCESS.

    In general, individual limits have priority over group limits, so if
you impose no limits for admin group, but one of the members in this
group has a limits line, the user will have its limits set according to
this line.

    Also, please note that all limit settings are set per login. They
are not global, nor are they permanent; existing only for the duration
of the session.

    In the limits configuration file, the ``#'' character introduces a
comment - after which the rest of the line is ignored.

    The pam_limits module does its best to report configuration problems
found in its configuration file via syslog(3).

    The following is an example configuration file:

# EXAMPLE /etc/security/limits.conf file:
# =======================================
# <domain>   <type>       <item>               <value>
*               soft    core            0
*               hard    rss             10000
@student        hard    nproc           20
@faculty        soft    nproc           20
@faculty        hard    nproc           50
ftp             hard    nproc           0
ftp             -       chroot          /ftp
@student        -       maxlogins       4

    Note, the use of soft and hard limits for the same resource (see
@faculty) -- this establishes the default and permitted extreme level of
resources that the user can obtain in a given service-session.

    Note that the wild-cards * and % have the following meaning when used
for the maxlogins limit:

        * * every user
        * % all users, or entire group when %group is specified

    See the following examples:

# EXAMPLE /etc/security/limits.conf file:
# <domain>   <type>       <item>               <value>
*               -       maxlogins       2
@faculty        -       maxlogins       4
%               -       maxlogins       30
%student        -       maxlogins       10

    Explanation: every user can login 2 times, members of the faculty
group can login 4 times, there can be only 30 logins, only 10 from
students group.
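As an added example (not part of the original message or of the PAM guide text above), here is a small Python resolver for the limits.conf format just described: it parses the first example file and applies the documented precedence (a user line over a group line over the `*` default) to compute the soft/hard values a given user would get. The tie-break among equal-precedence lines, the treatment of a bare `<domain> -` line and the skipping of `%`/`%group` system-wide maxlogins entries are my assumptions for illustration, not a claim about pam_limits internals.

```python
SAMPLE_CONF = """
# constructed copy of the first example limits.conf quoted in the documentation
*               soft    core            0
*               hard    rss             10000
@student        hard    nproc           20
@faculty        soft    nproc           20
@faculty        hard    nproc           50
ftp             hard    nproc           0
ftp             -       chroot          /ftp
@student        -       maxlogins       4
"""

# Assumed precedence, taken from the prose above: a user line beats a group
# line, which beats the '*' default; among equals the later line wins.
PRECEDENCE = {"user": 0, "group": 1, "default": 2}

def parse_limits(text):
    """Yield (domain, type, item, value); '#' starts a comment, blanks skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) == 2 and fields[1] == "-":
            yield fields[0], "-", None, None      # bare "<domain> -" entry
            continue
        if len(fields) != 4 or fields[1] not in ("hard", "soft", "-"):
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        yield tuple(fields)

def effective_limits(text, user, groups):
    """Resolve the per-item soft/hard values that apply to user in groups."""
    resolved = {}  # item -> {"soft": (precedence, value), "hard": (...)}
    for domain, ltype, item, value in parse_limits(text):
        if domain == user:
            prec = PRECEDENCE["user"]
        elif domain.startswith("@") and domain[1:] in groups:
            prec = PRECEDENCE["group"]
        elif domain == "*":
            prec = PRECEDENCE["default"]
        else:
            continue  # not this user; '%' entries are system-wide login counts
        if item is None:  # bare "<domain> -" line
            if prec < PRECEDENCE["default"]:
                return {}  # "user -" or "@group -": no limits enforced at all
            continue
        slot = resolved.setdefault(item, {})
        for t in ("soft", "hard") if ltype == "-" else (ltype,):
            if t not in slot or prec <= slot[t][0]:
                slot[t] = (prec, value)
    return {i: {t: v for t, (_, v) in s.items()} for i, s in resolved.items()}
```

Running `effective_limits(SAMPLE_CONF, "ftp", set())` shows the `ftp` user getting `nproc` hard 0 and the `-` chroot entry expanded to both soft and hard `/ftp`, while a faculty member picks up the default core/rss lines plus the group's soft 20 / hard 50 nproc pair.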

    For the services that need resources limits (login for example) put
the following line in /etc/pam.conf as the last line for that service
(usually after the pam_unix session line):

#
# Resource limits imposed on login sessions via pam_limits
#
login   session    required     pam_limits.so


-- 
Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP
ML Kahnt New Markets Consulting
Tel: (613) 531-8684 / (613) 539-0935
Email: kahnt@hosehead.dyndns.org
