summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteve Langasek <vorlon@debian.org>2009-03-02 15:10:49 -0800
committerSteve Langasek <vorlon@debian.org>2019-01-08 17:27:15 -0800
commitd981293e1a045b4e94a6f168f959a1e9e1cf8057 (patch)
treed3588e20731006c3c6f04f98f3adc4db6784e794
parent6e7d2d658dfbbb84f6c7727c3bcf56efe6872a9e (diff)
revert the 'fix' for bug #515673, since this isn't really a bug at all.
-rw-r--r--debian/changelog13
-rw-r--r--debian/patches-applied/027_pam_limits_better_init_allow_explicit_root47
2 files changed, 13 insertions, 47 deletions
diff --git a/debian/changelog b/debian/changelog
index 1bd70490..cd803d0e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,16 +1,11 @@
pam (1.0.1-7) UNRELEASED; urgency=low
* 027_pam_limits_better_init_allow_explicit_root:
- - RLIM_INFINITY may or may not be invalid for RLIMIT_NOFILE, but we
- don't want to set a hard limit of 1024 by default; try to set this
- limit to the value of /proc/sys/fs/nr_open if we can, or fall back
- to RLIM_INFINITY. Closes: #515673, LP: #327597.
- - also fix the patch so that our limit resets are actually
- *applied*, which has apparently been broken for who knows how
- long!
+ - fix the patch so that our limit resets are actually *applied*,
+ which has apparently been broken for who knows how long!
- shadow the finite kernel defaults for RLIMIT_SIGPENDING and
- RLIMIT_MSGQUEUE as well, so that the preceding changes don't suddenly
- expose systems to DoS or other issues.
+ RLIMIT_MSGQUEUE as well, so that the preceding change doesn't
+ suddenly expose systems to DoS or other issues.
-- Steve Langasek <vorlon@debian.org> Mon, 02 Mar 2009 01:07:43 -0800
diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
index c3854d8e..d6d55c22 100644
--- a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
+++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
@@ -4,18 +4,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
===================================================================
--- pam.deb.orig/modules/pam_limits/pam_limits.c
+++ pam.deb/modules/pam_limits/pam_limits.c
-@@ -55,6 +55,10 @@
- #define LIMITS_DEF_DEFAULT 4 /* limit was set by an default entry */
- #define LIMITS_DEF_NONE 5 /* this limit was not set yet */
-
-+/* file in /proc on Linux that we read to get the total number of open
-+ files allowed on the system */
-+#define NR_OPEN_FILES "/proc/sys/fs/nr_open"
-+
- static const char *limits_def_names[] = {
- "USER",
- "GROUP",
-@@ -74,6 +78,7 @@
+@@ -74,6 +74,7 @@
/* internal data */
struct pam_limit_s {
@@ -23,33 +12,15 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
int login_limit; /* the max logins limit */
int login_limit_def; /* which entry set the login limit */
int flag_numsyslogins; /* whether to limit logins only for a
-@@ -228,9 +233,25 @@
- {
- int i;
- int retval = PAM_SUCCESS;
-+ static rlim_t nofiles_max = RLIM_INFINITY;
-+ static int nofiles_init = 0;
+@@ -231,6 +232,7 @@
D(("called."));
-+ if (nofiles_init == 0) {
-+ FILE *nr_open;
-+ unsigned long long ull_nofiles = 0;
-+
-+ nofiles_init = 1;
-+ nr_open = fopen(NR_OPEN_FILES, "r");
-+ if (nr_open != NULL) {
-+ if (fscanf(nr_open, "%Lu", &ull_nofiles) == 1)
-+ nofiles_max = ull_nofiles;
-+ fclose(nr_open);
-+ }
-+ }
-+
+ pl->root = 0;
for(i = 0; i < RLIM_NLIMITS; i++) {
int r = getrlimit(i, &pl->limits[i].limit);
if (r == -1) {
-@@ -240,8 +261,53 @@
+@@ -240,8 +242,53 @@
}
} else {
pl->limits[i].supported = 1;
@@ -95,7 +66,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
+ break;
+ case RLIMIT_NOFILE:
+ pl->limits[i].limit.rlim_cur = 1024;
-+ pl->limits[i].limit.rlim_max = nofiles_max;
++ pl->limits[i].limit.rlim_max = 1024;
+ break;
+ default:
+ pl->limits[i].src_soft = LIMITS_DEF_NONE;
@@ -105,7 +76,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
}
}
-@@ -524,7 +590,7 @@
+@@ -524,7 +571,7 @@
if (strcmp(uname, domain) == 0) /* this user have a limit */
process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
@@ -114,7 +85,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
-@@ -533,7 +599,7 @@
+@@ -533,7 +580,7 @@
if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1))
process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
pl);
@@ -123,7 +94,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
-@@ -547,7 +613,7 @@
+@@ -547,7 +594,7 @@
process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
pl);
}
@@ -132,7 +103,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
pl);
} else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */
-@@ -582,6 +648,12 @@
+@@ -582,6 +629,12 @@
int status;
int retval = LIMITED_OK;
@@ -145,7 +116,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) {
if (!pl->limits[i].supported) {
/* skip it if its not known to the system */
-@@ -675,6 +747,8 @@
+@@ -675,6 +728,8 @@
return PAM_ABORT;
}