[systemd-devel] pam_limits: Could not set limit for ...: Operation not permitted
Kai Krakow
hurikhan77 at gmail.com
Mon Feb 9 23:42:02 PST 2015
Lennart Poettering <lennart at poettering.net> wrote:
> On Mon, 15.12.14 22:42, Kai Krakow (hurikhan77 at gmail.com) wrote:
>
>> Hello!
>>
>> I'm seeing the following errors in systemd's journal:
>>
>> Dez 15 22:33:57 jupiter systemd[1515]: pam_limits(systemd-user:session):
>> Could not set limit for 'memlock': Operation not permitted
>> Dez 15 22:33:57 jupiter systemd[1515]: pam_limits(systemd-user:session):
>> Could not set limit for 'nice': Operation not permitted
>> Dez 15 22:33:57 jupiter systemd[1515]: pam_limits(systemd-user:session):
>> Could not set limit for 'rtprio': Operation not permitted
>> Dez 15 22:33:57 jupiter systemd[1515]: PAM audit_log_acct_message()
>> failed: Operation not permitted
>> Dez 15 22:33:57 jupiter systemd[1515]: Failed at step PAM spawning
>> /usr/lib/systemd/systemd: Operation not permitted
>>
>> Is it meaningless? Do I have to worry? Or which configuration do I miss?
>
> Hmm, this is certainly weird. It indicates some issue with your PAM
> setup maybe? Do you have SELinux enabled? Is this in some container or so?
This is a Gentoo box, plain hardware. My pam configuration looks right. When
I run "systemd --user" manually through strace, I see missing permissions on
cgroups. But I almost guess this is intended if running from an already
existing user session.
I don't use SELinux or similar security policies, just plain Linux security
policy as it is default in Gentoo. But strangely systemd gives me on boot:
systemd 218 running in system mode. (+PAM -AUDIT -SELINUX +IMA -APPARMOR +SMACK -SYSVINIT +UTMP -LIBCRYPTSETUP -GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
I don't know why smack is enabled... It's not in my kernel and isn't set as
a feature to compile in the ebuild. But I'm not sure if it would make a
difference for this problem.
I suppose for the same reason, rtkit-daemon cannot give RT priority to
itself...
$ journalctl -b -p err
-- Logs begin at So 2014-05-25 21:33:33 CEST, end at Di 2015-02-10 08:35:24 CET. --
Feb 08 19:42:24 jupiter bluetoothd[714]: Sap driver initialization failed.
Feb 08 19:42:24 jupiter bluetoothd[714]: sap-server: Operation not permitted (1)
Feb 08 19:42:26 jupiter systemd[843]: pam_limits(systemd-user:session):
Could not set limit for 'memlock': Operation not permitted
Feb 08 19:42:26 jupiter systemd[843]: pam_limits(systemd-user:session):
Could not set limit for 'rtprio': Operation not permitted
Feb 08 19:42:26 jupiter systemd[843]: Failed at step PAM spawning
/usr/lib/systemd/systemd: Operation not permitted
Feb 08 19:42:41 jupiter rtkit-daemon[1636]: Failed to make ourselves RT:
Operation not permitted
Feb 08 19:42:41 jupiter rtkit-daemon[1636]: Failed to make ourselves RT:
Operation not permitted
Feb 08 19:42:41 jupiter rtkit-daemon[1636]: Failed to make ourselves RT:
Operation not permitted
Feb 08 19:42:41 jupiter rtkit-daemon[1636]: Failed to make ourselves RT:
Operation not permitted
Feb 08 19:42:41 jupiter rtkit-daemon[1636]: Failed to make ourselves RT:
Operation not permitted
[...many iterations of the same message...]
Maybe my kernel config is wrong although I'm pretty sure I set all the
recommended options. If you point me to which kernel options come into play
here, I'd be happy to dump those and/or try again with another set of
options.
My pam config is plain Gentoo with the recommended systemd settings (which
are default since many iterations of the ebuild package):
$ cat /etc/pam.d/systemd-user
# This file is part of systemd.
#
# Used by systemd --user instances.
account include system-auth
session include system-auth
$ cat /etc/pam.d/system-auth ## lines reindented for readability
auth required pam_env.so
auth sufficient pam_ssh.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
account required pam_unix.so
account optional pam_permit.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session optional pam_ssh.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
-session optional pam_systemd.so
Thanks for investigating...
--
Replies to list only preferred.
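The three pam_limits errors in the post all come from one kernel rule: setrlimit() lets an unprivileged process lower its hard limit or move its soft limit anywhere up to the hard limit, but raising a hard limit above its current value needs CAP_SYS_RESOURCE (in the initial user namespace), and otherwise returns EPERM, which pam_limits reports as "Could not set limit ... Operation not permitted". The program below is an added example, not code from the thread, from systemd or from pam_limits. It reads the effective capability set from /proc/self/status (Linux only; CAP_SYS_RESOURCE is bit 24 there), then attempts to raise the hard limit of each resource named in the journal (memlock, nice, rtprio) by one and reports what the kernel answers, so the same diagnosis can be run inside the context where systemd --user is spawned. The helper names (has_cap_sys_resource, apply_limit, try_raise_hard) are this example's own.

```c
/* Added example: reproduces the setrlimit() rule behind
 * "pam_limits(...): Could not set limit for 'memlock': Operation not permitted".
 * Not part of systemd or pam_limits; Linux-specific (/proc/self/status). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

#define CAP_SYS_RESOURCE_BIT 24   /* CAP_SYS_RESOURCE == 24 in <linux/capability.h> */

/* 1 if CAP_SYS_RESOURCE is in the effective set (CapEff in /proc/self/status),
 * 0 if it is not, -1 if /proc is unavailable (non-Linux or unmounted). */
int has_cap_sys_resource(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int found = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long caps = strtoull(line + 7, NULL, 16);
            found = (int)((caps >> CAP_SYS_RESOURCE_BIT) & 1ULL);
            break;
        }
    }
    fclose(f);
    return found;
}

/* Roughly what pam_limits does per limits.conf entry: one setrlimit() call
 * with the requested soft/hard pair. Returns 0 on success, else errno. */
int apply_limit(int resource, rlim_t soft, rlim_t hard)
{
    struct rlimit rl = { .rlim_cur = soft, .rlim_max = hard };
    if (setrlimit(resource, &rl) != 0)
        return errno;
    return 0;
}

/* Try to raise the hard limit of `resource` by `delta`, keeping the soft
 * limit unchanged. Returns 0 if the kernel accepted it, EPERM if it refused
 * (the pam_limits failure mode seen in the journal), -1 if the hard limit is
 * already RLIM_INFINITY so there is nothing to raise, or another errno. */
int try_raise_hard(int resource, rlim_t delta)
{
    struct rlimit cur;
    if (getrlimit(resource, &cur) != 0)
        return errno;
    if (cur.rlim_max == RLIM_INFINITY)
        return -1;
    return apply_limit(resource, cur.rlim_cur, cur.rlim_max + delta);
}

int main(void)
{
    /* The three resources pam_limits complained about in the post. */
    struct { const char *name; int res; } table[] = {
        { "memlock", RLIMIT_MEMLOCK },
#ifdef RLIMIT_NICE
        { "nice", RLIMIT_NICE },
#endif
#ifdef RLIMIT_RTPRIO
        { "rtprio", RLIMIT_RTPRIO },
#endif
    };

    int cap = has_cap_sys_resource();
    printf("CAP_SYS_RESOURCE in CapEff: %s\n",
           cap == 1 ? "yes" : cap == 0 ? "no" : "unknown");

    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        int r = try_raise_hard(table[i].res, 1);
        if (r == 0)
            printf("%-8s raising hard limit: ok\n", table[i].name);
        else if (r == -1)
            printf("%-8s hard limit is unlimited, nothing to raise\n", table[i].name);
        else
            printf("%-8s Could not set limit: %s\n", table[i].name, strerror(r));
    }
    return 0;
}
```

Run it as the user, then under `sudo`, and compare: without CAP_SYS_RESOURCE every raise attempt prints "Operation not permitted", which is exactly what the spawned systemd --user saw when pam_limits applied entries from limits.conf. If the capability is present but the raise still fails, the process is inside a user namespace (the kernel checks the capability against the initial namespace), which is the check Lennart's container question was aiming at.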