import pam-1.3.1-16.el8

This commit is contained in:
CentOS Sources 2022-02-02 18:20:26 +00:00 committed by Stepan Oksanichenko
parent 2250c4cbd0
commit c01458b801
2 changed files with 86 additions and 1 deletions

View File

@ -0,0 +1,78 @@
diff -up Linux-PAM-1.3.1/modules/pam_limits/limits.conf.5.xml.pam-limits-unlimited-value Linux-PAM-1.3.1/modules/pam_limits/limits.conf.5.xml
--- Linux-PAM-1.3.1/modules/pam_limits/limits.conf.5.xml.pam-limits-unlimited-value 2022-01-28 09:45:41.431606850 +0100
+++ Linux-PAM-1.3.1/modules/pam_limits/limits.conf.5.xml 2022-01-28 09:47:31.732430391 +0100
@@ -275,6 +275,8 @@
All items support the values <emphasis>-1</emphasis>,
<emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit,
except for <emphasis remap='B'>priority</emphasis> and <emphasis remap='B'>nice</emphasis>.
+ If <emphasis remap='B'>nofile</emphasis> is to be set to one of these values,
+ it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)).
</para>
<para>
If a hard limit or soft limit of a resource is set to a valid value,
diff -up Linux-PAM-1.3.1/modules/pam_limits/pam_limits.c.pam-limits-unlimited-value Linux-PAM-1.3.1/modules/pam_limits/pam_limits.c
--- Linux-PAM-1.3.1/modules/pam_limits/pam_limits.c.pam-limits-unlimited-value 2022-01-28 09:45:41.415606731 +0100
+++ Linux-PAM-1.3.1/modules/pam_limits/pam_limits.c 2022-01-28 09:45:41.431606850 +0100
@@ -487,6 +487,41 @@ static int init_limits(pam_handle_t *pam
return retval;
}
+/*
+ * Read the contents of <pathname> and return it in *valuep
+ * return 1 if conversion succeeds, result is in *valuep
+ * return 0 if conversion fails, *valuep is untouched.
+ */
+static int
+value_from_file(const char *pathname, rlim_t *valuep)
+{
+ char buf[128];
+ FILE *fp;
+ int retval;
+
+ retval = 0;
+
+ if ((fp = fopen(pathname, "r")) != NULL) {
+ if (fgets(buf, sizeof(buf), fp) != NULL) {
+ char *endptr;
+ unsigned long long value;
+
+ errno = 0;
+ value = strtoull(buf, &endptr, 10);
+ if (endptr != buf &&
+ (value != ULLONG_MAX || errno == 0) &&
+ (unsigned long long) (rlim_t) value == value) {
+ *valuep = (rlim_t) value;
+ retval = 1;
+ }
+ }
+
+ fclose(fp);
+ }
+
+ return retval;
+}
+
static void
process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
const char *lim_item, const char *lim_value,
@@ -652,6 +687,20 @@ process_limit (const pam_handle_t *pamh,
rlimit_value = 20 - int_value;
break;
#endif
+ case RLIMIT_NOFILE:
+ /*
+ * If nofile is to be set to "unlimited", try to set it to
+ * the value in /proc/sys/fs/nr_open instead.
+ */
+ if (rlimit_value == RLIM_INFINITY) {
+ if (!value_from_file("/proc/sys/fs/nr_open", &rlimit_value))
+ pam_syslog(pamh, LOG_WARNING,
+ "Cannot set \"nofile\" to a sensible value");
+ else if (ctrl & PAM_DEBUG_ARG)
+ pam_syslog(pamh, LOG_DEBUG, "Setting \"nofile\" limit to %llu",
+ (unsigned long long) rlimit_value);
+ }
+ break;
}
if ( (limit_item != LIMIT_LOGIN)

View File

@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.3.1
Release: 15%{?dist}
Release: 16%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -67,6 +67,8 @@ Patch48: pam-1.3.1-wheel-pam_ruser-fallback.patch
Patch49: pam-1.3.1-namespace-gdm-doc.patch
# https://github.com/linux-pam/linux-pam/commit/a7453aeeb398d6cbb7a709c4e2a1d75905220fff
Patch50: pam-1.3.1-pam-userdb-prevent-garbage-characters-from-db.patch
# https://github.com/linux-pam/linux-pam/commit/3234488f2c52a021eec87df1990d256314c21bff
Patch51: pam-1.3.1-pam-limits-unlimited-value.patch
%define _pamlibdir %{_libdir}
%define _moduledir %{_libdir}/security
@ -165,6 +167,8 @@ cp %{SOURCE18} .
%patch48 -p1 -b .wheel-pam_ruser-fallback
%patch49 -p1 -b .namespace-gdm-doc
%patch50 -p1 -b .pam-userdb-prevent-garbage-characters-from-db
%patch51 -p1 -b .pam-limits-unlimited-value
autoreconf -i
%build
@ -410,6 +414,9 @@ done
%doc doc/specs/rfc86.0.txt
%changelog
* Fri Jan 28 2022 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-16
- pam_limits: "Unlimited" is not a valid value for RLIMIT_NOFILE. Resolves: #2047655
* Mon May 3 2021 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-15
- pam_userdb: Prevent garbage characters from db (#1791965)