when logging in to an openssh >=3.4p1 sshd (I haven't tested earlier than that, but I have tested up to the snapshot from the 14/7/2002) setrlimit, through the pam session setup, isn't called in the appropriate place to allow specified users to have higher ulimits than the server is started with. This ought to work, as pam limits are allowed to specify arbitrarily high limits for users listed. The problem appears to be that do_pam_session is being called after we drop to the user's uid. Without privsep turned on, this all work, as we drop to the user's uid after do_pam_session. Specifically: with privsep on, do_setusercontext in privsep_postauth (sshd.c) is called before do_pam_session in do_exec_pty (session.c). Without privsep, we only drop root privs in do_child (session.c), which is after we do_exec_pty, since (obviously) the former code/call to do_setusercontext is unreached. A possible (does appear to work, though not properly tested) solution is to simply call do_pam_session in privsep_postauth before the do_setusercontext call, though I am unsure of the ramifications of this.
Alternatively, perhaps sshd could be configured to setrlimit() everything up to RLIM_INFINITY after forking but before giving up root privileges. It could then rely on pam_limits to set limits back down if the administrator wants that, which would work even with session modules run as non-root.
*** This bug has been marked as a duplicate of 83 ***
Mass change of RESOLVED bugs to CLOSED