From d0e126a9a6d9aa7faf1861bb80e78fd71c6cbe6a Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Thu, 2 Dec 2021 15:38:55 +0100
Subject: [PATCH] pam_limits: "Unlimited" is not a valid value for RLIMIT_NOFILE
Resolves: #1989900
Signed-off-by: Iker Pedrosa
---
 pam-1.5.1-pam-limits-unlimited-value.patch | 99 ++++++++++++++++++++++
 pam.spec | 8 +-
 2 files changed, 106 insertions(+), 1 deletion(-)
 create mode 100644 pam-1.5.1-pam-limits-unlimited-value.patch
diff --git a/pam-1.5.1-pam-limits-unlimited-value.patch b/pam-1.5.1-pam-limits-unlimited-value.patch
new file mode 100644
index 0000000..a025c45
--- /dev/null
+++ b/pam-1.5.1-pam-limits-unlimited-value.patch
@@ -0,0 +1,99 @@
+From 3234488f2c52a021eec87df1990d256314c21bff Mon Sep 17 00:00:00 2001
+From: Josef Moellers
+Date: Wed, 14 Apr 2021 16:39:28 +0200
+Subject: [PATCH] pam_limits: "Unlimited" is not a valid value for
+ RLIMIT_NOFILE.
+
+Replace it with a value obtained from /proc/sys/fs/nr_open
+
+* modules/pam_limits/limits.conf.5.xml: Document the replacement.
+* modules/pam_limits/pam_limits.c: Replace unlimited RLIMIT_NOFILE
+ value with a value obtained from /proc/sys/fs/nr_open
+---
+ modules/pam_limits/limits.conf.5.xml | 2 ++
+ modules/pam_limits/pam_limits.c | 49 ++++++++++++++++++++++++++++
+ 2 files changed, 51 insertions(+)
+
+diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
+index cd64ac90..c5bd6768 100644
+--- a/modules/pam_limits/limits.conf.5.xml
++++ b/modules/pam_limits/limits.conf.5.xml
+@@ -283,6 +283,8 @@
+ unlimited or infinity indicating no limit,
+ except for priority, nice,
+ and nonewprivs.
++ If nofile is to be set to one of these values,
++ it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)).
+
+
+ If a hard limit or soft limit of a resource is set to a valid value,
+diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
+index 10049973..7cc45d77 100644
+--- a/modules/pam_limits/pam_limits.c
++++ b/modules/pam_limits/pam_limits.c
+@@ -487,6 +487,41 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
+ return retval;
+ }
+
++/*
++ * Read the contents of and return it in *valuep
++ * return 1 if conversion succeeds, result is in *valuep
++ * return 0 if conversion fails, *valuep is untouched.
++ */
++static int
++value_from_file(const char *pathname, rlim_t *valuep)
++{
++ char buf[128];
++ FILE *fp;
++ int retval;
++
++ retval = 0;
++
++ if ((fp = fopen(pathname, "r")) != NULL) {
++ if (fgets(buf, sizeof(buf), fp) != NULL) {
++ char *endptr;
++ unsigned long long value;
++
++ errno = 0;
++ value = strtoull(buf, &endptr, 10);
++ if (endptr != buf &&
++ (value != ULLONG_MAX || errno == 0) &&
++ (unsigned long long) (rlim_t) value == value) {
++ *valuep = (rlim_t) value;
++ retval = 1;
++ }
++ }
++
++ fclose(fp);
++ }
++
++ return retval;
++}
++
+ static void
+ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
+ const char *lim_item, const char *lim_value,
+@@ -666,6 +701,20 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
+ rlimit_value = 20 - int_value;
+ break;
+ #endif
++ case RLIMIT_NOFILE:
++ /*
++ * If nofile is to be set to "unlimited", try to set it to
++ * the value in /proc/sys/fs/nr_open instead.
++ */
++ if (rlimit_value == RLIM_INFINITY) {
++ if (!value_from_file("/proc/sys/fs/nr_open", &rlimit_value))
++ pam_syslog(pamh, LOG_WARNING,
++ "Cannot set \"nofile\" to a sensible value");
++ else if (ctrl & PAM_DEBUG_ARG)
++ pam_syslog(pamh, LOG_DEBUG, "Setting \"nofile\" limit to %llu",
++ (unsigned long long) rlimit_value);
++ }
++ break;
+ }
+
+ if ( (limit_item != LIMIT_LOGIN)
+--
+2.33.1
+
diff --git a/pam.spec b/pam.spec
index c733c40..d5423fb 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.5.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
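Review bot: In the added `case RLIMIT_NOFILE:` branch of modules/pam_limits/pam_limits.c, a failed `value_from_file()` only logs a warning and then reaches `break` with `rlimit_value` still equal to `RLIM_INFINITY`, so the value this commit treats as invalid is still carried forward whenever `/proc/sys/fs/nr_open` cannot be read (for example where /proc is not mounted). What happens to it next is not visible, because process_limit's body starts before and ends after the hunk; if the later code cannot cope with that value, consider a `return;` after the warning, and let the message name the file, e.g. `"Cannot read /proc/sys/fs/nr_open, \"nofile\" left unchanged"`. In `value_from_file()` the only syntax check is `endptr != buf`, so trailing text is accepted and a signed input is negated by strtoull rather than rejected; adding `(*endptr == '\n' || *endptr == '\0')` to the condition, plus a check for a leading '-', would keep the helper strict if it is ever reused for other files. Its header comment should also say that 0 is returned when the file cannot be opened or read, not only when the conversion fails.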
@@ -30,6 +30,8 @@ Patch3: pam-1.3.0-unix-nomsg.patch Patch4: pam-1.5.1-timestamp-openssl-hmac-authentication.patch # https://github.com/linux-pam/linux-pam/commit/ec0e724fe53188c5c762c34ca9db6681c0de01b8 Patch5: pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch +# https://github.com/linux-pam/linux-pam/commit/3234488f2c52a021eec87df1990d256314c21bff +Patch6: pam-1.5.1-pam-limits-unlimited-value.patch %global _pamlibdir %{_libdir} %global _moduledir %{_libdir}/security @@ -117,6 +119,7 @@ cp %{SOURCE18} . %patch3 -p1 -b .nomsg %patch4 -p1 -b .timestamp-openssl-hmac-authentication %patch5 -p1 -b .pam_filter_close_file_after_controlling_tty +%patch6 -p1 -b .pam-limits-unlimited-value autoreconf -i @@ -371,6 +374,9 @@ done %doc doc/sag/*.txt doc/sag/html %changelog +* Thu Dec 2 2021 Iker Pedrosa - 1.5.1-9 +- pam_limits: "Unlimited" is not a valid value for RLIMIT_NOFILE. Resolves: #1989900 + * Mon Aug 09 2021 Mohan Boddu - 1.5.1-8 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688