From: Sam Hartman <hartmans@debian.org>
Date: Thu, 16 Jan 2025 15:40:56 -0700
Subject: pam_limits: Defaults if kernel limits unavailable
When set_all is set in pam_limits control, if we are not on linux, or
if parsing kernel limits fails, set explicit defaults that are similar
to linux defaults.
This patch is not particularly important to Debian on linux now that
set_all is no longer the default; kept mainly for non-linux ports.
Based on patch by Peter Paluch <peterp@frcatel.fri.utc.sk>
---
modules/pam_limits/pam_limits.c | 73 +++++++++++++++++++++++++++++++++++++++--
1 file changed, 70 insertions(+), 3 deletions(-)
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 7eb93c0..ca3bb18 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -58,6 +58,14 @@
# define PR_SET_NO_NEW_PRIVS 38 /* from <linux/prctl.h> */
#endif
+#ifndef MLOCK_LIMIT
+#ifdef __FreeBSD_kernel__
+#define MLOCK_LIMIT RLIM_INFINITY
+#else
+#define MLOCK_LIMIT (64*1024)
+#endif
+#endif
+
/* Module defines */
#define LIMITS_DEF_USER 0 /* limit was set by a user entry */
#define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */
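Review bot: The `64*1024` in the `#else` branch of the new `MLOCK_LIMIT` block is a bare magic number with no comment saying what it mirrors; since the commit message's whole justification is that these defaults are "similar to linux defaults", add a comment naming the kernel constant this copies and the kernel version it was taken from, so the value can be re-checked when the kernel's default moves. The `#ifndef MLOCK_LIMIT` guard also means any system header that happens to define the same name silently wins over both branches, which deserves a one-line comment as well.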
@@ -537,11 +545,18 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
{
int i;
int retval = PAM_SUCCESS;
+ static int mlock_limit = 0;
D(("called."));
pl->root = 0;
+ if (mlock_limit == 0) {
+ mlock_limit = sysconf(_SC_PAGESIZE);
+ if (mlock_limit < MLOCK_LIMIT)
+ mlock_limit = MLOCK_LIMIT;
+ }
+
for(i = 0; i < RLIM_NLIMITS; i++) {
int r = getrlimit(i, &pl->limits[i].limit);
if (r == -1) {
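Review bot: `mlock_limit` is declared `static int` but is assigned the result of `sysconf(_SC_PAGESIZE)`, which returns `long`, and on `__FreeBSD_kernel__` it is assigned `MLOCK_LIMIT`, which the first hunk defines as `RLIM_INFINITY` (an `rlim_t`); both stores can truncate, and a truncated `RLIM_INFINITY` is then copied into `rlim_cur`/`rlim_max` in the third hunk as something other than infinity. Declare it `rlim_t` (keeping a separate `long` for the `sysconf()` result), and check that result for `-1` explicitly instead of relying on `if (mlock_limit < MLOCK_LIMIT)` to absorb the error, since once the variable is `rlim_t` that comparison becomes a mixed signed/unsigned one.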
@@ -556,19 +571,71 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
}
}
-#ifdef __linux__
if (ctrl & PAM_SET_ALL) {
+#ifdef __linux__
parse_kernel_limits(pamh, pl, ctrl);
+#endif
for(i = 0; i < RLIM_NLIMITS; i++) {
if (pl->limits[i].supported &&
(pl->limits[i].src_soft == LIMITS_DEF_NONE ||
pl->limits[i].src_hard == LIMITS_DEF_NONE)) {
- pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using PAM default", rlimit2str(i));
+#ifdef __linux__
+ pam_syslog(pamh, LOG_WARNING, "Did not find kernel RLIMIT for %s, using default", rlimit2str(i));
+#endif
+ pl->limits[i].src_soft = LIMITS_DEF_DEFAULT;
+ pl->limits[i].src_hard = LIMITS_DEF_DEFAULT;
+ switch(i) {
+ case RLIMIT_CPU:
+ case RLIMIT_FSIZE:
+ case RLIMIT_DATA:
+ case RLIMIT_RSS:
+ case RLIMIT_NPROC:
+#ifdef RLIMIT_AS
+ case RLIMIT_AS:
+#endif
+#ifdef RLIMIT_LOCKS
+ case RLIMIT_LOCKS:
+#endif
+ pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
+ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+ break;
+ case RLIMIT_MEMLOCK:
+ pl->limits[i].limit.rlim_cur = mlock_limit;
+ pl->limits[i].limit.rlim_max = mlock_limit;
+ break;
+#ifdef RLIMIT_SIGPENDING
+ case RLIMIT_SIGPENDING:
+ pl->limits[i].limit.rlim_cur = 16382;
+ pl->limits[i].limit.rlim_max = 16382;
+ break;
+#endif
+#ifdef RLIMIT_MSGQUEUE
+ case RLIMIT_MSGQUEUE:
+ pl->limits[i].limit.rlim_cur = 819200;
+ pl->limits[i].limit.rlim_max = 819200;
+ break;
+#endif
+ case RLIMIT_CORE:
+ pl->limits[i].limit.rlim_cur = 0;
+ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+ break;
+ case RLIMIT_STACK:
+ pl->limits[i].limit.rlim_cur = 8192*1024;
+ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+ break;
+ case RLIMIT_NOFILE:
+ pl->limits[i].limit.rlim_cur = 1024;
+ pl->limits[i].limit.rlim_max = 1024;
+ break;
+ default:
+ pl->limits[i].src_soft = LIMITS_DEF_NONE;
+ pl->limits[i].src_hard = LIMITS_DEF_NONE;
+ break;
+ }
}
}
}
-#endif
errno = 0;
pl->priority = getpriority (PRIO_PROCESS, 0);
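Review bot: The fallback overwrites both `rlim_cur` and `rlim_max` whenever `src_soft == LIMITS_DEF_NONE || src_hard == LIMITS_DEF_NONE`, so on Linux a limit for which `parse_kernel_limits()` recovered only one of the two values loses the value it did find, and both sides are then marked `LIMITS_DEF_DEFAULT`; either replace only the side whose `src_*` is `LIMITS_DEF_NONE`, or change the condition to `&&` and say in a comment why a half-found limit is discarded. Note also that on this path the values `getrlimit()` just read in the loop above are replaced by hard-coded ones, and for `RLIMIT_NPROC`, `RLIMIT_AS`, `RLIMIT_DATA` and `RLIMIT_RSS` the replacement is `RLIM_INFINITY` for both soft and hard, which can only raise what the process inherited, never lower it, while `RLIMIT_NOFILE` sets the hard limit to `1024` and can lower it; `16382`, `819200`, `8192*1024` and `1024` carry no comment saying which kernel defaults they copy. Finally, with the `pam_syslog()` now inside `#ifdef __linux__`, the non-Linux ports this patch is kept for apply these defaults silently; a debug-level message on that branch would help anyone asking why `set_all` produced these numbers.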