[squeak-dev] x86 linux/ubuntu and security limit squeak.confBruce O'Neel bruce.oneel at pckswarms.chTue Jan 10 12:57:19 UTC 2023
Hi - not to be stupid but you did restart the VNC server when you did this, right? Rebooting would guarantee this. And then I don't know. cheers bruce On 2023-01-09T20:46:36.000+01:00, tim Rowledge <tim at rowledge.org> wrote: > Thanks for the explanations - unfortunately adding that line didn't make any difference at all! > > I tried adding a nonsense line to see if anything would be reported in the auth.log (or indeed the system lg, the dmesg, anything I could find) and... nothing. > > I did find one online report of the inverse problem - the user could set ulimits when logged in via VNC but *not* when ssh loggedin . That didn't help either :-( > > This really is weird... > > Are there no other listers using ubuntu via VNC? > >> On 2023-01-08, at 11:44 PM, Bruce O'Neel >> <bruce.oneel at pckswarms.ch> wrote: >> >> Hi, >> >> So by the time that the shell is started, and whether or not it is >> a login shell is determined, pam has finished all of her work. >> >> A bit of probably pointless background. >> >> pam was designed so that there were pluggable ways of expanding >> how authentication and authorisation is done at login. This way >> you can authenticate with a password and authorise with >> /etc/passwd and /etc/groups like we old timers do. Or you can >> authenticate with ldap and authorise with a local set of groups, >> or use Active Directory for authentication and then ldap for >> authorisation, etc. >> >> The limits setting is in the authorisation step. A quick look on >> my ubuntu based system shows that limits is called fo: >> >> * cron >> * lightdm - the GUI login manger. >> * sshd - for ssh >> * su >> * sudo >> >> Where on my PI it is called for >> >> * cron >> * lightdm >> * login >> * sshd >> * su >> * vncserver. >> >> Now I use xrdp and it is not called in that case and I have tested >> that limits are not set. >> >> I'm guessing if one added in the line >> >> session optional pam_limits.so [http://limits.so] >> >> to which ever file is the vnc server file in /etc/pam.d on your >> ubuntu it would work. >> >> cheers >> bruce >> On 2023-01-09T03:09:14.000+01:00, tim Rowledge <tim at rowledge.org> >> wrote: >> The only additional suggestion I've received that might possibly >> make some sense is "is this an issue of login vs non-login shell?" >> Does that trigger any ideas for anyone? >> >> And possibly of some value, I note that the config of Raspberry Pi >> OS does not have this problem; connecting via VNC results in an >> environment where the ulimit -r value is what we need. I tried >> poking around at the assorted directories but the limits and pam >> stuff are sufficiently different that it makes no sense to me. >> >> On 2023-01-04, at 3:02 PM, tim Rowledge <tim at rowledge.org> wrote: >> >> After looking at various file in the /etc/pam.d directory, I also >> tried adding the >> session required pam_limits.so [http://limits.so] >> line into the >> - /etc/pam.d/common-session >> - /etc/pam.d/tigervnc file >> >> ... with no visible effect. >> >> And between each attempt I actually rebooted the machine, so it's >> definitely getting it's chance. >> >> So the current status is that >> - if I log in via ssh from my iMac, the ulimit -r result is what >> we want >> - if I try from a terminal running via the VNC desktop, it is not >> what we want. >> - if Squeak is run within a systemd file, it works by virtue of >> the LimitRTPRIO=2 command >> >> The system is x64 xubuntu with tigerVNC added. It may be of note >> that tigerVNC is running from a systemd file and that it seems to >> stop occasionally and require a manual restart. >> >> tim >> -- >> tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim >> Useful random insult:- Full of wisdumb. >> >> tim >> -- >> tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim >> Strange OpCodes: SEOB: Set Every Other Bit > > tim > -- > tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim > boutique - a startling hardwood -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.squeakfoundation.org/pipermail/squeak-dev/attachments/20230110/012f273b/attachment.html>
More information about the Squeak-dev mailing list |