From 28f777aa533a436603af78b92e5f75b04193f800 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Sun, 1 May 2011 00:08:23 -0700 Subject: update the existing 027_pam_limits_better_init_allow_explicit_root patch instead of creating a new parse-kernel-rlimits.patch, to keep these changes logically grouped together; and add a DEP3 patch header here since we didn't have one before --- .../027_pam_limits_better_init_allow_explicit_root | 270 ++++++++++++++++++--- debian/patches-applied/parse-kernel-rlimits.patch | 208 ---------------- debian/patches-applied/series | 1 - 3 files changed, 233 insertions(+), 246 deletions(-) delete mode 100644 debian/patches-applied/parse-kernel-rlimits.patch (limited to 'debian/patches-applied') diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root index 07e383ec..fa152c5e 100644 --- a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root +++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root @@ -1,10 +1,29 @@ -Allow explicit limits for root. -Also, remove limits on su. -Index: pam.deb/modules/pam_limits/pam_limits.c +Description: Allow explicit limits for root and reset limits on each session + When crossing session boundaries (such as when su'ing from one user to + another), if the target account has no limit specified in limits.conf we + want to use the default, not the current value configured for the + source account. + . + On Linux, we query default limits by parsing /proc/1/limits, so that we + can sanely inherit kernel defaults that vary with system resources (such as + nproc). If /proc/1/limits is unavailable, fall back to a set of + hard-coded values that shadow the currently known defaults on Linux. + . + Also, don't apply wildcard limits to the root account; only apply limits to + root that reference root by name. +Author: Peter Paluch , + Ben Collins , + Steve Langasek , + Kees Cook +Bug-Ubuntu: https://launchpad.net/bugs/746655 +Bug-Debian: http://bugs.debian.org/63230 +Bug-Debian: http://bugs.debian.org/620302 +Forwarded: https://fedorahosted.org/pipermail/pam-developers/2011-March/000017.html +Index: pam.debian/modules/pam_limits/pam_limits.c =================================================================== ---- pam.deb.orig/modules/pam_limits/pam_limits.c -+++ pam.deb/modules/pam_limits/pam_limits.c -@@ -45,6 +45,10 @@ +--- pam.debian.orig/modules/pam_limits/pam_limits.c ++++ pam.debian/modules/pam_limits/pam_limits.c +@@ -45,15 +45,20 @@ #include #endif @@ -15,7 +34,28 @@ Index: pam.deb/modules/pam_limits/pam_limits.c /* Module defines */ #define LINE_LENGTH 1024 -@@ -74,6 +78,7 @@ + #define LIMITS_DEF_USER 0 /* limit was set by an user entry */ + #define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */ + #define LIMITS_DEF_ALLGROUP 2 /* limit was set by a group entry */ +-#define LIMITS_DEF_ALL 3 /* limit was set by an default entry */ +-#define LIMITS_DEF_DEFAULT 4 /* limit was set by an default entry */ +-#define LIMITS_DEF_NONE 5 /* this limit was not set yet */ ++#define LIMITS_DEF_ALL 3 /* limit was set by an all entry */ ++#define LIMITS_DEF_DEFAULT 4 /* limit was set by an internal default entry */ ++#define LIMITS_DEF_KERNEL 5 /* limit was set from /proc/1/limits */ ++#define LIMITS_DEF_NONE 6 /* this limit was not set yet */ + + static const char *limits_def_names[] = { + "USER", +@@ -61,6 +66,7 @@ + "ALLGROUP", + "ALL", + "DEFAULT", ++ "KERNEL", + "NONE", + NULL + }; +@@ -74,6 +80,7 @@ /* internal data */ struct pam_limit_s { @@ -23,7 +63,144 @@ Index: pam.deb/modules/pam_limits/pam_limits.c int login_limit; /* the max logins limit */ int login_limit_def; /* which entry set the login limit */ int flag_numsyslogins; /* whether to limit logins only for a -@@ -295,9 +300,18 @@ +@@ -291,13 +298,154 @@ + return 0; + } + +-static int init_limits(struct pam_limit_s *pl) ++static const char * lnames[RLIM_NLIMITS] = { ++ [RLIMIT_CPU] = "Max cpu time", ++ [RLIMIT_FSIZE] = "Max file size", ++ [RLIMIT_DATA] = "Max data size", ++ [RLIMIT_STACK] = "Max stack size", ++ [RLIMIT_CORE] = "Max core file size", ++ [RLIMIT_RSS] = "Max resident set", ++ [RLIMIT_NPROC] = "Max processes", ++ [RLIMIT_NOFILE] = "Max open files", ++ [RLIMIT_MEMLOCK] = "Max locked memory", ++#ifdef RLIMIT_AS ++ [RLIMIT_AS] = "Max address space", ++#endif ++#ifdef RLIMIT_LOCKS ++ [RLIMIT_LOCKS] = "Max file locks", ++#endif ++#ifdef RLIMIT_SIGPENDING ++ [RLIMIT_SIGPENDING] = "Max pending signals", ++#endif ++#ifdef RLIMIT_MSGQUEUE ++ [RLIMIT_MSGQUEUE] = "Max msgqueue size", ++#endif ++#ifdef RLIMIT_NICE ++ [RLIMIT_NICE] = "Max nice priority", ++#endif ++#ifdef RLIMIT_RTPRIO ++ [RLIMIT_RTPRIO] = "Max realtime priority", ++#endif ++#ifdef RLIMIT_RTTIME ++ [RLIMIT_RTTIME] = "Max realtime timeout", ++#endif ++}; ++ ++static int str2rlimit(char *name) { ++ int i; ++ if (!name || *name == '\0') ++ return -1; ++ for(i = 0; i < RLIM_NLIMITS; i++) { ++ if (strcmp(name, lnames[i]) == 0) return i; ++ } ++ return -1; ++} ++ ++static rlim_t str2rlim_t(char *value) { ++ unsigned long long rlimit = 0; ++ ++ if (!value) return (rlim_t)rlimit; ++ if (strcmp(value, "unlimited") == 0) { ++ return RLIM_INFINITY; ++ } ++ rlimit = strtoull(value, NULL, 10); ++ return (rlim_t)rlimit; ++} ++ ++#define LIMITS_SKIP_WHITESPACE { \ ++ /* step backwards over spaces */ \ ++ pos--; \ ++ while (pos && line[pos] == ' ') pos--; \ ++ if (!pos) continue; \ ++ line[pos+1] = '\0'; \ ++} ++#define LIMITS_MARK_ITEM(item) { \ ++ /* step backwards over non-spaces */ \ ++ pos--; \ ++ while (pos && line[pos] != ' ') pos--; \ ++ if (!pos) continue; \ ++ item = line + pos + 1; \ ++} ++ ++static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl) ++{ ++ int i, maxlen = 0; ++ FILE *limitsfile; ++ const char *proclimits = "/proc/1/limits"; ++ char line[256]; ++ char *units, *hard, *soft, *name; ++ ++ if (!(limitsfile = fopen(proclimits, "r"))) { ++ pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM internal defaults", proclimits, strerror(errno)); ++ return; ++ } ++ ++ while (fgets(line, 256, limitsfile)) { ++ int pos = strlen(line); ++ if (pos < 2) continue; ++ ++ /* drop trailing newline */ ++ if (line[pos-1] == '\n') { ++ pos--; ++ line[pos] = '\0'; ++ } ++ ++ /* determine formatting boundry of limits report */ ++ if (!maxlen && strncmp(line, "Limit", 5) == 0) { ++ maxlen = pos; ++ continue; ++ } ++ ++ if (pos == maxlen) { ++ /* step backwards over "Units" name */ ++ LIMITS_SKIP_WHITESPACE; ++ LIMITS_MARK_ITEM(units); ++ } ++ else { ++ units = ""; ++ } ++ ++ /* step backwards over "Hard Limit" value */ ++ LIMITS_SKIP_WHITESPACE; ++ LIMITS_MARK_ITEM(hard); ++ ++ /* step backwards over "Soft Limit" value */ ++ LIMITS_SKIP_WHITESPACE; ++ LIMITS_MARK_ITEM(soft); ++ ++ /* step backwards over name of limit */ ++ LIMITS_SKIP_WHITESPACE; ++ name = line; ++ ++ i = str2rlimit(name); ++ if (i < 0 || i >= RLIM_NLIMITS) { ++ pam_syslog(pamh, LOG_DEBUG, "Unknown kernel rlimit '%s' ignored", name); ++ continue; ++ } ++ pl->limits[i].limit.rlim_cur = str2rlim_t(soft); ++ pl->limits[i].limit.rlim_max = str2rlim_t(hard); ++ pl->limits[i].src_soft = LIMITS_DEF_KERNEL; ++ pl->limits[i].src_hard = LIMITS_DEF_KERNEL; ++ } ++ fclose(limitsfile); ++} ++ ++static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl) { int i; int retval = PAM_SUCCESS; @@ -42,12 +219,22 @@ Index: pam.deb/modules/pam_limits/pam_limits.c for(i = 0; i < RLIM_NLIMITS; i++) { int r = getrlimit(i, &pl->limits[i].limit); if (r == -1) { -@@ -307,8 +321,56 @@ - } - } else { - pl->limits[i].supported = 1; -- pl->limits[i].src_soft = LIMITS_DEF_NONE; -- pl->limits[i].src_hard = LIMITS_DEF_NONE; +@@ -312,6 +460,71 @@ + } + } + ++#ifdef __linux__ ++ parse_kernel_limits(pamh, pl); ++#endif ++ ++ for(i = 0; i < RLIM_NLIMITS; i++) { ++ if (pl->limits[i].supported && ++ (pl->limits[i].src_soft == LIMITS_DEF_NONE || ++ pl->limits[i].src_hard == LIMITS_DEF_NONE)) { ++#ifdef __linux__ ++ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM internal default", rlimit2str(i)); ++#endif ++ + pl->limits[i].src_soft = LIMITS_DEF_DEFAULT; + pl->limits[i].src_hard = LIMITS_DEF_DEFAULT; + switch(i) { @@ -98,10 +285,13 @@ Index: pam.deb/modules/pam_limits/pam_limits.c + pl->limits[i].src_hard = LIMITS_DEF_NONE; + break; + } - } - } - -@@ -591,7 +653,7 @@ ++ } ++ } ++ + errno = 0; + pl->priority = getpriority (PRIO_PROCESS, 0); + if (pl->priority == -1 && errno != 0) +@@ -591,7 +804,7 @@ if (strcmp(uname, domain) == 0) /* this user have a limit */ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); @@ -110,7 +300,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s", -@@ -600,7 +662,7 @@ +@@ -600,7 +813,7 @@ if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, pl); @@ -119,7 +309,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s", -@@ -614,7 +676,7 @@ +@@ -614,7 +827,7 @@ process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, pl); } @@ -128,7 +318,7 @@ Index: pam.deb/modules/pam_limits/pam_limits.c process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, pl); } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */ -@@ -649,6 +711,12 @@ +@@ -649,6 +862,12 @@ int status; int retval = LIMITED_OK; @@ -141,7 +331,14 @@ Index: pam.deb/modules/pam_limits/pam_limits.c for (i=0, status=LIMITED_OK; ipw_name, ctrl, pl); if (retval == PAM_IGNORE) { D(("the configuration file ('%s') has an applicable ' -' entry", CONF_FILE)); -Index: pam.deb/modules/pam_limits/limits.conf +Index: pam.debian/modules/pam_limits/limits.conf =================================================================== ---- pam.deb.orig/modules/pam_limits/limits.conf -+++ pam.deb/modules/pam_limits/limits.conf +--- pam.debian.orig/modules/pam_limits/limits.conf ++++ pam.debian/modules/pam_limits/limits.conf @@ -11,6 +11,9 @@ # - the wildcard *, for default entry # - the wildcard %, can be also used with %group syntax, @@ -172,10 +369,10 @@ Index: pam.deb/modules/pam_limits/limits.conf #* hard rss 10000 #@student hard nproc 20 #@faculty soft nproc 20 -Index: pam.deb/modules/pam_limits/limits.conf.5.xml +Index: pam.debian/modules/pam_limits/limits.conf.5.xml =================================================================== ---- pam.deb.orig/modules/pam_limits/limits.conf.5.xml -+++ pam.deb/modules/pam_limits/limits.conf.5.xml +--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml ++++ pam.debian/modules/pam_limits/limits.conf.5.xml @@ -57,6 +57,11 @@ @@ -196,11 +393,11 @@ Index: pam.deb/modules/pam_limits/limits.conf.5.xml * hard rss 10000 @student hard nproc 20 @faculty soft nproc 20 -Index: pam.deb/modules/pam_limits/limits.conf.5 +Index: pam.debian/modules/pam_limits/limits.conf.5 =================================================================== ---- pam.deb.orig/modules/pam_limits/limits.conf.5 -+++ pam.deb/modules/pam_limits/limits.conf.5 -@@ -84,6 +84,11 @@ +--- pam.debian.orig/modules/pam_limits/limits.conf.5 ++++ pam.debian/modules/pam_limits/limits.conf.5 +@@ -93,6 +93,11 @@ \fI%group\fR syntax\&. .RE @@ -212,7 +409,7 @@ Index: pam.deb/modules/pam_limits/limits.conf.5 .RE .PP \fB\fR -@@ -256,6 +261,7 @@ +@@ -265,6 +270,7 @@ .\} .nf * soft core 0 @@ -220,10 +417,10 @@ Index: pam.deb/modules/pam_limits/limits.conf.5 * hard rss 10000 @student hard nproc 20 @faculty soft nproc 20 -Index: pam.deb/modules/pam_limits/README +Index: pam.debian/modules/pam_limits/README =================================================================== ---- pam.deb.orig/modules/pam_limits/README 2009-08-24 20:18:05 +0000 -+++ pam.deb/modules/pam_limits/README 2009-08-26 00:32:41 +0000 +--- pam.debian.orig/modules/pam_limits/README ++++ pam.debian/modules/pam_limits/README @@ -55,6 +55,7 @@ limits.conf. @@ -232,4 +429,3 @@ Index: pam.deb/modules/pam_limits/README * hard rss 10000 @student hard nproc 20 @faculty soft nproc 20 - diff --git a/debian/patches-applied/parse-kernel-rlimits.patch b/debian/patches-applied/parse-kernel-rlimits.patch deleted file mode 100644 index 77e6f378..00000000 --- a/debian/patches-applied/parse-kernel-rlimits.patch +++ /dev/null @@ -1,208 +0,0 @@ -Description: Since the kernel sets a number of dynamic rlimits based on the - system properities (e.g. physical memory for nproc), these rlimits should - be respected by PAM. Parse /proc/1/limits for the kernel-defined rlimits. -Author: Kees Cook -Bug-Ubuntu: https://launchpad.net/bugs/746655 -Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620302 -Forwarded: https://fedorahosted.org/pipermail/pam-developers/2011-March/000017.html - -Index: pam-debian/modules/pam_limits/pam_limits.c -=================================================================== ---- pam-debian.orig/modules/pam_limits/pam_limits.c 2011-03-31 14:39:14.296355902 -0700 -+++ pam-debian/modules/pam_limits/pam_limits.c 2011-03-31 14:39:14.906363881 -0700 -@@ -55,9 +55,10 @@ - #define LIMITS_DEF_USER 0 /* limit was set by an user entry */ - #define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */ - #define LIMITS_DEF_ALLGROUP 2 /* limit was set by a group entry */ --#define LIMITS_DEF_ALL 3 /* limit was set by an default entry */ --#define LIMITS_DEF_DEFAULT 4 /* limit was set by an default entry */ --#define LIMITS_DEF_NONE 5 /* this limit was not set yet */ -+#define LIMITS_DEF_ALL 3 /* limit was set by an all entry */ -+#define LIMITS_DEF_DEFAULT 4 /* limit was set by an internal default entry */ -+#define LIMITS_DEF_KERNEL 5 /* limit was set from /proc/1/limits */ -+#define LIMITS_DEF_NONE 6 /* this limit was not set yet */ - - static const char *limits_def_names[] = { - "USER", -@@ -65,6 +66,7 @@ - "ALLGROUP", - "ALL", - "DEFAULT", -+ "KERNEL", - "NONE", - NULL - }; -@@ -296,7 +298,139 @@ - return 0; - } - --static int init_limits(struct pam_limit_s *pl) -+static const char * lnames[RLIM_NLIMITS] = { -+ [RLIMIT_CPU] = "Max cpu time", -+ [RLIMIT_FSIZE] = "Max file size", -+ [RLIMIT_DATA] = "Max data size", -+ [RLIMIT_STACK] = "Max stack size", -+ [RLIMIT_CORE] = "Max core file size", -+ [RLIMIT_RSS] = "Max resident set", -+ [RLIMIT_NPROC] = "Max processes", -+ [RLIMIT_NOFILE] = "Max open files", -+ [RLIMIT_MEMLOCK] = "Max locked memory", -+#ifdef RLIMIT_AS -+ [RLIMIT_AS] = "Max address space", -+#endif -+#ifdef RLIMIT_LOCKS -+ [RLIMIT_LOCKS] = "Max file locks", -+#endif -+#ifdef RLIMIT_SIGPENDING -+ [RLIMIT_SIGPENDING] = "Max pending signals", -+#endif -+#ifdef RLIMIT_MSGQUEUE -+ [RLIMIT_MSGQUEUE] = "Max msgqueue size", -+#endif -+#ifdef RLIMIT_NICE -+ [RLIMIT_NICE] = "Max nice priority", -+#endif -+#ifdef RLIMIT_RTPRIO -+ [RLIMIT_RTPRIO] = "Max realtime priority", -+#endif -+#ifdef RLIMIT_RTTIME -+ [RLIMIT_RTTIME] = "Max realtime timeout", -+#endif -+}; -+ -+static int str2rlimit(char *name) { -+ int i; -+ if (!name || *name == '\0') -+ return -1; -+ for(i = 0; i < RLIM_NLIMITS; i++) { -+ if (strcmp(name, lnames[i]) == 0) return i; -+ } -+ return -1; -+} -+ -+static rlim_t str2rlim_t(char *value) { -+ unsigned long long rlimit = 0; -+ -+ if (!value) return (rlim_t)rlimit; -+ if (strcmp(value, "unlimited") == 0) { -+ return RLIM_INFINITY; -+ } -+ rlimit = strtoull(value, NULL, 10); -+ return (rlim_t)rlimit; -+} -+ -+#define LIMITS_SKIP_WHITESPACE { \ -+ /* step backwards over spaces */ \ -+ pos--; \ -+ while (pos && line[pos] == ' ') pos--; \ -+ if (!pos) continue; \ -+ line[pos+1] = '\0'; \ -+} -+#define LIMITS_MARK_ITEM(item) { \ -+ /* step backwards over non-spaces */ \ -+ pos--; \ -+ while (pos && line[pos] != ' ') pos--; \ -+ if (!pos) continue; \ -+ item = line + pos + 1; \ -+} -+ -+static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl) -+{ -+ int i, maxlen = 0; -+ FILE *limitsfile; -+ const char *proclimits = "/proc/1/limits"; -+ char line[256]; -+ char *units, *hard, *soft, *name; -+ -+ if (!(limitsfile = fopen(proclimits, "r"))) { -+ pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM internal defaults", proclimits, strerror(errno)); -+ return; -+ } -+ -+ while (fgets(line, 256, limitsfile)) { -+ int pos = strlen(line); -+ if (pos < 2) continue; -+ -+ /* drop trailing newline */ -+ if (line[pos-1] == '\n') { -+ pos--; -+ line[pos] = '\0'; -+ } -+ -+ /* determine formatting boundry of limits report */ -+ if (!maxlen && strncmp(line, "Limit", 5) == 0) { -+ maxlen = pos; -+ continue; -+ } -+ -+ if (pos == maxlen) { -+ /* step backwards over "Units" name */ -+ LIMITS_SKIP_WHITESPACE; -+ LIMITS_MARK_ITEM(units); -+ } -+ else { -+ units = ""; -+ } -+ -+ /* step backwards over "Hard Limit" value */ -+ LIMITS_SKIP_WHITESPACE; -+ LIMITS_MARK_ITEM(hard); -+ -+ /* step backwards over "Soft Limit" value */ -+ LIMITS_SKIP_WHITESPACE; -+ LIMITS_MARK_ITEM(soft); -+ -+ /* step backwards over name of limit */ -+ LIMITS_SKIP_WHITESPACE; -+ name = line; -+ -+ i = str2rlimit(name); -+ if (i < 0 || i >= RLIM_NLIMITS) { -+ pam_syslog(pamh, LOG_DEBUG, "Unknown kernel rlimit '%s' ignored", name); -+ continue; -+ } -+ pl->limits[i].limit.rlim_cur = str2rlim_t(soft); -+ pl->limits[i].limit.rlim_max = str2rlim_t(hard); -+ pl->limits[i].src_soft = LIMITS_DEF_KERNEL; -+ pl->limits[i].src_hard = LIMITS_DEF_KERNEL; -+ } -+ fclose(limitsfile); -+} -+ -+static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl) - { - int i; - int retval = PAM_SUCCESS; -@@ -321,6 +455,23 @@ - } - } else { - pl->limits[i].supported = 1; -+ pl->limits[i].src_soft = LIMITS_DEF_NONE; -+ pl->limits[i].src_hard = LIMITS_DEF_NONE; -+ } -+ } -+ -+#ifdef __linux__ -+ parse_kernel_limits(pamh, pl); -+#endif -+ -+ for(i = 0; i < RLIM_NLIMITS; i++) { -+ if (pl->limits[i].supported && -+ (pl->limits[i].src_soft == LIMITS_DEF_NONE || -+ pl->limits[i].src_hard == LIMITS_DEF_NONE)) { -+#ifdef __linux__ -+ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM internal default", rlimit2str(i)); -+#endif -+ - pl->limits[i].src_soft = LIMITS_DEF_DEFAULT; - pl->limits[i].src_hard = LIMITS_DEF_DEFAULT; - switch(i) { -@@ -823,7 +974,7 @@ - return PAM_USER_UNKNOWN; - } - -- retval = init_limits(pl); -+ retval = init_limits(pamh, pl); - if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_WARNING, "cannot initialize"); - return PAM_ABORT; diff --git a/debian/patches-applied/series b/debian/patches-applied/series index 4229f047..4fdb9cd8 100644 --- a/debian/patches-applied/series +++ b/debian/patches-applied/series @@ -21,4 +21,3 @@ update-motd fix-man-crud sys-types-include.patch no_PATH_MAX_on_hurd -parse-kernel-rlimits.patch -- cgit v1.2.3