flatcar / Flatcar

Flatcar project repository for issue tracking, project documentation, etc.

Home Page:https://www.flatcar.org/

Unable to modify pam module configuration using files in /etc/security

markafarrell opened this issue · comments

Description

I am unable to modify pam configuration by using files in /etc/security/

For example, if I set

*        soft        nofile          512
*        hard       nofile          512

in /etc/security/limits.conf it is not respected

d384492@localhost ~ $ ulimit -Hn
524288
d384492@localhost ~ $ ulimit -Sn
1024

When I add debug to the pam_limits.so entry in /etc/pam.d/system-auth

session         required        pam_limits.so debug

I can see that the module is attempting to read the limits file from /usr/lib/pam/limits.conf

Jun 19 23:24:47 localhost sshd[6375]: pam_limits(sshd:session): reading settings from '/usr/lib/pam//limits.conf'

Impact

This means a user is unable to modify pam module configuration

Environment and steps to reproduce

d384492@localhost ~ $ cat /etc/os-release
NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
ID_LIKE=coreos
VERSION=3815.2.3
VERSION_ID=3815.2.3
BUILD_ID=2024-05-21-1124
SYSEXT_LEVEL=1.0
PRETTY_NAME="Flatcar Container Linux by Kinvolk 3815.2.3 (Oklo)"
ANSI_COLOR="38;5;75"
HOME_URL="https://flatcar.org/"
BUG_REPORT_URL="https://issues.flatcar.org"
FLATCAR_BOARD="amd64-usr"
CPE_NAME="cpe:2.3:o:flatcar-linux:flatcar_linux:3815.2.3:*:*:*:*:*:*:*"

  1. Set-up: Deploy flatcar as normal
  2. Remove link in /etc/security/limits.conf
  3. Create limits.conf with new configuration
  4. Restart sshd.socket
  5. Login
  6. Check ulimits for logged in user

Expected behavior

We should be able to modify pam module configuration using the configuration files in /etc/security/

Additional information

It appears that the path is set here:

https://github.com/linux-pam/linux-pam/blob/master/modules/pam_limits/pam_limits.c#L128

So presumably linux-pam is being compiled with SCONFIGDIR=/usr/lib/pam instead of SCONFIGDIR=/etc/security

I believe we can maintain the current behavior by making the following changes.

  1. Update https://github.com/flatcar/scripts/blob/main/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild#L84 to --enable-vendordir="/usr/lib/pam/"

  2. Update links in https://github.com/flatcar/scripts/blob/main/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf from ../usr/lib/pam to ../usr/lib/pam/security

It appears that using vendorsconfdir is only supported in linux-pam >= 1.5.3.
So we would also need to update from linux-pam=1.5.1 to at least linux-pam=1.5.3.
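A check for step 6 of the reproduction above, written here as an added example rather than code from the issue or the Flatcar project: it parses the wildcard nofile entries out of a limits.conf-style file the way pam_limits does (last matching line wins), shows where /etc/security/limits.conf really resolves to, and compares the configured values with the current session's ulimit. The function names and the constructed sample file are mine; the four-column domain/type/item/value syntax is the one pam_limits documents.

```shell
#!/bin/sh
# Added example (not from the issue): verify which limits.conf pam_limits will
# honour and whether a wildcard nofile entry matches the current session.

# Print the value of the last '*' entry for TYPE (soft|hard) and ITEM
# (e.g. nofile) in a limits.conf-style file. pam_limits applies the last
# matching line, so the last one wins here too; comments and short lines skip.
limits_value() {
    file=$1 type=$2 item=$3
    awk -v t="$type" -v i="$item" '
        /^[ \t]*#/ || NF < 4 { next }
        $1 == "*" && $2 == t && $3 == i { v = $4 }
        END { if (v != "") print v }
    ' "$file"
}

# Resolve where /etc/security/limits.conf really lives. On Flatcar it is a
# symlink created by tmpfiles.d into /usr/lib/pam (see the issue), so editing
# the link target in place and replacing the link are two different things.
limits_conf_target() {
    path=${1:-/etc/security/limits.conf}
    if [ -L "$path" ]; then
        readlink -f "$path"
    else
        printf '%s\n' "$path"
    fi
}

# Compare the configured wildcard nofile limits with this session's ulimit.
# Returns 0 when both match, 1 otherwise (and prints what differs).
check_nofile() {
    file=${1:-/etc/security/limits.conf}
    want_soft=$(limits_value "$file" soft nofile)
    want_hard=$(limits_value "$file" hard nofile)
    have_soft=$(ulimit -Sn)
    have_hard=$(ulimit -Hn)
    rc=0
    [ "$want_soft" = "$have_soft" ] || { echo "soft nofile: want $want_soft, have $have_soft"; rc=1; }
    [ "$want_hard" = "$have_hard" ] || { echo "hard nofile: want $want_hard, have $have_hard"; rc=1; }
    return $rc
}

# Stand-alone demo on a constructed copy of the two entries from the issue.
sample=$(mktemp)
printf '*        soft        nofile          512\n*        hard       nofile          512\n' > "$sample"
echo "configured soft nofile in sample: $(limits_value "$sample" soft nofile)"
echo "real limits file on this host: $(limits_conf_target)"
rm -f "$sample"
```

Run `check_nofile` in a fresh SSH session after editing the file; if it still reports the defaults from the issue (1024/524288) while `limits_value` returns 512, pam_limits is reading a different file than the one you edited.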

Thanks for the report and the contribution! This change will be available in the next Alpha 🥳