Bugtraq mailing list archives

Re: pam session

From: Jim Breton <jamesb-bugtraq () alongtheway com>
Date: Sat, 23 Jun 2001 18:49:31 +0000

On Tue, Jun 19, 2001 at 03:11:02AM +0200, Christian Kraemer wrote:

This is espacially anoying if you
use pam_limits.so to set rlimits. Every user could
cirrcumvent them easily by calling ssh in this way:
ssh user@server /bin/sh


True.  Fwiw you can work around this by putting ulimit calls in your 
sshd invocation script.  For example:

#!/bin/sh

ulimit -d <#>
ulimit -f <#>
ulimit -l <#>
ulimit -m <#>
ulimit -n <#>
ulimit -s <#>

[etc.]

Also most Linux distributions' 'init' packages support an
/etc/initscript which will be used for invoking all children of init.
man initscript:

DESCRIPTION
       When  the  shell  script  /etc/initscript is present, init
       will use it to execute the commands  from  inittab.   This
       script  can  be  used  to set things like ulimit and umask
       default values for every process.

which is a good "safety net" for unforeseen issues like this one, as
well as for protecting against resource exhaustion via cron jobs, etc..

I imagine you could do the same thing on other *nixes by putting the
call somewhere early in the bootscripts.


P.S. I see this issue you raised is now being discussed on the
openssh-unix-dev list.
http://marc.theaimsgroup.com/?l=openssh-unix-dev&r=1&w=2&b=200106

Current thread:

pam session Christian Kraemer (Jun 22)
- Re: pam session Pawel Krawczyk (Jun 24)
- Re: pam session Greg Woods (Jun 24)
- Re: pam session Jim Breton (Jun 24)