tvrzna / emptty

Dead simple CLI Display Manager on TTY
MIT License

pam_limits.so not applied when configured in /etc/pam.d/emptty, can't set ulimit #97

Closed xinoip closed 10 months ago

xinoip commented 10 months ago

While configuring /etc/security/limits.conf to increase the file descriptor limit, we need to add the required PAM configuration to the display manager as well.

Adding the following line to /etc/pam.d/login or /etc/pam.d/lightdm works fine for those, but adding this line to /etc/pam.d/emptty has no effect and the file descriptor limit doesn't change.

session required pam_limits.so

I am using emptty v0.11.0 on Void Linux.

Reproduction

In order to reproduce, configure the file descriptor limit in /etc/security/limits.conf by adding these lines to the end of the file (you could change * to your username; this changes the limit for all users on the system):

* soft nofile 500000
* hard nofile 500000

Test against another display manager. Add the following line to /etc/pam.d/login or /etc/pam.d/lightdm or any other display manager:

session required pam_limits.so

Reboot and log in. Run ulimit -Hn to see that the limit is changed. Currently, with emptty, the limit doesn't change.

edmonds commented 10 months ago

I'm using this /etc/pam.d/emptty: https://sources.debian.org/src/emptty/0.11.0-1/debian/emptty.pam/

# PAM configuration for emptty

auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_env.so envfile=/etc/default/locale

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

session required pam_loginuid.so

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

session required pam_limits.so

@include common-auth
@include common-account
@include common-session
@include common-password

And I have the default pipewire limits.d override:

$ grep ^@ /etc/security/limits.d/25-pw-rlimits.conf
@pipewire   - rtprio  95
@pipewire   - nice    -19
@pipewire   - memlock 4194304

And my user is in the pipewire group, and I see those limits being applied:

$ ulimit -ler
-l: locked-in-memory size (kbytes)  4194304
-e: max nice                        39
-r: max rt priority                 95

So it seems to me that emptty's pam implementation is working correctly.

tvrzna commented 10 months ago

Hello, I'm sorry for the late response. Emptty is not able to choose which PAM rule will or will not take effect. Please show us your complete /etc/pam.d/emptty file.

xinoip commented 10 months ago

Here is my /etc/pam.d/emptty:

#%PAM-1.0
auth            sufficient      pam_succeed_if.so user ingroup nopasswdlogin
auth            include         system-login
-auth           optional        pam_gnome_keyring.so
-auth           optional        pam_kwallet5.so
account         include         system-login
password        include         system-login
session         include         system-login
-session        optional        pam_gnome_keyring.so auto_start
-session        optional        pam_kwallet5.so auto_start force_ru
session required pam_limits.so

I am not really familiar with how PAM works, so I am still not sure if it's related to emptty or not, but based on my experimentation with other display managers, this kind of configuration works with them while it does not with emptty. For example, here is lightdm's file (/etc/pam.d/lightdm):

#%PAM-1.0

# Block login if they are globally disabled
auth      required pam_nologin.so

# Load environment from /etc/environment and ~/.pam_environment
auth      required pam_env.so

# Use /etc/passwd and /etc/shadow for passwords
auth      required pam_unix.so

# Check account is active, change password if required
account   required pam_unix.so

# Allow password to be changed
password  required pam_unix.so

# Setup session
session   required pam_unix.so
-session   optional pam_elogind.so
-session optional pam_ck_connector.so nox11

session required pam_limits.so

I only added the session required pam_limits.so line to both files. The rest of the files is untouched and default.

tvrzna commented 10 months ago

I've been looking into that and here are my findings:

So I'm trying to find out why it doesn't work on Void and what I can change to force the inheritance of limits.

tvrzna commented 10 months ago

My thought from yesterday was right: Golang does not provide resource limit inheritance into child processes by default, but it could be defined. So after the PAM session is opened and before the desktop session is started, emptty gets all of its own resource limits and sets them for the following child processes.
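An added example, not emptty's code, of the re-apply step described above, assuming Linux and illustrative function names: every limit the PAM session set is read back from the kernel with syscall.Getrlimit and written again through syscall.Setrlimit before the session command is exec'd. The thread does not spell out the mechanism, but it matters because Go 1.19 and later raise the process's soft RLIMIT_NOFILE at startup and restore the value they recorded when starting a child, so a limit changed by pam_limits through libc is not seen by that bookkeeping until it is re-applied via the syscall package.

```go
package main

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
	"syscall"
)

// Resources re-applied after pam_open_session (illustrative list; only the
// constants package syscall exports; memlock/rtprio/nice need x/sys/unix).
var sessionRlimits = []int{ // "nofile" is the limit that did not propagate in this issue
	syscall.RLIMIT_NOFILE, syscall.RLIMIT_CORE, syscall.RLIMIT_CPU, syscall.RLIMIT_DATA,
	syscall.RLIMIT_FSIZE, syscall.RLIMIT_STACK, syscall.RLIMIT_AS,
}

// reapplyRlimits reads each limit as the kernel holds it now (what pam_limits
// set through libc) and writes it back via syscall.Setrlimit. Re-setting a limit
// unchanged is always permitted, and going through the Go wrapper tells the
// runtime not to reset RLIMIT_NOFILE in the children it starts.
func reapplyRlimits(resources []int) (map[int]syscall.Rlimit, error) {
	snap := make(map[int]syscall.Rlimit, len(resources))
	for _, res := range resources {
		var lim syscall.Rlimit
		if err := syscall.Getrlimit(res, &lim); err != nil {
			return nil, fmt.Errorf("getrlimit(%d): %w", res, err)
		}
		if err := syscall.Setrlimit(res, &lim); err != nil {
			return nil, fmt.Errorf("setrlimit(%d): %w", res, err)
		}
		snap[res] = lim
	}
	return snap, nil
}

// childSoftNofile starts a child the way a session command would be started
// and returns the soft open-file limit that child actually observes.
func childSoftNofile() (uint64, error) {
	out, err := exec.Command("sh", "-c", "ulimit -S -n").Output()
	if err != nil {
		return 0, err
	}
	return strconv.ParseUint(strings.TrimSpace(string(out)), 10, 64)
}

func main() {
	snap, err := reapplyRlimits(sessionRlimits)
	child, _ := childSoftNofile()
	fmt.Println("parent soft nofile:", snap[syscall.RLIMIT_NOFILE].Cur, "child sees:", child, err)
}
```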