Unable to modify pam module configuration using files in /etc/security
markafarrell opened this issue
Description
I am unable to modify pam configuration by using files in /etc/security/
For example, if I set
* soft nofile 512
* hard nofile 512
in /etc/security/limits.conf
it is not respected
d384492@localhost ~ $ ulimit -Hn
524288
d384492@localhost ~ $ ulimit -Sn
1024
When I add debug
to the pam_limits.so entry in /etc/pam.d/system-auth
session required pam_limits.so debug
I can see that the module is attempting to read the limits file from /usr/lib/pam/limits.conf
Jun 19 23:24:47 localhost sshd[6375]: pam_limits(sshd:session): reading settings from '/usr/lib/pam//limits.conf'
Impact
This means a user is unable to modify pam module configuration
Environment and steps to reproduce
d384492@localhost ~ $ cat /etc/os-release
NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
ID_LIKE=coreos
VERSION=3815.2.3
VERSION_ID=3815.2.3
BUILD_ID=2024-05-21-1124
SYSEXT_LEVEL=1.0
PRETTY_NAME="Flatcar Container Linux by Kinvolk 3815.2.3 (Oklo)"
ANSI_COLOR="38;5;75"
HOME_URL="https://flatcar.org/"
BUG_REPORT_URL="https://issues.flatcar.org"
FLATCAR_BOARD="amd64-usr"
CPE_NAME="cpe:2.3:o:flatcar-linux:flatcar_linux:3815.2.3:*:*:*:*:*:*:*"
- Set-up: Deploy flatcar as normal
- Remove link in /etc/security/limits.conf
- Create limits.conf with new configuration
- Restart sshd.socket
- Login
- Check ulimits for logged in user
Expected behavior
We should be able to modify pam module configuration using the configuration files in /etc/security/
Additional information
It appears that the path is set here:
https://github.com/linux-pam/linux-pam/blob/master/modules/pam_limits/pam_limits.c#L128
So presumably linux-pam is being compiled with SCONFIGDIR=/usr/lib/pam instead of SCONFIGDIR=/etc/security
I believe we can maintain the current behavior by making the following changes.
- Update https://github.com/flatcar/scripts/blob/main/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild#L84 to
  --enable-vendordir="/usr/lib/pam/"
- Update links in https://github.com/flatcar/scripts/blob/main/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf from
  ../usr/lib/pam
  to ../usr/lib/pam/security
It appears that using vendorsconfdir is only supported in linux-pam >= 1.5.3
So we would also need to update from linux-pam=1.5.1
to at least linux-pam=1.5.3
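A small offline check for the pam_limits debug output shown in the report above, added here as an example; it is not code from the report, from Flatcar or from linux-pam. It extracts the "reading settings from" path per PAM service and flags services whose limits file lives outside /etc/security, so an operator can confirm which file pam_limits actually honours. The log lines are constructed to match the shape of the message in the report, and the function names are my own.

```python
import posixpath
import re

# Constructed journal lines for this example; only the first one mirrors the
# message format quoted in the report (the pid, times and other lines are made up).
SAMPLE_LOG = """\
Jun 19 23:24:47 localhost sshd[6375]: pam_limits(sshd:session): reading settings from '/usr/lib/pam//limits.conf'
Jun 19 23:24:47 localhost sshd[6375]: pam_limits(sshd:session): reading settings from '/usr/lib/pam//limits.d/10-local.conf'
Jun 19 23:25:03 localhost login[6401]: pam_limits(login:session): reading settings from '/etc/security/limits.conf'
Jun 19 23:25:03 localhost sshd[6375]: pam_unix(sshd:session): session opened for user core(uid=500) by (uid=0)
"""

# Matches the pam_limits debug line and captures the PAM service and the quoted path.
LINE_RE = re.compile(
    r"pam_limits\((?P<service>[^:]+):session\): reading settings from '(?P<path>[^']+)'"
)


def settings_paths(log_text):
    """Return (service, normalised path) for every pam_limits 'reading settings' line."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # The '//' in the report's log line suggests the configured directory
            # carries a trailing slash; normalise so path comparisons are exact.
            found.append((m.group("service"), posixpath.normpath(m.group("path"))))
    return found


def outside_expected_dir(log_text, expected_dir="/etc/security"):
    """Sorted services whose pam_limits reads its settings from outside expected_dir."""
    expected = posixpath.normpath(expected_dir)
    return sorted({
        svc for svc, path in settings_paths(log_text)
        if posixpath.commonpath([expected, path]) != expected
    })


if __name__ == "__main__":
    for svc, path in settings_paths(SAMPLE_LOG):
        print(f"{svc}: {path}")
    bad = outside_expected_dir(SAMPLE_LOG)
    print("services not reading /etc/security:", ", ".join(bad) or "none")
```

On a live host, feed it `journalctl -u sshd` output after adding `debug` to the pam_limits.so line as the report describes.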
Thanks for the report and the contribution! This change will be available in the next Alpha 🥳