flatcar / Flatcar

Flatcar project repository for issue tracking, project documentation, etc.
https://www.flatcar.org/
Apache License 2.0

Unable to modify pam module configuration using files in /etc/security #1474

Closed markafarrell closed 3 days ago

markafarrell commented 1 week ago

Description

I am unable to modify pam configuration by using files in /etc/security/

For example, if I set

*        soft        nofile          512
*        hard       nofile          512

in /etc/security/limits.conf it is not respected

d384492@localhost ~ $ ulimit -Hn
524288
d384492@localhost ~ $ ulimit -Sn
1024

When I add debug to the pam_limits.so entry in /etc/pam.d/system-auth

session         required        pam_limits.so debug

I can see that the module is attempting to read the limits file from /usr/lib/pam/limits.conf

Jun 19 23:24:47 localhost sshd[6375]: pam_limits(sshd:session): reading settings from '/usr/lib/pam//limits.conf'

Impact

This means a user is unable to modify pam module configuration

Environment and steps to reproduce

d384492@localhost ~ $ cat /etc/os-release
NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
ID_LIKE=coreos
VERSION=3815.2.3
VERSION_ID=3815.2.3
BUILD_ID=2024-05-21-1124
SYSEXT_LEVEL=1.0
PRETTY_NAME="Flatcar Container Linux by Kinvolk 3815.2.3 (Oklo)"
ANSI_COLOR="38;5;75"
HOME_URL="https://flatcar.org/"
BUG_REPORT_URL="https://issues.flatcar.org"
FLATCAR_BOARD="amd64-usr"
CPE_NAME="cpe:2.3:o:flatcar-linux:flatcar_linux:3815.2.3:*:*:*:*:*:*:*"

  1. Set-up: Deploy flatcar as normal
  2. Remove link in /etc/security/limits.conf
  3. Create limits.conf with new configuration
  4. Restart sshd.socket
  5. Login
  6. Check ulimits for logged in user

Expected behavior

We should be able to modify pam module configuration using the configuration files in /etc/security/

Additional information

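The reproduction steps above check two things by hand: which file pam_limits actually reads (the symlink under /etc/security/ versus the vendor copy under /usr/lib/pam/) and whether the values in it show up in the logged-in user's ulimits. The helpers below are an added example, not code from this issue, from Flatcar or from linux-pam. They assume GNU readlink(1) and awk(1), and the parser is a deliberately simplified model of pam_limits: it honours the "-" type (both soft and hard) and lets the last matching line win, but does not implement group (@group) or per-user precedence over wildcard entries.

```shell
#!/bin/sh
# Added example (not from the Flatcar issue or the linux-pam project): helpers for
# auditing whether a limits.conf setting is the one pam_limits will actually apply.
# Assumptions: GNU readlink(1) and awk(1) are available; file paths are passed in.

# Print where a limits.conf path really resolves, following symlinks such as the
# /etc/security/limits.conf -> ../usr/lib/pam/limits.conf link described above.
# Usage: resolve_limits_conf /etc/security/limits.conf
resolve_limits_conf() {
    readlink -f "$1"
}

# Extract the value for DOMAIN TYPE ITEM from a limits.conf-format file, skipping
# comments and blank lines. A "-" type matches both soft and hard. The last
# matching line wins (simplified model; no @group or user-over-wildcard rules).
# Prints nothing when no line matches.
# Usage: limit_from_conf FILE '*' soft nofile
limit_from_conf() {
    awk -v d="$2" -v t="$3" -v i="$4" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == d && ($2 == t || $2 == "-") && $3 == i { v = $4 }
        END { if (v != "") print v }
    ' "$1"
}

# Compare the nofile limits configured for DOMAIN in FILE with the limits of the
# running shell (what "ulimit -Sn" / "ulimit -Hn" report after login).
# Returns 0 when every configured value matches, 1 otherwise, naming each mismatch.
# Usage: check_nofile /etc/security/limits.conf '*'
check_nofile() {
    conf=$1 domain=$2 rc=0
    want_soft=$(limit_from_conf "$conf" "$domain" soft nofile)
    want_hard=$(limit_from_conf "$conf" "$domain" hard nofile)
    have_soft=$(ulimit -Sn)
    have_hard=$(ulimit -Hn)
    if [ -n "$want_soft" ] && [ "$want_soft" != "$have_soft" ]; then
        echo "soft nofile: configured $want_soft, effective $have_soft" >&2
        rc=1
    fi
    if [ -n "$want_hard" ] && [ "$want_hard" != "$have_hard" ]; then
        echo "hard nofile: configured $want_hard, effective $have_hard" >&2
        rc=1
    fi
    return $rc
}
```

Running `resolve_limits_conf /etc/security/limits.conf` on an affected host shows the /usr/lib/pam target, which explains why editing a file at the /etc/security path had no effect; `check_nofile` gives a non-zero exit status suitable for a login-time health check when the configured and effective limits diverge.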

markafarrell commented 1 week ago

It appears that the path is set here:

https://github.com/linux-pam/linux-pam/blob/master/modules/pam_limits/pam_limits.c#L128

So presumably linux-pam is being compiled with SCONFIGDIR=/usr/lib/pam instead of SCONFIGDIR=/etc/security

markafarrell commented 1 week ago

I believe this is set here

https://github.com/flatcar/scripts/blob/main/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild#L84

markafarrell commented 1 week ago

I believe we can maintain the current behavior by making the following changes.

  1. Update https://github.com/flatcar/scripts/blob/main/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild#L84 to --enable-vendordir="/usr/lib/pam/"

  2. Update links in https://github.com/flatcar/scripts/blob/main/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf from ../usr/lib/pam to ../usr/lib/pam/security

markafarrell commented 1 week ago

It appears that using vendorsconfdir is only supported in linux-pam >= 1.5.3. So we would also need to update from linux-pam=1.5.1 to at least linux-pam=1.5.3

tormath1 commented 3 days ago

Thanks for the report and the contribution! This change will be available in the next Alpha :partying_face: