summaryrefslogtreecommitdiff
path: root/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches-applied/027_pam_limits_better_init_allow_explicit_root')
-rw-r--r--debian/patches-applied/027_pam_limits_better_init_allow_explicit_root300
1 files changed, 65 insertions, 235 deletions
diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
index 59c0d943..717fdd5c 100644
--- a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
+++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
@@ -4,26 +4,20 @@ Description: Allow explicit limits for root and reset limits on each session
want to use the default, not the current value configured for the
source account.
.
- On Linux, we query default limits by parsing /proc/1/limits, so that we
- can sanely inherit kernel defaults that vary with system resources (such as
- nproc). If /proc/1/limits is unavailable, fall back to a set of
- hard-coded values that shadow the currently known defaults on Linux.
+ If /proc/1/limits is unavailable, fall back to a set of hard-coded values
+ that shadow the currently known defaults on Linux.
.
Also, don't apply wildcard limits to the root account; only apply limits to
root that reference root by name.
Author: Peter Paluch <peterp@frcatel.fri.utc.sk>,
Ben Collins <bcollins@debian.org>,
Steve Langasek <vorlon@debian.org>,
- Kees Cook <kees@ubuntu.com>
-Bug-Ubuntu: https://launchpad.net/bugs/746655
Bug-Debian: http://bugs.debian.org/63230
-Bug-Debian: http://bugs.debian.org/620302
-Forwarded: https://fedorahosted.org/pipermail/pam-developers/2011-March/000017.html
-Index: pam-debian/modules/pam_limits/pam_limits.c
+Index: pam.debian/modules/pam_limits/pam_limits.c
===================================================================
---- pam-debian.orig/modules/pam_limits/pam_limits.c
-+++ pam-debian/modules/pam_limits/pam_limits.c
-@@ -45,15 +45,24 @@
+--- pam.debian.orig/modules/pam_limits/pam_limits.c
++++ pam.debian/modules/pam_limits/pam_limits.c
+@@ -45,6 +45,14 @@
#include <libaudit.h>
#endif
@@ -38,28 +32,7 @@ Index: pam-debian/modules/pam_limits/pam_limits.c
/* Module defines */
#define LINE_LENGTH 1024
- #define LIMITS_DEF_USER 0 /* limit was set by an user entry */
- #define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */
- #define LIMITS_DEF_ALLGROUP 2 /* limit was set by a group entry */
--#define LIMITS_DEF_ALL 3 /* limit was set by an default entry */
--#define LIMITS_DEF_DEFAULT 4 /* limit was set by an default entry */
--#define LIMITS_DEF_NONE 5 /* this limit was not set yet */
-+#define LIMITS_DEF_ALL 3 /* limit was set by an all entry */
-+#define LIMITS_DEF_DEFAULT 4 /* limit was set by an internal default entry */
-+#define LIMITS_DEF_KERNEL 5 /* limit was set from /proc/1/limits */
-+#define LIMITS_DEF_NONE 6 /* this limit was not set yet */
-
- static const char *limits_def_names[] = {
- "USER",
-@@ -61,6 +70,7 @@
- "ALLGROUP",
- "ALL",
- "DEFAULT",
-+ "KERNEL",
- "NONE",
- NULL
- };
-@@ -74,6 +84,7 @@
+@@ -82,6 +90,7 @@
/* internal data */
struct pam_limit_s {
@@ -67,145 +40,7 @@ Index: pam-debian/modules/pam_limits/pam_limits.c
int login_limit; /* the max logins limit */
int login_limit_def; /* which entry set the login limit */
int flag_numsyslogins; /* whether to limit logins only for a
-@@ -291,13 +302,155 @@
- return 0;
- }
-
--static int init_limits(struct pam_limit_s *pl)
-+static const char * lnames[RLIM_NLIMITS] = {
-+ [RLIMIT_CPU] = "Max cpu time",
-+ [RLIMIT_FSIZE] = "Max file size",
-+ [RLIMIT_DATA] = "Max data size",
-+ [RLIMIT_STACK] = "Max stack size",
-+ [RLIMIT_CORE] = "Max core file size",
-+ [RLIMIT_RSS] = "Max resident set",
-+ [RLIMIT_NPROC] = "Max processes",
-+ [RLIMIT_NOFILE] = "Max open files",
-+ [RLIMIT_MEMLOCK] = "Max locked memory",
-+#ifdef RLIMIT_AS
-+ [RLIMIT_AS] = "Max address space",
-+#endif
-+#ifdef RLIMIT_LOCKS
-+ [RLIMIT_LOCKS] = "Max file locks",
-+#endif
-+#ifdef RLIMIT_SIGPENDING
-+ [RLIMIT_SIGPENDING] = "Max pending signals",
-+#endif
-+#ifdef RLIMIT_MSGQUEUE
-+ [RLIMIT_MSGQUEUE] = "Max msgqueue size",
-+#endif
-+#ifdef RLIMIT_NICE
-+ [RLIMIT_NICE] = "Max nice priority",
-+#endif
-+#ifdef RLIMIT_RTPRIO
-+ [RLIMIT_RTPRIO] = "Max realtime priority",
-+#endif
-+#ifdef RLIMIT_RTTIME
-+ [RLIMIT_RTTIME] = "Max realtime timeout",
-+#endif
-+};
-+
-+static int str2rlimit(char *name) {
-+ int i;
-+ if (!name || *name == '\0')
-+ return -1;
-+ for(i = 0; i < RLIM_NLIMITS; i++) {
-+ if (strcmp(name, lnames[i]) == 0) return i;
-+ }
-+ return -1;
-+}
-+
-+static rlim_t str2rlim_t(char *value) {
-+ unsigned long long rlimit = 0;
-+
-+ if (!value) return (rlim_t)rlimit;
-+ if (strcmp(value, "unlimited") == 0) {
-+ return RLIM_INFINITY;
-+ }
-+ rlimit = strtoull(value, NULL, 10);
-+ return (rlim_t)rlimit;
-+}
-+
-+#define LIMITS_SKIP_WHITESPACE { \
-+ /* step backwards over spaces */ \
-+ pos--; \
-+ while (pos && line[pos] == ' ') pos--; \
-+ if (!pos) continue; \
-+ line[pos+1] = '\0'; \
-+}
-+#define LIMITS_MARK_ITEM(item) { \
-+ /* step backwards over non-spaces */ \
-+ pos--; \
-+ while (pos && line[pos] != ' ') pos--; \
-+ if (!pos) continue; \
-+ item = line + pos + 1; \
-+}
-+
-+static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
-+{
-+ int i, maxlen = 0;
-+ FILE *limitsfile;
-+ const char *proclimits = "/proc/1/limits";
-+ char line[256];
-+ char *units, *hard, *soft, *name;
-+
-+ if (!(limitsfile = fopen(proclimits, "r"))) {
-+ pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM internal defaults", proclimits, strerror(errno));
-+ return;
-+ }
-+
-+ while (fgets(line, 256, limitsfile)) {
-+ int pos = strlen(line);
-+ if (pos < 2) continue;
-+
-+ /* drop trailing newline */
-+ if (line[pos-1] == '\n') {
-+ pos--;
-+ line[pos] = '\0';
-+ }
-+
-+ /* determine formatting boundry of limits report */
-+ if (!maxlen && strncmp(line, "Limit", 5) == 0) {
-+ maxlen = pos;
-+ continue;
-+ }
-+
-+ if (pos == maxlen) {
-+ /* step backwards over "Units" name */
-+ LIMITS_SKIP_WHITESPACE;
-+ LIMITS_MARK_ITEM(units);
-+ }
-+ else {
-+ units = "";
-+ }
-+
-+ /* step backwards over "Hard Limit" value */
-+ LIMITS_SKIP_WHITESPACE;
-+ LIMITS_MARK_ITEM(hard);
-+
-+ /* step backwards over "Soft Limit" value */
-+ LIMITS_SKIP_WHITESPACE;
-+ LIMITS_MARK_ITEM(soft);
-+
-+ /* step backwards over name of limit */
-+ LIMITS_SKIP_WHITESPACE;
-+ name = line;
-+
-+ i = str2rlimit(name);
-+ if (i < 0 || i >= RLIM_NLIMITS) {
-+ if (ctrl & PAM_DEBUG_ARG)
-+ pam_syslog(pamh, LOG_DEBUG, "Unknown kernel rlimit '%s' ignored", name);
-+ continue;
-+ }
-+ pl->limits[i].limit.rlim_cur = str2rlim_t(soft);
-+ pl->limits[i].limit.rlim_max = str2rlim_t(hard);
-+ pl->limits[i].src_soft = LIMITS_DEF_KERNEL;
-+ pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
-+ }
-+ fclose(limitsfile);
-+}
-+
-+static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
+@@ -436,9 +445,18 @@
{
int i;
int retval = PAM_SUCCESS;
@@ -224,22 +59,24 @@ Index: pam-debian/modules/pam_limits/pam_limits.c
for(i = 0; i < RLIM_NLIMITS; i++) {
int r = getrlimit(i, &pl->limits[i].limit);
if (r == -1) {
-@@ -312,6 +465,71 @@
- }
+@@ -454,18 +472,68 @@
}
-+#ifdef __linux__
+ #ifdef __linux__
+- if (ctrl & PAM_SET_ALL) {
+- parse_kernel_limits(pamh, pl, ctrl);
+ parse_kernel_limits(pamh, pl, ctrl);
+#endif
-+
+
+- for(i = 0; i < RLIM_NLIMITS; i++) {
+ for(i = 0; i < RLIM_NLIMITS; i++) {
-+ if (pl->limits[i].supported &&
-+ (pl->limits[i].src_soft == LIMITS_DEF_NONE ||
-+ pl->limits[i].src_hard == LIMITS_DEF_NONE)) {
+ if (pl->limits[i].supported &&
+ (pl->limits[i].src_soft == LIMITS_DEF_NONE ||
+ pl->limits[i].src_hard == LIMITS_DEF_NONE)) {
+- pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i));
+#ifdef __linux__
-+ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM internal default", rlimit2str(i));
++ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i));
+#endif
-+
+ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT;
+ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT;
+ switch(i) {
@@ -290,59 +127,53 @@ Index: pam-debian/modules/pam_limits/pam_limits.c
+ pl->limits[i].src_hard = LIMITS_DEF_NONE;
+ break;
+ }
-+ }
-+ }
-+
+ }
+- }
+ }
+-#endif
+
errno = 0;
pl->priority = getpriority (PRIO_PROCESS, 0);
- if (pl->priority == -1 && errno != 0)
-@@ -591,7 +809,7 @@
+@@ -804,7 +872,7 @@
if (strcmp(uname, domain) == 0) /* this user have a limit */
process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
- else if (domain[0]=='@') {
+ else if (domain[0]=='@' && !pl->root) {
- if (ctrl & PAM_DEBUG_ARG) {
+ if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
-@@ -600,7 +818,7 @@
- if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1))
- process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
- pl);
+@@ -830,7 +898,7 @@
+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
+ pl);
+ }
- } else if (domain[0]=='%') {
+ } else if (domain[0]=='%' && !pl->root) {
- if (ctrl & PAM_DEBUG_ARG) {
+ if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
-@@ -614,7 +832,7 @@
- process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
- pl);
- }
-- } else if (strcmp(domain, "*") == 0)
-+ } else if (strcmp(domain, "*") == 0 && !pl->root)
- process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
- pl);
- } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */
-@@ -743,12 +961,14 @@
- return PAM_USER_UNKNOWN;
- }
-
-- retval = init_limits(pl);
-+ retval = init_limits(pamh, pl, ctrl);
- if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_WARNING, "cannot initialize");
+@@ -864,7 +932,7 @@
+ } else {
+ switch(rngtype) {
+ case LIMIT_RANGE_NONE:
+- if (strcmp(domain, "*") == 0)
++ if (strcmp(domain, "*") == 0 && !pl->root)
+ process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
+ pl);
+ break;
+@@ -1050,6 +1118,8 @@
return PAM_ABORT;
}
+ if (pwd->pw_uid == 0)
+ pl->root = 1;
- retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl);
+ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl);
if (retval == PAM_IGNORE) {
D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE));
-Index: pam-debian/modules/pam_limits/limits.conf
+Index: pam.debian/modules/pam_limits/limits.conf
===================================================================
---- pam-debian.orig/modules/pam_limits/limits.conf
-+++ pam-debian/modules/pam_limits/limits.conf
+--- pam.debian.orig/modules/pam_limits/limits.conf
++++ pam.debian/modules/pam_limits/limits.conf
@@ -11,6 +11,9 @@
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
@@ -361,11 +192,11 @@ Index: pam-debian/modules/pam_limits/limits.conf
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
-Index: pam-debian/modules/pam_limits/limits.conf.5.xml
+Index: pam.debian/modules/pam_limits/limits.conf.5.xml
===================================================================
---- pam-debian.orig/modules/pam_limits/limits.conf.5.xml
-+++ pam-debian/modules/pam_limits/limits.conf.5.xml
-@@ -57,6 +57,11 @@
+--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml
++++ pam.debian/modules/pam_limits/limits.conf.5.xml
+@@ -88,6 +88,11 @@
</para>
</listitem>
</itemizedlist>
@@ -377,47 +208,46 @@ Index: pam-debian/modules/pam_limits/limits.conf.5.xml
</listitem>
</varlistentry>
-@@ -278,6 +283,7 @@
+@@ -309,6 +314,7 @@
</para>
<programlisting>
* soft core 0
+root hard core 100000
- * hard rss 10000
+ * hard nofile 512
@student hard nproc 20
@faculty soft nproc 20
-Index: pam-debian/modules/pam_limits/limits.conf.5
+Index: pam.debian/modules/pam_limits/limits.conf.5
===================================================================
---- pam-debian.orig/modules/pam_limits/limits.conf.5
-+++ pam-debian/modules/pam_limits/limits.conf.5
-@@ -93,6 +93,11 @@
- \fI%group\fR
- syntax\&.
+--- pam.debian.orig/modules/pam_limits/limits.conf.5
++++ pam.debian/modules/pam_limits/limits.conf.5
+@@ -132,6 +132,10 @@
+ \fB%:\fR\fI<gid>\fR
+ applicable to maxlogins limit only\&. It limits the total number of logins of all users that are member of the group with the specified gid\&.
.RE
-+.RS 4
-+
++.sp
+\fBNOTE:\fR
+group and wildcard limits are not applied to the root user\&. To set a limit for the root user, this field must contain the literal username
+\fBroot\fR\&.
.RE
.PP
\fB<type>\fR
-@@ -265,6 +270,7 @@
+@@ -304,6 +308,7 @@
.\}
.nf
* soft core 0
+root hard core 100000
- * hard rss 10000
+ * hard nofile 512
@student hard nproc 20
@faculty soft nproc 20
-Index: pam-debian/modules/pam_limits/README
+Index: pam.debian/modules/pam_limits/README
===================================================================
---- pam-debian.orig/modules/pam_limits/README
-+++ pam-debian/modules/pam_limits/README
-@@ -55,6 +55,7 @@
+--- pam.debian.orig/modules/pam_limits/README
++++ pam.debian/modules/pam_limits/README
+@@ -54,6 +54,7 @@
limits.conf.
* soft core 0
+root hard core 100000
- * hard rss 10000
+ * hard nofile 512
@student hard nproc 20
@faculty soft nproc 20