Bug#300720: (forw) Bug#300720: Bug#300725: Bug#300720: [Pkg-shadow-devel] Bug#300720: Login: Configuration does not load limits.so while others do
Olivier Sessink
Olivier Sessink <lists@olivier.pk.wau.nl>, 300720@bugs.debian.org
Tue, 10 May 2005 18:07:25 +0200
Christian Perrier wrote:
> OK, let's get advice from the security and release teams. Looks like
> the advice from both the shadow and cron package maintainers is not enough.
>
> In short, #300720 complains that login does not activate by default
> the pam_limits module, in the provided /etc/pam.d/login file
>
> This bug report came very late and did not show high security
> implications at that moment. Nor was the bug RC. Given the policy we
> had at that moment for base system packages, I reported the fix to
> post-sarge.
>
> The cron package maintainer, Steve Greenland, made the same choice.
>
> Now, at least Olivier mentions this to be a potential fork-bomb issue.
>
> As there is likely a kind of dispute arising with the arguments
> developed below by Olivier, I'd rather get the input from both teams
> whether 300720 deserved being fixed in sarge.

Just for the record:

The SecurityFocus article mentioning many Linux distros being affected
by an ancient fork-bomb by any user can be found here:
http://www.securityfocus.com/columnists/308?ref=rssdebia

The Slashdot discussion, mentioning Woody not being affected, but Sarge
being affected can be found here:
http://linux.slashdot.org/article.pl?sid=05/03/18/1421255&tid=172&tid=106

regards,
Olivier Sessink
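
Added example, not part of this message or of the shadow or cron packages: a Python check for the condition #300720 describes, a PAM service whose session stack never calls pam_limits. The file contents are constructed samples and the function names are hypothetical; it follows Debian-style `@include` lines and the `include`/`substack` controls.

```python
import re

# Constructed sample PAM service files (not copied from any real system).
SAMPLE = {
    "login": """\
auth       requisite  pam_securetty.so
@include common-auth
session    required   pam_env.so readenv=1
# session  required   pam_limits.so
@include common-session
""",
    "sshd": "@include common-auth\nsession    required   pam_limits.so\n",
    "common-auth": "auth required pam_unix.so nullok_secure\n",
    "common-session": "session required pam_unix.so\n",
}

def logical_lines(text):
    """Yield config lines with continuations joined and comments stripped."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def session_modules(service, files, seen=None):
    """Modules in the session stack of `service`, following includes."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []
    seen.add(service)  # guards against include loops
    mods = []
    for line in logical_lines(files[service]):
        parts = line.split()
        if parts[0] == "@include" and len(parts) > 1:
            mods += session_modules(parts[1], files, seen)
            continue
        # Fields: [-]type  control-or-[bracketed control]  module-path  args...
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m or m.group(1) != "session":
            continue
        if m.group(2) in ("include", "substack"):
            mods += session_modules(m.group(3), files, seen)
        else:
            mods.append(m.group(3).rsplit("/", 1)[-1])
    return mods

def missing_limits(files, services):
    """Services whose session stack never calls pam_limits.so."""
    return [s for s in services if "pam_limits.so" not in session_modules(s, files)]
```

To audit a real system, build the `files` dict from the contents of /etc/pam.d/ and pass the service names you care about (for example login and cron).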