author | Andrew G. Morgan <morgan@kernel.org> | 2001-03-29 04:21:16 +0000 |
---|---|---|
committer | Andrew G. Morgan <morgan@kernel.org> | 2001-03-29 04:21:16 +0000 |
commit | 688f3612e1c9b3a1524bd826a2a7d2546156808f (patch) | |
tree | 6bbdff4c016c7266371591501c41db4a51cc36de | |
parent | a7181f94c8d5e7f42938b7fa6133589608760f2c (diff) | |
Relevant BUGIDs: 404953
Purpose of commit: bugfix
Commit summary:
---------------
The syntax "<domain> -" was not recognized.
-rw-r--r-- | CHANGELOG | 8 |
-rw-r--r-- | doc/modules/pam_limits.sgml | 23 |
-rw-r--r-- | modules/pam_limits/README | 29 |
-rw-r--r-- | modules/pam_limits/pam_limits.c | 9 |
4 files changed, 46 insertions, 23 deletions
@@ -27,14 +27,14 @@ Note, as of release 0.73, all checkins should be accompanied with a Bug ID. The bug IDs relate to sourceforge IDs.. You can query the related bug description with the following URL: - http://sourceforge.net/bugs/?func=detailbug&bug_id=XXXXX&group_id=6663 + http://sourceforge.net/tracker/index.php?func=detail&aid=XXXXXX&group_id=6663&atid=106663 -Where you should replace XXXXX with a bug-id. +Where you should replace XXXXXX with a bug-id. If you have found a bug in Linux-PAM, please consider filing such a bug report - outstanding bugs are listed here: - http://sourceforge.net/bugs/?group_id=6663 + http://sourceforge.net/tracker/?atid=106663&group_id=6663&func=browse (to file another bug see the 'submit bug' button on this page). @@ -50,6 +50,8 @@ libpam. Prior versions were buggy - see bugfix for Bug 129775. ** WARNING ** +* pam_limits - Richard M. Yumul reported that "<domain> -" didn't + work, first fix suggested by Werner Puschitz (Bug 404953 - agmorgan) * Nicolay Pelov suggested a simple fix for freebsd support (Bug 407282 - agmorgan) * Michel D'HOOGE submitted documentation fixes (Bug 408961 - agmorgan) diff --git a/doc/modules/pam_limits.sgml b/doc/modules/pam_limits.sgml index 00ff532e..52b8771f 100644 --- a/doc/modules/pam_limits.sgml +++ b/doc/modules/pam_limits.sgml @@ -109,7 +109,7 @@ The fields listed above should be filled as follows...<newline> </itemize> <p> -<tt><type></tt> can have the two values: +<tt><type></tt> can have the three values: <itemize> <item> <tt/hard/ for enforcing <em/hard/ resource limits. These limits @@ -122,6 +122,9 @@ by any pre-exisiting <em/hard/ limits. The values specified with this token can be thought of as <em/default/ values, for normal system usage. +<item> <tt/-/ for enforcing both <em/soft/ and <em/hard/ limits +together. + </itemize> <p> 
@@ -142,12 +145,18 @@ usage. </itemize> <p> -To completely disable limits for a user (or a group), a single dash -(-) will do (Example: ``<tt/bin -/'', ``<tt/@admin -/''). Please -remember that individual limits have priority over group limits, so if -you impose no limits for <tt/admin/ group, but one of the members in this -group have a limits line, the user will have its limits set according -to this line. +Note, if you specify a type of ``-'' but neglect to supply the +<tt/item/ and <tt/value/ fields then the module will never enforce any +limits on the corresponding user/group-members etc. . Note, the first +entry of the form which applies to the authenticating user will +override all other entries in the limits configuration file. In such +cases, the <tt/pam_limits/ module will always return <tt/PAM_SUCCESS/. + +<p> +In general, individual limits have priority over group limits, so if +you impose no limits for <tt/admin/ group, but one of the members in +this group have a limits line, the user will have its limits set +according to this line. <p> Also, please note that all limit settings are set <em/per login/. diff --git a/modules/pam_limits/README b/modules/pam_limits/README index 918e6c91..2398334b 100644 --- a/modules/pam_limits/README +++ b/modules/pam_limits/README @@ -4,9 +4,10 @@ pam_limits module: THEORY OF OPERATION: -First, make a root-only-readable file (/etc/limits by default or LIMITS_FILE -defined Makefile) that describes the resource limits you wish to impose. No -limits are imposed on UID 0 accounts. +First, make a root-only-readable file (/etc/security/limits.conf by +default or INSTALLED_CONFILE defined Makefile) that describes the +resource limits you wish to impose. No limits are imposed on UID 0 +accounts. Each line describes a limit for a user in the form: 
@@ -18,9 +19,10 @@ Where: - a group name, with @group syntax - the wildcard *, for default entry -<type> can have the two values: - - "soft" for enforcinf the soft limits +<type> can have the three values: + - "soft" for enforcing the soft limits - "hard" for enforcing hard limits + - "-" for enforcing both soft and hard limits <item> can be one of the following: - core - limits the core file size (KB) @@ -35,15 +37,18 @@ Where: - as - address space limit - maxlogins - max number of logins for this user - maxsyslogins - max number of logins on the system - -To completely disable limits for a user (or a group), a single dash (-) -will do (Example: 'bin -', '@admin -'). Please remember that individual -limits have priority over group limits, so if you impose no limits for admin -group, but one of the members in this group have a limits line, the user -will have its limits set according to this line. + +Note, if you specify a type of '-' but neglect to supply the item and +value fields then the module will never enforce any limits on the +specified user/group etc. . + +Please remember that individual limits have priority over group +limits, so if you impose no limits for admin group, but one of the +members in this group has a limits line, the user will have its limits +set according to this line. Also, please note that all limit settings are set PER LOGIN. They are -not global, nor are they permanent (the session only) +not global, nor are they permanent (they apply for the session only). In the LIMITS_FILE, the # character introduces a comment - the rest of the line is ignored. diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c index 34d76bf5..7a5ec472 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c 
@@ -452,6 +452,9 @@ static int parse_config_file(const char *uname, int ctrl, memset(value, 0, sizeof(value)); i = sscanf(buf,"%s%s%s%s", domain, ltype, item, value); + D(("scanned line[%d]: domain[%s], ltype[%s], item[%s], value[%s]", + i, domain, ltype, item, value)); + for(j=0; j < strlen(domain); j++) domain[j]=tolower(domain[j]); for(j=0; j < strlen(ltype); j++) @@ -483,7 +486,7 @@ static int parse_config_file(const char *uname, int ctrl, return PAM_IGNORE; } } else { - _pam_log(LOG_DEBUG,"invalid line '%s'", buf); + _pam_log(LOG_DEBUG,"invalid line '%s' - skipped", buf); } } fclose(fil); @@ -563,6 +566,10 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, } retval = parse_config_file(pwd->pw_name, ctrl, &pl); + if (retval == PAM_IGNORE) { + D(("the configuration file has an applicable '<domain> -' entry")); + return PAM_SUCCESS; + } if (retval != PAM_SUCCESS) { _pam_log(LOG_WARNING, "error parsing the configuration file"); return PAM_IGNORE; |
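Review bot: In doc/modules/pam_limits.sgml, hunk @@ -142,12 +145,18, the new first paragraph and the paragraph after it contradict each other. The new text says the first applicable "-" entry "will override all other entries in the limits configuration file", while the retained example still says that if no limits are imposed for the admin group but a member has a limits line, "the user will have its limits set according to this line". An administrator reading the second paragraph will expect a per-user limit to survive an `@admin -` entry, and under the documented new behaviour it does not. Please state explicitly that a bare `<domain> -` entry is the exception to the individual-over-group rule. The "etc. ." punctuation and "one of the members in this group have" (fixed to "has" in the README) should also be cleaned up here.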
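Review bot: In modules/pam_limits/README, hunk @@ -35,15 +37,18, the trailing context still reads "In the LIMITS_FILE, the # character introduces a comment" although the first README hunk replaced "LIMITS_FILE defined Makefile" with "INSTALLED_CONFILE defined Makefile" and changed the default path to /etc/security/limits.conf. The README now uses two names for the same file; update the remaining LIMITS_FILE reference. The same note as for the sgml applies to the paragraph pair added here: the "never enforce any limits" paragraph and the "individual limits have priority over group limits" paragraph need a sentence reconciling them, and "etc. ." has a stray period.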
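Review bot: In modules/pam_limits/pam_limits.c, hunk @@ -452,6 +452,9, the added D() call prints domain, ltype, item and value unconditionally, but sscanf only fills the first i of them. Only the memset of value is visible in this context, so please confirm the other three buffers are also cleared on every iteration, otherwise the debug line can show fields left over from the previous config line. While this line is being touched, the format `"%s%s%s%s"` has no field widths; if any of the four destination buffers is smaller than buf, a long token in the limits file overruns it, so bounded conversions sized to each buffer would be the safer form.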
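Review bot: In modules/pam_limits/pam_limits.c, hunk @@ -483,7 +486,7, the "invalid line '%s' - skipped" message is still emitted at LOG_DEBUG. Skipping a malformed line means the limit the administrator intended is not enforced, and at debug priority that will not appear in a default syslog configuration. Since the message now states that the line is skipped, raising it to LOG_WARNING would make a typo in the limits file visible instead of silently failing open.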
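Review bot: In modules/pam_limits/pam_limits.c, hunk @@ -563,6 +566,10, PAM_IGNORE is being used as an in-band signal from parse_config_file that a `<domain> -` entry matched, and pam_sm_open_session now turns every PAM_IGNORE into PAM_SUCCESS with no limits applied. Any other path in parse_config_file that returns PAM_IGNORE, now or after a later change, will be treated the same way and skip limit enforcement. A dedicated flag in the limits structure passed as `&pl`, or a private return constant, would keep "no limits by configuration" distinct from other outcomes. A comment on the `return PAM_IGNORE;` site in parse_config_file documenting this contract would also help, since the only explanation is in a D() debug string.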