diff options
Diffstat (limited to 'debian/patches/pam_limits_fallback_defaults')
| -rw-r--r-- | debian/patches/pam_limits_fallback_defaults | 129 |
1 files changed, 129 insertions, 0 deletions
diff --git a/debian/patches/pam_limits_fallback_defaults b/debian/patches/pam_limits_fallback_defaults new file mode 100644 index 00000000..f9e1b9c5 --- /dev/null +++ b/debian/patches/pam_limits_fallback_defaults @@ -0,0 +1,129 @@ +From: Sam Hartman <hartmans@debian.org> +Date: Thu, 16 Jan 2025 15:40:56 -0700 +Subject: pam_limits: Defaults if kernel limits unavailable + +When set_all is set in pam_limits control, if we are not on linux, or +if parsing kernel limits fails, set explicit defaults that are similar +to linux defaults. + +This patch is not particularly important to Debian on linux now that +set_all is no longer the default; kept mainly for non-linux ports. + +based on patch by Peter Paluch <peterp@frcatel.fri.utc.sk> +--- + modules/pam_limits/pam_limits.c | 74 ++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 70 insertions(+), 4 deletions(-) + +diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c +index 7eb93c0..749750f 100644 +--- a/modules/pam_limits/pam_limits.c ++++ b/modules/pam_limits/pam_limits.c +@@ -58,6 +58,14 @@ + # define PR_SET_NO_NEW_PRIVS 38 /* from <linux/prctl.h> */ + #endif + ++#ifndef MLOCK_LIMIT ++#ifdef __FreeBSD_kernel__ ++#define MLOCK_LIMIT RLIM_INFINITY ++#else ++#define MLOCK_LIMIT (64*1024) ++#endif ++#endif ++ + /* Module defines */ + #define LIMITS_DEF_USER 0 /* limit was set by a user entry */ + #define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */ +@@ -537,11 +545,18 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) + { + int i; + int retval = PAM_SUCCESS; ++ static int mlock_limit = 0; + + D(("called.")); + + pl->root = 0; + ++ if (mlock_limit == 0) { ++ mlock_limit = sysconf(_SC_PAGESIZE); ++ if (mlock_limit < MLOCK_LIMIT) ++ mlock_limit = MLOCK_LIMIT; ++ } ++ + for(i = 0; i < RLIM_NLIMITS; i++) { + int r = getrlimit(i, &pl->limits[i].limit); + if (r == -1) { +@@ -556,19 +571,70 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) + } + } + +-#ifdef __linux__ + if (ctrl & PAM_SET_ALL) { ++#ifdef __linux__ + parse_kernel_limits(pamh, pl, ctrl); ++#endif + + for(i = 0; i < RLIM_NLIMITS; i++) { + if (pl->limits[i].supported && + (pl->limits[i].src_soft == LIMITS_DEF_NONE || + pl->limits[i].src_hard == LIMITS_DEF_NONE)) { +- pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i)); ++#ifdef __linux__ ++ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using default", rlimit2str(i)); ++#endif ++ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT; ++ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT; ++ switch(i) { ++ case RLIMIT_CPU: ++ case RLIMIT_FSIZE: ++ case RLIMIT_DATA: ++ case RLIMIT_RSS: ++ case RLIMIT_NPROC: ++#ifdef RLIMIT_AS ++ case RLIMIT_AS: ++#endif ++#ifdef RLIMIT_LOCKS ++ case RLIMIT_LOCKS: ++#endif ++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_MEMLOCK: ++ pl->limits[i].limit.rlim_cur = mlock_limit; ++ pl->limits[i].limit.rlim_max = mlock_limit; ++ break; ++#ifdef RLIMIT_SIGPENDING ++ case RLIMIT_SIGPENDING: ++ pl->limits[i].limit.rlim_cur = 16382; ++ pl->limits[i].limit.rlim_max = 16382; ++ break; ++#endif ++#ifdef RLIMIT_MSGQUEUE ++ case RLIMIT_MSGQUEUE: ++ pl->limits[i].limit.rlim_cur = 819200; ++ pl->limits[i].limit.rlim_max = 819200; ++ break; ++#endif ++ case RLIMIT_CORE: ++ pl->limits[i].limit.rlim_cur = 0; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_STACK: ++ pl->limits[i].limit.rlim_cur = 8192*1024; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; ++ case RLIMIT_NOFILE: ++ pl->limits[i].limit.rlim_cur = 1024; ++ pl->limits[i].limit.rlim_max = 1024; ++ break; ++ default: ++ pl->limits[i].src_soft = LIMITS_DEF_NONE; ++ pl->limits[i].src_hard = LIMITS_DEF_NONE; ++ break; ++ } + } +- } + } +-#endif + + errno = 0; + pl->priority = getpriority (PRIO_PROCESS, 0); |