Diffstat (limited to 'debian/patches/pam_limits_explicit_root')
-rw-r--r-- | debian/patches/pam_limits_explicit_root | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/debian/patches/pam_limits_explicit_root b/debian/patches/pam_limits_explicit_root
new file mode 100644
index 00000000..1c6ef5c8
--- /dev/null
+++ b/debian/patches/pam_limits_explicit_root
@@ -0,0 +1,117 @@
+From: Peter Paluch <peterp@frcatel.fri.utc.sk>
+Date: Mon, 11 Sep 2023 14:00:42 -0600
+Subject: Root limits must be explicit
+
+Bug-Debian: http://bugs.debian.org/63230
+Don't apply wildcard limits to the root account; only apply limits to
+root that reference root by name.
+===================================================================
+---
+ modules/pam_limits/limits.conf | 4 ++++
+ modules/pam_limits/limits.conf.5.xml | 6 ++++++
+ modules/pam_limits/pam_limits.c | 11 ++++++++---
+ 3 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf
+index e8a746c..c6b058a 100644
+--- a/modules/pam_limits/limits.conf
++++ b/modules/pam_limits/limits.conf
+@@ -22,6 +22,9 @@
+ # - the wildcard *, for default entry
+ # - the wildcard %, can be also used with %group syntax,
+ # for maxlogin limit
++# - NOTE: group and wildcard limits are not applied to root.
++# To apply a limit to the root user, <domain> must be
++# the literal username root.
+ #
+ #<type> can have the two values:
+ # - "soft" for enforcing the soft limits
+@@ -51,6 +54,7 @@
+ #
+
+ #* soft core 0
++#root hard core 100000
+ #* hard rss 10000
+ #@student hard nproc 20
+ #@faculty soft nproc 20
+diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
+index dd8d68b..803cb4e 100644
+--- a/modules/pam_limits/limits.conf.5.xml
++++ b/modules/pam_limits/limits.conf.5.xml
+@@ -89,6 +89,11 @@
+ </para>
+ </listitem>
+ </itemizedlist>
++ <para>
++ <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not
++ applied to the root user. To set a limit for the root user, this field
++ must contain the literal username <emphasis remap='B'>root</emphasis>.
++ </para>
+ </listitem>
+ </varlistentry>
+
+@@ -320,6 +325,7 @@
+ </para>
+ <programlisting>
+ * soft core 0
++root hard core 100000
+ * hard nofile 512
+ @student hard nproc 20
+ @faculty soft nproc 20
+diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
+index 1e4dfa3..7eb93c0 100644
+--- a/modules/pam_limits/pam_limits.c
++++ b/modules/pam_limits/pam_limits.c
+@@ -93,6 +93,7 @@ struct user_limits_struct {
+
+ /* internal data */
+ struct pam_limit_s {
++ int root; /* running as root? */
+ int login_limit; /* the max logins limit */
+ int login_limit_def; /* which entry set the login limit */
+ int flag_numsyslogins; /* whether to limit logins only for a
+@@ -539,6 +540,8 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
+
+ D(("called."));
+
++ pl->root = 0;
++
+ for(i = 0; i < RLIM_NLIMITS; i++) {
+ int r = getrlimit(i, &pl->limits[i].limit);
+ if (r == -1) {
+@@ -1020,7 +1023,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
+
+ if (strcmp(uname, domain) == 0) /* this user has a limit */
+ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
+- else if (domain[0]=='@') {
++ else if (domain[0]=='@' && !pl->root) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "checking if %s is in group %s",
+@@ -1046,7 +1049,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
+ pl);
+ }
+- } else if (domain[0]=='%') {
++ } else if (domain[0]=='%' && !pl->root) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "checking if %s is in group %s",
+@@ -1081,7 +1084,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
+ } else {
+ switch(rngtype) {
+ case LIMIT_RANGE_NONE:
+- if (strcmp(domain, "*") == 0)
++ if (strcmp(domain, "*") == 0 && !pl->root)
+ process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
pl);
+ break;
+@@ -1372,6 +1375,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
+ return PAM_ABORT;
+ }
+
++ if (pwd->pw_uid == 0)
++ pl->root = 1;
+ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid,
+ ctrl, pl, conf_file_set_by_user);
+ if (retval == PAM_IGNORE) { |
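Review bot: The new `&& !pl->root` guard covers only the `@group`, `%group` and `*` domains, so a domain written as a numeric uid/gid range (the other `rngtype` arms of this `switch`, which lie outside the hunk) would presumably still apply to uid 0 even though an entry like `0:100 hard nproc 20` is neither a wildcard nor "the literal username root" that the new limits.conf NOTE says is required; either extend the guard to those arms or state in the NOTE that numeric ranges still match root. Note also that `pl->root` is keyed on `pwd->pw_uid == 0` while the explicit match is `strcmp(uname, domain)` against `pwd->pw_name`, so for a second uid-0 account (e.g. `toor`) wildcard and group limits are suppressed but a `root` line does not match it; the NOTE would be more accurate as `# To apply a limit to a uid-0 user, <domain> must be that account's own login name (normally root).` The `pl->root = 1` assignment only takes effect if it runs after `init_limits()` zeroes the flag, and that call order is not visible here, so please confirm it. Because the change silently stops honouring entries such as `@wheel hard core 0` for root, it relaxes existing hardening configs and deserves a NEWS/changelog entry; both `parse_config_file` and `pam_sm_open_session` start and end outside the hunk.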