pam_limits not working with pam_groups
Nicolas Avrutin
nicolasavru at gmail.com
Mon Oct 31 21:16:44 UTC 2011
Greetings
I have a group of workstations which are used for working with USRPs via
gnuradio and matlab. gnuradio requires permissions to increase the thread
priority (granted via pam_limits). Every user who uses these machines does
so via LDAP accounts (which are also used on other workstations). LDAP users
are added to the usrp group via pam_groups. The limit works fine for local
users and for LDAP users manually added to local usrp group (entered in
/etc/group), but does not work for LDAP users who are added to the group
via pam_groups. In addition, adding an LDAP user to
/etc/security/limits.conf directly does not work either. Another issue that
is possibly related is that calling 'id' or 'groups' from an LDAP account
returns all the local groups added via pam_groups, while calling 'id $USER'
or 'groups $USER' only returns the LDAP groups that the user is a member
of. This makes sense, because, with no arguments, id and groups return the
groups of the calling process, while with the username as an argument, it
queries the user database directly.
Is pam_limits and pam_groups not interacting with each other a bug or is
that design intentional? If it is intentional, are there any good
workarounds for this situation?
Relevant files and command outputs:
/etc/security/limits.conf:
@usrp - rtprio 50
/etc/security/group.conf:
*;*;*;Al0000-2400;floppy,video,audio,cdrom,plugdev,users,usrp,wireshark,vboxusers,fuse
output of 'ulimit -l -r' on LDAP user not added to usrp via pam_groups:
max locked memory (kbytes, -l) 64
real-time priority (-r) 0
output of 'ulimit -l -r' on local user or LDAP user added to usrp via
pam_groups:
max locked memory (kbytes, -l) 64
real-time priority (-r) 50
Thank you for any assistance.
--
Nicolas Avrutin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20111031/b176f8f4/attachment.htm>
More information about the Pam-list
mailing list