1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
From: Peter Paluch <peterp@frcatel.fri.utc.sk>
Date: Mon, 11 Sep 2023 14:00:42 -0600
Subject: Root limits must be explicit
Bug-Debian: http://bugs.debian.org/63230
Don't apply wildcard limits to the root account; only apply limits to
root that reference root by name.
===================================================================
---
modules/pam_limits/limits.conf | 4 ++++
modules/pam_limits/limits.conf.5.xml | 6 ++++++
modules/pam_limits/pam_limits.c | 11 ++++++++---
3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf
index e8a746c..c6b058a 100644
--- a/modules/pam_limits/limits.conf
+++ b/modules/pam_limits/limits.conf
@@ -22,6 +22,9 @@
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
+# - NOTE: group and wildcard limits are not applied to root.
+# To apply a limit to the root user, <domain> must be
+# the literal username root.
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
@@ -51,6 +54,7 @@
#
#* soft core 0
+#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
index dd8d68b..803cb4e 100644
--- a/modules/pam_limits/limits.conf.5.xml
+++ b/modules/pam_limits/limits.conf.5.xml
@@ -89,6 +89,11 @@
</para>
</listitem>
</itemizedlist>
+ <para>
+ <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not
+ applied to the root user. To set a limit for the root user, this field
+ must contain the literal username <emphasis remap='B'>root</emphasis>.
+ </para>
</listitem>
</varlistentry>
@@ -320,6 +325,7 @@
</para>
<programlisting>
* soft core 0
+root hard core 100000
* hard nofile 512
@student hard nproc 20
@faculty soft nproc 20
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 1e4dfa3..7eb93c0 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -93,6 +93,7 @@ struct user_limits_struct {
/* internal data */
struct pam_limit_s {
+ int root; /* running as root? */
int login_limit; /* the max logins limit */
int login_limit_def; /* which entry set the login limit */
int flag_numsyslogins; /* whether to limit logins only for a
@@ -539,6 +540,8 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
D(("called."));
+ pl->root = 0;
+
for(i = 0; i < RLIM_NLIMITS; i++) {
int r = getrlimit(i, &pl->limits[i].limit);
if (r == -1) {
@@ -1020,7 +1023,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
if (strcmp(uname, domain) == 0) /* this user has a limit */
process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
- else if (domain[0]=='@') {
+ else if (domain[0]=='@' && !pl->root) {
if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
@@ -1046,7 +1049,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
pl);
}
- } else if (domain[0]=='%') {
+ } else if (domain[0]=='%' && !pl->root) {
if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
@@ -1081,7 +1084,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
} else {
switch(rngtype) {
case LIMIT_RANGE_NONE:
- if (strcmp(domain, "*") == 0)
+ if (strcmp(domain, "*") == 0 && !pl->root)
process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
pl);
break;
@@ -1372,6 +1375,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
return PAM_ABORT;
}
+ if (pwd->pw_uid == 0)
+ pl->root = 1;
retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid,
ctrl, pl, conf_file_set_by_user);
if (retval == PAM_IGNORE) {
|
