[PATCH] Some ADS fixes + pam_limits problem workaround

Antti Andreimann Antti.Andreimann at mail.ee
Wed Jul 23 22:25:50 GMT 2003


Andrew Bartlett wrote:

>> Proposed solution:
>> Save the resource limits before calling pam modules and restore them
>> afterwards.
> 
> Should we then re-apply them every time we change user?

I don't think it will be necessary. The limits get changed only when we make
a PAM session call (during the user authentication phase when obey pam
restrictions = yes). If an external program (like lpr or pre-connect
script) sets it's own limits then they will apply only to that program, not
the daemon. The problem with pam_limits is that it's a dynamically loadable
library and thus it gets executed in smbd process space and it's limits
will apply to the daemon process that called it. Of course similar threat
lies in executing any PAM module, but I haven't seen an account or password
module that messes with resource limits. It's a user session related thingy
;)

-- 
          Antti Andreimann
      Using Linux since 1993
  Member of ELUG since 29.01.2000




More information about the samba-technical mailing list