Hello! Here is an improved variant of the patch. It allows the system administrator to configure RLIMIT_RTPRIO and RLIMIT_NICE via the "rt_priority" and "nice" entries in /etc/security/limits.conf.
Best regards, Alexei. -- All science is either physics or stamp collecting.
Index: pam-0.79/Linux-PAM/modules/pam_limits/pam_limits.c
===================================================================
--- pam-0.79.orig/Linux-PAM/modules/pam_limits/pam_limits.c 2006-09-22 22:16:10.000000000 +0400
+++ pam-0.79/Linux-PAM/modules/pam_limits/pam_limits.c 2006-09-22 22:17:46.000000000 +0400
@@ -257,8 +257,38 @@
 pl->supported[i] = 1;
 pl->limits[i].src_soft = LIMITS_DEF_NONE;
 pl->limits[i].src_hard = LIMITS_DEF_NONE;
- pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
- pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+ switch (i) {
+ case RLIMIT_CPU:
+ case RLIMIT_FSIZE:
+ case RLIMIT_DATA:
+ case RLIMIT_STACK:
+ case RLIMIT_CORE:
+ case RLIMIT_RSS:
+ case RLIMIT_NPROC:
+ case RLIMIT_NOFILE:
+ case RLIMIT_MEMLOCK:
+#ifdef RLIMIT_AS
+ case RLIMIT_AS:
+#endif
+#ifdef RLIMIT_LOCKS
+ case RLIMIT_LOCKS:
+#endif
+#ifdef RLIMIT_SIGPENDING
+ case RLIMIT_SIGPENDING:
+#endif
+#ifdef RLIMIT_MSGQUEUE
+ case RLIMIT_MSGQUEUE:
+#endif
+ pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
+ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+ break;
+ default:
+ /* Dont touch unknown/unsupported rlimit values ---
+ * RLIM_INFINITY might be a bad choice for them and
+ * even open up security holes (for example, the latter
+ * is true for RLIM_RTPRIO in newer Linux kernels). */
+ break;
+ }
 }
 }
@@ -327,6 +357,14 @@
 else if (strcmp(lim_item, "msgqueue") == 0)
 limit_item = RLIMIT_MSGQUEUE;
 #endif
+#ifdef RLIMIT_RTPRIO
+ else if (strcmp(lim_item, "rt_priority") == 0)
+ limit_item = RLIMIT_RTPRIO;
+#endif
+#ifdef RLIMIT_NICE
+ else if (strcmp(lim_item, "nice") == 0)
+ limit_item = RLIMIT_NICE;
+#endif
 else if (strcmp(lim_item, "maxlogins") == 0) {
 limit_item = LIMIT_LOGIN;
 pl->flag_numsyslogins = 0;
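Review bot: The new `default:` branch in the first hunk leaves `pl->limits[i].limit` at whatever it held before, while `pl->supported[i]` is still set to 1, so the change is only safe if that struct was already filled earlier in the loop (presumably by a `getrlimit()` call, which is outside the hunk); that is worth confirming, since an unfilled value could later be applied as a limit. The comment names `RLIM_RTPRIO`, but the constant used in the rest of this patch is `RLIMIT_RTPRIO`, and an infinite `RLIMIT_NICE` would be just as unwelcome, so I would word it `(for example, the latter is true for RLIMIT_RTPRIO and RLIMIT_NICE in newer Linux kernels)` and correct "Dont" to "Don't". The enclosing function starts and ends outside the hunk.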
@@ -399,6 +437,22 @@
 #endif
 limit_value *= 1024;
 break;
+#ifdef RLIMIT_RTPRIO
+ case RLIMIT_RTPRIO:
+ if (limit_value > 99)
+ limit_value = 99;
+ if (limit_value < 0)
+ limit_value = 0;
+ break;
+#endif
+#ifdef RLIMIT_NICE
+ case RLIMIT_NICE:
+ if (limit_value > 39)
+ limit_value = 39;
+ if (limit_value < 0)
+ limit_value = 0;
+ break;
+#endif
 }
 if ( (limit_item != LIMIT_LOGIN)
Index: pam-0.79/Linux-PAM/modules/pam_limits/README
===================================================================
--- pam-0.79.orig/Linux-PAM/modules/pam_limits/README 2005-01-10 13:09:51.000000000 +0300
+++ pam-0.79/Linux-PAM/modules/pam_limits/README 2006-09-22 22:17:46.000000000 +0400
@@ -42,7 +42,11 @@
 - sigpending - max number of pending signals (Linux 2.6 and higher)
 - msgqueue - max memory used by POSIX message queues (bytes) (Linux 2.6 and higher)
-
+ - rt_priority - ceiling on real-time priority which can be set by
+ this user (Linux 2.6.13 and higher)
+ - nice - ceiling to which the processes’ nice value can be raised
+ (Linux 2.6.13 and higher)
+
 Note, if you specify a type of '-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc. .
Index: pam-0.79/Linux-PAM/modules/pam_limits/limits.skel
===================================================================
--- pam-0.79.orig/Linux-PAM/modules/pam_limits/limits.skel 2005-01-10 13:09:51.000000000 +0300
+++ pam-0.79/Linux-PAM/modules/pam_limits/limits.skel 2006-09-22 22:17:46.000000000 +0400
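Review bot: The `RLIMIT_NICE` case stores the configured number as the raw rlimit, but the kernel computes the actual nice ceiling as 20 minus the limit (useful limits run from 1 to 40), so a `nice` entry written as a nice value yields a different ceiling than the administrator meant, and the clamp to 0..39 leaves the nice -20 ceiling unreachable. I would accept a nice value in limits.conf and convert it as in the fence below, and state the accepted range in the README entry; this assumes `limit_value` is signed and that the parser outside this hunk lets a leading minus through. Both new cases also clamp silently, so a mistyped `rt_priority` value above 99 grants the maximum real-time priority without leaving any trace; a log message whenever a value is clamped would make that visible. The enclosing switch starts outside the hunk.

```c
#ifdef RLIMIT_NICE
        case RLIMIT_NICE:
            /* limits.conf carries a nice value (-20..19); the kernel
             * expects 20 - nice, i.e. a limit between 1 and 40. */
            if (limit_value > 19)
                limit_value = 19;
            if (limit_value < -20)
                limit_value = -20;
            limit_value = 20 - limit_value;
            break;
#endif
```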
@@ -32,6 +32,8 @@
 # - locks - max number of file locks the user can hold
 # - sigpending - max number of pending signals
 # - msgqueue - max memory used by POSIX message queues (bytes)
+# - rt_priority - ceiling on real-time priority which can be set
+# - nice - ceiling to which the processes’ nice value can be raised
 #
 #<domain> <type> <item> <value>
 #
Index: pam-0.79/debian/rules
===================================================================
--- pam-0.79.orig/debian/rules 2006-09-22 22:16:10.000000000 +0400
+++ pam-0.79/debian/rules 2006-09-22 22:18:30.000000000 +0400
@@ -87,7 +87,9 @@
 dh_movefiles -i
 dh_installman -plibpam-runtime $(BUILD_TREE)/doc/man/*.[578]
- rm debian/libpam-runtime/usr/share/man/man8/{pam.8,pam.d.8,pam.conf.8}
+ rm debian/libpam-runtime/usr/share/man/man8/pam.8
+ rm debian/libpam-runtime/usr/share/man/man8/pam.d.8
+ rm debian/libpam-runtime/usr/share/man/man8/pam.conf.8
 dh_installdocs -i
 dh_installchangelogs -i $(BUILD_TREE)/CHANGELOG
 dh_compress -i -X.html