Hello Simon, PAM Maintainers,

* Simon McVittie <[email protected]> [210928 13:27]:

[detailed analysis, thanks!]

> Transitional considerations
> ===========================
>
> To avoid reintroducing #63230, if that is not a desired outcome, it will
> be necessary to change /etc/pam.d/su (in the util-linux package) so that
> it invokes "pam_limits.so set_all" instead of plain "pam_limits.so". sudo
> does not seem to invoke pam_limits.so at all (at the moment), but if it
> did, I suspect we would want it to use "pam_limits.so set_all" too. Other
> privilege-changing tools like pkexec and calife might also want to use
> "pam_limits.so set_all".
>
> Possible implementation
> =======================
[..]
> I'm not marking this bug as +patch, because action is needed in other
> packages, notably util-linux, before taking this beyond a prototype.

So, should util-linux start shipping /etc/pam.d/su with
"pam_limits.so set_all" then?

As an alternate datapoint: on Fedora-derived distributions, PAM config
for su does not include pam_limits.so.

I could arrange to add "set_all" in one of the next util-linux uploads,
if so desired.

Chris
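
A check for the change discussed in this thread, as an added example that is not part of the original messages or of any package's own tooling: it reports, per PAM service file, whether each pam_limits.so line carries "set_all". The function names and the sample files are constructed for illustration, and @include'd files are not followed.

```shell
#!/bin/sh
# Added example: audit PAM service files for pam_limits.so with/without set_all.

# Print "<service>: set_all" or "<service>: plain" for every active
# pam_limits.so line in DIR (default /etc/pam.d).
audit_pam_limits() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v name="${f##*/}" '
            /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }   # join continuations
            {
                line = buf $0; buf = ""
                sub(/#.*/, "", line)                 # drop comments
                if (line !~ /pam_limits\.so/) next
                args = line
                sub(/.*pam_limits\.so/, "", args)    # keep module arguments only
                n = split(args, a, /[ \t]+/)
                state = "plain"
                for (i = 1; i <= n; i++) if (a[i] == "set_all") state = "set_all"
                print name ": " state
            }' "$f"
    done
}

# Constructed sample service files, so the check can be tried offline.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' '# constructed sample' \
        'auth       sufficient pam_rootok.so' \
        'session    required   pam_limits.so' > "$1/su"
    printf '%s\n' 'session [success=ok default=ignore] pam_limits.so \' \
        '    debug set_all' > "$1/pkexec"
    printf '%s\n' '#session required pam_limits.so set_all' \
        'session    required   pam_env.so' > "$1/sudo"
}

# With a directory argument (e.g. /etc/pam.d), audit it.
if [ $# -gt 0 ]; then audit_pam_limits "$1"; fi
```

A service that prints nothing either has the line commented out or does not invoke pam_limits.so at all, as the thread notes for sudo.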

