[rsbac] RSBAC RES Module

Chirag Pandya cpandya at gmail.com
Tue Jun 14 19:43:22 CEST 2005


I can't get RSBAC RES settings to propagate correctly over su.  I
am using pam-0.75.  I have the line "session required pam_limits.so"
in  /etc/pam.d/su, /etc/pam.d/login and /etc/pam.d/system-auth

I run the script below to set some RES values for all users and
override default values for some power users.

#!/bin/bash
# Limit User Resources

# default permissions for all users
# limit max datasize to 100M
# attr_set_user RES 4294967292 res_max data 102400
# limit max filesize to 10M (10485760 bytes = 10240 1K blocks in ulimit -f)
attr_set_user RES 4294967292 res_max fsize 10485760
# limit max number of processes to 100
attr_set_user RES 4294967292 res_max nproc 100
# limit max number of open files to 100
attr_set_user RES 4294967292 res_max nofile 100

# Override settings for "power users" giving them unlimited resources
while read user; do
       [[ $user = \#* || $user = "" ]] && continue

       echo "Set RES $user: full resources"
       attr_set_user RES $user res_max fsize 0
       attr_set_user RES $user res_max nproc 0
       attr_set_user RES $user res_max nofile 0
done << POWER_USER_LIST
root
fwadmin
POWER_USER_LIST

Here is the output I get when I log in and then su to a "Power User":
login as: user1
Password:
Last login: Sat Jun 11 01:21:52 2005 from 172.26.100.42
-sh-2.05b$ ulimit -a
core file size        (blocks, -c) 0
data seg size         (kbytes, -d) unlimited
file size             (blocks, -f) 10240
max locked memory     (kbytes, -l) 32
max memory size       (kbytes, -m) unlimited
open files                    (-n) 100
pipe size          (512 bytes, -p) 8
stack size            (kbytes, -s) 8192
cpu time             (seconds, -t) unlimited
max user processes            (-u) 100
virtual memory        (kbytes, -v) unlimited
-sh-2.05b$ su -l fwadmin
Password:
-sh-2.05b$ ulimit -a
core file size        (blocks, -c) 0
data seg size         (kbytes, -d) unlimited
file size             (blocks, -f) 10240
max locked memory     (kbytes, -l) 32
max memory size       (kbytes, -m) unlimited
open files                    (-n) 100
pipe size          (512 bytes, -p) 8
stack size            (kbytes, -s) 8192
cpu time             (seconds, -t) unlimited
max user processes            (-u) 100
virtual memory        (kbytes, -v) unlimited

As you can see, fwadmin inherits settings for user1.  I tried to
create a large file for fwadmin and the limits were enforced.

If I use login and allow fwadmin to log in directly, he does end up
with unlimited resources as configured.

Is this a "su" bug?  Has anyone else seen this behaviour?

Chirag Pandya
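The check below is an added example and is not part of the original post or of RSBAC. It turns the manual "ulimit -a" comparison above into a script: it reads the limits the current shell actually reports and compares them with the values the RES script in the post was meant to configure for that user, so an inherited limit after "su -l" shows up as a mismatch instead of being noticed only when a large file fails to write. Assumptions: the expectation table mirrors the post's script (root and fwadmin unlimited, everyone else fsize 10485760 bytes, nproc 100, nofile 100), RSBAC's 0 is reported by bash as "unlimited", and "ulimit -a" prints in the format shown in the post. The embedded listing is constructed from the post's own output after "su -l fwadmin".

```sh
#!/bin/sh
# Added example, not from the original post or from RSBAC: verify that the
# resource limits a shell actually reports (ulimit -a) match the per-user
# values the RES script in the post was meant to set. Run it in the shell
# you get after login or after "su -l USER":
#     ulimit -a | sh check_limits.sh USER
# A non-zero exit means at least one limit was inherited or left unset.

# Values the post's script configures (assumption: this table mirrors that
# script). RSBAC RES uses 0 for "no limit"; bash prints that as "unlimited".
# fsize is compared in 1024-byte blocks, the unit "ulimit -f" reports.
expected_limit() {  # $1 = user, $2 = fsize|nproc|nofile
    case "$1" in
        root|fwadmin) echo unlimited ;;          # power users: no limits
        *)
            case "$2" in
                fsize)  echo 10240 ;;            # 10485760 bytes / 1024
                nproc)  echo 100 ;;
                nofile) echo 100 ;;
                *)      echo unknown ;;
            esac ;;
    esac
}

# Pull one value out of "ulimit -a" text read on stdin. The listing prints
# the option letter just before the value, e.g. "(blocks, -f) 10240" or
# "(-n) 100", so match the field ending in "-LETTER)" and print the next one.
actual_limit() {  # $1 = fsize|nproc|nofile
    case "$1" in
        fsize)  letter=f ;;
        nproc)  letter=u ;;
        nofile) letter=n ;;
        *)      return 1 ;;
    esac
    awk -v pat="-$letter"'[)]$' '{
        for (i = 1; i <= NF; i++) if ($i ~ pat) print $(i + 1)
    }'
}

# Compare every limit for one user. Prints each mismatch; returns 0 only
# when all three values match the expectation table.
check_limits() {  # $1 = user, $2 = text of "ulimit -a"
    status=0
    for name in fsize nproc nofile; do
        want=$(expected_limit "$1" "$name")
        have=$(printf '%s\n' "$2" | actual_limit "$name")
        if [ "$want" != "$have" ]; then
            echo "MISMATCH $1 $name: expected $want, got ${have:-<missing>}"
            status=1
        fi
    done
    return $status
}

# Constructed sample: the "ulimit -a" listing from the post after
# "su -l fwadmin", which still shows user1's limits.
SAMPLE_AFTER_SU='core file size        (blocks, -c) 0
data seg size         (kbytes, -d) unlimited
file size             (blocks, -f) 10240
max locked memory     (kbytes, -l) 32
max memory size       (kbytes, -m) unlimited
open files                    (-n) 100
pipe size          (512 bytes, -p) 8
stack size            (kbytes, -s) 8192
cpu time             (seconds, -t) unlimited
max user processes            (-u) 100
virtual memory        (kbytes, -v) unlimited'

# Read real output from stdin when a user name is given; otherwise
# demonstrate on the constructed sample (three mismatches for fwadmin).
if [ -n "${1:-}" ]; then
    check_limits "$1" "$(cat)"
else
    check_limits fwadmin "$SAMPLE_AFTER_SU" || echo "limits were inherited across su"
fi
```

Running it as user1 before the su should report nothing, and running it as fwadmin after "su -l fwadmin" should report the three inherited values; the same check after a direct login as fwadmin is the control that separates a su/PAM problem from a RES configuration problem.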