path: root/patches-applied/008_modules_pam_limits_chroot

Index: Linux-PAM/modules/pam_limits/pam_limits.c
===================================================================
--- Linux-PAM/modules/pam_limits/pam_limits.c.orig
+++ Linux-PAM/modules/pam_limits/pam_limits.c
@@ -74,6 +74,7 @@
     int flag_numsyslogins; /* whether to limit logins only for a
 			      specific user or to count all logins */
     int priority;	 /* the priority to run user process with */
+    char chroot_dir[8092]; /* directory to chroot into */
     struct user_limits_struct limits[RLIM_NLIMITS];
     char conf_file[BUFSIZ];
     int utmp_after_pam_call;
@@ -84,6 +85,7 @@
 #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
 
 #define LIMIT_PRI RLIM_NLIMITS+3
+#define LIMIT_CHROOT RLIM_NLIMITS+4
 
 #define LIMIT_SOFT  1
 #define LIMIT_HARD  2
@@ -238,6 +240,8 @@
     pl->login_limit = -2;
     pl->login_limit_def = LIMITS_DEF_NONE;
 
+    pl->chroot_dir[0] = '\0';
+    
     return retval;
 }
 
@@ -306,6 +310,8 @@
 	pl->flag_numsyslogins = 1;
     } else if (strcmp(lim_item, "priority") == 0) {
 	limit_item = LIMIT_PRI;
+    } else if (strcmp(lim_item, "chroot") == 0) {
+	limit_item = LIMIT_CHROOT;
     } else {
         pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
         return;
@@ -343,9 +349,9 @@
 			pam_syslog(pamh, LOG_DEBUG,
 				   "wrong limit value '%s' for limit type '%s'",
 				   lim_value, lim_type);
-            return;
+			return;
 		}
-	} else {
+	} else if (limit_item != LIMIT_CHROOT) {
 #ifdef __USE_FILE_OFFSET64
 		rlimit_value = strtoull (lim_value, &endptr, 10);
 #else
@@ -392,7 +398,9 @@
          break;
     }
 
-    if ( (limit_item != LIMIT_LOGIN)
+    if (limit_item == LIMIT_CHROOT)
+	strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir));
+    else if ( (limit_item != LIMIT_LOGIN)
 	 && (limit_item != LIMIT_NUMSYSLOGINS)
 	 && (limit_item != LIMIT_PRI) ) {
         if (limit_type & LIMIT_SOFT) {
@@ -590,6 +598,13 @@
         retval |= LOGIN_ERR;
     }
 
+    if (!retval && pl->chroot_dir[0]) {
+	i = chdir(pl->chroot_dir);
+	if (i == 0)
+	    i = chroot(pl->chroot_dir);
+	if (i != 0)
+	    retval = LIMIT_ERR;
+    }
     return retval;
 }
 
Index: Linux-PAM/modules/pam_limits/limits.conf.5.xml
===================================================================
--- Linux-PAM/modules/pam_limits/limits.conf.5.xml.orig
+++ Linux-PAM/modules/pam_limits/limits.conf.5.xml
@@ -223,6 +223,12 @@
                   (Linux 2.6.12 and higher)</para>
               </listitem>
             </varlistentry>
+            <varlistentry>
+              <term><option>chroot</option></term>
+              <listitem>
+                <para>the directory to chroot the user to</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>
Index: Linux-PAM/modules/pam_limits/limits.conf.5
===================================================================
--- Linux-PAM/modules/pam_limits/limits.conf.5.orig
+++ Linux-PAM/modules/pam_limits/limits.conf.5
@@ -1,11 +1,11 @@
 .\"     Title: limits.conf
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/22/2006
-.\"    Manual: Linux\-PAM Manual
-.\"    Source: Linux\-PAM Manual
+.\" Generator: DocBook XSL Stylesheets v1.72.0 <http://docbook.sf.net/>
+.\"      Date: 08/19/2007
+.\"    Manual: Linux-PAM Manual
+.\"    Source: Linux-PAM Manual
 .\"
-.TH "LIMITS.CONF" "5" "06/22/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "LIMITS.CONF" "5" "08/19/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -23,38 +23,45 @@
 \fI<value>\fR
 .PP
 The fields listed above should be filled as follows:
-.TP 3n
+.PP
 \fB<domain>\fR
-.RS 3n
-.TP 3n
-\(bu
-a username
-.TP 3n
-\(bu
-a groupname, with
+.RS 4
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'a username
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'a groupname, with
 \fB@group\fR
 syntax. This should not be confused with netgroups.
-.TP 3n
-\(bu
-the wildcard
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'the wildcard
 \fB*\fR, for default entry.
-.TP 3n
-\(bu
-the wildcard
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'the wildcard
 \fB%\fR, for maxlogins limit only, can also be used with
 \fI%group\fR
 syntax.
 .RE
-.TP 3n
+.RE
+.PP
 \fB<type>\fR
-.RS 3n
-.TP 3n
+.RS 4
+.PP
 \fBhard\fR
+.RS 4
 for enforcing
 \fBhard\fR
 resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values.
-.TP 3n
+.RE
+.PP
 \fBsoft\fR
+.RS 4
 for enforcing
 \fBsoft\fR
 resource limits. These limits are ones that the user can move up or down within the permitted range by any pre\-exisiting
@@ -62,8 +69,10 @@
 limits. The values specified with this token can be thought of as
 \fIdefault\fR
 values, for normal system usage.
-.TP 3n
+.RE
+.PP
 \fB\-\fR
+.RS 4
 for enforcing both
 \fBsoft\fR
 and
@@ -72,65 +81,107 @@
 .sp
 Note, if you specify a type of '\-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc. .
 .RE
-.TP 3n
+.RE
+.PP
 \fB<item>\fR
-.RS 3n
-.TP 3n
+.RS 4
+.PP
 \fBcore\fR
+.RS 4
 limits the core file size (KB)
-.TP 3n
+.RE
+.PP
 \fBdata\fR
+.RS 4
 maximum data size (KB)
-.TP 3n
+.RE
+.PP
 \fBfsize\fR
+.RS 4
 maximum filesize (KB)
-.TP 3n
+.RE
+.PP
 \fBmemlock\fR
+.RS 4
 maximum locked\-in\-memory address space (KB)
-.TP 3n
+.RE
+.PP
 \fBnofile\fR
+.RS 4
 maximum number of open files
-.TP 3n
+.RE
+.PP
 \fBrss\fR
+.RS 4
 maximum resident set size (KB)
-.TP 3n
+.RE
+.PP
 \fBstack\fR
+.RS 4
 maximum stack size (KB)
-.TP 3n
+.RE
+.PP
 \fBcpu\fR
+.RS 4
 maximum CPU time (minutes)
-.TP 3n
+.RE
+.PP
 \fBnproc\fR
+.RS 4
 maximum number of processes
-.TP 3n
+.RE
+.PP
 \fBas\fR
+.RS 4
 address space limit
-.TP 3n
+.RE
+.PP
 \fBmaxlogins\fR
+.RS 4
 maximum number of logins for this user
-.TP 3n
+.RE
+.PP
 \fBmaxsyslogins\fR
+.RS 4
 maximum number of logins on system
-.TP 3n
+.RE
+.PP
 \fBpriority\fR
+.RS 4
 the priority to run user process with (negative values boost process priority)
-.TP 3n
+.RE
+.PP
 \fBlocks\fR
+.RS 4
 maximum locked files (Linux 2.4 and higher)
-.TP 3n
+.RE
+.PP
 \fBsigpending\fR
+.RS 4
 maximum number of pending signals (Linux 2.6 and higher)
-.TP 3n
+.RE
+.PP
 \fBmsqqueue\fR
+.RS 4
 maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher)
-.TP 3n
+.RE
+.PP
 \fBnice\fR
+.RS 4
 maximum nice priority allowed to raise to (Linux 2.6.12 and higher)
-.TP 3n
+.RE
+.PP
 \fBrtprio\fR
+.RS 4
 maximum realtime priority allowed for non\-privileged processes (Linux 2.6.12 and higher)
 .RE
 .PP
+\fBchroot\fR
+.RS 4
+the directory to chroot the user to
+.RE
+.RE
+.PP
 In general, individual limits have priority over group limits, so if you impose no limits for
 \fIadmin\fR
 group, but one of the members in this group have a limits line, the user will have its limits set according to this line.
@@ -149,7 +200,7 @@
 These are some example lines which might be specified in
 \fI/etc/security/limits.conf\fR.
 .sp
-.RS 3n
+.RS 4
 .nf
 *               soft    core            0
 *               hard    rss             10000
Index: Linux-PAM/modules/pam_limits/limits.conf
===================================================================
--- Linux-PAM/modules/pam_limits/limits.conf.orig
+++ Linux-PAM/modules/pam_limits/limits.conf
@@ -35,6 +35,7 @@
 #        - msgqueue - max memory used by POSIX message queues (bytes)
 #        - nice - max nice priority allowed to raise to
 #        - rtprio - max realtime priority
+#        - chroot - change root to directory (Debian-specific)
 #
 #<domain>      <type>  <item>         <value>
 #
@@ -45,6 +46,7 @@
 #@faculty        soft    nproc           20
 #@faculty        hard    nproc           50
 #ftp             hard    nproc           0
+#ftp             -       chroot          /ftp
 #@student        -       maxlogins       4
 
 # End of file