Wednesday, March 28, 2007

su - on sles 9 doesn't respect limits.

This can end up causing some good security holes.

If you put in a ulimit for higher files for a user named oracle (just an example) in /etc/security/limits.conf:

oracle soft nofile 2048
oracle hard nofile 65535


then run ulimit -a >~limits in cron. Your file limit is 1024 (the default on SLES).

Why? I'll tell you.

Crond does a su - to you user. ON SLES SU - DOESN"T RESPECT THE LIMITS IF THEY ARE HIGHER!!! I haven't tried lower yet.

If you login interactively your limits are fine. If you su - oracle as root, your limits are f-d up (back to the system default 1024).

This doesn't happen on RH/Fedora and as far as I can tell Debian/Ubuntu.