Bug#300720: (forw) Bug#300720: Bug#300725: Bug#300720: [Pkg-shadow-devel] Bug#300720: Login: Configuration does not load limits.so while others do

Olivier Sessink Olivier Sessink <lists@olivier.pk.wau.nl>, 300720@bugs.debian.org
Tue, 10 May 2005 18:07:25 +0200


Christian Perrier wrote:
> OK, let's get advice from the security and release teams. Looks like
> the advice from both the shadow and cron package maintainers is not enough.
> 
> In short, #300720 complains that login does not activate by default
> the pam_limits module, in the provided /etc/pam.d/login file
> 
> This bug report came very late and did not show high security
> implications at that moment. Nor was the bug RC. Given the policy we
> had at that moment for base system packages, I reported the fix to
> post-sarge.
> 
> The cron package maintainer, Steve Greenland, made the same choice.
> 
> Now, at least Olivier mentions this to be a potential fork-bomb issue.
> 
> As there is likely a kind of dispute arising with the arguments
> developed below by Olivier, I'd rather get the input from both teams
> whether 300720 deserved being fixed in sarge.

just for the record:

the SecurityFocus article mentioning many Linux distros being affected
by an ancient fork-bomb by any user can be found here:
http://www.securityfocus.com/columnists/308?ref=rssdebia

The Slashdot discussion, mentioning Woody not being affected, but Sarge
being affected can be found here:
http://linux.slashdot.org/article.pl?sid=05/03/18/1421255&tid=172&tid=106

regards,
	Olivier Sessink
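
The check at the heart of this report, as an added example that is not part of the original thread or of any Debian package: a shell function that tells whether a PAM service file activates pam_limits in its session stack, following `@include` lines. The file contents and the service name `example-svc` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report whether a PAM service activates pam_limits.

# pam_limits_enabled DIR SERVICE [DEPTH]
# Exit 0 if SERVICE (or a file it @includes) has an uncommented "session"
# rule loading pam_limits.so, 1 if not, 2 if the file cannot be read.
pam_limits_enabled() {
    [ -r "$1/$2" ] || return 2
    [ "${3:-0}" -lt 8 ] || return 1         # guard against include loops
    if awk '{ sub(/#.*/, "") }              # strip comments first
            $1 ~ /^-?session$/ {
                for (i = 3; i <= NF; i++)
                    if ($i ~ "(^|/)pam_limits[.]so$") hit = 1
            }
            END { exit hit ? 0 : 1 }' "$1/$2"; then
        return 0
    fi
    # Not found directly: look in every file pulled in with @include.
    for inc in $(awk '{ sub(/#.*/, "") } $1 == "@include" { print $2 }' "$1/$2"); do
        pam_limits_enabled "$1" "$inc" $((${3:-0} + 1)) && return 0
    done
    return 1
}

# make_sample DIR: write constructed PAM files (not copied from any release).
make_sample() {
    mkdir -p "$1"
    printf '%s\n' 'auth requisite pam_securetty.so' \
        '@include common-session' \
        '# session required pam_limits.so' > "$1/login"
    printf '%s\n' 'session required pam_unix.so' > "$1/common-session"
    printf '%s\n' '@include common-session' \
        'session required pam_limits.so' > "$1/example-svc"
}

# Demonstration on the constructed files; point DIR at /etc/pam.d to audit a host.
demo=$(mktemp -d) && make_sample "$demo"
for svc in login example-svc; do
    if pam_limits_enabled "$demo" "$svc"; then
        echo "$svc: pam_limits active"
    else
        echo "$svc: pam_limits NOT active"
    fi
done
rm -rf "$demo"
```
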