author | Steve Langasek <vorlon@debian.org> | 2009-03-02 02:49:53 -0800 |
---|---|---|
committer | Steve Langasek <vorlon@debian.org> | 2019-01-08 17:27:14 -0800 |
commit | 987fbc2a1b293b576408535446aac8d2573744ec (patch) | |
tree | bd4b460ed065bdeef1f821a5934ae9b565574c1d /debian/patches-applied | |
parent | 819aa33df8bd97e7adba17f4c2d549e17981bf47 (diff) |
shadow the finite kernel defaults for RLIMIT_SIGPENDING and
RLIMIT_MSGQUEUE as well, so that the preceding changes don't suddenly
expose systems to DoS or other issues.
Diffstat (limited to 'debian/patches-applied')
-rw-r--r-- | debian/patches-applied/027_pam_limits_better_init_allow_explicit_root | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root index 9f6304f3..c3854d8e 100644 --- a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root +++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root @@ -49,7 +49,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c for(i = 0; i < RLIM_NLIMITS; i++) { int r = getrlimit(i, &pl->limits[i].limit); if (r == -1) { -@@ -240,8 +261,47 @@ +@@ -240,8 +261,53 @@ } } else { pl->limits[i].supported = 1; @@ -70,15 +70,21 @@ Index: pam.deb/modules/pam_limits/pam_limits.c +#ifdef RLIMIT_LOCKS + case RLIMIT_LOCKS: +#endif ++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY; ++ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ break; +#ifdef RLIMIT_SIGPENDING + case RLIMIT_SIGPENDING: ++ pl->limits[i].limit.rlim_cur = 16382; ++ pl->limits[i].limit.rlim_max = 16382; ++ break; +#endif +#ifdef RLIMIT_MSGQUEUE + case RLIMIT_MSGQUEUE: -+#endif -+ pl->limits[i].limit.rlim_cur = RLIM_INFINITY; -+ pl->limits[i].limit.rlim_max = RLIM_INFINITY; ++ pl->limits[i].limit.rlim_cur = 819200; ++ pl->limits[i].limit.rlim_max = 819200; + break; ++#endif + case RLIMIT_CORE: + pl->limits[i].limit.rlim_cur = 0; + pl->limits[i].limit.rlim_max = RLIM_INFINITY; @@ -99,7 +105,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c } } -@@ -524,7 +584,7 @@ +@@ -524,7 +590,7 @@ if (strcmp(uname, domain) == 0) /* this user have a limit */ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); @@ -108,7 +114,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s", -@@ -533,7 +593,7 @@ +@@ -533,7 +599,7 @@ if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, pl); 
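Review bot: The literals `16382` and `819200` in the new `RLIMIT_SIGPENDING` and `RLIMIT_MSGQUEUE` cases (the `@@ -70,15 +70,21 @@` hunk) have no comment tying them to the kernel defaults they are meant to shadow, so a later reader cannot tell them apart from local policy or check them against the kernel. `819200` matches the kernel's `MQ_BYTES_MAX`, but the pending-signal default is, as far as I know, computed from available memory at boot, so a fixed `16382` can be tighter or looser than what the running kernel would hand out; because these two limits are the DoS guard the commit message is about, that gap should be stated. I would add `/* shadows kernel default MQ_BYTES_MAX */` and `/* typical kernel default; the real one scales with RAM */` beside the assignments. The enclosing `switch` begins and ends outside this hunk.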
@@ -117,7 +123,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s", -@@ -547,7 +607,7 @@ +@@ -547,7 +613,7 @@ process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, pl); } @@ -126,7 +132,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, pl); } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */ -@@ -582,6 +642,12 @@ +@@ -582,6 +648,12 @@ int status; int retval = LIMITED_OK; @@ -139,7 +145,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) { if (!pl->limits[i].supported) { /* skip it if its not known to the system */ -@@ -675,6 +741,8 @@ +@@ -675,6 +747,8 @@ return PAM_ABORT; } |