Bug#1029152: Bug#995236: libpam-modules: pam_limits.so always overwrites rlimits, contrary to man page and upstream behaviour
Luca Boccassi
bluca at debian.org
Sun May 26 01:17:34 BST 2024
On Thu, 7 Oct 2021 23:06:34 +0200 Chris Hofstaedtler <zeha at debian.org> wrote:
> * Simon McVittie <smcv at debian.org> [211007 22:36]:
> > On Thu, 07 Oct 2021 at 22:19:43 +0200, Chris Hofstaedtler wrote:
> > > * Simon McVittie <smcv at debian.org> [210928 13:27]:
> > > > To avoid reintroducing #63230, if that is not a desired outcome, it will
> > > > be necessary to change /etc/pam.d/su (in the util-linux package) so that
> > > > it invokes "pam_limits.so set_all" instead of plain "pam_limits.so".
> > >
> > > So, should util-linux start shipping /etc/pam.d/su with
> > > "pam_limits.so set_all" then?
> >
> > If we want su to reset all limits to whatever value PAM guesses might be a
> > reasonable default, then maybe yes. (But see also #917374, #976373 and
> > upstream bug https://github.com/linux-pam/linux-pam/issues/85 - the way
> > in which PAM guesses what reasonable limits might be is not great if pid 1
> > is non-trivial.)
>
> Removing pam_limits.so from su's PAM configuration might be a better
> idea for an init that has its own ideas about the limits. I would
> favor a config that is consistent with the rest of Debian -- if sudo
> does not use pam_limits.so today, maybe su should stop.
>
> > > As an alternate datapoint: on
> > > Fedora-derived distributions, PAM config for su does not include
> > > pam_limits.so.
> >
> > If I'm reading correctly, Fedora has pam_limits.so (but *without* set_all)
> > in their equivalent of our common-session, so most/all services pick it up
> > from there.
>
> Ah, indeed. I missed that.

In 2.38 util-linux started setting some defaults in su, so I don't
think the original downstream change is needed anymore:

https://github.com/util-linux/util-linux/commit/08273c672b105602e1a9031160ccefec171b02ed

I am going to revert the change from #917167 that stopped the default
fd limit from being bumped, sometime next week. If changes are needed
to deal with this in the pam/util-linux config/patches, I would
appreciate it if they could please be taken care of for Trixie. Thanks.

--
Kind regards,
Luca Boccassi
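
The thread above turns on which PAM service files invoke pam_limits.so and whether they pass set_all. The following is an added example, not part of the original message or of any Debian package: a small Python check that walks PAM service file contents, following Debian's @include and the include/substack controls, and reports each pam_limits.so line with or without set_all. The file contents and the function names are constructed for illustration.

```python
import os

# Constructed sample PAM service files (illustrative, not copied from any package).
SAMPLE_FILES = {
    "su": "# constructed\nsession required pam_limits.so\n@include common-session\n",
    "su-reset": "-session [success=ok default=ignore] /lib/security/pam_limits.so set_all\n",
    "sudo": "session include common-session\n",
    "common-session": "session optional pam_systemd.so\n",
}

def pam_limits_entries(service, files, seen=None):
    """Return (file, has_set_all) for each pam_limits.so line reachable from
    `service`, following @include lines and the include/substack controls."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []  # avoid include loops; skip files we were not given
    seen.add(service)
    found = []
    for raw in files[service].splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if not tokens:
            continue
        if tokens[0] == "@include" and len(tokens) > 1:
            found += pam_limits_entries(tokens[1], files, seen)
            continue
        if len(tokens) < 3:
            continue
        rest = tokens[1:]  # drop the type field (session, -session, auth, ...)
        if rest[0].startswith("["):
            # bracketed control such as [success=ok default=ignore]
            while rest and not rest[0].endswith("]"):
                rest.pop(0)
            control, rest = "[...]", rest[1:]
        else:
            control, rest = rest[0], rest[1:]
        if not rest:
            continue
        if control in ("include", "substack"):
            found += pam_limits_entries(rest[0], files, seen)
        elif os.path.basename(rest[0]) == "pam_limits.so":
            found.append((service, "set_all" in rest[1:]))
    return found

def report(files):
    """Map every service file name to the pam_limits.so entries it reaches."""
    return {name: pam_limits_entries(name, files) for name in files}
```

To audit a real system, build the `files` dictionary by reading each file under /etc/pam.d and pass it to `report`.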