
We allow users to execute scripts on our servers. Our security model involves chrooting them. We want to be able to apply ulimit restrictions to them, and the best way to do it would seem to be in /etc/security/limits.conf

But, it doesn't seem to work. Here's what we set in limits.conf:

@registered_users    -    priority   7
@registered_users    -    nice       7
*                    -    priority   9
*                    -    nice       9

And it works in some cases:

sudo -u testuser python

will give a python process with niceness 9 (not 7, annoyingly).

BUT

sudo chroot --userspec=testuser:registered_users python

gives a python process with niceness 0.

Any clues?

We've tried adding session required pam_limits.so to /etc/pam.d/common-session, to no avail.

hwjp

1 Answer

The settings in /etc/security/limits.conf are not working inside the chroot because there is no program using pam_limits to set them. They work when you use sudo, because sudo's PAM configuration does call pam_limits.

The obvious answer is to call something inside the chroot that uses pam_limits, like "su", as they say here: https://lists.debian.org/debian-user/2010/09/msg01398.html (though you have to uncomment the line that uses pam_limits in /etc/pam.d/su, because it comes commented by default).

I.e., assuming your chroot directory is /srv/chroot, and you want to execute /usr/bin/python, you could try something like this:

sudo chroot /srv/chroot su testuser /usr/bin/python

I think sudo will do the trick, too:

sudo chroot /srv/chroot sudo -u testuser /usr/bin/python

But I can only speak for "su", which is what I use in a case like this. Please try it and tell me if it worked for you.

rsuarez
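Since the answer's point is that limits.conf entries only take effect when something in the login path actually calls pam_limits, the useful check is to compare what the file would apply to a user against the niceness a launched process really has. The script below is an added example, not code from the question or the answer: matching_limits lists every limits.conf line whose domain applies to a user (by name, by @group membership, or the * wildcard), and nice_of_pid reads the effective niceness of a running process. The sample limits.conf content is constructed from the question; the listing is in file order and deliberately does not decide which matching line wins, since the page does not document pam_limits' precedence rules.

```shell
#!/bin/sh
# Added example (not part of the original question or answer).
# matching_limits shows which limits.conf lines apply to a user;
# nice_of_pid shows the niceness a process actually received, so the
# two can be compared after launching through su, sudo, or a bare chroot.

# Constructed sample limits.conf content, copied from the question.
SAMPLE_LIMITS='@registered_users    -    priority   7
@registered_users    -    nice       7
*                    -    priority   9
*                    -    nice       9'

# matching_limits USER [GROUP...]
# Reads limits.conf lines from stdin and prints, in file order, each line
# whose domain is USER itself, @GROUP for one of the listed GROUPs, or the
# * wildcard. Comments and blank lines are skipped. It does not decide
# which matching line wins; pam_limits does that when it runs.
matching_limits() {
    user=$1
    shift
    groups=" $* "
    while read -r domain type item value; do
        case "$domain" in
            ''|'#'*) continue ;;
            "$user") printf '%s %s %s %s\n' "$domain" "$type" "$item" "$value" ;;
            @*)
                case "$groups" in
                    *" ${domain#@} "*) printf '%s %s %s %s\n' "$domain" "$type" "$item" "$value" ;;
                esac ;;
            '*') printf '%s %s %s %s\n' "$domain" "$type" "$item" "$value" ;;
        esac
    done
}

# nice_of_pid PID
# Prints the niceness the kernel currently applies to PID. On Linux it
# reads /proc/PID/stat (nice is stat field 19; once the "pid (comm) "
# prefix is stripped it is positional parameter 17) and falls back to
# ps(1) elsewhere.
nice_of_pid() {
    if [ -r "/proc/$1/stat" ]; then
        rest=$(sed 's/^.*) //' "/proc/$1/stat")
        set -- $rest
        echo "${17}"
    else
        ps -o ni= -p "$1" | tr -d ' '
    fi
}

# Demonstration on the constructed data: which lines would apply to
# testuser (a member of registered_users), and the niceness of a process
# started from this shell. Running nice_of_pid against a process started
# via "chroot ... su testuser" and one started via a bare
# "chroot --userspec" shows directly whether pam_limits was involved.
printf '%s\n' "$SAMPLE_LIMITS" | matching_limits testuser registered_users
sleep 1 &
echo "niceness of pid $!: $(nice_of_pid "$!")"
wait
```

To audit a real system, feed the actual file with `matching_limits testuser registered_users < /etc/security/limits.conf` and compare the nice entries it prints with the value nice_of_pid reports for the script's process; a process that shows niceness 0 while matching lines exist is the sign that nothing on its launch path called pam_limits.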