Bugtraq mailing list archives
Re: pam session
From: Jim Breton <jamesb-bugtraq () alongtheway com>
Date: Sat, 23 Jun 2001 18:49:31 +0000
On Tue, Jun 19, 2001 at 03:11:02AM +0200, Christian Kraemer wrote:
> This is especially annoying if you use pam_limits.so to set rlimits. Every user could circumvent them easily by calling ssh in this way: ssh user@server /bin/sh
True. Fwiw you can work around this by putting ulimit calls in your sshd invocation script. For example:

    #!/bin/sh
    ulimit -d <#>
    ulimit -f <#>
    ulimit -l <#>
    ulimit -m <#>
    ulimit -n <#>
    ulimit -s <#>
    [etc.]

Also most Linux distributions' 'init' packages support an /etc/initscript which will be used for invoking all children of init.

man initscript:

    DESCRIPTION
        When the shell script /etc/initscript is present, init will use it to execute the commands from inittab. This script can be used to set things like ulimit and umask default values for every process.

which is a good "safety net" for unforeseen issues like this one, as well as for protecting against resource exhaustion via cron jobs, etc. I imagine you could do the same thing on other *nixes by putting the call somewhere early in the bootscripts.

P.S. I see this issue you raised is now being discussed on the openssh-unix-dev list.
http://marc.theaimsgroup.com/?l=openssh-unix-dev&r=1&w=2&b=200106
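A check for the workaround described in the message above, added here as an example and not part of the original post: it lowers limits in a wrapper the way an sshd invocation script would, then confirms that a non-interactive `/bin/sh` started through it inherits them without any PAM session or login profile. The function names and limit values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed example values; pick limits that suit your hosts.
LIMIT_NOFILE=128   # ulimit -n: open file descriptors
LIMIT_CORE=0       # ulimit -c: core file size

# Start a command the way a wrapper script around sshd would: lower the
# limits in a subshell, then exec the target. Without -S or -H, ulimit sets
# both the soft and the hard value, and limits survive exec, so every
# descendant of the wrapped process starts with them.
run_limited() {
    (
        ulimit -n "$LIMIT_NOFILE" || exit 125
        ulimit -c "$LIMIT_CORE" || exit 125
        exec "$@"
    )
}

# Report what a fresh non-interactive shell sees when started through the
# wrapper. This models "ssh user@server /bin/sh": the shell reads no login
# profile, so anything it reports was inherited from the parent.
child_limits() {
    run_limited /bin/sh -c \
        'echo "nofile=$(ulimit -n) hard_nofile=$(ulimit -H -n) core=$(ulimit -c)"'
}

# Return 0 only when the child reports exactly the configured values.
check_limits() {
    expected="nofile=$LIMIT_NOFILE hard_nofile=$LIMIT_NOFILE core=$LIMIT_CORE"
    [ "$(child_limits)" = "$expected" ]
}

if check_limits; then
    echo "limits inherited: $(child_limits)"
else
    echo "limits NOT inherited: $(child_limits)"
fi
```

Because the hard value is lowered as well, an unprivileged child cannot raise it again; a process running as root can, so run the check as the account whose sessions you want to constrain.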