author: Steve Langasek <vorlon@debian.org> 2014-01-14 19:48:51 -0800
committer: Steve Langasek <vorlon@debian.org> 2014-01-15 09:53:26 -0800
commit: fbc65c39d6853af268c9a093923afc876d0b138e
tree: 3243b091a0432f4d503558ca6ddf2e4d7c4908f3 /modules/pam_limits
parent: 24f3a88e7de52fbfcb7b8a1ebdae0cdbef420edf
pam_namespace: don't use bashisms in default namespace.init script

* modules/pam_namespace/pam_namespace.c: call setuid() before execing the namespace init script, so that scripts run with maximum privilege regardless of the shell implementation.
* modules/pam_namespace/namespace.init: drop the '-p' bashism from the shebang line

This is not a POSIX standard option, it's a bashism. The bash manpage says that it's used to prevent the effective user id from being reset to the real user id on startup, and to ignore certain unsafe variables from the environment. In the case of pam_namespace, the -p is not necessary for environment sanitizing because the PAM module (properly) sanitizes the environment before execing the script.

The stated reason given in CVS history for passing -p is to "preserve euid when called from setuid apps (su, newrole)." This should be done more portably, by calling setuid() before spawning the shell.

Signed-off-by: Steve Langasek <vorlon@debian.org>
Bug-Debian: http://bugs.debian.org/624842
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323

Diffstat (limited to 'modules/pam_limits')
0 files changed, 0 insertions, 0 deletions
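
The pattern the commit message describes, as an added example (not the pam_namespace source): the child makes its real uid equal to its effective uid before exec'ing a POSIX shell with a fixed environment, so no shell-specific flag such as `-p` is needed. The function name `run_privileged_script`, the `PATH` value and the exit codes 126/127 are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run `script` via /bin/sh with ruid == euid and a
 * fixed, minimal environment. Returns the script's exit status, or -1 if
 * the child could not be created or did not exit normally. */
int run_privileged_script(const char *script)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A shell started with ruid != euid may reset euid to ruid on
         * startup (bash does unless given -p). Removing the mismatch here
         * makes the behaviour independent of the shell implementation. */
        if (setuid(geteuid()) < 0)
            _exit(126);
        /* For a non-root euid, setuid() changes only the effective uid,
         * so verify the result and fail closed (a choice of this sketch). */
        if (getuid() != geteuid())
            _exit(126);
        /* The caller's environment is not inherited: envp is built here. */
        char *const argv[] = { "sh", "-c", (char *)script, NULL };
        char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
        execve("/bin/sh", argv, envp);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample input: a one-line script instead of a real init script. */
    setenv("CANARY", "from-caller", 1);
    printf("exit status: %d\n", run_privileged_script("exit 7"));
    printf("CANARY hidden from script: %s\n",
           run_privileged_script("[ -z \"${CANARY+x}\" ]") == 0 ? "yes" : "no");
    return 0;
}
```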