 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
Someone asked about ways to do this not too long ago... I don't
remember who it was. This message on bugtraq described a couple of
interesting ways to do it. I thought I'd share it with you all.
FYI, this issue arose because someone pointed out that if you use ssh
to start a command directly, rather than just logging in so that a pty
is allocated, sshd does not call pam_session_start(), which presents a
few problems. For example, on my own systems, I ran this:
[ddm at sol ddm]
$ ssh mail w
16:56:43 up 27 days, 18:29, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
[ddm at sol ddm]
$
Note that it doesn't show me logged in, and obviously therefore
doesn't show what I'm running. It also doesn't set per-process
limits, if you're using pam_limits.so to control that. It also does
not update utmp.
As the poster points out, you can start a shell on the remote host
with all these features, by simply running something like this:
ssh remotehost /bin/sh
It works strangely, but it does work. Anyway, see below for some
ulimit tips. :)
----- Forwarded message from Jim Breton <jamesb-bugtraq at alongtheway.com> -----
On Tue, Jun 19, 2001 at 03:11:02AM +0200, Christian Kraemer wrote:
> This is espacially anoying if you
> use pam_limits.so to set rlimits. Every user could
> cirrcumvent them easily by calling ssh in this way:
> ssh user at server /bin/sh
True. Fwiw you can work around this by putting ulimit calls in your
sshd invocation script. For example:
#!/bin/sh
ulimit -d <#>
ulimit -f <#>
ulimit -l <#>
ulimit -m <#>
ulimit -n <#>
ulimit -s <#>
[etc.]
Also most Linux distributions' 'init' packages support an
/etc/initscript which will be used for invoking all children of init.
man initscript:
DESCRIPTION
When the shell script /etc/initscript is present, init
will use it to execute the commands from inittab. This
script can be used to set things like ulimit and umask
default values for every process.
which is a good "safety net" for unforeseen issues like this one, as
well as for protecting against resource exhaustion via cron jobs, etc..
I imagine you could do the same thing on other *nixes by putting the
call somewhere early in the bootscripts.
P.S. I see this issue you raised is now being discussed on the
openssh-unix-dev list.
http://marc.theaimsgroup.com/?l=openssh-unix-dev&r=1&w=2&b=200106
----- End forwarded message -----
--
---------------------------------------------------
Derek Martin | Unix/Linux geek
ddm at pizzashack.org | GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
