Re: [PATCH] [request for inclusion] Realtime LSM

From: Lee Revell
Date: Sat Jan 08 2005 - 17:22:22 EST


On Sat, 2005-01-08 at 00:12 -0600, Jack O'Quin wrote:
> I find it hard to understand why some of you think PAM is an adequate
> solution. As currently deployed, it is poorly documented and nearly
> impossible for non-experts to administer securely. On my Debian woody
> system, when I log in from the console I get one fairly sensible set of
> ulimit values, but from gdm I get a much more permissive set (with
> unlimited mlocking, BTW). Apparently, this is because the `gdm' PAM
> config includes `session required pam_limits.so' but the system comes
> with an empty /etc/security/limits.conf. I'm just guessing about that
> because I can't find any decent documentation for any of this crap.

Eh, PAM is a perfectly fine solution. Documentation is lacking, but
it's easy to find examples. On my system /etc/security/limits.conf has
this sample config, commented out:

#<domain> <type> <item> <value>
#

#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0

So add your audio users (or cdrecord users, or whoever) to group
realtime and add:

@realtime hard memlock 100000
@realtime soft prio 100

Problem solved.

Lee
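
Added example (not part of the original message, and not pam_limits code): a small Python resolver for limits.conf entries, showing that a bare domain such as "realtime" is matched as a user name while "@realtime" is matched as a group. The user "alice", the wildcard default of 32 and the tie-breaking rule are assumptions made for the illustration.

```python
# Added example: resolve which limits.conf entries apply to a login.
# Precedence modelled: user entry > @group entry > "*" wildcard.

RANK = {"wildcard": 0, "group": 1, "user": 2}

def match(domain, user, groups):
    """Return the match level of a <domain> field for this login, or None."""
    if domain == "*":
        return "wildcard"
    if domain.startswith("@"):
        return "group" if domain[1:] in groups else None
    return "user" if domain == user else None    # bare name = user name

def effective_limits(conf_text, user, groups):
    """Map (type, item) -> value for the entries that apply to this login."""
    chosen = {}    # (type, item) -> (rank, value)
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()    # drop comments and blanks
        if len(fields) != 4:
            continue
        domain, ltype, item, value = fields
        level = match(domain, user, groups)
        if level is None:
            continue
        # a type of "-" sets both the soft and the hard limit
        for t in (("soft", "hard") if ltype == "-" else (ltype,)):
            old = chosen.get((t, item))
            # assumption of this sketch: on equal rank the later line wins
            if old is None or RANK[level] >= old[0]:
                chosen[(t, item)] = (RANK[level], value)
    return {key: value for key, (rank, value) in chosen.items()}

# Constructed samples: a wildcard default plus the two spellings of the domain.
BARE = "* hard memlock 32\nrealtime hard memlock 100000\n"
GROUP = "* hard memlock 32\n@realtime hard memlock 100000\n"

if __name__ == "__main__":
    login = ("alice", {"audio", "realtime"})     # hypothetical user and groups
    print("bare domain: ", effective_limits(BARE, *login))
    print("group domain:", effective_limits(GROUP, *login))
```

Running the same check against the file each PAM service actually loads shows whether a given login path hands out the intended memlock limit.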

