2 * pam_limits - impose resource limits when opening a user session
4 * 1.6 - modified for PLD (added process priority settings)
5 * by Marcin Korzonek <mkorz@shadow.eu.org>
6 * 1.5 - Elliot Lee's "max system logins patch"
7 * 1.4 - addressed bug in configuration file parser
8 * 1.3 - modified the configuration file format
9 * 1.2 - added 'debug' and 'conf=' arguments
10 * 1.1 - added @group support
11 * 1.0 - initial release - Linux ONLY
13 * See end for Copyright information
16 #if !defined(linux) && !defined(__linux)
17 #warning THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!!
30 #include <sys/types.h>
32 #include <sys/resource.h>
36 #ifndef UT_USER /* some systems have ut_name instead of ut_user */
37 #define UT_USER ut_user
49 #define LINE_LENGTH 1024
51 #define LIMITS_DEF_USER 0 /* limit was set by an user entry */
52 #define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */
53 #define LIMITS_DEF_ALLGROUP 2 /* limit was set by a group entry */
54 #define LIMITS_DEF_ALL 3 /* limit was set by an default entry */
55 #define LIMITS_DEF_DEFAULT 4 /* limit was set by an default entry */
56 #define LIMITS_DEF_NONE 5 /* this limit was not set yet */
58 static const char *limits_def_names[] = {
68 struct user_limits_struct {
77 int login_limit; /* the max logins limit */
78 int login_limit_def; /* which entry set the login limit */
79 int flag_numsyslogins; /* whether to limit logins only for a
80 specific user or to count all logins */
81 int priority; /* the priority to run user process with */
82 struct user_limits_struct limits[RLIM_NLIMITS];
83 const char *conf_file;
84 int utmp_after_pam_call;
85 char login_group[LINE_LENGTH];
88 #define LIMIT_LOGIN RLIM_NLIMITS+1
89 #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
91 #define LIMIT_PRI RLIM_NLIMITS+3
96 #define PAM_SM_SESSION
98 #include <security/pam_modules.h>
99 #include <security/_pam_macros.h>
100 #include <security/pam_modutil.h>
101 #include <security/pam_ext.h>
103 /* argument parsing */
105 #define PAM_DEBUG_ARG 0x0001
106 #define PAM_DO_SETREUID 0x0002
107 #define PAM_UTMP_EARLY 0x0004
108 #define PAM_NO_AUDIT 0x0008
110 /* Limits from globbed files. */
111 #define LIMITS_CONF_GLOB LIMITS_FILE_DIR
113 #define CONF_FILE (pl->conf_file != NULL)?pl->conf_file:LIMITS_FILE
116 _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
117 struct pam_limit_s *pl)
121 /* step through arguments */
122 for (ctrl=0; argc-- > 0; ++argv) {
124 /* generic options */
126 if (!strcmp(*argv,"debug")) {
127 ctrl |= PAM_DEBUG_ARG;
128 } else if (!strncmp(*argv,"conf=",5)) {
129 pl->conf_file = *argv+5;
130 } else if (!strncmp(*argv,"change_uid",10)) {
131 ctrl |= PAM_DO_SETREUID;
132 } else if (!strcmp(*argv,"utmp_early")) {
133 ctrl |= PAM_UTMP_EARLY;
134 } else if (!strcmp(*argv,"noaudit")) {
135 ctrl |= PAM_NO_AUDIT;
137 pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
185 #ifdef RLIMIT_SIGPENDING
186 case RLIMIT_SIGPENDING:
190 #ifdef RLIMIT_MSGQUEUE
191 case RLIMIT_MSGQUEUE:
212 #define LIMITED_OK 0 /* limit setting appeared to work */
213 #define LIMIT_ERR 1 /* error setting a limit */
214 #define LOGIN_ERR 2 /* too many logins err */
216 /* Counts the number of user logins and check against the limit*/
218 check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
219 struct pam_limit_s *pl)
224 if (ctrl & PAM_DEBUG_ARG) {
225 pam_syslog(pamh, LOG_DEBUG,
226 "checking logins for '%s' (maximum of %d)", name, limit);
230 return 0; /* no limits imposed */
231 if (limit == 0) /* maximum 0 logins ? */ {
232 pam_syslog(pamh, LOG_WARNING, "No logins allowed for '%s'", name);
238 /* Because there is no definition about when an application
239 actually adds a utmp entry, some applications bizarrely do the
240 utmp call before the have PAM authenticate them to the system:
241 you're logged it, sort of...? Anyway, you can use the
242 "utmp_early" module argument in your PAM config file to make
243 allowances for this sort of problem. (There should be a PAM
244 standard for this, since if a module wants to actually map a
245 username then any early utmp entry will be for the unmapped
248 if (ctrl & PAM_UTMP_EARLY) {
254 while((ut = getutent())) {
256 if (ut->ut_type != USER_PROCESS) {
260 if (ut->UT_USER[0] == '\0') {
263 if (!pl->flag_numsyslogins) {
264 if (((pl->login_limit_def == LIMITS_DEF_USER)
265 || (pl->login_limit_def == LIMITS_DEF_GROUP)
266 || (pl->login_limit_def == LIMITS_DEF_DEFAULT))
267 && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) {
270 if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
271 && !pam_modutil_user_in_group_nam_nam(pamh, ut->UT_USER, pl->login_group)) {
275 if (++count > limit) {
282 pam_syslog(pamh, LOG_WARNING,
283 "Too many logins (max %d) for %s", limit, name);
285 pam_syslog(pamh, LOG_WARNING, "Too many system logins (max %d)", limit);
292 static int init_limits(struct pam_limit_s *pl)
295 int retval = PAM_SUCCESS;
299 for(i = 0; i < RLIM_NLIMITS; i++) {
300 int r = getrlimit(i, &pl->limits[i].limit);
302 pl->limits[i].supported = 0;
303 if (errno != EINVAL) {
304 retval = !PAM_SUCCESS;
307 pl->limits[i].supported = 1;
308 pl->limits[i].src_soft = LIMITS_DEF_NONE;
309 pl->limits[i].src_hard = LIMITS_DEF_NONE;
314 pl->priority = getpriority (PRIO_PROCESS, 0);
315 if (pl->priority == -1 && errno != 0)
316 retval = !PAM_SUCCESS;
317 pl->login_limit = -2;
318 pl->login_limit_def = LIMITS_DEF_NONE;
324 process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
325 const char *lim_item, const char *lim_value,
326 int ctrl, struct pam_limit_s *pl)
331 rlim_t rlimit_value = 0;
333 const char *value_orig = lim_value;
335 if (ctrl & PAM_DEBUG_ARG)
336 pam_syslog(pamh, LOG_DEBUG, "%s: processing %s %s %s for %s",
337 __FUNCTION__, lim_type, lim_item, lim_value,
338 limits_def_names[source]);
340 if (strcmp(lim_item, "cpu") == 0)
341 limit_item = RLIMIT_CPU;
342 else if (strcmp(lim_item, "fsize") == 0)
343 limit_item = RLIMIT_FSIZE;
344 else if (strcmp(lim_item, "data") == 0)
345 limit_item = RLIMIT_DATA;
346 else if (strcmp(lim_item, "stack") == 0)
347 limit_item = RLIMIT_STACK;
348 else if (strcmp(lim_item, "core") == 0)
349 limit_item = RLIMIT_CORE;
350 else if (strcmp(lim_item, "rss") == 0)
351 limit_item = RLIMIT_RSS;
352 else if (strcmp(lim_item, "nproc") == 0)
353 limit_item = RLIMIT_NPROC;
354 else if (strcmp(lim_item, "nofile") == 0)
355 limit_item = RLIMIT_NOFILE;
356 else if (strcmp(lim_item, "memlock") == 0)
357 limit_item = RLIMIT_MEMLOCK;
359 else if (strcmp(lim_item, "as") == 0)
360 limit_item = RLIMIT_AS;
363 else if (strcmp(lim_item, "locks") == 0)
364 limit_item = RLIMIT_LOCKS;
366 #ifdef RLIMIT_SIGPENDING
367 else if (strcmp(lim_item, "sigpending") == 0)
368 limit_item = RLIMIT_SIGPENDING;
370 #ifdef RLIMIT_MSGQUEUE
371 else if (strcmp(lim_item, "msgqueue") == 0)
372 limit_item = RLIMIT_MSGQUEUE;
375 else if (strcmp(lim_item, "nice") == 0)
376 limit_item = RLIMIT_NICE;
379 else if (strcmp(lim_item, "rtprio") == 0)
380 limit_item = RLIMIT_RTPRIO;
382 else if (strcmp(lim_item, "maxlogins") == 0) {
383 limit_item = LIMIT_LOGIN;
384 pl->flag_numsyslogins = 0;
385 } else if (strcmp(lim_item, "maxsyslogins") == 0) {
386 limit_item = LIMIT_NUMSYSLOGINS;
387 pl->flag_numsyslogins = 1;
388 } else if (strcmp(lim_item, "priority") == 0) {
389 limit_item = LIMIT_PRI;
391 pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
395 if (strcmp(lim_type,"soft")==0)
396 limit_type=LIMIT_SOFT;
397 else if (strcmp(lim_type, "hard")==0)
398 limit_type=LIMIT_HARD;
399 else if (strcmp(lim_type,"-")==0)
400 limit_type=LIMIT_SOFT | LIMIT_HARD;
401 else if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS) {
402 pam_syslog(pamh, LOG_DEBUG, "unknown limit type '%s'", lim_type);
405 if (limit_item != LIMIT_PRI
407 && limit_item != RLIMIT_NICE
409 && (strcmp(lim_value, "-1") == 0
410 || strcmp(lim_value, "-") == 0 || strcmp(lim_value, "unlimited") == 0
411 || strcmp(lim_value, "infinity") == 0)) {
413 rlimit_value = RLIM_INFINITY;
414 } else if (limit_item == LIMIT_PRI || limit_item == LIMIT_LOGIN ||
416 limit_item == RLIMIT_NICE ||
418 limit_item == LIMIT_NUMSYSLOGINS) {
420 temp = strtol (lim_value, &endptr, 10);
421 temp = temp < INT_MAX ? temp : INT_MAX;
422 int_value = temp > INT_MIN ? temp : INT_MIN;
423 if (int_value == 0 && value_orig == endptr) {
424 pam_syslog(pamh, LOG_DEBUG,
425 "wrong limit value '%s' for limit type '%s'",
426 lim_value, lim_type);
430 #ifdef __USE_FILE_OFFSET64
431 rlimit_value = strtoull (lim_value, &endptr, 10);
433 rlimit_value = strtoul (lim_value, &endptr, 10);
435 if (rlimit_value == 0 && value_orig == endptr) {
436 pam_syslog(pamh, LOG_DEBUG,
437 "wrong limit value '%s' for limit type '%s'",
438 lim_value, lim_type);
443 /* one more special case when limiting logins */
444 if ((source == LIMITS_DEF_ALL || source == LIMITS_DEF_ALLGROUP)
445 && (limit_item != LIMIT_LOGIN)) {
446 if (ctrl & PAM_DEBUG_ARG)
447 pam_syslog(pamh, LOG_DEBUG,
448 "'%%' domain valid for maxlogins type only");
454 if (rlimit_value != RLIM_INFINITY)
456 if (rlimit_value >= RLIM_INFINITY/60)
457 rlimit_value = RLIM_INFINITY;
471 if (rlimit_value != RLIM_INFINITY)
473 if (rlimit_value >= RLIM_INFINITY/1024)
474 rlimit_value = RLIM_INFINITY;
476 rlimit_value *= 1024;
485 rlimit_value = 20 - int_value;
490 if ( (limit_item != LIMIT_LOGIN)
491 && (limit_item != LIMIT_NUMSYSLOGINS)
492 && (limit_item != LIMIT_PRI) ) {
493 if (limit_type & LIMIT_SOFT) {
494 if (pl->limits[limit_item].src_soft < source) {
497 pl->limits[limit_item].limit.rlim_cur = rlimit_value;
498 pl->limits[limit_item].src_soft = source;
501 if (limit_type & LIMIT_HARD) {
502 if (pl->limits[limit_item].src_hard < source) {
505 pl->limits[limit_item].limit.rlim_max = rlimit_value;
506 pl->limits[limit_item].src_hard = source;
510 /* recent kernels support negative priority limits (=raise priority) */
512 if (limit_item == LIMIT_PRI) {
513 pl->priority = int_value;
515 if (pl->login_limit_def < source) {
518 pl->login_limit = int_value;
519 pl->login_limit_def = source;
526 static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl,
527 struct pam_limit_s *pl)
530 char buf[LINE_LENGTH];
532 /* check for the LIMITS_FILE */
533 if (ctrl & PAM_DEBUG_ARG)
534 pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", CONF_FILE);
535 fil = fopen(CONF_FILE, "r");
537 pam_syslog (pamh, LOG_WARNING,
538 "cannot read settings from %s: %m", CONF_FILE);
539 return PAM_SERVICE_ERR;
543 while (fgets(buf, LINE_LENGTH, fil) != NULL) {
544 char domain[LINE_LENGTH];
545 char ltype[LINE_LENGTH];
546 char item[LINE_LENGTH];
547 char value[LINE_LENGTH];
553 /* skip the leading white space */
554 while (*line && isspace(*line))
557 /* Rip off the comments */
558 tptr = strchr(line,'#');
561 /* Rip off the newline char */
562 tptr = strchr(line,'\n');
565 /* Anything left ? */
569 domain[0] = ltype[0] = item[0] = value[0] = '\0';
571 i = sscanf(line,"%s%s%s%s", domain, ltype, item, value);
572 D(("scanned line[%d]: domain[%s], ltype[%s], item[%s], value[%s]",
573 i, domain, ltype, item, value));
575 for(j=0; j < strlen(ltype); j++)
576 ltype[j]=tolower(ltype[j]);
578 if (i == 4) { /* a complete line */
579 for(j=0; j < strlen(item); j++)
580 item[j]=tolower(item[j]);
581 for(j=0; j < strlen(value); j++)
582 value[j]=tolower(value[j]);
584 if (strcmp(uname, domain) == 0) /* this user have a limit */
585 process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
586 else if (domain[0]=='@') {
587 if (ctrl & PAM_DEBUG_ARG) {
588 pam_syslog(pamh, LOG_DEBUG,
589 "checking if %s is in group %s",
592 if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1))
593 process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
595 } else if (domain[0]=='%') {
596 if (ctrl & PAM_DEBUG_ARG) {
597 pam_syslog(pamh, LOG_DEBUG,
598 "checking if %s is in group %s",
601 if (strcmp(domain,"%") == 0)
602 process_limit(pamh, LIMITS_DEF_ALL, ltype, item, value, ctrl,
604 else if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) {
605 strcpy(pl->login_group, domain+1);
606 process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
609 } else if (strcmp(domain, "*") == 0)
610 process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
612 } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */
613 if (strcmp(uname, domain) == 0) {
614 if (ctrl & PAM_DEBUG_ARG) {
615 pam_syslog(pamh, LOG_DEBUG, "no limits for '%s'", uname);
619 } else if (domain[0] == '@' && pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) {
620 if (ctrl & PAM_DEBUG_ARG) {
621 pam_syslog(pamh, LOG_DEBUG,
622 "no limits for '%s' in group '%s'",
629 pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line);
636 static int setup_limits(pam_handle_t *pamh,
637 const char *uname, uid_t uid, int ctrl,
638 struct pam_limit_s *pl)
642 int retval = LIMITED_OK;
644 for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) {
647 if (!pl->limits[i].supported) {
648 /* skip it if its not known to the system */
651 if (pl->limits[i].src_soft == LIMITS_DEF_NONE &&
652 pl->limits[i].src_hard == LIMITS_DEF_NONE) {
653 /* skip it if its not initialized */
656 if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
657 pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
658 res = setrlimit(i, &pl->limits[i].limit);
660 pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
669 status = setpriority(PRIO_PROCESS, 0, pl->priority);
671 pam_syslog(pamh, LOG_ERR, "Could not set limit for PRIO_PROCESS: %m");
676 D(("skip login limit check for uid=0"));
677 } else if (pl->login_limit > 0) {
678 if (check_logins(pamh, uname, pl->login_limit, ctrl, pl) == LOGIN_ERR) {
680 if (!(ctrl & PAM_NO_AUDIT)) {
681 pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS,
682 "pam_limits", PAM_PERM_DENIED);
683 /* ignore return value as we fail anyway */
688 } else if (pl->login_limit == 0) {
695 /* now the session stuff */
697 pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
698 int argc, const char **argv)
706 struct pam_limit_s plstruct;
707 struct pam_limit_s *pl = &plstruct;
709 const char *oldlocale;
713 memset(pl, 0, sizeof(*pl));
714 memset(&globbuf, 0, sizeof(globbuf));
716 ctrl = _pam_parse(pamh, argc, argv, pl);
717 retval = pam_get_item( pamh, PAM_USER, (void*) &user_name );
718 if ( user_name == NULL || retval != PAM_SUCCESS ) {
719 pam_syslog(pamh, LOG_CRIT, "open_session - error recovering username");
720 return PAM_SESSION_ERR;
723 pwd = pam_modutil_getpwnam(pamh, user_name);
725 if (ctrl & PAM_DEBUG_ARG)
726 pam_syslog(pamh, LOG_WARNING,
727 "open_session username '%s' does not exist", user_name);
728 return PAM_USER_UNKNOWN;
731 retval = init_limits(pl);
732 if (retval != PAM_SUCCESS) {
733 pam_syslog(pamh, LOG_WARNING, "cannot initialize");
737 retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl);
738 if (retval == PAM_IGNORE) {
739 D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE));
742 if (retval != PAM_SUCCESS || pl->conf_file != NULL)
743 /* skip reading limits.d if config file explicitely specified */
746 /* Read subsequent *.conf files, if they exist. */
748 /* set the LC_COLLATE so the sorting order doesn't depend
751 oldlocale = setlocale(LC_COLLATE, "C");
752 glob_rc = glob(LIMITS_CONF_GLOB, GLOB_ERR, NULL, &globbuf);
754 if (oldlocale != NULL)
755 setlocale (LC_COLLATE, oldlocale);
758 /* Parse the *.conf files. */
759 for (i = 0; globbuf.gl_pathv[i] != NULL; i++) {
760 pl->conf_file = globbuf.gl_pathv[i];
761 retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl);
762 if (retval == PAM_IGNORE) {
763 D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file));
767 if (retval != PAM_SUCCESS)
774 if (retval != PAM_SUCCESS)
776 pam_syslog(pamh, LOG_WARNING, "error parsing the configuration file: '%s' ",CONF_FILE);
780 if (ctrl & PAM_DO_SETREUID) {
781 setreuid(pwd->pw_uid, -1);
784 retval = setup_limits(pamh, pwd->pw_name, pwd->pw_uid, ctrl, pl);
785 if (retval & LOGIN_ERR)
786 pam_error(pamh, _("Too many logins for '%s'."), pwd->pw_name);
787 if (retval != LIMITED_OK) {
788 return PAM_PERM_DENIED;
795 pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED,
796 int argc UNUSED, const char **argv UNUSED)
804 /* static module data */
806 struct pam_module _pam_limits_modstruct = {
812 pam_sm_close_session,
818 * Copyright (c) Cristian Gafton, 1996-1997, <gafton@redhat.com>
819 * All rights reserved.
821 * Redistribution and use in source and binary forms, with or without
822 * modification, are permitted provided that the following conditions
824 * 1. Redistributions of source code must retain the above copyright
825 * notice, and the entire permission notice in its entirety,
826 * including the disclaimer of warranties.
827 * 2. Redistributions in binary form must reproduce the above copyright
828 * notice, this list of conditions and the following disclaimer in the
829 * documentation and/or other materials provided with the distribution.
830 * 3. The name of the author may not be used to endorse or promote
831 * products derived from this software without specific prior
832 * written permission.
834 * ALTERNATIVELY, this product may be distributed under the terms of
835 * the GNU Public License, in which case the provisions of the GPL are
836 * required INSTEAD OF the above restrictions. (This clause is
837 * necessary due to a potential bad interaction between the GPL and
838 * the restrictions contained in a BSD-style copyright.)
840 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
841 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
842 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
843 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
844 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
845 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
846 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
847 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
848 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
849 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
850 * OF THE POSSIBILITY OF SUCH DAMAGE.