From 7a50d08c6e1fa25a1eaa9f43bdd7f3daf63fba84 Mon Sep 17 00:00:00 2001
From: Steve Langasek <vorlon@debian.org>
Date: Mon, 2 Mar 2009 01:16:58 -0800
Subject: 027_pam_limits_better_init_allow_explicit_root: RLIM_INFINITY may or
 may not be invalid for RLIMIT_NOFILE, but we don't want to set a hard limit
 of 1024 by default; try to set this limit to the value of
 /proc/sys/fs/nr_open if we can, or fall back to RLIM_INFINITY. Closes:
 #515673, LP: #327597.

---
 .../027_pam_limits_better_init_allow_explicit_root | 47 +++++++++++++++++-----
 1 file changed, 38 insertions(+), 9 deletions(-)

(limited to 'debian/patches-applied/027_pam_limits_better_init_allow_explicit_root')

diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
index f89bd256..f12ead7c 100644
--- a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
+++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root
@@ -4,7 +4,18 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
 ===================================================================
 --- pam.deb.orig/modules/pam_limits/pam_limits.c
 +++ pam.deb/modules/pam_limits/pam_limits.c
-@@ -74,6 +74,7 @@
+@@ -55,6 +55,10 @@
+ #define LIMITS_DEF_DEFAULT  4 /* limit was set by an default entry */
+ #define LIMITS_DEF_NONE     5 /* this limit was not set yet */
+ 
++/* file in /proc on Linux that we read to get the total number of open
++   files allowed on the system */
++#define NR_OPEN_FILES "/proc/sys/fs/nr_open"
++
+ static const char *limits_def_names[] = {
+        "USER",
+        "GROUP",
+@@ -74,6 +78,7 @@
  
  /* internal data */
  struct pam_limit_s {
@@ -12,15 +23,33 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
      int login_limit;     /* the max logins limit */
      int login_limit_def; /* which entry set the login limit */
      int flag_numsyslogins; /* whether to limit logins only for a
-@@ -231,6 +232,7 @@
+@@ -228,9 +233,25 @@
+ {
+     int i;
+     int retval = PAM_SUCCESS;
++    static rlim_t nofiles_max = RLIM_INFINITY;
++    static int nofiles_init = 0;
  
      D(("called."));
  
++    if (nofiles_init == 0) {
++	FILE *nr_open;
++	unsigned long long ull_nofiles = 0;
++
++	nofiles_init = 1;
++	nr_open = fopen(NR_OPEN_FILES, "r");
++	if (nr_open != NULL) {
++	    if (fscanf(nr_open, "%Lu", &ull_nofiles) == 1)
++		nofiles_max = ull_nofiles;
++	    fclose(nr_open);
++	}
++    }
++
 +    pl->root = 0;
      for(i = 0; i < RLIM_NLIMITS; i++) {
  	int r = getrlimit(i, &pl->limits[i].limit);
  	if (r == -1) {
-@@ -242,6 +244,41 @@
+@@ -242,6 +263,41 @@
  	    pl->limits[i].supported = 1;
  	    pl->limits[i].src_soft = LIMITS_DEF_NONE;
  	    pl->limits[i].src_hard = LIMITS_DEF_NONE;
@@ -56,13 +85,13 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
 +		    break;
 +		case RLIMIT_NOFILE:
 +		    pl->limits[i].limit.rlim_cur = 1024;
-+		    pl->limits[i].limit.rlim_max = 1024;
++		    pl->limits[i].limit.rlim_max = nofiles_max;
 +		    break;
 +	    }
  	}
      }
  
-@@ -524,7 +561,7 @@
+@@ -524,7 +580,7 @@
  
              if (strcmp(uname, domain) == 0) /* this user have a limit */
                  process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
@@ -71,7 +100,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
  		    if (ctrl & PAM_DEBUG_ARG) {
  			pam_syslog(pamh, LOG_DEBUG,
  				   "checking if %s is in group %s",
-@@ -533,7 +570,7 @@
+@@ -533,7 +589,7 @@
                  if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1))
                      process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
  				  pl);
@@ -80,7 +109,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
  		    if (ctrl & PAM_DEBUG_ARG) {
  			pam_syslog(pamh, LOG_DEBUG,
  				   "checking if %s is in group %s",
-@@ -547,7 +584,7 @@
+@@ -547,7 +603,7 @@
                      process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
  				  pl);
  		}
@@ -89,7 +118,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
                  process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
  			      pl);
  	} else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */
-@@ -582,6 +619,12 @@
+@@ -582,6 +638,12 @@
      int status;
      int retval = LIMITED_OK;
  
@@ -102,7 +131,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c
      for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) {
  	if (!pl->limits[i].supported) {
  	    /* skip it if its not known to the system */
-@@ -675,6 +718,8 @@
+@@ -675,6 +737,8 @@
          return PAM_ABORT;
      }
  
-- 
cgit v1.2.3