Allow explicit limits for root.
Also, remove limits on su.
Index: pam.deb/modules/pam_limits/pam_limits.c
===================================================================
--- pam.deb.orig/modules/pam_limits/pam_limits.c
+++ pam.deb/modules/pam_limits/pam_limits.c
@@ -70,6 +70,7 @@
 
 /* internal data */
 struct pam_limit_s {
+    int root;            /* running as root? */
     int login_limit;     /* the max logins limit */
     int login_limit_def; /* which entry set the login limit */
     int flag_numsyslogins; /* whether to limit logins only for a
@@ -224,6 +225,7 @@
 
     D(("called."));
 
+    pl->root = 0;
     for(i = 0; i < RLIM_NLIMITS; i++) {
 	int r = getrlimit(i, &pl->limits[i].limit);
 	if (r == -1) {
@@ -235,6 +237,38 @@
 	    pl->limits[i].supported = 1;
 	    pl->limits[i].src_soft = LIMITS_DEF_NONE;
 	    pl->limits[i].src_hard = LIMITS_DEF_NONE;
+	    switch(i) {
+		case RLIMIT_CPU:
+		case RLIMIT_FSIZE:
+		case RLIMIT_DATA:
+		case RLIMIT_RSS:
+		case RLIMIT_NPROC:
+		case RLIMIT_NOFILE:
+		case RLIMIT_MEMLOCK:
+#ifdef RLIMIT_AS
+		case RLIMIT_AS:
+#endif
+#ifdef RLIMIT_LOCKS
+		case RLIMIT_LOCKS:
+#endif
+#ifdef RLIMIT_SIGPENDING
+		case RLIMIT_SIGPENDING:
+#endif
+#ifdef RLIMIT_MSGQUEUE
+		case RLIMIT_MSGQUEUE:
+#endif
+		    pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
+		    pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+		    break;
+		case RLIMIT_CORE:
+		    pl->limits[i].limit.rlim_cur = 0;
+		    pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+		    break;
+		case RLIMIT_STACK:
+		    pl->limits[i].limit.rlim_cur = 8192*1024;
+		    pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+		    break;
+	    }
 	}
     }
 
@@ -525,7 +559,7 @@
         if (i == 4) { /* a complete line */
             if (strcmp(uname, domain) == 0) /* this user have a limit */
                 process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
-            else if (domain[0]=='@') {
+            else if (domain[0]=='@' && !pl->root) {
 		    if (ctrl & PAM_DEBUG_ARG) {
 			pam_syslog(pamh, LOG_DEBUG,
 				   "checking if %s is in group %s",
@@ -534,7 +568,7 @@
                 if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1))
                     process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
 				  pl);
-            } else if (domain[0]=='%') {
+            } else if (domain[0]=='%' && !pl->root) {
 		    if (ctrl & PAM_DEBUG_ARG) {
 			pam_syslog(pamh, LOG_DEBUG,
 				   "checking if %s is in group %s",
@@ -548,7 +582,7 @@
                     process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl,
 				  pl);
 		}
-            } else if (strcmp(domain, "*") == 0)
+            } else if (strcmp(domain, "*") == 0 && !pl->root)
                 process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
 			      pl);
 	} else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */
@@ -583,6 +617,12 @@
     int status;
     int retval = LIMITED_OK;
 
+    if (uid == 0) {
+        /* do not impose +ve priority limits on the superuser */
+        if (pl->priority > 0)
+            pl->priority = 0;
+    }
+
     for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) {
 	if (!pl->limits[i].supported) {
 	    /* skip it if its not known to the system */
@@ -669,6 +709,8 @@
         return PAM_ABORT;
     }
 
+    if (pwd->pw_uid == 0)
+        pl->root = 1;
     retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl);
     if (retval == PAM_IGNORE) {
 	D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE));