I have a problem with my tomcat servers running on centos 7.
have 7 in all, set up alike. 4 have been patched recently and rebooted, remaining 3 has uptime of approx 2 years.
when I do:
sudo -u tomcat ls /tmp
I get error on the newly patched servers, stating :
sudo: pam_open_session: Permission denied
sudo: policy plugin failed session initialization
on the unpatched servers I get to execute the command.
/etc/security/limits
are identical:
tomcat soft nofile 5000000
tomcat hard nofile 5000000
tomcat soft nproc 5000000
tomcat hard nproc 5000000
I can circumvent the errror by commenting out :
/etc/pam.d/sudo:
session required pam_limits.so
I dont get it ?
Am I looking in the right places ?
strace from both look like:
Failing:
strace -e setrlimit sudo -u tomcat ls /tmp
setrlimit(RLIMIT_NPROC, {rlim_cur=RLIM64_INFINITY, rlim_max=RLIM64_INFINITY}) = 0
setrlimit(RLIMIT_NPROC, {rlim_cur=1031015, rlim_max=1031015}) = 0
setrlimit(RLIMIT_NPROC, {rlim_cur=5000000, rlim_max=5000000}) = 0
setrlimit(RLIMIT_NOFILE, {rlim_cur=5000000, rlim_max=5000000}) = -1 EPERM (Operation not permitted)
sudo: pam_open_session: Permission denied
sudo: policy plugin failed session initialization
+++ exited with 1 +++"
working:
strace -e setrlimit sudo -u tomcat ls /tmp
setrlimit(RLIMIT_NPROC, {rlim_cur=5000000, rlim_max=5000000}) = 0
setrlimit(RLIMIT_NOFILE, {rlim_cur=5000000, rlim_max=5000000}) = -1 EPERM (Operation not permitted)
setrlimit(RLIMIT_NPROC, {rlim_cur=RLIM64_INFINITY, rlim_max=RLIM64_INFINITY}) = 0
hs_err_pid13726.log hsperfdata_cron hsperfdata_tokor hsperfdata_tomcat systemd-private-U8GAP7
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=28963, si_status=0, si_utime=0, si_stime=0} ---
+++ exited with 0 +++
pam
version on working is : pam-1.1.8-12.el7_1.1.x86_64
and on non-working: pam-1.1.8-18.el7.x86_64
Best Answer
This is a bug in the
pam_limits
module, causing authentication to fail. I think it only affects RHEL/Centos 7. It affects sudo users who have an unlimited or very highnofiles
setting (bigger thanfs.nr_open
=1024x1024=1024576).Your options are:
pam_limits
from your sudo PAM rulesnofiles
for the destination user (tomcat) to be something lower thanfs.nr_open
fs.nr_open
(in/etc/sysctl.conf
) to be higher than your ulimit