[rsbac] RSBAC RES Module
Chirag Pandya
cpandya at gmail.com
Tue Jun 14 19:43:22 CEST 2005
I can't get RSBAC RES settings to propagate correctly over su. I
am using pam-0.75. I have the line "session required pam_limits.so"
in /etc/pam.d/su, /etc/pam.d/login and /etc/pam.d/system-auth.
I run the script below to set some RES values for all users and
override default values for some power users.
#!/bin/bash
# Limit User Resources
# default permissions for all users
# limit max datasize to 100M
# attr_set_user RES 4294967292 res_max data 102400
# limit max filesize to 100M
attr_set_user RES 4294967292 res_max fsize 10485760
# limit max number of processes to 100
attr_set_user RES 4294967292 res_max nproc 100
# limit max number of open files to 100
attr_set_user RES 4294967292 res_max nofile 100
# Override settings for "power users" giving them unlimited resources
while read -r user; do
    # skip comment lines and blank lines in the list
    [[ $user = \#* || $user = "" ]] && continue
    echo "Set RES $user: full resources"
    attr_set_user RES "$user" res_max fsize 0
    attr_set_user RES "$user" res_max nproc 0
    attr_set_user RES "$user" res_max nofile 0
done << POWER_USER_LIST
root
fwadmin
POWER_USER_LIST
Here is the output I get when I log in and then su to a "Power User":
login as: user1
Password:
Last login: Sat Jun 11 01:21:52 2005 from 172.26.100.42
-sh-2.05b$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) 10240
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 100
pipe size (512 bytes, -p) 8
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 100
virtual memory (kbytes, -v) unlimited
-sh-2.05b$ su -l fwadmin
Password:
-sh-2.05b$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) 10240
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 100
pipe size (512 bytes, -p) 8
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 100
virtual memory (kbytes, -v) unlimited
As you can see, fwadmin inherits settings for user1. I tried to
create a large file for fwadmin and the limits were enforced.
If I use login and allow fwadmin to log in directly, he does end up
with unlimited resources as configured.
Is this a "su" bug? Has anyone else seen this behaviour?
Chirag Pandya
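
A check for the symptom reported above, as an added example that is not part of the original post: it compares a `ulimit -a` listing against the limits the RES configuration is expected to yield and reports each mismatch. The function names are hypothetical, and the mapping of the ulimit flags -f, -u and -n to the RES fsize, nproc and nofile values, with res_max 0 meaning unlimited, is an assumption taken from the post's script and output.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Post-su listing, abridged from the output quoted in the post above.
AFTER_SU='core file size (blocks, -c) 0
file size (blocks, -f) 10240
open files (-n) 100
max user processes (-u) 100'

# limit_value FLAG: read `ulimit -a` text on stdin, print the value for -FLAG.
# Fails (non-zero) when the listing has no line for that flag.
limit_value() {
    awk -v flag="-$1)" '
        NF >= 2 && substr($(NF-1), length($(NF-1)) - 2) == flag {
            print $NF; found = 1
        }
        END { exit !found }'
}

# check_limits LISTING FLAG=VALUE...: report every limit that differs from
# the expected value; succeeds only when all of them match.
check_limits() (
    listing=$1; shift
    bad=0
    for pair in "$@"; do
        flag=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$listing" | limit_value "$flag") || got=missing
        if [ "$got" != "$want" ]; then
            echo "MISMATCH -$flag: expected $want, got $got"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
)

# Expected for a power user: res_max 0, which the post treats as unlimited
# (assumption: -f, -u, -n correspond to RES fsize, nproc, nofile).
check_limits "$AFTER_SU" f=unlimited u=unlimited n=unlimited || true
# On a live session, pass "$(ulimit -a)" as the listing instead.
```

Run once after a direct login and once after su -l; a difference between the two results isolates the su path from the RES attribute values themselves.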