On Tue, Jun 19, 2001 at 03:11:02AM +0200, Christian Kraemer wrote:
> This is espacially anoying if you
> use pam_limits.so to set rlimits. Every user could
> cirrcumvent them easily by calling ssh in this way:
> ssh user@server /bin/sh
True. Fwiw you can work around this by putting ulimit calls in your
sshd invocation script. For example:
#!/bin/sh
ulimit -d <#>
ulimit -f <#>
ulimit -l <#>
ulimit -m <#>
ulimit -n <#>
ulimit -s <#>
[etc.]
Also most Linux distributions' 'init' packages support an
/etc/initscript which will be used for invoking all children of init.
man initscript:
DESCRIPTION
When the shell script /etc/initscript is present, init
will use it to execute the commands from inittab. This
script can be used to set things like ulimit and umask
default values for every process.
which is a good "safety net" for unforeseen issues like this one, as
well as for protecting against resource exhaustion via cron jobs, etc..
I imagine you could do the same thing on other *nixes by putting the
call somewhere early in the bootscripts.
P.S. I see this issue you raised is now being discussed on the
openssh-unix-dev list.
http://marc.theaimsgroup.com/?l=openssh-unix-dev&r=1&w=2&b=200106
This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 09:48:43 PDT