limits in /etc/passwd, and maybe a bug in processing /etc/limits? :)

[Jim B]

OK.  As a continuation of my previous ramblings on resource limits, I'm
running into two more similar issues on my slink machine.

According to /etc/login.defs, I should be able to employ resource limits
by editing users' passwd entries.  I have QUOTAS_ENAB in login.defs:

# Enable setting of ulimit, umask, and niceness from passwd gecos field.
#
QUOTAS_ENAB yes


If I look at man 5 passwd, I see the following:


   The  comment  field  is  used by various system utilities,
   such as finger(1).  Three additional values may be present
   in the comment field.  They are

pri= - set initial value of nice
umask= - set initial value of umask
ulimit= - set initial value of ulimit

   These  fields  are  separated from each other and from any
   other comment field by a comma.


I tried to set the umask to 022 this way with a test account, and I can't
get it to do anything at all.

I have tried adding extra comment entries by adding commas in
/etc/passwd, and I've also tried using the pre-existing comment
entries.  None of it works.  I end up with the default umask of 002 no
matter what... and yes I have commented-out the umask field in
/etc/profile, and there is none in the test user's .bash_profile,
.profile, and .bashrc.  :)

Anyone know the right way to do it?


My second problem... well, it looks like it may be a bug.  Note the
following text in /etc/limits:

# Valid flags are:
# A: max address space (KB)
# C: max core file size (KB)
# D: max data size (KB)

... and so on.


But any time I use the A limit, the whole line becomes useless.  See the
following in man 5 limits:

A invalid limits string will be rejected (not considered) by the login
program.

If I take out the A limit, the rest of the line functions again.  So
there seems to be some kind of problem reading or enforcing this limit.


So a line like this:

* L2 D12288 M32768 R2048 S2048 U64 N256 F16384 T60 C0

works fine.


But one like this:

* A32768 L2 D12288 M32768 R2048 S2048 U64 N256 F16384 T60 C0

breaks the whole line and NO limits are enforced.


Is this a bug or am I doing something wrong (again)?  :)

Re: /etc/limits

[Ethan Benson]

On 10/1/2000 Jim B wrote:



Then (in /etc/limits) I set no limits on my own accounts:

user -


I would actually want to keep at least some of the limits on my own 
account as well, just to prevent a runaway process from causing 
problems, that is why i am interested in limits so reasonable no one 
would likely ever notice. (while still protecting against system from 
becoming crippled)




Also: I still don't know of any way to set the Virtual Mem usage of a
shell without using ulimit (bash) or limit (csh)!  Note that it does not
appear to be an option in /etc/limits or in pam's limits.conf.  Anyone
know how to do it?  There must be a way.


ulimit does not really protect at all against someone malicious since 
they are perfectly free to un-ulimit themselves, this is where 
pam_limits is helpful, it enforces the hard limit and it cannot be 
ulimited past that.



--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/

Re: /etc/limits

[Jim B]

On Mon, 10 Jan 2000, Ethan Benson wrote:

 ulimit does not really protect at all against someone malicious since 
 they are perfectly free to un-ulimit themselves, this is where 
 pam_limits is helpful, it enforces the hard limit and it cannot be 
 ulimited past that.

Hmmm.  How would a user unlimit himself without changing his shell?  If
he stays in a single bash or csh shell, I don't know how he could do that.

$ ulimit -v
unlimited
$ ulimit -v 32767
$ ulimit -v
32767
$ ulimit -v 32768
bash: ulimit: cannot modify limit: Operation not permitted


OTOH if you're talking about someone who switches his shell to get around
the limits, that's my whole point.  I need to know how to set
shell-independent limits.  Yes you can do that with PAM, but I still don't
see a PAM limit on virtual memory.  Is there one there?

Re: /etc/limits

[Ethan Benson]

On 10/1/2000 Jim B wrote:



$ ulimit -v
unlimited
$ ulimit -v 32767
$ ulimit -v
32767
$ ulimit -v 32768
bash: ulimit: cannot modify limit: Operation not permitted


OTOH if you're talking about someone who switches his shell to get around
the limits, that's my whole point.  I need to know how to set
shell-independent limits.  Yes you can do that with PAM, but I still don't
see a PAM limit on virtual memory.  Is there one there?


oh, i see some limits are enforced once set, I tried a few other 
limits and the user can set and unset them at will.  correction noted 
:)



--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/

Re: /etc/limits

[Marek Habersack]

* Ethan Benson said:

 
 Also: I still don't know of any way to set the Virtual Mem usage of a
 shell without using ulimit (bash) or limit (csh)!  Note that it does not
 appear to be an option in /etc/limits or in pam's limits.conf.  Anyone
 know how to do it?  There must be a way.
 
 ulimit does not really protect at all against someone malicious since 
 they are perfectly free to un-ulimit themselves, this is where 
 pam_limits is helpful, it enforces the hard limit and it cannot be 
 ulimited past that.
Not only pam_limits is useful. You can use the capabilities of the shadow
package to put the ULIMIT system value in the user's entry in the
passwd/shadow database. 

marek


pgpJDVkItpcDt.pgp
Description: PGP signature

Re: /etc/limits

[Marek Habersack]

* Jim B said:
 On Mon, 10 Jan 2000, Ethan Benson wrote:
 
  ulimit does not really protect at all against someone malicious since 
  they are perfectly free to un-ulimit themselves, this is where 
  pam_limits is helpful, it enforces the hard limit and it cannot be 
  ulimited past that.
 
 Hmmm.  How would a user unlimit himself without changing his shell?  If
 he stays in a single bash or csh shell, I don't know how he could do that.
He can't, true. But shell-based limits aren't particularily good way of setting
limits. They are by definition bound to one kind of shell - csh or bash or
whatever. In case you, or the user, decideds to change his shell, you loose
all the limits. PAM and/or shadow utilities (or lshell) are much better.

[snip]
 OTOH if you're talking about someone who switches his shell to get around
 the limits, that's my whole point.  I need to know how to set
 shell-independent limits.  Yes you can do that with PAM, but I still don't
 see a PAM limit on virtual memory.  Is there one there?
Compute the ULIMIT value and put it in the commen't field of the user's
record in the password database (ulimit=ULIMIT_VALUE). Then the login
process will set the limits regardless of the shell. And if you worry about
the user changing shell during the session - don't. The child process
whether spawned or executed, will inherit the limits from its parent.

marek


pgpobnffszbRZ.pgp
Description: PGP signature

Re: /etc/limits

[Jim B]

On Tue, 11 Jan 2000, Marek Habersack wrote:

 He can't, true. But shell-based limits aren't particularily good way of 
 setting
 limits. They are by definition bound to one kind of shell - csh or bash or
 whatever. In case you, or the user, decideds to change his shell, you loose
 all the limits. PAM and/or shadow utilities (or lshell) are much better.

Correct.  But this is the crux of this whole thread.  I don't see any way,
*other than* shell limits, of setting max Virtual Memory usage.  The other
resources yes, VMem no

Re: /etc/limits

[Marek Habersack]

* Jim B said:
 On Tue, 11 Jan 2000, Marek Habersack wrote:
 
  He can't, true. But shell-based limits aren't particularily good way of 
  setting
  limits. They are by definition bound to one kind of shell - csh or bash or
  whatever. In case you, or the user, decideds to change his shell, you loose
  all the limits. PAM and/or shadow utilities (or lshell) are much better.
 
 Correct.  But this is the crux of this whole thread.  I don't see any way,
 *other than* shell limits, of setting max Virtual Memory usage.  The other
 resources yes, VMem no
And the pam_limits 'as' + 'rss' + 'data' + 'memlock' + 'stack' parameters?
They all give you fine-grained control over the user's memory.

marek



pgpkS8gsSzPfY.pgp
Description: PGP signature

Re: /etc/limits

[Jim B]

On Tue, 11 Jan 2000, Marek Habersack wrote:

 And the pam_limits 'as' + 'rss' + 'data' + 'memlock' + 'stack' parameters?
 They all give you fine-grained control over the user's memory.

OK, you're right.  I had tried some of the PAM limits previously (one at a
time) and none of them alone was sufficient to restrict an account's
memory usage from devouring the machine using a particular exploit I'd
gotten hold of.  At the same time, restricting the user's virtual memory
(ulimit -v) was able to stop the exploit, while none of the other ulimit
options did.  Therefore I thought I was unable to limit the max vmem using
PAM.  Thank you for pointing out to me that I can.  :)


One last thing... the original question also was, how do slackware and
RedHat set the max vmem usage without using ulimit, /etc/limits, or PAM?  
Would you happen to know this off-hand?  I thought maybe it was compiled
into the login binary but I downloaded the source and their patches and
didn't see any reference to it.  Friends of mine have a slack 7 and an RH6
box, RH has PAM enabled but no limits configured, while the slackware
machine has no /etc/limits, /etc/pam.d, or /etc/security.  Yet when I log
in, my virtual memory limit is set to 2105343 KB.  Is that something
imposed by the kernel due to its maximum address space?  My kernel
(2.2.14) is compiled the same way AFAICT yet my vmem limit is unlimited
unless I set it using one of the aforementioned methods.

Thanks again.

Re: /etc/limits

[Marek Habersack]

* Jim B said:
 On Tue, 11 Jan 2000, Marek Habersack wrote:
 
  And the pam_limits 'as' + 'rss' + 'data' + 'memlock' + 'stack' parameters?
  They all give you fine-grained control over the user's memory.
 
 OK, you're right.  I had tried some of the PAM limits previously (one at a
 time) and none of them alone was sufficient to restrict an account's
 memory usage from devouring the machine using a particular exploit I'd
 gotten hold of.  At the same time, restricting the user's virtual memory
The 'virtual memory' is a quite broad term as you can see :

 (ulimit -v) was able to stop the exploit, while none of the other ulimit
 options did.  Therefore I thought I was unable to limit the max vmem using
 PAM.  Thank you for pointing out to me that I can.  :)
My pleasure :)
 
 One last thing... the original question also was, how do slackware and
 RedHat set the max vmem usage without using ulimit, /etc/limits, or PAM?  
 Would you happen to know this off-hand?  I thought maybe it was compiled
 into the login binary but I downloaded the source and their patches and
 didn't see any reference to it.  Friends of mine have a slack 7 and an RH6
 box, RH has PAM enabled but no limits configured, while the slackware
 machine has no /etc/limits, /etc/pam.d, or /etc/security.  Yet when I log
 in, my virtual memory limit is set to 2105343 KB.  Is that something
From a quick look, it's in the bash shell for those distributions. When I
changed my shell on one RH 6.1 server I got unlimited memory.

marek


pgp3ovjkk7d8V.pgp
Description: PGP signature

Re: /etc/limits

[Onno Ebbinge]

At 06:34 PM 1/9/00 -0500, Jim B wrote:
OK another issue I'm having with setting resource limits.  How can I
[snip]
I look in my /etc/limits and see a way to restrict just about all those
[snip]

Where can I find more info on /etc/limits ?

Regards,

Onno

Re: /etc/limits

[Jim B]

Should be in your limits man page.

If you're running potato then you'd probably want to use PAM and
/etc/security/limits.conf instead.

Look at the files themselves to see how they are set up.


On Mon, 10 Jan 2000, Onno Ebbinge wrote:

 At 06:34 PM 1/9/00 -0500, Jim B wrote:
 OK another issue I'm having with setting resource limits.  How can I
 [snip]
 I look in my /etc/limits and see a way to restrict just about all those
 [snip]
 
 Where can I find more info on /etc/limits ?
 
 Regards,
 
 Onno

Re: /etc/limits

[Ethan Benson]

On 10/1/2000 Jim B wrote:


If you're running potato then you'd probably want to use PAM and
/etc/security/limits.conf instead.

Look at the files themselves to see how they are set up.


I have figured out how to set these limits up well enough, but I have 
a related question, how can i set reasonable limits?  what I mean is 
how can i set reasonable limits for a user that they will never even 
notice are there unless 1) they are intentionally trying to crash the 
machine or 2) unintentionally have a process go out of control.  sort 
of analogous to the 5% limit on ext2fs reserved for root.



--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/

Re: /etc/limits

[Wayne Topa]

Subject: Re: /etc/limits
Date: Mon, Jan 10, 2000 at 07:26:19AM +0100

In reply to:Onno Ebbinge

Quoting Onno Ebbinge([EMAIL PROTECTED]):
| At 06:34 PM 1/9/00 -0500, Jim B wrote:
| OK another issue I'm having with setting resource limits.  How can I
| [snip]
| I look in my /etc/limits and see a way to restrict just about all those
| [snip]
| 
| Where can I find more info on /etc/limits ?
| 

apropos limits  ?

-- 
Nobody said computers were going to be polite.
___

Re: /etc/limits

[Jim B]

I asked myself the same question, so I logged into my shell account at a
local ISP and took a look at what they use on their FreeBSD machine with
512 MB of RAM:


core file size (blocks) unlimited
data seg size (kbytes)  22528
file size (blocks)  unlimited
max locked memory (kbytes)  10240
max memory size (kbytes)30720
open files  64
pipe size (512 bytes)   1
stack size (kbytes) 8192
cpu time (seconds)  unlimited
max user processes  64
virtual memory (kbytes) 30720


On my machine (96 MB) I am using something between the optional default
in /etc/limits, and what I found from the aforementioned machine.  The
defaults in /etc/limits are:

#* L2 D6144 R2048 S2048 U32 N32 F16384 T5 C0


However I set the max CPU time to 60 minutes (T60) and max open files to
64 (N64).  I figured that any process spawned by a shell that burned up 60
mins of CPU time (note that CPU time does not accumulate while a process
is idle) might be up to no good, but that's on my machine where I only
have a few remote users, and an occasional console user, playing around
with things.  On a true full-time multi-user machine you may want to
increase this slightly.


I also set (in /etc/profile):

ulimit -v 32768

which is apparently more than enough to run X and Netscape (4.6).  I
originally had tried about 16 MB and X started but Netscape would
segfault.


Then (in /etc/limits) I set no limits on my own accounts:

user -


As I only started experimenting with this yesterday, don't take any of my
setup without some judgment.  :)  I'm probably making some unreasonable
choices which I will have to fine-tune over time.  But they seem to have
been decent preliminary defaults.


Also: I still don't know of any way to set the Virtual Mem usage of a
shell without using ulimit (bash) or limit (csh)!  Note that it does not
appear to be an option in /etc/limits or in pam's limits.conf.  Anyone
know how to do it?  There must be a way.



On Mon, 10 Jan 2000, Ethan Benson wrote:

 I have figured out how to set these limits up well enough, but I have 
 a related question, how can i set reasonable limits?  what I mean is 
 how can i set reasonable limits for a user that they will never even 
 notice are there unless 1) they are intentionally trying to crash the 
 machine or 2) unintentionally have a process go out of control.  sort 
 of analogous to the 5% limit on ext2fs reserved for root.
 
 
 -- 
 Ethan Benson
 To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/

/etc/limits

[Jim B]

OK another issue I'm having with setting resource limits.  How can I
restrict a user's max virtual memory usage?  Not sure if anyone else has
seen it, but there's a DoS exploit around (which will actually eat up just
about any *nix box AFAICT, if there are no resource limits in
effect) which eats up virtual memory.

I've noticed that on my friends' slackware 7 and RedHat 6.0 machines, the
default resource limits are basically the same as on my slink box *except*
they have the virtual memory max at 2105343 while the Debian machine is
set to unlimited.  Yet, I can't figure out how those distros set the
limits.  Is it a compile-time option for /bin/login?

I look in my /etc/limits and see a way to restrict just about all those
resources *except* max virtual memory.  How can I enforce this
restriction?  I know I could use limit in csh and ulimit in bash, but what
about for shells that don't have built-in restrictions?  Is there any way
to do this other than force everyone to use one of those shells?

slink bug(?): /etc/limits permissions

[Jim B]

Hi all, please see this excerpt from the man page for /etc/limits:

LIMITS(5)   LIMITS(5)

NAME
   limits - Resource limits definition

DESCRIPTION
   The  limits  file  (/etc/limits  by default or LIMITS_FILE
   defined config.h) describes the resource limits  you  wish
   to  impose.   It  should  be owned by root and readable by
   root account only.


However, the current permissions on this file are NOT in accordance with the
recommendation in the manual pages:

ls -l /etc/limits:
-rw-r--r--   1 root root  725 Jul 17  1998 /etc/limits

I have not modified this file or its permissions, and Linux was not on this
machine on July 1998.  :)

Isn't this a distribution bug?

(FWIW, the same condition exists on my friend's potato machine.)