Hello!

Here is an improved variant of the patch. It allows the system administrator
to configure RLIMIT_RTPRIO and RLIMIT_NICE via the "rt_priority" and "nice"
entries in /etc/security/limits.conf.

Best regards,
 Alexei.

-- 
All science is either physics or stamp collecting.

Index: pam-0.79/Linux-PAM/modules/pam_limits/pam_limits.c
===================================================================
--- pam-0.79.orig/Linux-PAM/modules/pam_limits/pam_limits.c     2006-09-22 
22:16:10.000000000 +0400
+++ pam-0.79/Linux-PAM/modules/pam_limits/pam_limits.c  2006-09-22 
22:17:46.000000000 +0400
@@ -257,8 +257,38 @@
            pl->supported[i] = 1;
            pl->limits[i].src_soft = LIMITS_DEF_NONE;
            pl->limits[i].src_hard = LIMITS_DEF_NONE;
-           pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
-           pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+      switch (i) {
+          case RLIMIT_CPU:
+          case RLIMIT_FSIZE:
+          case RLIMIT_DATA:
+          case RLIMIT_STACK:
+          case RLIMIT_CORE:
+          case RLIMIT_RSS:
+          case RLIMIT_NPROC:
+          case RLIMIT_NOFILE:
+          case RLIMIT_MEMLOCK:
+#ifdef RLIMIT_AS
+          case RLIMIT_AS:
+#endif
+#ifdef RLIMIT_LOCKS
+          case RLIMIT_LOCKS:
+#endif
+#ifdef RLIMIT_SIGPENDING
+          case RLIMIT_SIGPENDING:
+#endif
+#ifdef RLIMIT_MSGQUEUE
+          case RLIMIT_MSGQUEUE:
+#endif
+              pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
+              pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+              break;
+          default:
+              /* Dont touch unknown/unsupported rlimit values ---
+               * RLIM_INFINITY might be a bad choice for them and
+               * even open up security holes (for example, the latter
+               * is true for RLIM_RTPRIO in newer Linux kernels). */
+              break;
+           }
        }
     }
 
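Review bot: The `default:` branch leaves `pl->limits[i].limit` at whatever it held before this block, and the hunk does not show where that value comes from; the enclosing loop starts and ends outside the hunk. If it is the limit inherited from the service that invoked PAM (presumably read earlier in the loop), then a daemon started with a raised RLIMIT_RTPRIO or RLIMIT_NICE hands that ceiling to every session that limits.conf does not override, which is worth stating for administrators. The comment also names `RLIM_RTPRIO`, which is not the constant used elsewhere in the patch; I would reword it to `/* Leave limits not listed above (e.g. RLIMIT_RTPRIO, RLIMIT_NICE) at their current value: RLIM_INFINITY there would let any user request real-time priority. */`.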
@@ -327,6 +357,14 @@
     else if (strcmp(lim_item, "msgqueue") == 0)
        limit_item = RLIMIT_MSGQUEUE;
 #endif
+#ifdef RLIMIT_RTPRIO
+               else if (strcmp(lim_item, "rt_priority") == 0)
+       limit_item = RLIMIT_RTPRIO;
+#endif
+#ifdef RLIMIT_NICE
+               else if (strcmp(lim_item, "nice") == 0)
+       limit_item = RLIMIT_NICE;
+#endif
     else if (strcmp(lim_item, "maxlogins") == 0) {
        limit_item = LIMIT_LOGIN;
        pl->flag_numsyslogins = 0;
@@ -399,6 +437,22 @@
 #endif
             limit_value *= 1024;
             break;
+#ifdef RLIMIT_RTPRIO
+                               case RLIMIT_RTPRIO:
+                                               if (limit_value > 99)
+                                                       limit_value = 99;
+                                               if (limit_value < 0)
+                                                       limit_value = 0;
+                                               break;
+#endif
+#ifdef RLIMIT_NICE
+                               case RLIMIT_NICE:
+                                               if (limit_value > 39)
+                                                       limit_value = 39;
+                                               if (limit_value < 0)
+                                                       limit_value = 0;
+                                               break;
+#endif
     }
 
     if ( (limit_item != LIMIT_LOGIN)
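Review bot: The `case RLIMIT_NICE:` clamp caps the value at 39, but getrlimit(2) defines the nice ceiling as `20 - rlim_cur` with a useful range of 1 to 40, so as written an administrator can grant at most nice -19, and the README text in this patch does not say that the entry takes this raw value rather than a nice level. I would use `if (limit_value > 40) limit_value = 40;` and document the mapping next to the `nice` item. Both cases also clamp silently; a log line when a limits.conf value is out of range would help whoever audits the file. Whether the `< 0` checks can ever fire, and what "unlimited" turns into here, depends on the type of `limit_value`, which is declared outside the hunk along with the start of this `switch`.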
Index: pam-0.79/Linux-PAM/modules/pam_limits/README
===================================================================
--- pam-0.79.orig/Linux-PAM/modules/pam_limits/README   2005-01-10 
13:09:51.000000000 +0300
+++ pam-0.79/Linux-PAM/modules/pam_limits/README        2006-09-22 
22:17:46.000000000 +0400
@@ -42,7 +42,11 @@
        - sigpending - max number of pending signals (Linux 2.6 and higher)
        - msgqueue - max memory used by POSIX message queues (bytes) 
          (Linux 2.6 and higher)
-
+       - rt_priority - ceiling on real-time priority which can be set by
+         this user (Linux 2.6.13 and higher)
+       - nice - ceiling to which the processes’ nice value can be raised 
+         (Linux 2.6.13 and higher)
+ 
 Note, if you specify a type of '-' but neglect to supply the item and
 value fields then the module will never enforce any limits on the
 specified user/group etc. .
Index: pam-0.79/Linux-PAM/modules/pam_limits/limits.skel
===================================================================
--- pam-0.79.orig/Linux-PAM/modules/pam_limits/limits.skel      2005-01-10 
13:09:51.000000000 +0300
+++ pam-0.79/Linux-PAM/modules/pam_limits/limits.skel   2006-09-22 
22:17:46.000000000 +0400
@@ -32,6 +32,8 @@
 #        - locks - max number of file locks the user can hold
 #        - sigpending - max number of pending signals
 #        - msgqueue - max memory used by POSIX message queues (bytes)
+#        - rt_priority - ceiling on real-time priority which can be set
+#        - nice - ceiling to which the processes’ nice value can be raised
 #
 #<domain>      <type>  <item>         <value>
 #
Index: pam-0.79/debian/rules
===================================================================
--- pam-0.79.orig/debian/rules  2006-09-22 22:16:10.000000000 +0400
+++ pam-0.79/debian/rules       2006-09-22 22:18:30.000000000 +0400
@@ -87,7 +87,9 @@
        dh_movefiles -i
 
        dh_installman -plibpam-runtime $(BUILD_TREE)/doc/man/*.[578]
-       rm  debian/libpam-runtime/usr/share/man/man8/{pam.8,pam.d.8,pam.conf.8}
+       rm  debian/libpam-runtime/usr/share/man/man8/pam.8
+       rm  debian/libpam-runtime/usr/share/man/man8/pam.d.8
+       rm  debian/libpam-runtime/usr/share/man/man8/pam.conf.8
        dh_installdocs -i
        dh_installchangelogs -i $(BUILD_TREE)/CHANGELOG
        dh_compress -i -X.html
