diff options
| author | Sam Hartman <hartmans@debian.org> | 2025-01-16 15:48:03 -0700 |
|---|---|---|
| committer | Sam Hartman <hartmans@debian.org> | 2025-01-16 15:48:03 -0700 |
| commit | 3415c2576db1bab32bdea1750cf6e02920f1f43b (patch) | |
| tree | 589065f561351041c880520920fafd5e39cc3dc8 | |
| parent | dd5ca6dda1bbdbaa6e32bc451068837ee616bf64 (diff) | |
| download | pam-3415c2576db1bab32bdea1750cf6e02920f1f43b.tar.gz pam-3415c2576db1bab32bdea1750cf6e02920f1f43b.tar.bz2 pam-3415c2576db1bab32bdea1750cf6e02920f1f43b.zip | |
pam_limits: do not override systemd's limits by default; add the
set_all option to restore previous behavior, Closes: #995236
Factor out the pam_limits patch that requires explicit root from the part of the patch that sets explicit defaults.
Drop the part of the patch that treats set_all as if it is always set.
| -rw-r--r-- | debian/patches/008_modules_pam_limits_chroot | 6 | ||||
| -rw-r--r-- | debian/patches/027_pam_limits_better_init_allow_explicit_root | 231 | ||||
| -rw-r--r-- | debian/patches/032_pam_limits_EPERM_NOT_FATAL | 2 | ||||
| -rw-r--r-- | debian/patches/040_pam_limits_log_failure | 2 | ||||
| -rw-r--r-- | debian/patches/pam-limits-nofile-fd-setsize-cap | 4 | ||||
| -rw-r--r-- | debian/patches/pam_limits_explicit_root | 117 | ||||
| -rw-r--r-- | debian/patches/pam_limits_fallback_defaults | 129 | ||||
| -rw-r--r-- | debian/patches/series | 4 |
8 files changed, 255 insertions, 240 deletions
diff --git a/debian/patches/008_modules_pam_limits_chroot b/debian/patches/008_modules_pam_limits_chroot index e25debec..8ce46a77 100644 --- a/debian/patches/008_modules_pam_limits_chroot +++ b/debian/patches/008_modules_pam_limits_chroot @@ -47,10 +47,10 @@ index 803cb4e..348758a 100644 </listitem> </varlistentry> diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c -index be0b637..5c9cdc8 100644 +index 51fbe02..71e3c9e 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c -@@ -109,6 +109,7 @@ struct pam_limit_s { +@@ -108,6 +108,7 @@ struct pam_limit_s { specific user or to count all logins */ int priority; /* the priority to run user process with */ int nonewprivs; /* whether to prctl(PR_SET_NO_NEW_PRIVS) */ @@ -58,7 +58,7 @@ index be0b637..5c9cdc8 100644 struct user_limits_struct limits[RLIM_NLIMITS]; const char *conf_file; int utmp_after_pam_call; -@@ -117,9 +118,9 @@ struct pam_limit_s { +@@ -116,9 +117,9 @@ struct pam_limit_s { #define LIMIT_LOGIN (RLIM_NLIMITS+1) #define LIMIT_NUMSYSLOGINS (RLIM_NLIMITS+2) diff --git a/debian/patches/027_pam_limits_better_init_allow_explicit_root b/debian/patches/027_pam_limits_better_init_allow_explicit_root deleted file mode 100644 index a0975548..00000000 --- a/debian/patches/027_pam_limits_better_init_allow_explicit_root +++ /dev/null @@ -1,231 +0,0 @@ -From: Peter Paluch <peterp@frcatel.fri.utc.sk> -Date: Mon, 11 Sep 2023 14:00:42 -0600 -Subject: Allow explicit limits for root and reset limits on each session - -Bug-Debian: http://bugs.debian.org/63230 - -When crossing session boundaries (such as when su'ing from one user to -another), if the target account has no limit specified in limits.conf we -want to use the default, not the current value configured for the -source account. - -If /proc/1/limits is unavailable, fall back to a set of hard-coded values -that shadow the currently known defaults on Linux. - -Also, don't apply wildcard limits to the root account; only apply limits to -root that reference root by name. -=================================================================== ---- - modules/pam_limits/limits.conf | 4 ++ - modules/pam_limits/limits.conf.5.xml | 6 +++ - modules/pam_limits/pam_limits.c | 89 ++++++++++++++++++++++++++++++++---- - 3 files changed, 90 insertions(+), 9 deletions(-) - -diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf -index e8a746c..c6b058a 100644 ---- a/modules/pam_limits/limits.conf -+++ b/modules/pam_limits/limits.conf -@@ -22,6 +22,9 @@ - # - the wildcard *, for default entry - # - the wildcard %, can be also used with %group syntax, - # for maxlogin limit -+# - NOTE: group and wildcard limits are not applied to root. -+# To apply a limit to the root user, <domain> must be -+# the literal username root. - # - #<type> can have the two values: - # - "soft" for enforcing the soft limits -@@ -51,6 +54,7 @@ - # - - #* soft core 0 -+#root hard core 100000 - #* hard rss 10000 - #@student hard nproc 20 - #@faculty soft nproc 20 -diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml -index dd8d68b..803cb4e 100644 ---- a/modules/pam_limits/limits.conf.5.xml -+++ b/modules/pam_limits/limits.conf.5.xml -@@ -89,6 +89,11 @@ - </para> - </listitem> - </itemizedlist> -+ <para> -+ <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not -+ applied to the root user. To set a limit for the root user, this field -+ must contain the literal username <emphasis remap='B'>root</emphasis>. -+ </para> - </listitem> - </varlistentry> - -@@ -320,6 +325,7 @@ - </para> - <programlisting> - * soft core 0 -+root hard core 100000 - * hard nofile 512 - @student hard nproc 20 - @faculty soft nproc 20 -diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c -index 1e4dfa3..7e2d93d 100644 ---- a/modules/pam_limits/pam_limits.c -+++ b/modules/pam_limits/pam_limits.c -@@ -54,10 +54,19 @@ - #include <libaudit.h> - #endif - -+ - #ifndef PR_SET_NO_NEW_PRIVS - # define PR_SET_NO_NEW_PRIVS 38 /* from <linux/prctl.h> */ - #endif - -+#ifndef MLOCK_LIMIT -+#ifdef __FreeBSD_kernel__ -+#define MLOCK_LIMIT RLIM_INFINITY -+#else -+#define MLOCK_LIMIT (64*1024) -+#endif -+#endif -+ - /* Module defines */ - #define LIMITS_DEF_USER 0 /* limit was set by a user entry */ - #define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */ -@@ -93,6 +102,7 @@ struct user_limits_struct { - - /* internal data */ - struct pam_limit_s { -+ int root; /* running as root? */ - int login_limit; /* the max logins limit */ - int login_limit_def; /* which entry set the login limit */ - int flag_numsyslogins; /* whether to limit logins only for a -@@ -536,9 +546,18 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) - { - int i; - int retval = PAM_SUCCESS; -+ static int mlock_limit = 0; - - D(("called.")); - -+ pl->root = 0; -+ -+ if (mlock_limit == 0) { -+ mlock_limit = sysconf(_SC_PAGESIZE); -+ if (mlock_limit < MLOCK_LIMIT) -+ mlock_limit = MLOCK_LIMIT; -+ } -+ - for(i = 0; i < RLIM_NLIMITS; i++) { - int r = getrlimit(i, &pl->limits[i].limit); - if (r == -1) { -@@ -554,18 +573,68 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) - } - - #ifdef __linux__ -- if (ctrl & PAM_SET_ALL) { -- parse_kernel_limits(pamh, pl, ctrl); -+ parse_kernel_limits(pamh, pl, ctrl); -+#endif - -- for(i = 0; i < RLIM_NLIMITS; i++) { -+ for(i = 0; i < RLIM_NLIMITS; i++) { - if (pl->limits[i].supported && - (pl->limits[i].src_soft == LIMITS_DEF_NONE || - pl->limits[i].src_hard == LIMITS_DEF_NONE)) { -- pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); -+#ifdef __linux__ -+ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); -+#endif -+ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT; -+ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT; -+ switch(i) { -+ case RLIMIT_CPU: -+ case RLIMIT_FSIZE: -+ case RLIMIT_DATA: -+ case RLIMIT_RSS: -+ case RLIMIT_NPROC: -+#ifdef RLIMIT_AS -+ case RLIMIT_AS: -+#endif -+#ifdef RLIMIT_LOCKS -+ case RLIMIT_LOCKS: -+#endif -+ pl->limits[i].limit.rlim_cur = RLIM_INFINITY; -+ pl->limits[i].limit.rlim_max = RLIM_INFINITY; -+ break; -+ case RLIMIT_MEMLOCK: -+ pl->limits[i].limit.rlim_cur = mlock_limit; -+ pl->limits[i].limit.rlim_max = mlock_limit; -+ break; -+#ifdef RLIMIT_SIGPENDING -+ case RLIMIT_SIGPENDING: -+ pl->limits[i].limit.rlim_cur = 16382; -+ pl->limits[i].limit.rlim_max = 16382; -+ break; -+#endif -+#ifdef RLIMIT_MSGQUEUE -+ case RLIMIT_MSGQUEUE: -+ pl->limits[i].limit.rlim_cur = 819200; -+ pl->limits[i].limit.rlim_max = 819200; -+ break; -+#endif -+ case RLIMIT_CORE: -+ pl->limits[i].limit.rlim_cur = 0; -+ pl->limits[i].limit.rlim_max = RLIM_INFINITY; -+ break; -+ case RLIMIT_STACK: -+ pl->limits[i].limit.rlim_cur = 8192*1024; -+ pl->limits[i].limit.rlim_max = RLIM_INFINITY; -+ break; -+ case RLIMIT_NOFILE: -+ pl->limits[i].limit.rlim_cur = 1024; -+ pl->limits[i].limit.rlim_max = 1024; -+ break; -+ default: -+ pl->limits[i].src_soft = LIMITS_DEF_NONE; -+ pl->limits[i].src_hard = LIMITS_DEF_NONE; -+ break; -+ } - } -- } - } --#endif - - errno = 0; - pl->priority = getpriority (PRIO_PROCESS, 0); -@@ -1020,7 +1089,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, - - if (strcmp(uname, domain) == 0) /* this user has a limit */ - process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); -- else if (domain[0]=='@') { -+ else if (domain[0]=='@' && !pl->root) { - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, - "checking if %s is in group %s", -@@ -1046,7 +1115,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, - process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, - pl); - } -- } else if (domain[0]=='%') { -+ } else if (domain[0]=='%' && !pl->root) { - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, - "checking if %s is in group %s", -@@ -1081,7 +1150,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, - } else { - switch(rngtype) { - case LIMIT_RANGE_NONE: -- if (strcmp(domain, "*") == 0) -+ if (strcmp(domain, "*") == 0 && !pl->root) - process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, - pl); - break; -@@ -1372,6 +1441,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, - return PAM_ABORT; - } - -+ if (pwd->pw_uid == 0) -+ pl->root = 1; - retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, - ctrl, pl, conf_file_set_by_user); - if (retval == PAM_IGNORE) { diff --git a/debian/patches/032_pam_limits_EPERM_NOT_FATAL b/debian/patches/032_pam_limits_EPERM_NOT_FATAL index e4d35418..90fb3684 100644 --- a/debian/patches/032_pam_limits_EPERM_NOT_FATAL +++ b/debian/patches/032_pam_limits_EPERM_NOT_FATAL @@ -15,7 +15,7 @@ Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net> 1 file changed, 2 insertions(+) diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c -index 2603028..be0b637 100644 +index 2f3934b..51fbe02 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c @@ -1263,6 +1263,8 @@ static int setup_limits(pam_handle_t *pamh, diff --git a/debian/patches/040_pam_limits_log_failure b/debian/patches/040_pam_limits_log_failure index c0848c27..a3910b2b 100644 --- a/debian/patches/040_pam_limits_log_failure +++ b/debian/patches/040_pam_limits_log_failure @@ -15,7 +15,7 @@ Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net> 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c -index 5c9cdc8..47f59ef 100644 +index 71e3c9e..80bcca4 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c @@ -1269,9 +1269,19 @@ static int setup_limits(pam_handle_t *pamh, diff --git a/debian/patches/pam-limits-nofile-fd-setsize-cap b/debian/patches/pam-limits-nofile-fd-setsize-cap index d75fec95..7506b8a9 100644 --- a/debian/patches/pam-limits-nofile-fd-setsize-cap +++ b/debian/patches/pam-limits-nofile-fd-setsize-cap @@ -45,10 +45,10 @@ Last-Update: 2015-04-22 1 file changed, 8 insertions(+) diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c -index 7e2d93d..2603028 100644 +index 749750f..2f3934b 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c -@@ -539,6 +539,14 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int +@@ -538,6 +538,14 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int } free(line); fclose(limitsfile); diff --git a/debian/patches/pam_limits_explicit_root b/debian/patches/pam_limits_explicit_root new file mode 100644 index 00000000..1c6ef5c8 --- /dev/null +++ b/debian/patches/pam_limits_explicit_root @@ -0,0 +1,117 @@ +From: Peter Paluch <peterp@frcatel.fri.utc.sk> +Date: Mon, 11 Sep 2023 14:00:42 -0600 +Subject: Root limits must be explicit + +Bug-Debian: http://bugs.debian.org/63230 +Don't apply wildcard limits to the root account; only apply limits to +root that reference root by name. +=================================================================== +--- + modules/pam_limits/limits.conf | 4 ++++ + modules/pam_limits/limits.conf.5.xml | 6 ++++++ + modules/pam_limits/pam_limits.c | 11 ++++++++--- + 3 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf +index e8a746c..c6b058a 100644 +--- a/modules/pam_limits/limits.conf ++++ b/modules/pam_limits/limits.conf +@@ -22,6 +22,9 @@ + # - the wildcard *, for default entry + # - the wildcard %, can be also used with %group syntax, + # for maxlogin limit ++# - NOTE: group and wildcard limits are not applied to root. ++# To apply a limit to the root user, <domain> must be ++# the literal username root. + # + #<type> can have the two values: + # - "soft" for enforcing the soft limits +@@ -51,6 +54,7 @@ + # + + #* soft core 0 ++#root hard core 100000 + #* hard rss 10000 + #@student hard nproc 20 + #@faculty soft nproc 20 +diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml +index dd8d68b..803cb4e 100644 +--- a/modules/pam_limits/limits.conf.5.xml ++++ b/modules/pam_limits/limits.conf.5.xml +@@ -89,6 +89,11 @@ + </para> + </listitem> + </itemizedlist> ++ <para> ++ <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not ++ applied to the root user. To set a limit for the root user, this field ++ must contain the literal username <emphasis remap='B'>root</emphasis>. ++ </para> + </listitem> + </varlistentry> + +@@ -320,6 +325,7 @@ + </para> + <programlisting> + * soft core 0 ++root hard core 100000 + * hard nofile 512 + @student hard nproc 20 + @faculty soft nproc 20 +diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c +index 1e4dfa3..7eb93c0 100644 +--- a/modules/pam_limits/pam_limits.c ++++ b/modules/pam_limits/pam_limits.c +@@ -93,6 +93,7 @@ struct user_limits_struct { + + /* internal data */ + struct pam_limit_s { ++ int root; /* running as root? */ + int login_limit; /* the max logins limit */ + int login_limit_def; /* which entry set the login limit */ + int flag_numsyslogins; /* whether to limit logins only for a +@@ -539,6 +540,8 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) + + D(("called.")); + ++ pl->root = 0; ++ + for(i = 0; i < RLIM_NLIMITS; i++) { + int r = getrlimit(i, &pl->limits[i].limit); + if (r == -1) { +@@ -1020,7 +1023,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, + + if (strcmp(uname, domain) == 0) /* this user has a limit */ + process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); +- else if (domain[0]=='@') { ++ else if (domain[0]=='@' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", +@@ -1046,7 +1049,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, + process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, + pl); + } +- } else if (domain[0]=='%') { ++ } else if (domain[0]=='%' && !pl->root) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_DEBUG, + "checking if %s is in group %s", +@@ -1081,7 +1084,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, + } else { + switch(rngtype) { + case LIMIT_RANGE_NONE: +- if (strcmp(domain, "*") == 0) ++ if (strcmp(domain, "*") == 0 && !pl->root) + process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, + pl); + break; +@@ -1372,6 +1375,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, + return PAM_ABORT; + } + ++ if (pwd->pw_uid == 0) ++ pl->root = 1; + retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, + ctrl, pl, conf_file_set_by_user); + if (retval == PAM_IGNORE) { diff --git a/debian/patches/pam_limits_fallback_defaults b/debian/patches/pam_limits_fallback_defaults new file mode 100644 index 00000000..f9e1b9c5 --- /dev/null +++ b/debian/patches/pam_limits_fallback_defaults @@ -0,0 +1,129 @@ +From: Sam Hartman <hartmans@debian.org> +Date: Thu, 16 Jan 2025 15:40:56 -0700 +Subject: pam_limits: Defaults if kernel limits unavailable + +When set_all is set in pam_limits control, if we are not on linux, or +if parsing kernel limits fails, set explicit defaults that are similar +to linux defaults. + +This patch is not particularly important to Debian on linux now that +set_all is no longer the default; kept mainly for non-linux ports. + +based on patch by Peter Paluch <peterp@frcatel.fri.utc.sk> +--- + modules/pam_limits/pam_limits.c | 74 ++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 70 insertions(+), 4 deletions(-) + +diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c +index 7eb93c0..749750f 100644 +--- a/modules/pam_limits/pam_limits.c ++++ b/modules/pam_limits/pam_limits.c +@@ -58,6 +58,14 @@ + # define PR_SET_NO_NEW_PRIVS 38 /* from <linux/prctl.h> */ + #endif + ++#ifndef MLOCK_LIMIT ++#ifdef __FreeBSD_kernel__ ++#define MLOCK_LIMIT RLIM_INFINITY ++#else ++#define MLOCK_LIMIT (64*1024) ++#endif ++#endif ++ + /* Module defines */ + #define LIMITS_DEF_USER 0 /* limit was set by a user entry */ + #define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */ +@@ -537,11 +545,18 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) + { + int i; + int retval = PAM_SUCCESS; ++ static int mlock_limit = 0; + + D(("called.")); + + pl->root = 0; + ++ if (mlock_limit == 0) { ++ mlock_limit = sysconf(_SC_PAGESIZE); ++ if (mlock_limit < MLOCK_LIMIT) ++ mlock_limit = MLOCK_LIMIT; ++ } ++ + for(i = 0; i < RLIM_NLIMITS; i++) { + int r = getrlimit(i, &pl->limits[i].limit); + if (r == -1) { +@@ -556,19 +571,70 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) + } + } + +-#ifdef __linux__ + if (ctrl & PAM_SET_ALL) { ++#ifdef __linux__ + parse_kernel_limits(pamh, pl, ctrl); ++#endif + + for(i = 0; i < RLIM_NLIMITS; i++) { + if (pl->limits[i].supported && + (pl->limits[i].src_soft == LIMITS_DEF_NONE || + pl->limits[i].src_hard == LIMITS_DEF_NONE)) { +- pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); ++#ifdef __linux__ ++ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using default", rlimit2str(i)); ++#endif ++ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT; ++ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT; ++ switch(i) { ++ case RLIMIT_CPU: ++ case RLIMIT_FSIZE: ++ case RLIMIT_DATA: ++ case RLIMIT_RSS: ++ case RLIMIT_NPROC: ++#ifdef RLIMIT_AS ++ case RLIMIT_AS: ++#endif ++#ifdef RLIMIT_LOCKS ++ case RLIMIT_LOCKS: ++#endif ++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_MEMLOCK: ++ pl->limits[i].limit.rlim_cur = mlock_limit; ++ pl->limits[i].limit.rlim_max = mlock_limit; ++ break; ++#ifdef RLIMIT_SIGPENDING ++ case RLIMIT_SIGPENDING: ++ pl->limits[i].limit.rlim_cur = 16382; ++ pl->limits[i].limit.rlim_max = 16382; ++ break; ++#endif ++#ifdef RLIMIT_MSGQUEUE ++ case RLIMIT_MSGQUEUE: ++ pl->limits[i].limit.rlim_cur = 819200; ++ pl->limits[i].limit.rlim_max = 819200; ++ break; ++#endif ++ case RLIMIT_CORE: ++ pl->limits[i].limit.rlim_cur = 0; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_STACK: ++ pl->limits[i].limit.rlim_cur = 8192*1024; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_NOFILE: ++ pl->limits[i].limit.rlim_cur = 1024; ++ pl->limits[i].limit.rlim_max = 1024; ++ break; ++ default: ++ pl->limits[i].src_soft = LIMITS_DEF_NONE; ++ pl->limits[i].src_hard = LIMITS_DEF_NONE; ++ break; ++ } + } +- } + } +-#endif + + errno = 0; + pl->priority = getpriority (PRIO_PROCESS, 0); diff --git a/debian/patches/series b/debian/patches/series index 17e9bdca..da4ae103 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,7 +3,8 @@ make_documentation_reproducible.patch 022_pam_unix_group_time_miscfixes 031_pam_include 036_pam_wheel_getlogin_considered_harmful -027_pam_limits_better_init_allow_explicit_root +pam_limits_explicit_root +pam_limits_fallback_defaults pam-limits-nofile-fd-setsize-cap 032_pam_limits_EPERM_NOT_FATAL 008_modules_pam_limits_chroot @@ -16,4 +17,3 @@ lib_security_multiarch_compat nullok_secure-compat.patch pam_mkhomedir_stat_before_opendir 0018-Libpam-is-both-shared-and-static.patch - |