Bug#838191: systemd user units do not honor resource limits set in /etc/security/limits.conf

Michael Biebl biebl at debian.org
Tue Sep 27 10:25:30 BST 2016


Am 18.09.2016 um 11:16 schrieb Antonio Ospite:
> After a precious suggestion by Mantas Mikul─Śnas (grawity in
> #debian-systemd) I verified that this is happening because
> /etc/pam.d/systemd-user does not load pam_limits.so.
> 
> The following change fixes the issue:
> -----------------------------------------------------------------------
> --- /etc/pam.d/systemd-user.orig	2016-09-17 17:40:19.787522246 +0200
> +++ /etc/pam.d/systemd-user	2016-09-17 15:13:17.035405264 +0200
> @@ -7,5 +7,6 @@
>  session  required pam_selinux.so close
>  session  required pam_selinux.so nottys open
>  session  required pam_loginuid.so
> +session  required pam_limits.so
>  @include common-session-noninteractive
>  session optional pam_systemd.so
> -----------------------------------------------------------------------
> 
> 
> After adding pam_limits and the settings in limits.conf, the units from
> above have the expected behavior.
> 

...

> I can send a patch for /etc/pam.d/systemd-user against the systemd
> Debian package to address the issue, but I have a doubt: can this also
> be considered a bug in the upstream src/login/systemd-user.m4?
> 
> If so I will send a standalone patch which applies _before_
> debian/Adjust-systemd-user-pam-config-file-for-Debian.patch this way it
> will be easier to have it merged upstream.

The upstream pam config file is Redhat specific in this regard. It
includes /etc/pam.d/system-auth, which in turn has

session     required      pam_limits.so

We do use common-account and common-session-noninteractive in Debian,
which do no include pam_limits.so. So I guess we will have to keep that
as a downstream change.

That said, maybe upstream could document better, which pam modules are
supposed to be included for systemd-user. If you want to file an
upstream bug report for that, this would be appreciated.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20160927/675b29c2/attachment-0002.sig>


More information about the Pkg-systemd-maintainers mailing list