読者です 読者をやめる 読者になる 読者になる

中年engineerの独り言 - crumbjp

LinuxとApacheの憂鬱

limits.confの話

/etc/security/limits.conf

プロセスが利用できるリソースを制限する奴。

特にデーモンプロセス(mysqlとか)の利用可能ファイル数などをチューニングする時に使うのだけど

limits.conf が反映されない!

というトラブルが多い。

PAM

linuxの認証周りのモジュールで、難解、且つ、少しでも間違うと二度とログイン出来なくなったりする危険な奴。

出来ればお友達になりたくない(触りたくない)!

が、、limits.confと密接に関わってるのでインフラエンジニアなら仕方なく付き合う事に・・・

ssh

/etc/sshd (抜粋)
# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

SSH認証の時に PAM 使いますよー

/etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

何となく感じて!(汗

今回大事なのはsession include password-auth

/etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

やっと出てきた!pam_limits.so

 $ man pam_limits
PAM_LIMITS(8)                  Linux-PAM Manual                  PAM_LIMITS(8)

NAME
       pam_limits - PAM module to limit resources

SYNOPSIS
       pam_limits.so [change_uid] [conf=/path/to/limits.conf] [debug] [utmp_early] [noaudit]

DESCRIPTION
       The pam_limits PAM module sets limits on the system resources that can be obtained in a user-session. Users of
       uid=0 are affected by this limits, too.

       By default limits are taken from the /etc/security/limits.conf config file. Then individual *.conf files from
       the /etc/security/limits.d/ directory are read. The files are parsed one after another in the order of "C"
       locale. The effect of the individual files is the same as if all the files were concatenated together in the
       order of parsing. If a config file is explicitly specified with a module option then the files in the above
       directory are not parsed.

       The module must not be called by a multithreaded application.

       If Linux PAM is compiled with audit support the module will report when it denies access based on limit of
       maximum number of concurrent login sessions.
         :
         :

俺がlimits.conf処理してるんだぜー!!

PAM色々

limits.confでハマるのはssh , su , sudo 辺りじゃないですか?

/etc/pam.d/以下には例えばこんなファイル達が居ます。

まんまなので、何を定義してるのかすぐ解りますねw

  • su
  • su-l
  • sudo
  • sudo-i

で、

この行があればlimits.confは処理(反映)される訳です。

session     required      pam_limits.so