opinions on /etc/security/limits.conf

Russell Coker russell at coker.com.au
Thu Nov 24 04:43:44 UTC 2005


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173902

Currently if you run "su - user" (or several other commands that use pam) then 
the limits for many fields are inherited from the user executing the command.

The main problem I have with this is that it gives inconsistent results, 
particularly in the case of daemons.  I have designed a change to the program 
"runuser" to make it use pam_limits.so so that the limits.conf file will be 
applied to daemons.  But to take advantage of this we need sane values.  
Currently even with my proposed modification to runuser daemons will still 
run inconsistently; a daemon may perform differently dependent on whether it 
was started at system boot or by the action of an administrator.

Also some daemons (such as Oracle) are started by "su" which has the same 
issues.

If a daemon is going to fail then it should fail in every situation so the 
administrator can be aware of the problem and fix it.  Alternately if it 
works in one situation then it should work in others.

To deal with this I believe that the default limits.conf file should have 
entries for every field for every user.  This is a little controversial so 
I'd appreciate feedback on the above bugzilla.  We have two issues to 
resolve: whether to have such a default and what the default should be.  In 
my bug report I have suggested some values taken from default values for 
rawhide and RHEL4.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
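
Added example (not part of the original message, and not code from pam_limits or runuser): a Python check for the proposal above that limits.conf carry a default for every field. It reports which resource-limit items have no "*" entry for soft or hard, which per the message are the ones left to be inherited from whoever ran the command. The item list is an assumption taken from limits.conf(5), and the sample file is constructed.

```python
# Items from limits.conf(5) that map to process resource limits (assumed list).
RLIMIT_ITEMS = ("core", "data", "fsize", "memlock", "nofile", "rss", "stack",
                "cpu", "nproc", "as", "locks", "sigpending", "msgqueue",
                "nice", "rtprio")

def parse_limits(text):
    """Yield (domain, type, item, value) for each well-formed entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) != 4:
            continue                            # blank or malformed line
        domain, ltype, item, value = fields
        if ltype in ("soft", "hard", "-"):
            yield domain, ltype, item, value

def missing_defaults(text):
    """Return {item: [types]} for items lacking a "*" soft and/or hard entry."""
    covered = {item: set() for item in RLIMIT_ITEMS}
    for domain, ltype, item, _ in parse_limits(text):
        if domain != "*" or item not in covered:
            continue                            # per-user/group lines are not defaults
        # A type of "-" sets both the soft and the hard limit.
        covered[item].update(("soft", "hard") if ltype == "-" else (ltype,))
    return {item: sorted({"soft", "hard"} - have)
            for item, have in covered.items() if have != {"soft", "hard"}}

# Constructed sample, not a real system's configuration.
SAMPLE = """\
# <domain> <type> <item> <value>
*       soft    core    0
*       hard    nofile  1024      # hard only: soft is still inherited
*       -       nproc   4096
@dba    hard    nofile  65536
oracle  -       memlock unlimited
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for item, types in missing_defaults(text).items():
        print(f"{item}: no '*' default for {', '.join(types)}")
```

Run it with a path such as /etc/security/limits.conf as the only argument; with no argument it checks the constructed sample.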



