RESPONDERS: Make the fd_limit setting configurable

This code will now attempt first to see if it has privilege to set
the value as specified, and if not it will fall back to the
previous behavior. So on systems with the CAP_SYS_RESOURCE
capability granted to SSSD, it will be able to ignore the
limits.conf hard limit.

https://fedorahosted.org/sssd/ticket/1197

1 files changed, 12 insertions, 1 deletions

diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 2786fe4e..6cb564a7 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -111,6 +111,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
     struct pam_ctx *pctx;
     int ret, max_retries;
     int id_timeout;
+    int fd_limit;
 
     pctx = talloc_zero(mem_ctx, struct pam_ctx);
     if (!pctx) {
@@ -186,7 +187,17 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
     }
 
     /* Set up file descriptor limits */
-    responder_set_fd_limit(DEFAULT_PAM_FD_LIMIT);
+    ret = confdb_get_int(pctx->rctx->cdb, pctx->rctx,
+                         CONFDB_PAM_CONF_ENTRY,
+                         CONFDB_SERVICE_FD_LIMIT,
+                         DEFAULT_PAM_FD_LIMIT,
+                         &fd_limit);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              ("Failed to set up file descriptor limit\n"));
+        return ret;
+    }
+    responder_set_fd_limit(fd_limit);
 
     ret = EOK;