[squeak-dev] x86 linux/ubuntu and security limit squeak.conf
tim Rowledge
tim at rowledge.org
Mon Jan 9 19:46:36 UTC 2023
Thanks for the explanations - unfortunately adding that line didn't make any difference at all!
I tried adding a nonsense line to see if anything would be reported in the auth.log (or indeed the system lg, the dmesg, anything I could find) and... nothing.
I did find one online report of the inverse problem - the user could set ulimits when logged in via VNC but *not* when ssh loggedin . That didn't help either :-(
This really is weird...
Are there no other listers using ubuntu via VNC?
> On 2023-01-08, at 11:44 PM, Bruce O'Neel <bruce.oneel at pckswarms.ch> wrote:
>
> Hi,
>
> So by the time that the shell is started, and whether or not it is a login shell is determined, pam has finished all of her work.
>
> A bit of probably pointless background.
>
> pam was designed so that there were pluggable ways of expanding how authentication and authorisation is done at login. This way you can authenticate with a password and authorise with /etc/passwd and /etc/groups like we old timers do. Or you can authenticate with ldap and authorise with a local set of groups, or use Active Directory for authentication and then ldap for authorisation, etc.
>
> The limits setting is in the authorisation step. A quick look on my ubuntu based system shows that limits is called fo:
>
> * cron
> * lightdm - the GUI login manger.
> * sshd - for ssh
> * su
> * sudo
>
> Where on my PI it is called for
>
> * cron
> * lightdm
> * login
> * sshd
> * su
> * vncserver.
>
> Now I use xrdp and it is not called in that case and I have tested that limits are not set.
>
> I'm guessing if one added in the line
>
> session optional pam_limits.so
>
> to which ever file is the vnc server file in /etc/pam.d on your ubuntu it would work.
>
> cheers
> bruce
> On 2023-01-09T03:09:14.000+01:00, tim Rowledge <tim at rowledge.org> wrote:
> The only additional suggestion I've received that might possibly make some sense is "is this an issue of login vs non-login shell?" Does that trigger any ideas for anyone?
>
> And possibly of some value, I note that the config of Raspberry Pi OS does not have this problem; connecting via VNC results in an environment where the ulimit -r value is what we need. I tried poking around at the assorted directories but the limits and pam stuff are sufficiently different that it makes no sense to me.
>
> On 2023-01-04, at 3:02 PM, tim Rowledge <tim at rowledge.org> wrote:
>
> After looking at various file in the /etc/pam.d directory, I also tried adding the
> session required pam_limits.so
> line into the
> - /etc/pam.d/common-session
> - /etc/pam.d/tigervnc file
>
> ... with no visible effect.
>
> And between each attempt I actually rebooted the machine, so it's definitely getting it's chance.
>
> So the current status is that
> - if I log in via ssh from my iMac, the ulimit -r result is what we want
> - if I try from a terminal running via the VNC desktop, it is not what we want.
> - if Squeak is run within a systemd file, it works by virtue of the LimitRTPRIO=2 command
>
> The system is x64 xubuntu with tigerVNC added. It may be of note that tigerVNC is running from a systemd file and that it seems to stop occasionally and require a manual restart.
>
> tim
> --
> tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
> Useful random insult:- Full of wisdumb.
>
>
>
>
>
>
> tim
> --
> tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
> Strange OpCodes: SEOB: Set Every Other Bit
tim
--
tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
boutique - a startling hardwood
More information about the Squeak-dev
mailing list
|