[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python Interpreter

From: dev
Subject: Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python Interpreter
Date: Sat, 27 Oct 2007 09:58:42 +0200

Olivier Sessink writes:
So I tried adding this to limits.conf:
jailtest hard nproc 1 But I'm still allowed to start the 6 processes.

Ok, here's the latest.  I think limits.conf only works for logged in
users, not for my special jail user.

I might be 100% wrong here: but it might be that 'bash' is the program
that actually sets the limits. So if you use another shell (jk_chrootsh)
the limits are not set. That could at least explain the behavior found.
But how do we find out which program sets the limits?

It is PAM that uses /etc/security/limits.conf. Important (check on your own system): Is the line containing limits.conf commented out in /etc/pam.d/login? If so, you should probably activate it. Also see the comment about /etc/security/limits.conf replacing /etc/limits, just in case you've configured the wrong file.
--- snip from /etc/pam.d/login ---
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so
--- snip --- There might still be a few oddities and uncertainties I can think of (without exploring them any further at the moment): - Is your openssh daemon set to use PAM authentication - check the ssh config file. If not, chances are limits.conf won't get used. - Does /pam.d/login also apply to non-interactive logins - and if so there might be a second configuration option for PAM to set non-interactive login limits. Your system might see "jailkit sessions" as non-interactive sessions.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]