import pam-1.5.1-9.el9
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
d0e0242fab
commit
ef6d9144cf
|
|
@ -0,0 +1,99 @@
|
|||
From 3234488f2c52a021eec87df1990d256314c21bff Mon Sep 17 00:00:00 2001
|
||||
From: Josef Moellers <jmoellers@suse.de>
|
||||
Date: Wed, 14 Apr 2021 16:39:28 +0200
|
||||
Subject: [PATCH] pam_limits: "Unlimited" is not a valid value for
|
||||
RLIMIT_NOFILE.
|
||||
|
||||
Replace it with a value obtained from /proc/sys/fs/nr_open
|
||||
|
||||
* modules/pam_limits/limits.conf.5.xml: Document the replacement.
|
||||
* modules/pam_limits/pam_limits.c: Replace unlimited RLIMIT_NOFILE
|
||||
value with a value obtained from /proc/sys/fs/nr_open
|
||||
---
|
||||
modules/pam_limits/limits.conf.5.xml | 2 ++
|
||||
modules/pam_limits/pam_limits.c | 49 ++++++++++++++++++++++++++++
|
||||
2 files changed, 51 insertions(+)
|
||||
|
||||
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
|
||||
index cd64ac90..c5bd6768 100644
|
||||
--- a/modules/pam_limits/limits.conf.5.xml
|
||||
+++ b/modules/pam_limits/limits.conf.5.xml
|
||||
@@ -283,6 +283,8 @@
|
||||
<emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit,
|
||||
except for <emphasis remap='B'>priority</emphasis>, <emphasis remap='B'>nice</emphasis>,
|
||||
and <emphasis remap='B'>nonewprivs</emphasis>.
|
||||
+ If <emphasis remap='B'>nofile</emphasis> is to be set to one of these values,
|
||||
+ it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)).
|
||||
</para>
|
||||
<para>
|
||||
If a hard limit or soft limit of a resource is set to a valid value,
|
||||
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
|
||||
index 10049973..7cc45d77 100644
|
||||
--- a/modules/pam_limits/pam_limits.c
|
||||
+++ b/modules/pam_limits/pam_limits.c
|
||||
@@ -487,6 +487,41 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
|
||||
return retval;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Read the contents of <pathname> and return it in *valuep
|
||||
+ * return 1 if conversion succeeds, result is in *valuep
|
||||
+ * return 0 if conversion fails, *valuep is untouched.
|
||||
+ */
|
||||
+static int
|
||||
+value_from_file(const char *pathname, rlim_t *valuep)
|
||||
+{
|
||||
+ char buf[128];
|
||||
+ FILE *fp;
|
||||
+ int retval;
|
||||
+
|
||||
+ retval = 0;
|
||||
+
|
||||
+ if ((fp = fopen(pathname, "r")) != NULL) {
|
||||
+ if (fgets(buf, sizeof(buf), fp) != NULL) {
|
||||
+ char *endptr;
|
||||
+ unsigned long long value;
|
||||
+
|
||||
+ errno = 0;
|
||||
+ value = strtoull(buf, &endptr, 10);
|
||||
+ if (endptr != buf &&
|
||||
+ (value != ULLONG_MAX || errno == 0) &&
|
||||
+ (unsigned long long) (rlim_t) value == value) {
|
||||
+ *valuep = (rlim_t) value;
|
||||
+ retval = 1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ fclose(fp);
|
||||
+ }
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
|
||||
const char *lim_item, const char *lim_value,
|
||||
@@ -666,6 +701,20 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
|
||||
rlimit_value = 20 - int_value;
|
||||
break;
|
||||
#endif
|
||||
+ case RLIMIT_NOFILE:
|
||||
+ /*
|
||||
+ * If nofile is to be set to "unlimited", try to set it to
|
||||
+ * the value in /proc/sys/fs/nr_open instead.
|
||||
+ */
|
||||
+ if (rlimit_value == RLIM_INFINITY) {
|
||||
+ if (!value_from_file("/proc/sys/fs/nr_open", &rlimit_value))
|
||||
+ pam_syslog(pamh, LOG_WARNING,
|
||||
+ "Cannot set \"nofile\" to a sensible value");
|
||||
+ else if (ctrl & PAM_DEBUG_ARG)
|
||||
+ pam_syslog(pamh, LOG_DEBUG, "Setting \"nofile\" limit to %llu",
|
||||
+ (unsigned long long) rlimit_value);
|
||||
+ }
|
||||
+ break;
|
||||
}
|
||||
|
||||
if ( (limit_item != LIMIT_LOGIN)
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
|
@ -3,7 +3,7 @@
|
|||
Summary: An extensible library which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 1.5.1
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
# The library is BSD licensed with option to relicense as GPLv2+
|
||||
# - this option is redundant as the BSD license allows that anyway.
|
||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||
|
|
@ -30,6 +30,8 @@ Patch3: pam-1.3.0-unix-nomsg.patch
|
|||
Patch4: pam-1.5.1-timestamp-openssl-hmac-authentication.patch
|
||||
# https://github.com/linux-pam/linux-pam/commit/ec0e724fe53188c5c762c34ca9db6681c0de01b8
|
||||
Patch5: pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch
|
||||
# https://github.com/linux-pam/linux-pam/commit/3234488f2c52a021eec87df1990d256314c21bff
|
||||
Patch6: pam-1.5.1-pam-limits-unlimited-value.patch
|
||||
|
||||
%global _pamlibdir %{_libdir}
|
||||
%global _moduledir %{_libdir}/security
|
||||
|
|
@ -117,6 +119,7 @@ cp %{SOURCE18} .
|
|||
%patch3 -p1 -b .nomsg
|
||||
%patch4 -p1 -b .timestamp-openssl-hmac-authentication
|
||||
%patch5 -p1 -b .pam_filter_close_file_after_controlling_tty
|
||||
%patch6 -p1 -b .pam-limits-unlimited-value
|
||||
|
||||
autoreconf -i
|
||||
|
||||
|
|
@ -371,6 +374,9 @@ done
|
|||
%doc doc/sag/*.txt doc/sag/html
|
||||
|
||||
%changelog
|
||||
* Thu Dec 2 2021 Iker Pedrosa <ipedrosa@redhat.com> - 1.5.1-9
|
||||
- pam_limits: "Unlimited" is not a valid value for RLIMIT_NOFILE. Resolves: #1989900
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.1-8
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
|
|
|||
Loading…
Reference in New Issue