Discussion:
Where to implement user limit settings ?
Pavel Troller
2018-11-29 04:59:57 UTC
Permalink
Hello,
I'm trying to implement setting of user limits (ulimit) in sshd. I'm
not using PAM so I need it in the sshd itself. The task is very simple -
just to put one line calling setup_limits(pw); and link with -lshadow.
But the problem is, where to put this line. I did it in session.c,
in do_child(), like this:

#ifdef HAVE_OSF_SIA
session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty);
if (!check_quietlogin(s, command))
do_motd();
#else /* HAVE_OSF_SIA */
/* When PAM is enabled we rely on it to do the nologin check */
if (!options.use_pam) {
do_nologin(pw);
setup_limits(pw); /* Setting up user limits */
}
do_setusercontext(pw);
/*
* PAM session modules in do_setusercontext may have
* generated messages, so if this in an interactive
* login then display them too.
*/
if (!check_quietlogin(s, command))
display_loginmsg();

But I found a problem - in this place the code is already running with
the user privileges, so the limits file (/etc/limits) is unreadable for
it (normaly it's owned by root with privs 600). If I chmod to 644
or chown to the user trying to log in, it can be read and the limits are
set. To be honest I don't understand, why it's happening before calling
do_setusercontext(pw), but it is.
I would need a better place, where to put this call, already in the child
process but still running with root privs.
With regards,
Pavel
Damien Miller
2018-11-29 08:32:01 UTC
Permalink
Post by Pavel Troller
Hello,
I'm trying to implement setting of user limits (ulimit) in sshd. I'm
not using PAM so I need it in the sshd itself. The task is very simple -
just to put one line calling setup_limits(pw); and link with -lshadow.
But the problem is, where to put this line. I did it in session.c,
#ifdef HAVE_OSF_SIA
session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty);
if (!check_quietlogin(s, command))
do_motd();
#else /* HAVE_OSF_SIA */
/* When PAM is enabled we rely on it to do the nologin check */
if (!options.use_pam) {
do_nologin(pw);
setup_limits(pw); /* Setting up user limits */
}
do_setusercontext(pw);
/*
* PAM session modules in do_setusercontext may have
* generated messages, so if this in an interactive
* login then display them too.
*/
if (!check_quietlogin(s, command))
display_loginmsg();
But I found a problem - in this place the code is already running with
the user privileges, so the limits file (/etc/limits) is unreadable for
it (normaly it's owned by root with privs 600). If I chmod to 644
or chown to the user trying to log in, it can be read and the limits are
set. To be honest I don't understand, why it's happening before calling
do_setusercontext(pw), but it is.
I would need a better place, where to put this call, already in the child
process but still running with root privs.
You should read the file in ssh.c:privsep_postauth() just after
the /* child */ comment (sshd still has root privs there) but
actually apply the limits where you have them in do_child().

-d

Continue reading on narkive:
Loading...