[squeak-dev] x86 linux/ubuntu and security limit squeak.conf
Bruce O'Neel
bruce.oneel at pckswarms.ch
Mon Jan 9 07:44:53 UTC 2023
Hi,
So by the time that the shell is started, and whether or not it is a
login shell is determined, pam has finished all of her work.
A bit of probably pointless background.
pam was designed so that there were pluggable ways of expanding how
authentication and authorisation is done at login. This way you can
authenticate with a password and authorise with /etc/passwd and
/etc/groups like we old timers do. Or you can authenticate with ldap
and authorise with a local set of groups, or use Active Directory for
authentication and then ldap for authorisation, etc.
The limits setting is in the authorisation step. A quick look on my
ubuntu based system shows that limits is called for:
* cron
* lightdm - the GUI login manager.
* sshd - for ssh
* su
* sudo
Where on my PI it is called for
* cron
* lightdm
* login
* sshd
* su
* vncserver.
Now I use xrdp and it is not called in that case and I have tested
that limits are not set.
I'm guessing if one added in the line
session optional pam_limits.so
to whichever file is the vnc server file in /etc/pam.d on your ubuntu
it would work.
cheers
bruce
On 2023-01-09T03:09:14.000+01:00, tim Rowledge <tim at rowledge.org>
wrote:
> The only additional suggestion I've received that might possibly make some sense is "is this an issue of login vs non-login shell?" Does that trigger any ideas for anyone?
>
> And possibly of some value, I note that the config of Raspberry Pi OS does not have this problem; connecting via VNC results in an environment where the ulimit -r value is what we need. I tried poking around at the assorted directories but the limits and pam stuff are sufficiently different that it makes no sense to me.
>
>> On 2023-01-04, at 3:02 PM, tim Rowledge <tim at rowledge.org> wrote:
>>
>> After looking at various files in the /etc/pam.d directory, I also
>> tried adding the
>> session required pam_limits.so
>> line into the
>> - /etc/pam.d/common-session
>> - /etc/pam.d/tigervnc file
>>
>> ... with no visible effect.
>>
>> And between each attempt I actually rebooted the machine, so it's
>> definitely getting its chance.
>>
>> So the current status is that
>> - if I log in via ssh from my iMac, the ulimit -r result is what
>> we want
>> - if I try from a terminal running via the VNC desktop, it is not
>> what we want.
>> - if Squeak is run within a systemd file, it works by virtue of
>> the LimitRTPRIO=2 command
>>
>> The system is x64 xubuntu with tigerVNC added. It may be of note
>> that tigerVNC is running from a systemd file and that it seems to
>> stop occasionally and require a manual restart.
>>
>> tim
>> --
>> tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
>> Useful random insult:- Full of wisdumb.
>
> tim
> --
> tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
> Strange OpCodes: SEOB: Set Every Other Bit
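
The check described in the message above (which services under /etc/pam.d call pam_limits.so), as an added example that is not part of the original thread. It follows Debian/Ubuntu-style `@include` lines only; the sample files and the names `shared-limits` and `rdp-demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which PAM service files load pam_limits.so,
# either directly or through an @include'd file in the same directory.
# Assumption: Debian/Ubuntu "@include name" syntax; "include"/"substack"
# control values used on other distributions are not followed.

# Succeeds if file $1 has an active (uncommented) pam_limits.so line, or
# @includes a file that does. Runs in a subshell so recursion keeps its own
# variables; $2 is a depth guard against include loops.
uses_limits() (
    file=$1; depth=${2:-0}
    [ -r "$file" ] && [ "$depth" -le 5 ] || exit 1
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_limits\.so' "$file" && exit 0
    dir=$(dirname "$file")
    for inc in $(sed -n 's/^[[:space:]]*@include[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$file"); do
        uses_limits "$dir/$inc" $((depth + 1)) && exit 0
    done
    exit 1
)

# Print "service<TAB>yes|no" for every regular file in directory $1.
pam_limits_report() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if uses_limits "$f"; then state=yes; else state=no; fi
        printf '%s\t%s\n' "$(basename "$f")" "$state"
    done
}

# Build a constructed sample directory (not real system files) and print
# its path, so the functions can be exercised offline.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'session required pam_limits.so\n' > "$d/shared-limits"
    printf 'auth required pam_unix.so\nsession required pam_limits.so\n' > "$d/sshd"
    printf 'auth sufficient pam_rootok.so\n@include shared-limits\n' > "$d/su"
    printf '# session optional pam_limits.so\nsession required pam_unix.so\n' > "$d/rdp-demo"
    printf '%s\n' "$d"
}

# Default to the live directory; pass another path as the first argument.
pam_limits_report "${1:-/etc/pam.d}"
```

A "no" for the service that handles a given login path means limits.conf entries are never applied to sessions started that way; after changing the file, `ulimit -r` in a fresh session confirms the result.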