Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python Interpreter

From: Gregory Piñero
Subject: Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python Interpreter
Date: Sat, 27 Oct 2007 12:54:08 -0400

On 10/27/07, address@hidden <address@hidden> wrote:
> It is PAM that uses /etc/security/limits.conf. Important (check on your own
> system): Is the line containing limits.conf commented out in
> /etc/pam.d/login? If so, you should probably activate it. Also see the
> comment about /etc/security/limits.conf replacing /etc/limits, just in case
> you've configured the wrong file.
>  --- snip from /etc/pam.d/login ---
> # Sets up user limits according to /etc/security/limits.conf
> # (Replaces the use of /etc/limits in old login)
> session    required   pam_limits.so
>  --- snip ---
> There might still be a few oddities and uncertainties I can think of
> (without exploring them any further at the moment):
>  - Is your openssh daemon set to use PAM authentication - check the ssh
> config file. If not, chances are limits.conf won't get used.
>  - Does /pam.d/login also apply to non-interactive logins - and if so there
> might be a second configuration option for PAM to set non-interactive login
> limits. Your system might see "jailkit sessions" as non-interactive
> sessions.

softlimit is working great for me
(http://cr.yp.to/daemontools/softlimit.html) and it's a lot easier to
understand and configure :-)

So I don't think I'll pursue limits.conf.  But for jailed SSH
sessions, etc., limits.conf is probably the way to go.  But when
jk_chrootlaunch launches a program as a different user, is that
considered a non-interactive login?  Or does no login happen at all
for that user?
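
The two checks from the quoted advice (is the pam_limits.so session line uncommented, and is sshd set to use PAM), written as a script. This is an added example, not part of the original messages; the function names and the sample files are constructed for illustration. The file paths are arguments because which PAM service file applies depends on the service and the system.

```shell
#!/bin/sh
# Added example: checks whether limits.conf can take effect for a login path.

# pam_limits_active FILE -> 0 if FILE has an uncommented "session ... pam_limits.so" line
pam_limits_active() {
    awk '
        $1 ~ /^#/ { next }                                   # commented-out line
        ($1 == "session" || $1 == "-session") && /pam_limits\.so/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# sshd_uses_pam FILE -> 0 if FILE sets "UsePAM yes".
# sshd_config keywords are case-insensitive and the first value found wins;
# with no UsePAM line, OpenSSH defaults to "no".
sshd_uses_pam() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) == "usepam" { val = tolower($2); exit }  # jumps to END
        END { exit ((val == "yes") ? 0 : 1) }
    ' "$1"
}

# report PAM_FILE SSHD_FILE -> prints a one-word verdict
report() {
    if ! pam_limits_active "$1"; then
        echo "pam_limits-disabled"      # limits.conf is never read for this service
    elif ! sshd_uses_pam "$2"; then
        echo "ssh-bypasses-pam"         # SSH sessions skip the PAM session stack
    else
        echo "limits-applied"
    fi
}

# Constructed sample inputs (not copied from any real system)
tmp=$(mktemp -d)
printf '%s\n' '# Sets up user limits according to /etc/security/limits.conf' \
    '#session    required   pam_limits.so' > "$tmp/login.off"
printf '%s\n' 'auth       required   pam_unix.so' \
    'session    required   pam_limits.so' > "$tmp/login.on"
printf '%s\n' '#UsePAM no' 'UsePAM yes' > "$tmp/sshd_config.on"
printf '%s\n' 'Port 22' > "$tmp/sshd_config.default"

for pam in login.off login.on; do
    for ssh in sshd_config.on sshd_config.default; do
        echo "$pam + $ssh: $(report "$tmp/$pam" "$tmp/$ssh")"
    done
done
```

To check a live system, call `report` with the real PAM service file and sshd configuration file in place of the sample paths.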

