[squeak-dev] x86 linux/ubuntu and security limit squeak.conf
Bruce O'Neel
bruce.oneel at pckswarms.ch
Tue Jan 10 12:57:19 UTC 2023
Hi - not to be stupid but you did restart the VNC server when you did
this, right? Rebooting would guarantee this. And then I don't
know.
cheers
bruce
On 2023-01-09T20:46:36.000+01:00, tim Rowledge <tim at rowledge.org>
wrote:
> Thanks for the explanations - unfortunately adding that line didn't make any difference at all!
>
> I tried adding a nonsense line to see if anything would be reported in the auth.log (or indeed the system lg, the dmesg, anything I could find) and... nothing.
>
> I did find one online report of the inverse problem - the user could set ulimits when logged in via VNC but *not* when ssh loggedin . That didn't help either :-(
>
> This really is weird...
>
> Are there no other listers using ubuntu via VNC?
>
>> On 2023-01-08, at 11:44 PM, Bruce O'Neel
>> <bruce.oneel at pckswarms.ch> wrote:
>>
>> Hi,
>>
>> So by the time that the shell is started, and whether or not it is
>> a login shell is determined, pam has finished all of her work.
>>
>> A bit of probably pointless background.
>>
>> pam was designed so that there were pluggable ways of expanding
>> how authentication and authorisation is done at login. This way
>> you can authenticate with a password and authorise with
>> /etc/passwd and /etc/groups like we old timers do. Or you can
>> authenticate with ldap and authorise with a local set of groups,
>> or use Active Directory for authentication and then ldap for
>> authorisation, etc.
>>
>> The limits setting is in the authorisation step. A quick look on
>> my ubuntu based system shows that limits is called fo:
>>
>> * cron
>> * lightdm - the GUI login manger.
>> * sshd - for ssh
>> * su
>> * sudo
>>
>> Where on my PI it is called for
>>
>> * cron
>> * lightdm
>> * login
>> * sshd
>> * su
>> * vncserver.
>>
>> Now I use xrdp and it is not called in that case and I have tested
>> that limits are not set.
>>
>> I'm guessing if one added in the line
>>
>> session optional pam_limits.so [http://limits.so]
>>
>> to which ever file is the vnc server file in /etc/pam.d on your
>> ubuntu it would work.
>>
>> cheers
>> bruce
>> On 2023-01-09T03:09:14.000+01:00, tim Rowledge <tim at rowledge.org>
>> wrote:
>> The only additional suggestion I've received that might possibly
>> make some sense is "is this an issue of login vs non-login shell?"
>> Does that trigger any ideas for anyone?
>>
>> And possibly of some value, I note that the config of Raspberry Pi
>> OS does not have this problem; connecting via VNC results in an
>> environment where the ulimit -r value is what we need. I tried
>> poking around at the assorted directories but the limits and pam
>> stuff are sufficiently different that it makes no sense to me.
>>
>> On 2023-01-04, at 3:02 PM, tim Rowledge <tim at rowledge.org> wrote:
>>
>> After looking at various file in the /etc/pam.d directory, I also
>> tried adding the
>> session required pam_limits.so [http://limits.so]
>> line into the
>> - /etc/pam.d/common-session
>> - /etc/pam.d/tigervnc file
>>
>> ... with no visible effect.
>>
>> And between each attempt I actually rebooted the machine, so it's
>> definitely getting it's chance.
>>
>> So the current status is that
>> - if I log in via ssh from my iMac, the ulimit -r result is what
>> we want
>> - if I try from a terminal running via the VNC desktop, it is not
>> what we want.
>> - if Squeak is run within a systemd file, it works by virtue of
>> the LimitRTPRIO=2 command
>>
>> The system is x64 xubuntu with tigerVNC added. It may be of note
>> that tigerVNC is running from a systemd file and that it seems to
>> stop occasionally and require a manual restart.
>>
>> tim
>> --
>> tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
>> Useful random insult:- Full of wisdumb.
>>
>> tim
>> --
>> tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
>> Strange OpCodes: SEOB: Set Every Other Bit
>
> tim
> --
> tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
> boutique - a startling hardwood
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squeakfoundation.org/pipermail/squeak-dev/attachments/20230110/012f273b/attachment.html>
More information about the Squeak-dev
mailing list
|