Index: pam.deb/modules/pam_limits/pam_limits.c
===================================================================
--- pam.deb.orig/modules/pam_limits/pam_limits.c
+++ pam.deb/modules/pam_limits/pam_limits.c
@@ -79,6 +79,7 @@
int flag_numsyslogins; /* whether to limit logins only for a
specific user or to count all logins */
int priority; /* the priority to run user process with */
+ char chroot_dir[8092]; /* directory to chroot into */
struct user_limits_struct limits[RLIM_NLIMITS];
const char *conf_file;
int utmp_after_pam_call;
@@ -89,6 +90,7 @@
#define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
#define LIMIT_PRI RLIM_NLIMITS+3
+#define LIMIT_CHROOT RLIM_NLIMITS+4
#define LIMIT_SOFT 1
#define LIMIT_HARD 2
@@ -317,6 +319,8 @@
pl->login_limit = -2;
pl->login_limit_def = LIMITS_DEF_NONE;
+ pl->chroot_dir[0] = '\0';
+
return retval;
}
@@ -387,6 +391,8 @@
pl->flag_numsyslogins = 1;
} else if (strcmp(lim_item, "priority") == 0) {
limit_item = LIMIT_PRI;
+ } else if (strcmp(lim_item, "chroot") == 0) {
+ limit_item = LIMIT_CHROOT;
} else {
pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
return;
@@ -424,9 +430,9 @@
pam_syslog(pamh, LOG_DEBUG,
"wrong limit value '%s' for limit type '%s'",
lim_value, lim_type);
- return;
+ return;
}
- } else {
+ } else if (limit_item != LIMIT_CHROOT) {
#ifdef __USE_FILE_OFFSET64
rlimit_value = strtoull (lim_value, &endptr, 10);
#else
@@ -487,7 +493,9 @@
#endif
}
- if ( (limit_item != LIMIT_LOGIN)
+ if (limit_item == LIMIT_CHROOT)
+ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir));
+ else if ( (limit_item != LIMIT_LOGIN)
&& (limit_item != LIMIT_NUMSYSLOGINS)
&& (limit_item != LIMIT_PRI) ) {
if (limit_type & LIMIT_SOFT) {
@@ -689,6 +697,13 @@
retval |= LOGIN_ERR;
}
+ if (!retval && pl->chroot_dir[0]) {
+ i = chdir(pl->chroot_dir);
+ if (i == 0)
+ i = chroot(pl->chroot_dir);
+ if (i != 0)
+ retval = LIMIT_ERR;
+ }
return retval;
}
Index: pam.deb/modules/pam_limits/limits.conf.5.xml
===================================================================
--- pam.deb.orig/modules/pam_limits/limits.conf.5.xml
+++ pam.deb/modules/pam_limits/limits.conf.5.xml
@@ -224,6 +224,12 @@
(Linux 2.6.12 and higher)
+
+
+
+ the directory to chroot the user to
+
+
Index: pam.deb/modules/pam_limits/limits.conf.5
===================================================================
--- pam.deb.orig/modules/pam_limits/limits.conf.5
+++ pam.deb/modules/pam_limits/limits.conf.5
@@ -1,161 +1,13 @@
+'\" t
.\" Title: limits.conf
.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.74.0
-.\" Date: 03/02/2009
+.\" Generator: DocBook XSL Stylesheets v1.75.2
+.\" Date: 08/24/2009
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "LIMITS\&.CONF" "5" "03/02/2009" "Linux-PAM Manual" "Linux\-PAM Manual"
-.\" -----------------------------------------------------------------
-.\" * (re)Define some macros
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" toupper - uppercase a string (locale-aware)
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.de toupper
-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
-\\$*
-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
-..
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" SH-xref - format a cross-reference to an SH section
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.de SH-xref
-.ie n \{\
-.\}
-.toupper \\$*
-.el \{\
-\\$*
-.\}
-..
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" SH - level-one heading that works better for non-TTY output
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.de1 SH
-.\" put an extra blank line of space above the head in non-TTY output
-.if t \{\
-.sp 1
-.\}
-.sp \\n[PD]u
-.nr an-level 1
-.set-an-margin
-.nr an-prevailing-indent \\n[IN]
-.fi
-.in \\n[an-margin]u
-.ti 0
-.HTML-TAG ".NH \\n[an-level]"
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-\." make the size of the head bigger
-.ps +3
-.ft B
-.ne (2v + 1u)
-.ie n \{\
-.\" if n (TTY output), use uppercase
-.toupper \\$*
-.\}
-.el \{\
-.nr an-break-flag 0
-.\" if not n (not TTY), use normal case (not uppercase)
-\\$1
-.in \\n[an-margin]u
-.ti 0
-.\" if not n (not TTY), put a border/line under subheading
-.sp -.6
-\l'\n(.lu'
-.\}
-..
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" SS - level-two heading that works better for non-TTY output
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.de1 SS
-.sp \\n[PD]u
-.nr an-level 1
-.set-an-margin
-.nr an-prevailing-indent \\n[IN]
-.fi
-.in \\n[IN]u
-.ti \\n[SN]u
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.ps \\n[PS-SS]u
-\." make the size of the head bigger
-.ps +2
-.ft B
-.ne (2v + 1u)
-.if \\n[.$] \&\\$*
-..
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" BB/BE - put background/screen (filled box) around block of text
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.de BB
-.if t \{\
-.sp -.5
-.br
-.in +2n
-.ll -2n
-.gcolor red
-.di BX
-.\}
-..
-.de EB
-.if t \{\
-.if "\\$2"adjust-for-leading-newline" \{\
-.sp -1
-.\}
-.br
-.di
-.in
-.ll
-.gcolor
-.nr BW \\n(.lu-\\n(.i
-.nr BH \\n(dn+.5v
-.ne \\n(BHu+.5v
-.ie "\\$2"adjust-for-leading-newline" \{\
-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
-.\}
-.el \{\
-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
-.\}
-.in 0
-.sp -.5v
-.nf
-.BX
-.in
-.sp .5v
-.fi
-.\}
-..
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" BM/EM - put colored marker in margin next to block of text
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.de BM
-.if t \{\
-.br
-.ll -2n
-.gcolor red
-.di BX
-.\}
-..
-.de EM
-.if t \{\
-.br
-.di
-.ll
-.gcolor
-.nr BH \\n(dn
-.ne \\n(BHu
-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
-.in 0
-.nf
-.BX
-.in
-.fi
-.\}
-..
+.TH "LIMITS\&.CONF" "5" "08/24/2009" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
@@ -166,7 +18,7 @@
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
-.SH "Name"
+.SH "NAME"
limits.conf \- configuration file for the pam_limits module
.SH "DESCRIPTION"
.PP
@@ -360,6 +212,11 @@
.RS 4
maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher)
.RE
+.PP
+\fBchroot\fR
+.RS 4
+the directory to chroot the user to
+.RE
.RE
.PP
All items support the values
@@ -392,20 +249,12 @@
.SH "EXAMPLES"
.PP
These are some example lines which might be specified in
-\FC/etc/security/limits\&.conf\F[]\&.
+/etc/security/limits\&.conf\&.
.sp
.if n \{\
.RS 4
.\}
-.fam C
-.ps -1
.nf
-.if t \{\
-.sp -1
-.\}
-.BB lightgray adjust-for-leading-newline
-.sp -1
-
* soft core 0
* hard rss 10000
@student hard nproc 20
@@ -414,13 +263,7 @@
ftp hard nproc 0
@student \- maxlogins 4
-.EB lightgray adjust-for-leading-newline
-.if t \{\
-.sp 1
-.\}
.fi
-.fam
-.ps +1
.if n \{\
.RE
.\}
Index: pam.deb/modules/pam_limits/limits.conf
===================================================================
--- pam.deb.orig/modules/pam_limits/limits.conf
+++ pam.deb/modules/pam_limits/limits.conf
@@ -35,6 +35,7 @@
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
#
# -
#
@@ -45,6 +46,7 @@
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
+#ftp - chroot /ftp
#@student - maxlogins 4
# End of file