Re: pam_limits broken in CVS...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 15 Mar 2002, Andrew Morgan wrote:

> I believe I may be to blame for this. (I'm also willing to take the
> blame.)
> 
> Here is the changelog entry:
> 
> * pam_limits can handle negative priority limits now (which can apply
>   to the superuser too) - based on patch from Nalin. Also cleanup the
>   error handling that was very sloppy before. Also, courtesy of Berend
>   De Schouwe get the math right on login counting (Bug 476990, 476987,
>   493294 - agmorgan)
> 
> It was Berend that got me to realize the basic problem:
> 
> http://sourceforge.net/tracker/index.php?func=detail&aid=493294&group_id=6663&atid=106663
> 
> The brief explanation is that some applications make a utmp entry before
> calling pam and others only after the user session has started. In this
> case the single definition in the system-wide limits file is ambiguous.
> 
> The solution I adopted was to change the default to be what I would like
> to see (no utmp entry before the session has started) and provide a
> 'utmp_early' module argument to provide with pam_limits.so . Does this
> help explain the reason for the change? (This is a fail-secure as
> opposed to a fail-open change.)

Login count for those 'smart' apps is ok, the problem is not 'off by
one'. The thing that kicked me was chnged behaviour of the
DEFAULT setting of max logins. '*' for login limit always meant 'every
user', now it's 'all users' which is a no-no.

*               hard    maxlogins       2

The above always meant 'each user can login twice', in current cvs it's
'only two logins allowed for the entire luserhood'.

> In the light of this, what do you want to do? (Without looking over the
> code again, I'm not clear on the priority setting patch. If you believe
> it is correct, and doesn't interfere with the -ve limits thing then file
> a bug report and commit the change.)

I fixed the priority setting in CVS, it was simple mistake
(missing assignment)

As for the max logins thing I'd like you and/or Nalin to check if the
fix is ok before applying it (it works for me :)

Jan
-- 
Jan Rękorajski            |  ALL SUSPECTS ARE GUILTY. PERIOD!
baggins<at>mimuw.edu.pl   |  OTHERWISE THEY WOULDN'T BE SUSPECTS, WOULD THEY?
BOFH, MANIAC              |                   -- TROOPS by Kevin Rubio





[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux