jailkit-users

Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python Interpreter


From: dev
Subject: Re: [Jailkit-users] Prevent Fork Bombs on Jailed Python Interpreter
Date: Sat, 27 Oct 2007 09:58:42 +0200

Olivier Sessink writes:
So I tried adding this to limits.conf:
jailtest hard nproc 1
But I'm still allowed to start the 6 processes.

Ok, here's the latest.  I think limits.conf only works for logged in
users, not for my special jail user.

I might be 100% wrong here: but it might be that 'bash' is the program
that actually sets the limits. So if you use another shell (jk_chrootsh)
the limits are not set. That could at least explain the behavior found.
But how do we find out which program sets the limits?

It is PAM that uses /etc/security/limits.conf. Important (check on your own system): Is the line containing limits.conf commented out in /etc/pam.d/login? If so, you should probably activate it. Also see the comment about /etc/security/limits.conf replacing /etc/limits, just in case you've configured the wrong file.
--- snip from /etc/pam.d/login ---
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so
--- snip ---

There might still be a few oddities and uncertainties I can think of (without exploring them any further at the moment):
- Is your openssh daemon set to use PAM authentication - check the ssh config file. If not, chances are limits.conf won't get used.
- Does /pam.d/login also apply to non-interactive logins - and if so there might be a second configuration option for PAM to set non-interactive login limits. Your system might see "jailkit sessions" as non-interactive sessions.

Cheers,
Stephen
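
An added example (not part of the original message and not Jailkit code): shell functions that check the three settings the reply points at, namely an uncommented pam_limits.so session line, UsePAM in the sshd configuration, and the nproc entry in limits.conf. The function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: static checks for the settings discussed in the thread.
# Paths are arguments so the checks can also be run against copies of the files.

# Succeeds if FILE has an uncommented "session ... pam_limits.so" line.
# Limitation: "@include" lines (used by some distributions) are not followed.
pam_limits_active() {
    awk '
        /^[ \t]*#/ { next }                      # commented out, so PAM ignores it
        $1 ~ /^-?session$/ {
            for (i = 3; i <= NF; i++)
                if ($i == "pam_limits.so" || $i ~ /\/pam_limits\.so$/) found = 1
        }
        END { exit !found }
    ' "$1"
}

# Succeeds if the first UsePAM keyword in FILE is set to "yes"
# (sshd uses the first value it obtains; keyword names are case-insensitive).
sshd_uses_pam() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "usepam" { print tolower($2); exit }
    ' "$1" | grep -qx yes
}

# Prints "<type> <value>" for every nproc entry in FILE whose domain is USER.
nproc_limit() {
    awk -v u="$2" '
        /^[ \t]*#/ { next }
        $1 == u && $3 == "nproc" { print $2, $4 }
    ' "$1"
}

# Demo on constructed sample files (not taken from any real system).
d=$(mktemp -d)
printf '%s\n' '# session required pam_limits.so' > "$d/login.commented"
printf '%s\n' 'session    required   pam_limits.so' > "$d/login.active"
printf '%s\n' '#UsePAM no' 'UsePAM yes' > "$d/sshd_config"
printf '%s\n' 'jailtest hard nproc 1' > "$d/limits.conf"

pam_limits_active "$d/login.commented" || echo "login.commented: pam_limits not active"
pam_limits_active "$d/login.active"    && echo "login.active: pam_limits active"
sshd_uses_pam "$d/sshd_config"         && echo "sshd_config: UsePAM yes"
echo "jailtest nproc: $(nproc_limit "$d/limits.conf" jailtest)"
```

On a real system the arguments would be /etc/pam.d/login (or whichever PAM service file the jailed login actually passes through), the sshd configuration file and /etc/security/limits.conf.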



