Skip to content

RESPONDER: fix responder_set_fd_limit()#8371

Merged
alexey-tikhonov merged 1 commit intoSSSD:masterfrom
alexey-tikhonov:fd-limits
Jan 30, 2026
Merged

RESPONDER: fix responder_set_fd_limit()#8371
alexey-tikhonov merged 1 commit intoSSSD:masterfrom
alexey-tikhonov:fd-limits

Conversation

@alexey-tikhonov
Copy link
Member

@alexey-tikhonov alexey-tikhonov commented Jan 16, 2026

to not even try setting hard limit as SSSD never has CAP_SYS_RESOURCE

@alexey-tikhonov alexey-tikhonov added the no-backport This should go to target branch only. label Jan 16, 2026
gemini-code-assist[bot]
gemini-code-assist bot reviewed Jan 16, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors responder_set_fd_limit() to avoid attempting to set the hard limit for file descriptors, as SSSD responders typically lack the necessary CAP_SYS_RESOURCE capability. The change correctly removes the initial setrlimit() call that was likely to fail or behave incorrectly, and instead directly queries the current hard limit to safely adjust the soft limit. The corresponding documentation in sssd.conf.5.xml has been updated to reflect this behavior, and a helpful debug message has been added for cases where the requested limit exceeds the hard limit. The changes are correct, improve efficiency by removing an unnecessary system call, and make the code's intent clearer. I have no further suggestions.

@alexey-tikhonov alexey-tikhonov added non-privileged backport-to-sssd-2-12 and removed no-backport This should go to target branch only. labels Jan 16, 2026
@alexey-tikhonov alexey-tikhonov marked this pull request as ready for review January 16, 2026 17:46
@alexey-tikhonov alexey-tikhonov added Waiting for review coverity Trigger a coverity scan labels Jan 16, 2026
@alexey-tikhonov
Copy link
Member Author

alexey-tikhonov commented Jan 16, 2026

Note: Covscan is green.

@alexey-tikhonov alexey-tikhonov removed the coverity Trigger a coverity scan label Jan 16, 2026
sumit-bose
sumit-bose reviewed Jan 23, 2026
View reviewed changes
src/man/sssd.conf.5.xml Outdated
capability, the resulting value will be the lower
value of this or the limits.conf "hard" limit.
SSSD process. Note this value will be capped by
limits.conf "hard" limit.
Copy link
Contributor

@sumit-bose sumit-bose Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,

I would suggest to rephrase this a bit because limits.conf is the configuration file for pam_limits.so and even if we would add a configuration for the sssd user it would only apply if we would switch to the sssd user via a new PAM session. Additionally systemd ignores those settings.

What about "Note this value will be capped by the limits set by the init system at the startup of SSSD, see e.g. man systemd.exec for details."

bye,
Sumit

Copy link
Member Author

@alexey-tikhonov alexey-tikhonov Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, fixed.

sumit-bose
sumit-bose approved these changes Jan 23, 2026
View reviewed changes
Copy link
Contributor

@sumit-bose sumit-bose left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,

thank you for the update, ACK.

bye,
Sumit

@alexey-tikhonov @sssd-bot
RESPONDER: fix responder_set_fd_limit()
3be8232 
to not even try setting hard limit as SSSD never has CAP_SYS_RESOURCE

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
@sssd-bot
Copy link
Contributor

sssd-bot commented Jan 30, 2026

The pull request was accepted by @alexey-tikhonov with the following PR CI status:

🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🔴 ci / system (fedora-44) (failure)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

@alexey-tikhonov alexey-tikhonov merged commit 498974b into SSSD:master Jan 30, 2026
10 of 14 checks passed
@sssd-bot sssd-bot mentioned this pull request Jan 30, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sumit-bose sumit-bose sumit-bose approved these changes

@pbrezina pbrezina pbrezina approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@sumit-bose sumit-bose

@pbrezina pbrezina

Labels

Accepted backport-to-sssd-2-12 non-privileged

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@alexey-tikhonov @sssd-bot @sumit-bose @pbrezina