Package: libpam-modules
Version: 0.76-22

The support for Linux capabilities in pam_limits.so is broken. The source code for this library, pam_limits.c, contains support for capabilities, but some unrelated code in the same source file prevents it from working.

If I add the following line to /etc/security/limits.conf:

xxx     -       capabilities    CAP_NET_BIND_SERVICE+eip

I get the following error recorded in syslog when logging in as user "xxx":

Jul 15 15:40:32 argon pam_limits[4844]: wrong limit value 'cap_net_bind_service+eip'

The resolution for bug ID 74176 shows that capabilities support was added to pam_limits.so in version 0.72-14, and the syntax I'm using in the limits.conf file appears to be correct.

Looking at pam_limits.c, we see:

    /* special case value when limiting logins */
    if ((limit_item!=LIMIT_CHROOT)&&
(limit_value == 0 && value_orig == *endptr)) { /* no chars read */
        if (strcmp(lim_value,"-") != 0) {
            _pam_log(LOG_DEBUG,"wrong limit value '%s'", lim_value);
            return;

This is what is giving the error. If the item is not LIMIT_CHROOT, then the value must be either a number or the string "-".

For capabilities, the item is LIMIT_CAPS, and the value is a string like "cap_net_bind_service+eip", so we will always get this error when trying to use capabilities.

The capabilities code in the source file appears to be fine, but this check for numeric or "-" means that it is never reached.

I'm using Debian Linux 3.1 ("sarge") with 2.6.12 Kernel on i386 platform.

argon# uname -a
Linux argon 2.6.12.2 #3 Tue Jul 12 13:06:10 BST 2005 i686 GNU/Linux

argon# dpkg -l | grep pam
ii  libpam-modules 0.76-22        Pluggable Authentication Modules for PAM
ii  libpam-runtime 0.76-22        Runtime support for the PAM library
ii  libpam0g       0.76-22        Pluggable Authentication Modules library

Roy Hills



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to