Unable to modify pam module configuration using files in /etc/security #1474

Closed
markafarrell opened this issue Jun 19, 2024 · 5 comments · Fixed by flatcar/scripts#2049
Labels
kind/bug Something isn't working

Comments

@markafarrell

markafarrell commented Jun 19, 2024

Description

I am unable to modify pam configuration by using files in /etc/security/

For example, if I set

*        soft        nofile          512
*        hard       nofile          512

in /etc/security/limits.conf, it is not respected:

d384492@localhost ~ $ ulimit -Hn
524288
d384492@localhost ~ $ ulimit -Sn
1024

When I add debug to the pam_limits.so entry in /etc/pam.d/system-auth

session         required        pam_limits.so debug

I can see that the module is attempting to read the limits file from /usr/lib/pam/limits.conf

Jun 19 23:24:47 localhost sshd[6375]: pam_limits(sshd:session): reading settings from '/usr/lib/pam//limits.conf'

Impact

This means a user is unable to modify pam module configuration

Environment and steps to reproduce

d384492@localhost ~ $ cat /etc/os-release
NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
ID_LIKE=coreos
VERSION=3815.2.3
VERSION_ID=3815.2.3
BUILD_ID=2024-05-21-1124
SYSEXT_LEVEL=1.0
PRETTY_NAME="Flatcar Container Linux by Kinvolk 3815.2.3 (Oklo)"
ANSI_COLOR="38;5;75"
HOME_URL="https://flatcar.org/"
BUG_REPORT_URL="https://issues.flatcar.org"
FLATCAR_BOARD="amd64-usr"
CPE_NAME="cpe:2.3:o:flatcar-linux:flatcar_linux:3815.2.3:*:*:*:*:*:*:*"
  1. Set-up: Deploy flatcar as normal
  2. Remove link in /etc/security/limits.conf
  3. Create limits.conf with new configuration
  4. Restart sshd.socket
  5. Login
  6. Check ulimits for logged in user

Expected behavior

We should be able to modify pam module configuration using the configuration files in /etc/security/.


@markafarrell markafarrell added the kind/bug Something isn't working label Jun 19, 2024
@markafarrell
Author

It appears that the path is set here:

https://github.com/linux-pam/linux-pam/blob/master/modules/pam_limits/pam_limits.c#L128

So presumably linux-pam is being compiled with SCONFIGDIR=/usr/lib/pam instead of SCONFIGDIR=/etc/security

@markafarrell
Author

markafarrell commented Jun 20, 2024

I believe we can maintain the current behavior by making the following changes.

  1. Update https://github.com/flatcar/scripts/blob/main/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/pam-1.5.1_p20210622-r1.ebuild#L84 to --enable-vendordir="/usr/lib/pam/"

  2. Update links in https://github.com/flatcar/scripts/blob/main/sdk_container/src/third_party/coreos-overlay/sys-libs/pam/files/tmpfiles.d/pam.conf from ../usr/lib/pam to ../usr/lib/pam/security

@markafarrell
Author

markafarrell commented Jun 20, 2024

It appears that using vendorsconfdir is only supported in linux-pam >= 1.5.3, so we would also need to update from linux-pam=1.5.1 to at least linux-pam=1.5.3.
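
The debug log line from the first comment and the vendordir precedence discussed in the two comments above, turned into a check an operator can run. This is an added example, not code from the issue or from Flatcar/linux-pam: it parses pam_limits "reading settings from" lines (the sample log lines are constructed) and reports whether the module honoured /etc/security, and it emulates the assumed lookup order of a vendordir build (the /etc/security file if present, otherwise the vendor copy).

```shell
#!/bin/sh
# Added example (not from the issue). Constructed sample of pam_limits debug
# output as seen in the journal; the second line is what a fixed build prints.
SAMPLE_LOG="Jun 19 23:24:47 localhost sshd[6375]: pam_limits(sshd:session): reading settings from '/usr/lib/pam//limits.conf'
Jun 20 01:02:03 localhost sshd[7001]: pam_limits(sshd:session): reading settings from '/etc/security/limits.conf'"

# Print the config path pam_limits reported reading, one per line.
# On a live host: pam_limits_paths "$(journalctl -u sshd --no-pager)"
pam_limits_paths() {
    printf '%s\n' "$1" | sed -n "s/.*pam_limits([^)]*): reading settings from '\([^']*\)'.*/\1/p"
}

# Return 0 if every path read lives under /etc/security, 1 if any came from
# the vendor directory (the symptom described in this issue).
honours_etc_security() {
    pam_limits_paths "$1" | while read -r p; do
        case "$p" in
            /etc/security/*) ;;
            *) echo "pam_limits read vendor config instead of /etc/security: $p" >&2; exit 1 ;;
        esac
    done
}

# Assumed lookup order of a linux-pam build configured with --enable-vendordir:
# the file under the /etc security dir wins when present, else the vendor copy.
# $1 = file name, $2 = /etc security dir, $3 = vendor security dir.
effective_conf() {
    if [ -e "$2/$1" ]; then
        echo "$2/$1"
    else
        echo "$3/$1"
    fi
}
```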

@tormath1
Contributor

Thanks for the report and the contribution! This change will be available in the next Alpha 🥳
