PIM-PAM SC sesu ulimit limitation of 1024


Article ID: 142175


Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

While testing sesu operations, we found that sesu was not applying the system-defined ulimit for the target user. When services were restarted with that account, the program inherited the original user's ulimit, causing process failures.

 

Ulimit setting with sesu # 1024

Exampleserver:

$ whoami
user1
$ ulimit -n
1024
$ sesu - user2
Exampleserver:/home/user2$ whoami
user2
Exampleserver:/home/user2$ ulimit -n
1024

 

Ulimit setting with sudo # 65000

 

$ whoami
user1
$ ulimit -n
1024
$ sudo -u user2 /bin/ksh
Enter Windows password for user1:
Exampleserver:/home/user1 $ ulimit -n
65000

Cause

sesu can work in two ways. The original method ("old_sesu") is our own implementation that replicates su functionality. It does not replicate all features of su, although it can still be useful for some implementations. The new sesu mechanism calls the native su program to ensure consistency between su and sesu.

Environment

CA PIM / CA PAM SC

Release : any

Component : endpoint

Resolution

To use the new sesu, set the old_sesu value in seos.ini as shown below and restart seosd.

[sesu]

old_sesu = no

 

Note: Using the new sesu method may result in the user being prompted for their password, since that is the default behavior of su. To change this so that no password is requested, set the following value along with old_sesu in seos.ini:

 request_target_password = no
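
To confirm which settings an endpoint's seos.ini actually carries after the change, the following added example (not CA/Broadcom code) reads the two [sesu] tokens named above. The function names, the sample file and the treatment of ';' and '#' as comment markers are assumptions made for this example.

```shell
#!/bin/sh
# ini_get FILE SECTION KEY: print the last value assigned to KEY inside
# [SECTION], or "unset". Assumption: lines starting with ';' or '#' are comments.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" || /^[;#]/ { next }
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        sec == want_sec {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val)
            if (key == want_key) found = val
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# sesu_report FILE: summarise the two [sesu] tokens named in the Resolution.
sesu_report() {
    old=$(ini_get "$1" sesu old_sesu | tr 'A-Z' 'a-z')
    req=$(ini_get "$1" sesu request_target_password | tr 'A-Z' 'a-z')
    prompt="not-assessed"
    case "$old" in
        no)  mode="native-su"
             # Per the Note: su may prompt unless request_target_password = no.
             if [ "$req" = "no" ]; then prompt="off"; else prompt="possible"; fi ;;
        yes) mode="old-sesu" ;;
        *)   mode="unknown" ;;   # token missing or unexpected value
    esac
    echo "mode=$mode password_prompt=$prompt"
}

# Constructed sample file (not taken from a real endpoint).
sample=$(mktemp)
cat > "$sample" <<'EOF'
; constructed seos.ini fragment
[other]
old_sesu = yes
[sesu]
old_sesu = no
 request_target_password = no
EOF
sesu_report "$sample"
rm -f "$sample"
```

Run sesu_report against the endpoint's seos.ini after restarting seosd, then repeat the ulimit -n comparison from the Issue section to confirm the target user's limit is applied.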