About limits.conf
/etc/security/limits.conf
The thing that restricts the resources a process may use.
You mostly use it when tuning things like the number of open files a daemon process (mysql and the like) is allowed, but
"limits.conf isn't being applied!"
is a very common kind of trouble.
PAM
The module around Linux authentication: hard to understand, and dangerous in that one small mistake can leave you unable to log in ever again.
I'd rather not make friends with it (not touch it) if I can help it!
But... it's closely tied to limits.conf, so as an infrastructure engineer you have no choice but to deal with it...
ssh
/etc/sshd (excerpt)
```
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
```
"Use PAM when authenticating SSH, please."
/etc/pam.d/sshd
```
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
```
Just get a rough feel for it! (sweat)
What matters this time is `session include password-auth`
/etc/pam.d/password-auth
```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
```
Finally, there it is! pam_limits.so
```
$ man pam_limits
PAM_LIMITS(8)                  Linux-PAM Manual                  PAM_LIMITS(8)

NAME
       pam_limits - PAM module to limit resources

SYNOPSIS
       pam_limits.so [change_uid] [conf=/path/to/limits.conf] [debug]
                     [utmp_early] [noaudit]

DESCRIPTION
       The pam_limits PAM module sets limits on the system resources that can
       be obtained in a user-session. Users of uid=0 are affected by this
       limits, too.

       By default limits are taken from the /etc/security/limits.conf config
       file. Then individual *.conf files from the /etc/security/limits.d/
       directory are read. The files are parsed one after another in the order
       of "C" locale. The effect of the individual files is the same as if all
       the files were concatenated together in the order of parsing. If a
       config file is explicitly specified with a module option then the files
       in the above directory are not parsed.

       The module must not be called by a multithreaded application.

       If Linux PAM is compiled with audit support the module will report when
       it denies access based on limit of maximum number of concurrent login
       sessions.
       (snip)
```
"I'm the one who processes limits.conf!!"
PAM, assorted
The places where limits.conf trips people up are ssh, su, sudo and the like, aren't they?
Under /etc/pam.d/ you will find files such as these, for example.
The names say it all, so you can tell right away what each one defines (lol)
- su
- su-l
- sudo
- sudo-i
So,
if this line is present, limits.conf gets processed (applied).
`session required pam_limits.so`
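As an added example that is not part of the original post, here is a small shell script that walks the `session` stack of each /etc/pam.d service, follows `session include` / `session substack` lines the way the sshd file above reaches password-auth, and reports whether pam_limits.so is ever reached; the `PAMD` variable and the function names are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: report which PAM services will
# actually apply limits.conf, i.e. whose "session" stack reaches pam_limits.so
# directly or via "session include <file>" / "session substack <file>".
# Only the session stack counts: pam_limits.so does its work in open_session.
# PAMD is this script's own variable; point it at a copy of /etc/pam.d to test.
PAMD="${PAMD:-/etc/pam.d}"

# Session lines of one service file, comments stripped and any bracketed
# control field such as [success=1 default=ignore] collapsed to one token,
# so field 3 is always the module name (or the included file).
session_lines() {
    sed -e 's/#.*//' -e 's/\[[^]]*]/[ctl]/' "$PAMD/$1" \
        | awk '$1 == "session" || $1 == "-session"'
}

# has_pam_limits SERVICE [DEPTH]: exit 0 if the session stack reaches pam_limits.so
has_pam_limits() {
    local svc="$1" depth="${2:-0}" inc
    [ "$depth" -le 8 ] || return 1          # guard against include loops
    [ -r "$PAMD/$svc" ] || return 1         # no file, so nothing is applied
    session_lines "$svc" \
        | awk '$3 == "pam_limits.so" { found = 1 } END { exit found ? 0 : 1 }' \
        && return 0
    for inc in $(session_lines "$svc" \
                 | awk '$2 == "include" || $2 == "substack" { print $3 }'); do
        has_pam_limits "$inc" $((depth + 1)) && return 0
    done
    return 1
}

# report SERVICE...: one line per service saying whether limits.conf is applied
report() {
    local svc
    for svc in "$@"; do
        if has_pam_limits "$svc"; then
            echo "$svc: limits.conf applied"
        else
            echo "$svc: limits.conf NOT applied"
        fi
    done
}

# Usage: sh pamlimits.sh sshd su su-l sudo sudo-i
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

A service whose session stack never reaches pam_limits.so is exactly the case where "limits.conf isn't being applied", so the NOT lines are the ones to chase.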