Diffstat (limited to 'debian/patches-applied/008_modules_pam_limits_chroot')
-rw-r--r--debian/patches-applied/008_modules_pam_limits_chroot346
1 files changed, 346 insertions, 0 deletions
diff --git a/debian/patches-applied/008_modules_pam_limits_chroot b/debian/patches-applied/008_modules_pam_limits_chroot
new file mode 100644
index 00000000..b00ba90f
--- /dev/null
+++ b/debian/patches-applied/008_modules_pam_limits_chroot
@@ -0,0 +1,346 @@
+Index: Linux-PAM/modules/pam_limits/pam_limits.c
+===================================================================
+--- Linux-PAM/modules/pam_limits/pam_limits.c.orig
++++ Linux-PAM/modules/pam_limits/pam_limits.c
+@@ -74,6 +74,7 @@
+ int flag_numsyslogins; /* whether to limit logins only for a
+ specific user or to count all logins */
+ int priority; /* the priority to run user process with */
++ char chroot_dir[8092]; /* directory to chroot into */
+ struct user_limits_struct limits[RLIM_NLIMITS];
+ char conf_file[BUFSIZ];
+ int utmp_after_pam_call;
+@@ -84,6 +85,7 @@
+ #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
+
+ #define LIMIT_PRI RLIM_NLIMITS+3
++#define LIMIT_CHROOT RLIM_NLIMITS+4
+
+ #define LIMIT_SOFT 1
+ #define LIMIT_HARD 2
+@@ -238,6 +240,8 @@
+ pl->login_limit = -2;
+ pl->login_limit_def = LIMITS_DEF_NONE;
+
++ pl->chroot_dir[0] = '\0';
++
+ return retval;
+ }
+
+@@ -306,6 +310,8 @@
+ pl->flag_numsyslogins = 1;
+ } else if (strcmp(lim_item, "priority") == 0) {
+ limit_item = LIMIT_PRI;
++ } else if (strcmp(lim_item, "chroot") == 0) {
++ limit_item = LIMIT_CHROOT;
+ } else {
+ pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
+ return;
+@@ -343,9 +349,9 @@
+ pam_syslog(pamh, LOG_DEBUG,
+ "wrong limit value '%s' for limit type '%s'",
+ lim_value, lim_type);
+- return;
++ return;
+ }
+- } else {
++ } else if (limit_item != LIMIT_CHROOT) {
+ #ifdef __USE_FILE_OFFSET64
+ rlimit_value = strtoull (lim_value, &endptr, 10);
+ #else
+@@ -392,7 +398,9 @@
+ break;
+ }
+
+- if ( (limit_item != LIMIT_LOGIN)
++ if (limit_item == LIMIT_CHROOT)
++ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir));
++ else if ( (limit_item != LIMIT_LOGIN)
+ && (limit_item != LIMIT_NUMSYSLOGINS)
+ && (limit_item != LIMIT_PRI) ) {
+ if (limit_type & LIMIT_SOFT) {
+@@ -590,6 +598,13 @@
+ retval |= LOGIN_ERR;
+ }
+
++ if (!retval && pl->chroot_dir[0]) {
++ i = chdir(pl->chroot_dir);
++ if (i == 0)
++ i = chroot(pl->chroot_dir);
++ if (i != 0)
++ retval = LIMIT_ERR;
++ }
+ return retval;
+ }
+
+Index: Linux-PAM/modules/pam_limits/limits.conf.5.xml
+===================================================================
+--- Linux-PAM/modules/pam_limits/limits.conf.5.xml.orig
++++ Linux-PAM/modules/pam_limits/limits.conf.5.xml
+@@ -223,6 +223,12 @@
+ (Linux 2.6.12 and higher)</para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term><option>chroot</option></term>
++ <listitem>
++ <para>the directory to chroot the user to</para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ </listitem>
+ </varlistentry>
+Index: Linux-PAM/modules/pam_limits/limits.conf.5
+===================================================================
+--- Linux-PAM/modules/pam_limits/limits.conf.5.orig
++++ Linux-PAM/modules/pam_limits/limits.conf.5
+@@ -1,11 +1,11 @@
+ .\" Title: limits.conf
+ .\" Author:
+-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+-.\" Date: 06/22/2006
+-.\" Manual: Linux\-PAM Manual
+-.\" Source: Linux\-PAM Manual
++.\" Generator: DocBook XSL Stylesheets v1.72.0 <http://docbook.sf.net/>
++.\" Date: 08/19/2007
++.\" Manual: Linux-PAM Manual
++.\" Source: Linux-PAM Manual
+ .\"
+-.TH "LIMITS.CONF" "5" "06/22/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
++.TH "LIMITS.CONF" "5" "08/19/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+ .\" disable hyphenation
+ .nh
+ .\" disable justification (adjust text to left margin only)
+@@ -23,38 +23,45 @@
+ \fI<value>\fR
+ .PP
+ The fields listed above should be filled as follows:
+-.TP 3n
++.PP
+ \fB<domain>\fR
+-.RS 3n
+-.TP 3n
+-\(bu
+-a username
+-.TP 3n
+-\(bu
+-a groupname, with
++.RS 4
++.sp
++.RS 4
++\h'-04'\(bu\h'+03'a username
++.RE
++.sp
++.RS 4
++\h'-04'\(bu\h'+03'a groupname, with
+ \fB@group\fR
+ syntax. This should not be confused with netgroups.
+-.TP 3n
+-\(bu
+-the wildcard
++.RE
++.sp
++.RS 4
++\h'-04'\(bu\h'+03'the wildcard
+ \fB*\fR, for default entry.
+-.TP 3n
+-\(bu
+-the wildcard
++.RE
++.sp
++.RS 4
++\h'-04'\(bu\h'+03'the wildcard
+ \fB%\fR, for maxlogins limit only, can also be used with
+ \fI%group\fR
+ syntax.
+ .RE
+-.TP 3n
++.RE
++.PP
+ \fB<type>\fR
+-.RS 3n
+-.TP 3n
++.RS 4
++.PP
+ \fBhard\fR
++.RS 4
+ for enforcing
+ \fBhard\fR
+ resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values.
+-.TP 3n
++.RE
++.PP
+ \fBsoft\fR
++.RS 4
+ for enforcing
+ \fBsoft\fR
+ resource limits. These limits are ones that the user can move up or down within the permitted range by any pre\-exisiting
+@@ -62,8 +69,10 @@
+ limits. The values specified with this token can be thought of as
+ \fIdefault\fR
+ values, for normal system usage.
+-.TP 3n
++.RE
++.PP
+ \fB\-\fR
++.RS 4
+ for enforcing both
+ \fBsoft\fR
+ and
+@@ -72,65 +81,107 @@
+ .sp
+ Note, if you specify a type of '\-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc. .
+ .RE
+-.TP 3n
++.RE
++.PP
+ \fB<item>\fR
+-.RS 3n
+-.TP 3n
++.RS 4
++.PP
+ \fBcore\fR
++.RS 4
+ limits the core file size (KB)
+-.TP 3n
++.RE
++.PP
+ \fBdata\fR
++.RS 4
+ maximum data size (KB)
+-.TP 3n
++.RE
++.PP
+ \fBfsize\fR
++.RS 4
+ maximum filesize (KB)
+-.TP 3n
++.RE
++.PP
+ \fBmemlock\fR
++.RS 4
+ maximum locked\-in\-memory address space (KB)
+-.TP 3n
++.RE
++.PP
+ \fBnofile\fR
++.RS 4
+ maximum number of open files
+-.TP 3n
++.RE
++.PP
+ \fBrss\fR
++.RS 4
+ maximum resident set size (KB)
+-.TP 3n
++.RE
++.PP
+ \fBstack\fR
++.RS 4
+ maximum stack size (KB)
+-.TP 3n
++.RE
++.PP
+ \fBcpu\fR
++.RS 4
+ maximum CPU time (minutes)
+-.TP 3n
++.RE
++.PP
+ \fBnproc\fR
++.RS 4
+ maximum number of processes
+-.TP 3n
++.RE
++.PP
+ \fBas\fR
++.RS 4
+ address space limit
+-.TP 3n
++.RE
++.PP
+ \fBmaxlogins\fR
++.RS 4
+ maximum number of logins for this user
+-.TP 3n
++.RE
++.PP
+ \fBmaxsyslogins\fR
++.RS 4
+ maximum number of logins on system
+-.TP 3n
++.RE
++.PP
+ \fBpriority\fR
++.RS 4
+ the priority to run user process with (negative values boost process priority)
+-.TP 3n
++.RE
++.PP
+ \fBlocks\fR
++.RS 4
+ maximum locked files (Linux 2.4 and higher)
+-.TP 3n
++.RE
++.PP
+ \fBsigpending\fR
++.RS 4
+ maximum number of pending signals (Linux 2.6 and higher)
+-.TP 3n
++.RE
++.PP
+ \fBmsqqueue\fR
++.RS 4
+ maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher)
+-.TP 3n
++.RE
++.PP
+ \fBnice\fR
++.RS 4
+ maximum nice priority allowed to raise to (Linux 2.6.12 and higher)
+-.TP 3n
++.RE
++.PP
+ \fBrtprio\fR
++.RS 4
+ maximum realtime priority allowed for non\-privileged processes (Linux 2.6.12 and higher)
+ .RE
+ .PP
++\fBchroot\fR
++.RS 4
++the directory to chroot the user to
++.RE
++.RE
++.PP
+ In general, individual limits have priority over group limits, so if you impose no limits for
+ \fIadmin\fR
+ group, but one of the members in this group have a limits line, the user will have its limits set according to this line.
+@@ -149,7 +200,7 @@
+ These are some example lines which might be specified in
+ \fI/etc/security/limits.conf\fR.
+ .sp
+-.RS 3n
++.RS 4
+ .nf
+ * soft core 0
+ * hard rss 10000
+Index: Linux-PAM/modules/pam_limits/limits.conf
+===================================================================
+--- Linux-PAM/modules/pam_limits/limits.conf.orig
++++ Linux-PAM/modules/pam_limits/limits.conf
+@@ -35,6 +35,7 @@
+ # - msgqueue - max memory used by POSIX message queues (bytes)
+ # - nice - max nice priority allowed to raise to
+ # - rtprio - max realtime priority
++# - chroot - change root to directory (Debian-specific)
+ #
+ #<domain> <type> <item> <value>
+ #
+@@ -45,6 +46,7 @@
+ #@faculty soft nproc 20
+ #@faculty hard nproc 50
+ #ftp hard nproc 0
++#ftp - chroot /ftp
+ #@student - maxlogins 4
+
+ # End of file
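Review bot: The `strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir));` added in the `@@ -392,7 +398,9 @@` hunk of pam_limits.c leaves `chroot_dir` without a NUL terminator when the configured value is 8092 bytes or longer, and the later `chdir(pl->chroot_dir)` / `chroot(pl->chroot_dir)` in the `@@ -590,6 +598,13 @@` hunk then read past the array; a shorter value is fine, but an over-long one is silently truncated to a different directory instead of being rejected. Replace it with `if (snprintf(pl->chroot_dir, sizeof(pl->chroot_dir), "%s", value_orig) >= (int)sizeof(pl->chroot_dir)) { pam_syslog(pamh, LOG_DEBUG, "chroot path too long"); return; }` so the copy always terminates and truncation is treated as a configuration error, mirroring how the same function already rejects a bad `lim_value`. The odd size `8092` on the struct member reads like a typo for 8192 or PATH_MAX; naming the intent in the field comment would help. The new documentation lines in limits.conf.5.xml and limits.conf say only "the directory to chroot the user to"; it would be worth adding that the value is applied as-is at session setup and should be an absolute path, since the parser performs no validation on it. Both modified functions in pam_limits.c start and end outside the quoted context.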