Cannot run sudo: policy plugin fails to initialize session #10

Closed
fusion809 opened this issue Mar 31, 2016 · 5 comments


@fusion809

commented Mar 31, 2016

Hi,

I have noticed that running sudo (after su-ing into a user account in the wheel group with the %wheel lines uncommented in my /etc/sudoers file) in an openSUSE Tumbleweed container always returns:

sudo: policy plugin failed session initialization

This prevents me from building packages with the OBS.

NOTE: This issue was originally about SSL issues with OSC checkout, but I seem to be rid of this error. This fix occurred after upgrading my docker container with # zypper up && zypper in -t pattern base console devel_rpm_build.

Thanks for your time,
Brenton

@fusion809 fusion809 changed the title Cannot checkout repo with OSC due to SSL issue Cannot run sudo: policy plugin fails to initialize session Mar 31, 2016

@fusion809

Author

commented Mar 31, 2016

Further details can be found here at the openSUSE Forums. This error does not occur in the openSUSE Leap container.

@boombatower


commented Apr 7, 2016

Could be related to #11 .

I was seeing weird behavior which seems to be a result of libraries from leap and factory. In fact, looking at your title change, mine was related to openSSL as well. :)

@flavio

Member

commented Apr 8, 2016

This is not related to issue #11; the bug can also be triggered with the fixed image.

The problem seems to be caused by pam 1.2.1 which now has the following limits inside of /etc/security/limits.conf:

# harden against fork-bombs
*               hard    nproc           1700
*               soft    nproc           1200
root            hard    nproc           3000
root            soft    nproc           1850

None of these entries is available inside of pam 1.1.8, which is the version shipped with the 42.1 docker image.

It turns out this line is the offender:

*               hard    nproc           1700

By commenting out this line, sudo will work properly; all the other lines can stay.

That really puzzles me, I don't see how we could be exceeding this value.

@cyphar do you have any idea?

@tboerger


commented Dec 21, 2016

Looks like this has been resolved?

bash-4.4# gpasswd -a ftp wheel
Adding user ftp to group wheel
bash-4.4# su - ftp
-bash-4.4$ id
uid=40(ftp) gid=49(ftp) groups=49(ftp),10(wheel)
-bash-4.4$ sudo -i
-bash-4.4# id
uid=0(root) gid=0(root) groups=0(root)
-bash-4.4#

@tboerger tboerger closed this Dec 21, 2016

@davidcassany

Contributor

commented Dec 15, 2017

@flavio, just for the record

> That really puzzles me, I don't see how we could be exceeding this value.

We are having a similar issue in leap 42.3 here openSUSE/docker-containers#82, and apparently sudo fails when pam tries to apply the rules from /etc/security/limits.conf which exceed the default docker values for the container's PID 1. Since Leap 42.3, if limits.conf has higher values than the default (or set with --ulimit) docker values, pam fails.
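
The condition described in the last comment can be checked before sudo is ever run. This is an added example, not code from the thread or the project: it lists the hard entries in limits.conf text that ask for more than the current hard limit. The function names and the `ITEMS` subset are assumptions made for illustration; the sample entries are the ones quoted earlier in the thread.

```python
import math
import resource

# Constructed sample: the nproc entries quoted in the thread.
SAMPLE_LIMITS_CONF = """\
# harden against fork-bombs
*               hard    nproc           1700
*               soft    nproc           1200
root            hard    nproc           3000
root            soft    nproc           1850
"""

# limits.conf item name -> RLIMIT_* constant (subset, enough for this check)
ITEMS = {"nproc": resource.RLIMIT_NPROC, "nofile": resource.RLIMIT_NOFILE}


def parse_value(text):
    """limits.conf spells 'no limit' as unlimited, infinity or -1."""
    return math.inf if text in ("unlimited", "infinity", "-1") else int(text)


def hard_entries(conf_text):
    """Yield (domain, item, value) for entries that set a hard limit."""
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 4:
            continue  # blank line, comment, or malformed entry
        domain, kind, item, value = fields
        if kind in ("hard", "-") and item in ITEMS:  # "-" sets soft and hard
            yield domain, item, parse_value(value)


def entries_above_current(conf_text, current_hard=None):
    """Return hard entries that ask for more than the current hard limit.

    A process without CAP_SYS_RESOURCE cannot raise a hard limit, so these
    are the entries that cannot be applied. By default the current limits
    are read from this process, which inherits them from its parent.
    """
    if current_hard is None:
        current_hard = {}
        for item, rlim in ITEMS.items():
            hard = resource.getrlimit(rlim)[1]
            current_hard[item] = math.inf if hard == resource.RLIM_INFINITY else hard
    return [(d, i, v) for d, i, v in hard_entries(conf_text)
            if v > current_hard.get(i, math.inf)]
```

Run inside the container, `entries_above_current(open("/etc/security/limits.conf").read())` compares the file against the limits the container was actually started with.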
