Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261244AbVAHS0N (ORCPT ); Sat, 8 Jan 2005 13:26:13 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261246AbVAHS0N (ORCPT ); Sat, 8 Jan 2005 13:26:13 -0500 Received: from [213.146.154.40] ([213.146.154.40]:46034 "EHLO pentafluge.infradead.org") by vger.kernel.org with ESMTP id S261244AbVAHS0H (ORCPT ); Sat, 8 Jan 2005 13:26:07 -0500 Date: Sat, 8 Jan 2005 18:25:55 +0000 From: Christoph Hellwig To: ross@lug.udel.edu Cc: "Jack O'Quin" , Chris Wright , Andrew Morton , Lee Revell , paul@linuxaudiosystems.com, arjanv@redhat.com, mingo@elte.hu, alan@lxorguk.ukuu.org.uk, linux-kernel@vger.kernel.org Subject: Re: [PATCH] [request for inclusion] Realtime LSM Message-ID: <20050108182555.GA31512@infradead.org> Mail-Followup-To: Christoph Hellwig , ross@lug.udel.edu, Jack O'Quin , Chris Wright , Andrew Morton , Lee Revell , paul@linuxaudiosystems.com, arjanv@redhat.com, mingo@elte.hu, alan@lxorguk.ukuu.org.uk, linux-kernel@vger.kernel.org References: <200501071620.j07GKrIa018718@localhost.localdomain> <1105132348.20278.88.camel@krustophenia.net> <20050107134941.11cecbfc.akpm@osdl.org> <20050107221059.GA17392@infradead.org> <20050107142920.K2357@build.pdx.osdl.net> <87mzvkxxck.fsf@sulphur.joq.us> <20050108165657.GA21760@jose.lug.udel.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050108165657.GA21760@jose.lug.udel.edu> User-Agent: Mutt/1.4.1i X-SRS-Rewrite: SMTP reverse-path rewritten from by pentafluge.infradead.org See http://www.infradead.org/rpr.html Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1500 Lines: 26 On Sat, Jan 08, 2005 at 11:56:57AM -0500, ross@lug.udel.edu wrote: > On Sat, Jan 08, 2005 at 12:12:59AM -0600, Jack O'Quin wrote: > > I find it hard to understand why some of you think PAM is an adequate > > solution. As currently deployed, it is poorly documented and nearly > > impossible for non-experts to administer securely. On my Debian woody > > system, when I login from the console I get one fairly sensible set of > > ulimit values, but from gdm I get a much more permissive set (with > > ulimited mlocking, BTW). Apparently, this is because the `gdm' PAM > > config includes `session required pam_limits.so' but the system comes > > with an empty /etc/security/limits.conf. I'm just guessing about that > > because I can't find any decent documentation for any of this crap. > > > > Remember, if something is difficult to administer, it's *not* secure. > > Not to mention that not everyone chooses to use PAM for precisely this > reason. Slackware has never included PAM and probably never will. > My audio workstation has worked swell with the 2.4+caps solution and > the 2.6+LSM solution. PAM would break me ::-( you can set rmlimits as well without pam. it's just more complicated. But hey, it was you who didn't want to use it :) - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/