
Bug#454309: pam_limits.so malfunction


Emjay

Dec 4, 2007, 11:30:12 AM
Package: libpam-modules
Version: 0.79-4
Severity: grave

adding "session required pam_limits.so" to /etc/pam.d/login results in
limits being taken ONLY from /etc/security/limits.conf - all default values
are flushed.

PROBLEMS

1) This is a minor security issue because the default configuration is an
empty (only commented lines) limits.conf (thus leaving almost no limits in
place where the user tries to increase security/usability of the system and
by default doing exactly the opposite).
2) Adding only some rules is not enough, adding all default limits again is
required to restore default behaviour.
3) Removing pam_limits.so from /etc/pam.d/* also restores default behaviour.
4) Severity was chosen based on the pam_limits.so not the entire package.

SUGGESTION

- no idea what is causing this bug, probably an issue with pam_limits.so
- should it be the default behaviour and not be considered a bug, I suggest
there should be a BIG WARNING in the pam.d/login file regarding this matter.

Please note, that this error is architecture independent and that the
information given below is only about where the error was verified.

-- System Information:
Debian Release: etch
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23.8
--
This report was not filed by reportbug and may therefore not be 100% compliant
with the Debian requirements - I am sorry for the inconvenience.


Steve Langasek

Dec 4, 2007, 7:20:06 PM
On Tue, Dec 04, 2007 at 05:03:34PM +0100, Emjay wrote:
> adding "session required pam_limits.so" to /etc/pam.d/login results in
> limits being taken ONLY from /etc/security/limits.conf - all default values
> are flushed.

Where is it documented that pam_limits will do anything other than this?

> 1) This is a minor security issue because the default configuration is an
> empty (only commented lines) limits.conf (thus leaving almost no limits in
> place where the user tries to increase security/usability of the system and
> by default doing exactly the opposite).

And "by default", pam_limits clearly has no limits configured, so it makes
no sense to enable it without configuring limits.conf (and verifying the
outcome of those configuration changes).

(If it's a "minor" security issue, why are you claiming that it's a "grave"
bug?)

> - no idea what is causing this bug, probably an issue with pam_limits.so
> - should it be the default behaviour and not be considered a bug I suggest
> there should be a BIG WARNING in the pam.d/login file regarding this matter.

Here are the limits that I see when logging in via ssh to a system *without*
pam_limits:

$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
max nice (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 8118
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
max rt priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 8118
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
$

and the results when logging into the same system with pam_limits enabled
but not configured:

$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
max nice (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 8118
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
max rt priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 8118
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
$

So which of these are you claiming is affected negatively by pam_limits'
default behavior? I no longer have any systems with pam 0.79 installed, so
this may be fixed in 0.99.7 and above due to a change introduced upstream in
Linux-PAM 0.99.5.0.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slan...@ubuntu.com vor...@debian.org
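Steve's point is that an all-comment limits.conf contributes nothing, and that anyone enabling pam_limits should verify what their limits.conf actually applies. The dry-run resolver below is an added example, not code from this thread or from Linux-PAM; it assumes pam_limits' precedence of a user line over an @group line over the "*" wildcard (last line wins within the same rank), ignores %group and other domain forms, and uses constructed sample configurations.

```python
# Added example: resolve which /etc/security/limits.conf lines would apply
# to a given user, so the effect of a config change can be checked before
# it is wired into /etc/pam.d/*. Precedence (assumed, after pam_limits):
# explicit user line > @group line > "*" wildcard; same rank: last wins.

RANK = {"user": 0, "group": 1, "wild": 2}   # lower number takes precedence


def parse_limits(text):
    """Yield (domain, type, item, value) for every non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue                           # blank or comment-only line
        parts = line.split()
        if len(parts) != 4:
            raise ValueError("malformed limits.conf line: %r" % raw)
        domain, ltype, item, value = parts
        yield domain, ltype, item, value.lower()


def effective_limits(text, user, groups):
    """Return {(item, 'soft'|'hard'): value} that pam_limits would set."""
    groups = set(groups)
    best = {}                                  # (item, type) -> (rank, value)
    for domain, ltype, item, value in parse_limits(text):
        if domain == user:
            rank = RANK["user"]
        elif domain.startswith("@") and domain[1:] in groups:
            rank = RANK["group"]
        elif domain == "*":
            rank = RANK["wild"]
        else:
            continue                           # line is for someone else
        types = ("soft", "hard") if ltype == "-" else (ltype,)
        for t in types:
            cur = best.get((item, t))
            if cur is None or rank <= cur[0]:  # equal rank: later line wins
                best[(item, t)] = (rank, value)
    return {key: val for key, (_, val) in best.items()}


# Constructed sample inputs: Debian's shipped file (comments only), and a
# populated one exercising each precedence rank.
EMPTY_CONF = "# /etc/security/limits.conf\n#<domain> <type> <item> <value>\n"
SAMPLE_CONF = """\
*        soft nofile  1024
*        hard nofile  4096
@staff   -    nproc   200
alice    hard nofile  8192   # user line beats the wildcard above
*        hard core    0
"""
```

An empty result for the shipped file is the expected outcome: with nothing configured, pam_limits changes none of the inherited limits, which matches the two identical ulimit -a listings above.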
