diff options
Diffstat (limited to 'debian/patches/008_modules_pam_limits_chroot')
| -rw-r--r-- | debian/patches/008_modules_pam_limits_chroot | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/debian/patches/008_modules_pam_limits_chroot b/debian/patches/008_modules_pam_limits_chroot new file mode 100644 index 00000000..7a86fdd5 --- /dev/null +++ b/debian/patches/008_modules_pam_limits_chroot @@ -0,0 +1,132 @@ +Index: pam/modules/pam_limits/pam_limits.c +=================================================================== +--- pam.orig/modules/pam_limits/pam_limits.c ++++ pam/modules/pam_limits/pam_limits.c +@@ -90,6 +90,7 @@ + specific user or to count all logins */ + int priority; /* the priority to run user process with */ + int nonewprivs; /* whether to prctl(PR_SET_NO_NEW_PRIVS) */ ++ char chroot_dir[8092]; /* directory to chroot into */ + struct user_limits_struct limits[RLIM_NLIMITS]; + const char *conf_file; + int utmp_after_pam_call; +@@ -101,6 +102,7 @@ + + #define LIMIT_PRI RLIM_NLIMITS+3 + #define LIMIT_NONEWPRIVS RLIM_NLIMITS+4 ++#define LIMIT_CHROOT RLIM_NLIMITS+5 + + #define LIMIT_SOFT 1 + #define LIMIT_HARD 2 +@@ -484,6 +486,8 @@ + pl->login_limit = -2; + pl->login_limit_def = LIMITS_DEF_NONE; + ++ pl->chroot_dir[0] = '\0'; ++ + return retval; + } + +@@ -591,6 +595,8 @@ + limit_item = LIMIT_PRI; + } else if (strcmp(lim_item, "nonewprivs") == 0) { + limit_item = LIMIT_NONEWPRIVS; ++ } else if (strcmp(lim_item, "chroot") == 0) { ++ limit_item = LIMIT_CHROOT; + } else { + pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item); + return; +@@ -640,9 +646,9 @@ + pam_syslog(pamh, LOG_DEBUG, + "wrong limit value '%s' for limit type '%s'", + lim_value, lim_type); +- return; ++ return; + } +- } else { ++ } else if (limit_item != LIMIT_CHROOT) { + #ifdef __USE_FILE_OFFSET64 + rlimit_value = strtoull (lim_value, &endptr, 10); + #else +@@ -717,7 +723,11 @@ + break; + } + +- if ( (limit_item != LIMIT_LOGIN) ++ if (limit_item == LIMIT_CHROOT) { ++ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir)-1); ++ pl->chroot_dir[sizeof(pl->chroot_dir)-1]='\0'; ++ } ++ else if ( (limit_item != LIMIT_LOGIN) + && (limit_item != LIMIT_NUMSYSLOGINS) + && (limit_item != LIMIT_PRI) + && (limit_item != LIMIT_NONEWPRIVS) ) { +@@ -1071,6 +1081,15 @@ + } + } + ++ if (!retval && pl->chroot_dir[0]) { ++ i = chdir(pl->chroot_dir); ++ if (i == 0) ++ i = chroot(pl->chroot_dir); ++ if (i == 0) ++ i = chdir("/"); ++ if (i != 0) ++ retval = LIMIT_ERR; ++ } + return retval; + } + +Index: pam/modules/pam_limits/limits.conf.5.xml +=================================================================== +--- pam.orig/modules/pam_limits/limits.conf.5.xml ++++ pam/modules/pam_limits/limits.conf.5.xml +@@ -273,6 +273,12 @@ + (Linux 2.6.12 and higher)</para> + </listitem> + </varlistentry> ++ <varlistentry> ++ <term><option>chroot</option></term> ++ <listitem> ++ <para>the directory to chroot the user to</para> ++ </listitem> ++ </varlistentry> + </variablelist> + </listitem> + </varlistentry> +Index: pam/modules/pam_limits/limits.conf.5 +=================================================================== +--- pam.orig/modules/pam_limits/limits.conf.5 ++++ pam/modules/pam_limits/limits.conf.5 +@@ -279,6 +279,11 @@ + .RS 4 + maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher) + .RE ++.PP ++\fBchroot\fR ++.RS 4 ++the directory to chroot the user to ++.RE + .RE + .PP + All items support the values +Index: pam/modules/pam_limits/limits.conf +=================================================================== +--- pam.orig/modules/pam_limits/limits.conf ++++ pam/modules/pam_limits/limits.conf +@@ -46,6 +46,7 @@ + # - msgqueue - max memory used by POSIX message queues (bytes) + # - nice - max nice priority allowed to raise to values: [-20, 19] + # - rtprio - max realtime priority ++# - chroot - change root to directory (Debian-specific) + # + #<domain> <type> <item> <value> + # +@@ -56,6 +57,7 @@ + #@faculty soft nproc 20 + #@faculty hard nproc 50 + #ftp hard nproc 0 ++#ftp - chroot /ftp + #@student - maxlogins 4 + + # End of file |