Diffstat (limited to 'debian/patches-applied/027_pam_limits_better_init_allow_explicit_root')
-rw-r--r-- | debian/patches-applied/027_pam_limits_better_init_allow_explicit_root | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
new file mode 100644
index 00000000..0145201d
--- /dev/null
+++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
@@ -0,0 +1,110 @@
+Allow explicit limits for root.
+Also, remove limits on su.
+Index: Linux-PAM/modules/pam_limits/pam_limits.c
+===================================================================
+--- Linux-PAM/modules/pam_limits/pam_limits.c.orig
++++ Linux-PAM/modules/pam_limits/pam_limits.c
+@@ -69,6 +69,7 @@
+
+ /* internal data */
+ struct pam_limit_s {
++ int root; /* running as root? */
+ int login_limit; /* the max logins limit */
+ int login_limit_def; /* which entry set the login limit */
+ int flag_numsyslogins; /* whether to limit logins only for a
+@@ -219,6 +220,7 @@
+
+ D(("called."));
+
++ pl->root = 0;
+ for(i = 0; i < RLIM_NLIMITS; i++) {
+ int r = getrlimit(i, &pl->limits[i].limit);
+ if (r == -1) {
+@@ -230,6 +232,38 @@
+ pl->limits[i].supported = 1;
+ pl->limits[i].src_soft = LIMITS_DEF_NONE;
+ pl->limits[i].src_hard = LIMITS_DEF_NONE;
++ switch(i) {
++ case RLIMIT_CPU:
++ case RLIMIT_FSIZE:
++ case RLIMIT_DATA:
++ case RLIMIT_RSS:
++ case RLIMIT_NPROC:
++ case RLIMIT_NOFILE:
++ case RLIMIT_MEMLOCK:
++#ifdef RLIMIT_AS
++ case RLIMIT_AS:
++#endif
++#ifdef RLIMIT_LOCKS
++ case RLIMIT_LOCKS:
++#endif
++#ifdef RLIMIT_SIGPENDING
++ case RLIMIT_SIGPENDING:
++#endif
++#ifdef RLIMIT_MSGQUEUE
++ case RLIMIT_MSGQUEUE:
++#endif
++ pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_CORE:
++ pl->limits[i].limit.rlim_cur = 0;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ case RLIMIT_STACK:
++ pl->limits[i].limit.rlim_cur = 8192*1024;
++ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
++ break;
++ }
+ }
+ }
+
+@@ -510,7 +544,7 @@
+ if (i == 4) { /* a complete line */
+ if (strcmp(uname, domain) == 0) /* this user have a limit */
+ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
+- else if (domain[0]=='@') {
++ else if (domain[0]=='@' && !pl->root) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "checking if %s is in group %s",
+@@ -519,7 +553,7 @@
+ if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1))
+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
+ pl);
+- } else if (domain[0]=='%') {
++ } else if (domain[0]=='%' && !pl->root) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "checking if %s is in group %s",
+@@ -533,7 +567,7 @@
+ process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
+ pl);
+ }
+- } else if (strcmp(domain, "*") == 0)
++ } else if (strcmp(domain, "*") == 0 && !pl->root)
+ process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
+ pl);
+ } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */
+@@ -568,6 +602,12 @@
+ int status;
+ int retval = LIMITED_OK;
+
++ if (uid == 0) {
++ /* do not impose +ve priority limits on the superuser */
++ if (pl->priority > 0)
++ pl->priority = 0;
++ }
++
+ for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) {
+ if (!pl->limits[i].supported) {
+ /* skip it if its not known to the system */
+@@ -648,6 +688,8 @@
+ return PAM_ABORT;
+ }
+
++ if (pwd->pw_uid == 0)
++ pl.root = 1;
+ retval = parse_config_file(pamh, pwd->pw_name, ctrl, &pl);
+ if (retval == PAM_IGNORE) {
+ D(("the configuration file has an applicable '<domain> -' entry"));
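Review bot: In the inner `@@ -230,6 +232,38 @@` hunk the values just fetched by `getrlimit()` a few lines earlier are overwritten for every listed resource with `RLIM_INFINITY` on both the soft and hard side (core and stack excepted), so a limit the calling process inherited from its parent is discarded rather than kept whenever limits.conf has no entry for that resource, and with the `&& !pl->root` guards in the `@@ -510`, `@@ -519` and `@@ -533` hunks a wildcard `*` or group line no longer reaches uid 0 either, leaving root unlimited unless an explicit `root` entry exists. If that is the intended policy, the new `int root;` field should say so, e.g. `/* target user is uid 0: @group, %group and '*' entries are skipped, only explicit per-user lines apply */`, because the existing `/* running as root? */` reads as the process's own uid while the flag is set from `pwd->pw_uid` in the last hunk, which appears to be the user being authenticated. The `@@ -568` hunk tests `uid == 0` directly instead of the new flag, so the two notions of "root" can drift; using one consistently would be clearer. The `8192*1024` stack default would also read better as a named constant, e.g. `#define DEFAULT_STACK_SOFT (8192*1024)`. Every enclosing function in these hunks (the limits initializer, the config parser, the limits setter and its caller) starts and ends outside the hunk.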