On Thu, 29 Nov 2018, Pavel Troller wrote:

> Hello,
> I'm trying to implement setting of user limits (ulimit) in sshd. I'm
> not using PAM so I need it in the sshd itself. The task is very simple -
> just to put one line calling setup_limits(pw); and link with -lshadow.
> But the problem is, where to put this line. I did it in session.c,
> in do_child(), like this:
>
> #ifdef HAVE_OSF_SIA
>         session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty);
>         if (!check_quietlogin(s, command))
>                 do_motd();
> #else /* HAVE_OSF_SIA */
>         /* When PAM is enabled we rely on it to do the nologin check */
>         if (!options.use_pam) {
>                 do_nologin(pw);
>                 setup_limits(pw); /* Setting up user limits */
>         }
>         do_setusercontext(pw);
>         /*
>          * PAM session modules in do_setusercontext may have
>          * generated messages, so if this is an interactive
>          * login then display them too.
>          */
>         if (!check_quietlogin(s, command))
>                 display_loginmsg();
>
> But I found a problem - in this place the code is already running with
> the user privileges, so the limits file (/etc/limits) is unreadable for
> it (normally it's owned by root with privs 600). If I chmod to 644
> or chown to the user trying to log in, it can be read and the limits are
> set. To be honest I don't understand, why it's happening before calling
> do_setusercontext(pw), but it is.
> I would need a better place, where to put this call, already in the child
> process but still running with root privs.

You should read the file in ssh.c:privsep_postauth() just after the
/* child */ comment (sshd still has root privs there) but actually apply
the limits where you have them in do_child().

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
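The two-phase pattern recommended in the reply (read the root-only limits file while the child still has root privileges, then apply the limits after the switch to the user) as an added, self-contained C example. This is not code from the thread, from OpenSSH or from libshadow: `read_user_limits()`, `apply_user_limits()` and `current_soft_limit()` are names chosen here, the embedded limits text is constructed, and its one-letter format (F = max file size in KB, C = max core size in KB, N = max open files) is a simplified format of my own, not the parser behind libshadow's `setup_limits()`. The apply step only lowers soft limits and caps them at the current hard limit, so it can never fail by trying to raise a limit from an unprivileged process.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* One parsed limit: which rlimit to touch and the value (bytes or count). */
struct limit_spec {
    int resource;
    rlim_t value;
};

/* Constructed stand-in for a root-only /etc/limits (not real data).
 * Simplified format chosen for this example: "user LETTER<value> ...".
 *   F = max file size in KB, C = max core size in KB, N = max open files. */
static const char CONSTRUCTED_LIMITS_FILE[] =
    "# user   limits\n"
    "alice    F10240 C0 N64\n"
    "bob      N32\n";

/* Map a format letter to an rlimit resource and a scale factor to bytes. */
static int letter_to_resource(char c, int *resource, rlim_t *scale)
{
    switch (c) {
    case 'F': *resource = RLIMIT_FSIZE;  *scale = 1024; return 0;
    case 'C': *resource = RLIMIT_CORE;   *scale = 1024; return 0;
    case 'N': *resource = RLIMIT_NOFILE; *scale = 1;    return 0;
    default:  return -1;
    }
}

/* Phase 1: run while still privileged (the privsep_postauth() stage in the
 * reply). Finds the user's line and parses it into limit_spec entries.
 * Returns the number of entries parsed, or -1 if the user has no line.
 * Malformed or unknown tokens are skipped rather than trusted. */
int read_user_limits(const char *file_text, const char *user,
                     struct limit_spec *out, size_t max)
{
    char *copy = strdup(file_text);   /* strtok_r modifies its input */
    if (copy == NULL)
        return -1;
    size_t n = 0;
    int found = 0;
    char *lines = NULL;
    for (char *line = strtok_r(copy, "\n", &lines); line != NULL;
         line = strtok_r(NULL, "\n", &lines)) {
        if (line[0] == '#')
            continue;                 /* comment line */
        char *fields = NULL;
        char *name = strtok_r(line, " \t", &fields);
        if (name == NULL || strcmp(name, user) != 0)
            continue;
        found = 1;
        char *tok;
        while ((tok = strtok_r(NULL, " \t", &fields)) != NULL && n < max) {
            int res;
            rlim_t scale;
            if (tok[1] == '\0' || letter_to_resource(tok[0], &res, &scale) != 0)
                continue;             /* unknown letter or missing number */
            char *end;
            unsigned long v = strtoul(tok + 1, &end, 10);
            if (*end != '\0')
                continue;             /* trailing garbage in the number */
            out[n].resource = res;
            out[n].value = (rlim_t)v * scale;
            n++;
        }
        break;                        /* first matching line wins */
    }
    free(copy);
    return found ? (int)n : -1;
}

/* Phase 2: run after the privilege drop (the do_child() stage). Sets only
 * the soft limit, capped at the hard limit already in force, so an
 * unprivileged process never attempts to raise a limit. */
int apply_user_limits(const struct limit_spec *specs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        struct rlimit rl;
        if (getrlimit(specs[i].resource, &rl) != 0)
            return -1;
        rlim_t want = specs[i].value;
        if (rl.rlim_max != RLIM_INFINITY && want > rl.rlim_max)
            want = rl.rlim_max;
        rl.rlim_cur = want;
        if (setrlimit(specs[i].resource, &rl) != 0)
            return -1;
    }
    return 0;
}

/* Query helper so a caller can confirm what is now in force. */
rlim_t current_soft_limit(int resource)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return (rlim_t)-1;
    return rl.rlim_cur;
}

int main(void)
{
    struct limit_spec specs[8];
    int n = read_user_limits(CONSTRUCTED_LIMITS_FILE, "alice", specs, 8);
    if (n < 0) {
        fprintf(stderr, "no limits entry for user\n");
        return 1;
    }
    /* In sshd the switch to the user (do_setusercontext) sits between the
     * two phases; this demo simply keeps the parsed entries across it. */
    if (apply_user_limits(specs, (size_t)n) != 0) {
        perror("setrlimit");
        return 1;
    }
    printf("applied %d limits; RLIMIT_NOFILE soft limit is now %llu\n",
           n, (unsigned long long)current_soft_limit(RLIMIT_NOFILE));
    return 0;
}
```

The point of splitting the work this way is that the parsed `limit_spec` array is the only thing that has to cross the privilege boundary; the file itself is opened only while the process is still root, and nothing in the unprivileged phase needs read access to it.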