Re: [PATCH] [request for inclusion] Realtime LSM

[Christoph Hellwig]

On Sat, Jan 08, 2005 at 11:56:57AM -0500, ross@xxxxxxxxxxxx wrote:
> On Sat, Jan 08, 2005 at 12:12:59AM -0600, Jack O'Quin wrote:
> > I find it hard to understand why some of you think PAM is an adequate
> > solution.  As currently deployed, it is poorly documented and nearly
> > impossible for non-experts to administer securely.  On my Debian woody
> > system, when I login from the console I get one fairly sensible set of
> > ulimit values, but from gdm I get a much more permissive set (with
> > ulimited mlocking, BTW).  Apparently, this is because the `gdm' PAM
> > config includes `session required pam_limits.so' but the system comes
> > with an empty /etc/security/limits.conf.  I'm just guessing about that
> > because I can't find any decent documentation for any of this crap.
> > 
> > Remember, if something is difficult to administer, it's *not* secure.
> 
> Not to mention that not everyone chooses to use PAM for precisely this
> reason.  Slackware has never included PAM and probably never will.
> My audio workstation has worked swell with the 2.4+caps solution and
> the 2.6+LSM solution.  PAM would break me ::-(

you can set rmlimits as well without pam.  it's just more complicated.
But hey, it was you who didn't want to use it :)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/