From: Peter Paluch Date: Mon, 11 Sep 2023 14:00:42 -0600 Subject: Root limits must be explicit Bug-Debian: http://bugs.debian.org/63230 Don't apply wildcard limits to the root account; only apply limits to root that reference root by name. =================================================================== --- modules/pam_limits/limits.conf | 4 ++++ modules/pam_limits/limits.conf.5.xml | 6 ++++++ modules/pam_limits/pam_limits.c | 11 ++++++++--- 3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf
index e8a746c..c6b058a 100644
--- a/modules/pam_limits/limits.conf
+++ b/modules/pam_limits/limits.conf
@@ -22,6 +22,9 @@
 # - the wildcard *, for default entry
 # - the wildcard %, can be also used with %group syntax,
 # for maxlogin limit
+# - NOTE: group and wildcard limits are not applied to root.
+# To apply a limit to the root user, must be
+# the literal username root.
 #
 # can have the two values:
 # - "soft" for enforcing the soft limits
@@ -51,6 +54,7 @@
 #
 #* soft core 0
+#root hard core 100000
 #* hard rss 10000
 #@student hard nproc 20
 #@faculty soft nproc 20
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
index dd8d68b..803cb4e 100644
--- a/modules/pam_limits/limits.conf.5.xml
+++ b/modules/pam_limits/limits.conf.5.xml
@@ -89,6 +89,11 @@
+ + NOTE: group and wildcard limits are not + applied to the root user. To set a limit for the root user, this field + must contain the literal username root. +
@@ -320,6 +325,7 @@
 * soft core 0
+root hard core 100000
 * hard nofile 512
 @student hard nproc 20
 @faculty soft nproc 20
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 1e4dfa3..7eb93c0 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -93,6 +93,7 @@ struct user_limits_struct {
 /* internal data */
 struct pam_limit_s {
+ int root; /* running as root? */
 int login_limit; /* the max logins limit */
 int login_limit_def; /* which entry set the login limit */
 int flag_numsyslogins; /* whether to limit logins only for a
@@ -539,6 +540,8 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
 D(("called."));
+ pl->root = 0;
+
 for(i = 0; i < RLIM_NLIMITS; i++) {
 int r = getrlimit(i, &pl->limits[i].limit);
 if (r == -1) {
@@ -1020,7 +1023,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
 if (strcmp(uname, domain) == 0) /* this user has a limit */
 process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
- else if (domain[0]=='@') {
+ else if (domain[0]=='@' && !pl->root) {
 if (ctrl & PAM_DEBUG_ARG) {
 pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s",
@@ -1046,7 +1049,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
 process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, pl);
 }
- } else if (domain[0]=='%') {
+ } else if (domain[0]=='%' && !pl->root) {
 if (ctrl & PAM_DEBUG_ARG) {
 pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s",
@@ -1081,7 +1084,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
 } else {
 switch(rngtype) {
 case LIMIT_RANGE_NONE:
- if (strcmp(domain, "*") == 0)
+ if (strcmp(domain, "*") == 0 && !pl->root)
 process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, pl);
 break;
@@ -1372,6 +1375,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 return PAM_ABORT;
 }
+ if (pwd->pw_uid == 0)
+ pl->root = 1;
 retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl, conf_file_set_by_user);
 if (retval == PAM_IGNORE) {
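Review bot: The new `int root` field in `struct pam_limit_s` carries information parse_config_file already receives: its `uid_t uid` parameter is visible in the header of each of the three parse_config_file hunks, so `uid != 0` would express the same condition without adding state that is zeroed in init_limits (second hunk) and set in pam_sm_open_session (last hunk). If the field is kept, its comment should name the writer and the effect, e.g. `int root; /* uid-0 session: skip @group, %group and * entries; set by pam_sm_open_session */`, since it is written in one function and read in another. The `pl->root = 1` assignment also relies on init_limits having already run; the `return PAM_ABORT;` check just above it suggests that order but the hunk does not show the call. struct pam_limit_s and pam_sm_open_session both continue past their hunks.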
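Review bot: For a uid-0 session the `&& !pl->root` added to the `@` and `%` conditions (third and fourth hunks) does not stop processing of the entry; it makes the chain fall through to the trailing `else`, whose `switch(rngtype)` (fifth hunk) is written for plain uid-range domains. Only `case LIMIT_RANGE_NONE` is visible there, and for it the `*` comparison is now guarded, but if the other `LIMIT_RANGE_*` cases compare `uid` against a parsed range, a `@`/`%` group entry whose range includes 0 would be evaluated as if it were a uid range and could apply to root, contrary to the commit message. A clearer shape keeps the skip explicit, e.g. `else if (pl->root && (domain[0]=='@' || domain[0]=='%')) { /* group entries never apply to root */ }` placed before the existing `@` branch, so the original branches stay unchanged. parse_config_file's body and the switch continue outside these hunks.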