Index: pam.debian/modules/pam_limits/pam_limits.c
===================================================================
--- pam.debian.orig/modules/pam_limits/pam_limits.c
+++ pam.debian/modules/pam_limits/pam_limits.c
@@ -75,6 +75,7 @@
int flag_numsyslogins; /* whether to limit logins only for a
specific user or to count all logins */
int priority; /* the priority to run user process with */
+ char chroot_dir[8092]; /* directory to chroot into */
struct user_limits_struct limits[RLIM_NLIMITS];
const char *conf_file;
int utmp_after_pam_call;
@@ -85,6 +86,7 @@
#define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
#define LIMIT_PRI RLIM_NLIMITS+3
+#define LIMIT_CHROOT RLIM_NLIMITS+4
#define LIMIT_SOFT 1
#define LIMIT_HARD 2
@@ -243,6 +245,8 @@
pl->login_limit = -2;
pl->login_limit_def = LIMITS_DEF_NONE;
+ pl->chroot_dir[0] = '\0';
+
return retval;
}
@@ -313,6 +317,8 @@
pl->flag_numsyslogins = 1;
} else if (strcmp(lim_item, "priority") == 0) {
limit_item = LIMIT_PRI;
+ } else if (strcmp(lim_item, "chroot") == 0) {
+ limit_item = LIMIT_CHROOT;
} else {
pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
return;
@@ -350,9 +356,9 @@
pam_syslog(pamh, LOG_DEBUG,
"wrong limit value '%s' for limit type '%s'",
lim_value, lim_type);
- return;
+ return;
}
- } else {
+ } else if (limit_item != LIMIT_CHROOT) {
#ifdef __USE_FILE_OFFSET64
rlimit_value = strtoull (lim_value, &endptr, 10);
#else
@@ -413,7 +419,9 @@
break;
}
- if ( (limit_item != LIMIT_LOGIN)
+ if (limit_item == LIMIT_CHROOT)
+ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir));
+ else if ( (limit_item != LIMIT_LOGIN)
&& (limit_item != LIMIT_NUMSYSLOGINS)
&& (limit_item != LIMIT_PRI) ) {
if (limit_type & LIMIT_SOFT) {
@@ -601,6 +609,13 @@
retval |= LOGIN_ERR;
}
+ if (!retval && pl->chroot_dir[0]) {
+ i = chdir(pl->chroot_dir);
+ if (i == 0)
+ i = chroot(pl->chroot_dir);
+ if (i != 0)
+ retval = LIMIT_ERR;
+ }
return retval;
}
Index: pam.debian/modules/pam_limits/limits.conf.5.xml
===================================================================
--- pam.debian.orig/modules/pam_limits/limits.conf.5.xml
+++ pam.debian/modules/pam_limits/limits.conf.5.xml
@@ -224,6 +224,12 @@
(Linux 2.6.12 and higher)
+
+
+
+ the directory to chroot the user to
+
+
Index: pam.debian/modules/pam_limits/limits.conf.5
===================================================================
--- pam.debian.orig/modules/pam_limits/limits.conf.5
+++ pam.debian/modules/pam_limits/limits.conf.5
@@ -1,17 +1,17 @@
.\" Title: limits.conf
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.72.0
-.\" Date: 08/30/2007
+.\" Generator: DocBook XSL Stylesheets v1.73.2
+.\" Date: 07/22/2008
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\"
-.TH "LIMITS.CONF" "5" "08/30/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "LIMITS\.CONF" "5" "07/22/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
-limits.conf \- configuration file for the pam_limits module
+limits.conf - configuration file for the pam_limits module
.SH "DESCRIPTION"
.PP
The syntax of the lines is as follows:
@@ -26,46 +26,49 @@
.PP
\fB\fR
.RS 4
+.sp
.RS 4
\h'-04'\(bu\h'+03'a username
.RE
+.sp
.RS 4
\h'-04'\(bu\h'+03'a groupname, with
\fB@group\fR
-syntax. This should not be confused with netgroups.
+syntax\. This should not be confused with netgroups\.
.RE
+.sp
.RS 4
\h'-04'\(bu\h'+03'the wildcard
-\fB*\fR, for default entry.
+\fB*\fR, for default entry\.
.RE
+.sp
.RS 4
\h'-04'\(bu\h'+03'the wildcard
\fB%\fR, for maxlogins limit only, can also be used with
\fI%group\fR
-syntax.
+syntax\.
.RE
.RE
.PP
\fB\fR
.RS 4
-.RS 4
.PP
\fBhard\fR
.RS 4
for enforcing
\fBhard\fR
-resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values.
+resource limits\. These limits are set by the superuser and enforced by the Kernel\. The user cannot raise his requirement of system resources above such values\.
.RE
.PP
\fBsoft\fR
.RS 4
for enforcing
\fBsoft\fR
-resource limits. These limits are ones that the user can move up or down within the permitted range by any pre\-exisiting
+resource limits\. These limits are ones that the user can move up or down within the permitted range by any pre\-exisiting
\fBhard\fR
-limits. The values specified with this token can be thought of as
+limits\. The values specified with this token can be thought of as
\fIdefault\fR
-values, for normal system usage.
+values, for normal system usage\.
.RE
.PP
\fB\-\fR
@@ -74,16 +77,14 @@
\fBsoft\fR
and
\fBhard\fR
-resource limits together.
+resource limits together\.
.sp
-Note, if you specify a type of '\-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc. .
-.RE
+Note, if you specify a type of \'\-\' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc\. \.
.RE
.RE
.PP
\fB\fR
.RS 4
-.RS 4
.PP
\fBcore\fR
.RS 4
@@ -153,48 +154,52 @@
.PP
\fBlocks\fR
.RS 4
-maximum locked files (Linux 2.4 and higher)
+maximum locked files (Linux 2\.4 and higher)
.RE
.PP
\fBsigpending\fR
.RS 4
-maximum number of pending signals (Linux 2.6 and higher)
+maximum number of pending signals (Linux 2\.6 and higher)
.RE
.PP
\fBmsqqueue\fR
.RS 4
-maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher)
+maximum memory used by POSIX message queues (bytes) (Linux 2\.6 and higher)
.RE
.PP
\fBnice\fR
.RS 4
-maximum nice priority allowed to raise to (Linux 2.6.12 and higher)
+maximum nice priority allowed to raise to (Linux 2\.6\.12 and higher)
.RE
.PP
\fBrtprio\fR
.RS 4
-maximum realtime priority allowed for non\-privileged processes (Linux 2.6.12 and higher)
+maximum realtime priority allowed for non\-privileged processes (Linux 2\.6\.12 and higher)
.RE
+.PP
+\fBchroot\fR
+.RS 4
+the directory to chroot the user to
.RE
.RE
.PP
In general, individual limits have priority over group limits, so if you impose no limits for
\fIadmin\fR
-group, but one of the members in this group have a limits line, the user will have its limits set according to this line.
+group, but one of the members in this group have a limits line, the user will have its limits set according to this line\.
.PP
Also, please note that all limit settings are set
-\fIper login\fR. They are not global, nor are they permanent; existing only for the duration of the session.
+\fIper login\fR\. They are not global, nor are they permanent; existing only for the duration of the session\.
.PP
In the
\fIlimits\fR
-configuration file, the '\fB#\fR' character introduces a comment \- after which the rest of the line is ignored.
+configuration file, the \'\fB#\fR\' character introduces a comment \- after which the rest of the line is ignored\.
.PP
The pam_limits module does its best to report configuration problems found in its configuration file via
-\fBsyslog\fR(3).
+\fBsyslog\fR(3)\.
.SH "EXAMPLES"
.PP
These are some example lines which might be specified in
-\fI/etc/security/limits.conf\fR.
+\fI/etc/security/limits\.conf\fR\.
.sp
.RS 4
.nf
@@ -216,4 +221,4 @@
\fBpam\fR(8)
.SH "AUTHOR"
.PP
-pam_limits was initially written by Cristian Gafton
+pam_limits was initially written by Cristian Gafton
Index: pam.debian/modules/pam_limits/limits.conf
===================================================================
--- pam.debian.orig/modules/pam_limits/limits.conf
+++ pam.debian/modules/pam_limits/limits.conf
@@ -35,6 +35,7 @@
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to
# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
#
#
#
@@ -45,6 +46,7 @@
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
+#ftp - chroot /ftp
#@student - maxlogins 4
# End of file