authorSteve Langasek <vorlon@debian.org>2009-03-07 12:54:24 -0800
committerSteve Langasek <vorlon@debian.org>2019-01-08 19:41:18 -0800
commitb8af6bf8dfa1fb83350d7c0e143c5bcfd0b17a08 (patch)
treead594c8411bcfe593d5903793745461ef19a00cc /debian/patches-applied
parent9592c8c0662c5df856b6038a0ccc47f8d52467f2 (diff)
027_pam_limits_better_init_allow_explicit_root: set the RLIMIT_MEMLOCK
limit correctly to match the kernel default, which is not RLIM_INFINITY.
Diffstat (limited to 'debian/patches-applied')
-rw-r--r--debian/patches-applied/027_pam_limits_better_init_allow_explicit_root43
1 files changed, 34 insertions, 9 deletions
diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
index b061152f..574c99b1 100644
--- a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
+++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
@@ -4,7 +4,18 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
===================================================================
--- pam.deb.orig/modules/pam_limits/pam_limits.c
+++ pam.deb/modules/pam_limits/pam_limits.c
-@@ -74,6 +74,7 @@
+@@ -45,6 +45,10 @@
+ #include <libaudit.h>
+ #endif
+
++#ifndef MLOCK_LIMIT
++#define MLOCK_LIMIT (64*1024)
++#endif
++
+ /* Module defines */
+ #define LINE_LENGTH 1024
+
+@@ -74,6 +78,7 @@
/* internal data */
struct pam_limit_s {
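Review bot: `MLOCK_LIMIT` is added without a comment on its unit or origin, and the `#ifndef` guard means any definition that reaches this file from a system header or a `-D` flag silently replaces the default locked-memory limit the module applies to sessions. A comment such as `/* bytes; floor for the default RLIMIT_MEMLOCK, mirrors the kernel default */` would document the value. Dropping the guard, or giving the macro a name specific to this module, would keep a foreign definition from changing a security-relevant default unnoticed.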
@@ -12,15 +23,26 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
int login_limit; /* the max logins limit */
int login_limit_def; /* which entry set the login limit */
int flag_numsyslogins; /* whether to limit logins only for a
-@@ -231,6 +232,7 @@
+@@ -228,9 +233,18 @@
+ {
+ int i;
+ int retval = PAM_SUCCESS;
++ static int mlock_limit = 0;
D(("called."));
+ pl->root = 0;
++
++ if (mlock_limit == 0) {
++ mlock_limit = sysconf(_SC_PAGESIZE);
++ if (mlock_limit < MLOCK_LIMIT)
++ mlock_limit = MLOCK_LIMIT;
++ }
++
for(i = 0; i < RLIM_NLIMITS; i++) {
int r = getrlimit(i, &pl->limits[i].limit);
if (r == -1) {
-@@ -240,8 +242,53 @@
+@@ -240,8 +254,56 @@
}
} else {
pl->limits[i].supported = 1;
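Review bot: `mlock_limit` is declared `int` but receives the `long` result of `sysconf(_SC_PAGESIZE)`, and a failure return of -1 is caught only as a side effect of the `< MLOCK_LIMIT` comparison that follows. Declaring it `long mlock_limit` and adding `/* also covers sysconf() returning -1 */` above the comparison would make that explicit and avoid a narrowing conversion before the value is stored into an `rlim_t`. The `static` cache is written without synchronisation; if the module is ever called from a threaded application that is an unsynchronised shared write, and a plain local computed on each call would cost one cheap `sysconf()` instead. The enclosing function starts and ends outside this hunk.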
@@ -34,7 +56,6 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
+ case RLIMIT_DATA:
+ case RLIMIT_RSS:
+ case RLIMIT_NPROC:
-+ case RLIMIT_MEMLOCK:
+#ifdef RLIMIT_AS
+ case RLIMIT_AS:
+#endif
@@ -44,6 +65,10 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
+ pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
+ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+ break;
++ case RLIMIT_MEMLOCK:
++ pl->limits[i].limit.rlim_cur = mlock_limit;
++ pl->limits[i].limit.rlim_max = mlock_limit;
++ break;
+#ifdef RLIMIT_SIGPENDING
+ case RLIMIT_SIGPENDING:
+ pl->limits[i].limit.rlim_cur = 16382;
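Review bot: The new `RLIMIT_MEMLOCK` case has no comment saying why it is the one memory-related limit not reset to `RLIM_INFINITY`, so a later cleanup could fold it back into the group above and restore unlimited locked memory for every session. A line such as `/* kernel default is max(page size, 64 KiB), not unlimited; unlimited would let any session pin memory */` above the case would record the reason. Setting `rlim_max` to the same value as `rlim_cur` means an unprivileged session cannot raise the limit unless a configured entry overrides it; that looks intended and is worth stating in the same comment. The switch begins and ends outside this hunk.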
@@ -76,7 +101,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
}
}
-@@ -524,7 +571,7 @@
+@@ -524,7 +586,7 @@
if (strcmp(uname, domain) == 0) /* this user have a limit */
process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
@@ -85,7 +110,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
-@@ -533,7 +580,7 @@
+@@ -533,7 +595,7 @@
if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1))
process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
pl);
@@ -94,7 +119,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
-@@ -547,7 +594,7 @@
+@@ -547,7 +609,7 @@
process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
pl);
}
@@ -103,7 +128,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
pl);
} else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */
-@@ -582,6 +629,12 @@
+@@ -582,6 +644,12 @@
int status;
int retval = LIMITED_OK;
@@ -116,7 +141,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) {
if (!pl->limits[i].supported) {
/* skip it if its not known to the system */
-@@ -675,6 +728,8 @@
+@@ -675,6 +743,8 @@
return PAM_ABORT;
}