[PATCH] Some ADS fixes + pam_limits problem workaround
Antti Andreimann
Antti.Andreimann at mail.ee
Wed Jul 23 22:25:50 GMT 2003
Andrew Bartlett wrote:
>> Proposed solution:
>> Save the resource limits before calling pam modules and restore them
>> afterwards.
>
> Should we then re-apply them every time we change user?
I don't think it will be necessary. The limits get changed only when we make
a PAM session call (during the user authentication phase when obey pam
restrictions = yes). If an external program (like lpr or pre-connect
script) sets it's own limits then they will apply only to that program, not
the daemon. The problem with pam_limits is that it's a dynamically loadable
library and thus it gets executed in smbd process space and it's limits
will apply to the daemon process that called it. Of course similar threat
lies in executing any PAM module, but I haven't seen an account or password
module that messes with resource limits. It's a user session related thingy
;)
--
Antti Andreimann
Using Linux since 1993
Member of ELUG since 29.01.2000
More information about the samba-technical
mailing list