summaryrefslogtreecommitdiff
path: root/modules/pam_limits
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_limits')
-rw-r--r--modules/pam_limits/limits.conf.5.xml14
-rw-r--r--modules/pam_limits/pam_limits.c80
2 files changed, 88 insertions, 6 deletions
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
index aabcf2cc..a9757a7f 100644
--- a/modules/pam_limits/limits.conf.5.xml
+++ b/modules/pam_limits/limits.conf.5.xml
@@ -230,11 +230,18 @@
</variablelist>
<para>
- All items support the values <emphasis>-1</emphasis>,
+ All items support the values <emphasis>-1</emphasis>,
<emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit,
except for <emphasis remap='B'>priority</emphasis> and <emphasis remap='B'>nice</emphasis>.
</para>
<para>
+ If a hard limit or soft limit of a resource is set to a valid value,
+ but outside of the supported range of the local system, the system
+ may reject the new limit or unexpected behavior may occur. If the
+ control value <emphasis>required</emphasis> is used, the module will
+ reject the login if a limit could not be set.
+ </para>
+ <para>
In general, individual limits have priority over group limits, so if
you impose no limits for <emphasis>admin</emphasis> group, but one of
the members in this group have a limits line, the user will have its
@@ -251,8 +258,8 @@
- after which the rest of the line is ignored.
</para>
<para>
- The pam_limits module does its best to report configuration problems
- found in its configuration file via <citerefentry>
+ The pam_limits module does report configuration problems
+ found in its configuration file and errors via <citerefentry>
<refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
</para>
</refsect1>
@@ -281,6 +288,7 @@ ftp hard nproc 0
<citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>getrlimit</refentrytitle><manvolnum>3p</manvolnum></citerefentry>
</para>
</refsect1>
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index f1e29b85..f446f9e3 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -42,7 +42,7 @@
#include <locale.h>
#ifdef HAVE_LIBAUDIT
-#include <libaudit.h>
+#include <libaudit.h>
#endif
/* Module defines */
@@ -141,6 +141,73 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
return ctrl;
}
+static const char *
+rlimit2str (int i)
+{
+ switch (i) {
+ case RLIMIT_CPU:
+ return "cpu";
+ break;
+ case RLIMIT_FSIZE:
+ return "fsize";
+ break;
+ case RLIMIT_DATA:
+ return "data";
+ break;
+ case RLIMIT_STACK:
+ return "stack";
+ break;
+ case RLIMIT_CORE:
+ return "core";
+ break;
+ case RLIMIT_RSS:
+ return "rss";
+ break;
+ case RLIMIT_NPROC:
+ return "nproc";
+ break;
+ case RLIMIT_NOFILE:
+ return "nofile";
+ break;
+ case RLIMIT_MEMLOCK:
+ return "memlock";
+ break;
+#ifdef RLIMIT_AS
+ case RLIMIT_AS:
+ return "as";
+ break;
+#endif
+#ifdef RLIMIT_LOCKS
+ case RLIMIT_LOCKS:
+ return "locks";
+ break;
+#endif
+#ifdef RLIMIT_SIGPENDING
+ case RLIMIT_SIGPENDING:
+ return "sigpending";
+ break;
+#endif
+#ifdef RLIMIT_MSGQUEUE
+ case RLIMIT_MSGQUEUE:
+ return "msgqueue";
+ break;
+#endif
+#ifdef RLIMIT_NICE
+ case RLIMIT_NICE:
+ return "nice";
+ break;
+#endif
+#ifdef RLIMIT_RTPRIO
+ case RLIMIT_RTPRIO:
+ return "rtprio";
+ break;
+#endif
+ default:
+ return "UNKNOWN";
+ break;
+ }
+}
+
#define LIMITED_OK 0 /* limit setting appeared to work */
#define LIMIT_ERR 1 /* error setting a limit */
@@ -416,8 +483,8 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
if (int_value < -20)
int_value = -20;
rlimit_value = 20 - int_value;
-#endif
break;
+#endif
}
if ( (limit_item != LIMIT_LOGIN)
@@ -575,6 +642,8 @@ static int setup_limits(pam_handle_t *pamh,
int retval = LIMITED_OK;
for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) {
+ int res;
+
if (!pl->limits[i].supported) {
/* skip it if its not known to the system */
continue;
@@ -586,7 +655,11 @@ static int setup_limits(pam_handle_t *pamh,
}
if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
- status |= setrlimit(i, &pl->limits[i].limit);
+ res = setrlimit(i, &pl->limits[i].limit);
+ if (res != 0)
+ pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
+ rlimit2str(i));
+ status |= res;
}
if (status) {
@@ -595,6 +668,7 @@ static int setup_limits(pam_handle_t *pamh,
status = setpriority(PRIO_PROCESS, 0, pl->priority);
if (status != 0) {
+ pam_syslog(pamh, LOG_ERR, "Could not set limit for PRIO_PROCESS: %m");
retval = LIMIT_ERR;
}