* Simon McVittie <s...@debian.org> [211007 22:36]:
> On Thu, 07 Oct 2021 at 22:19:43 +0200, Chris Hofstaedtler wrote:
> > * Simon McVittie <s...@debian.org> [210928 13:27]:
> > > To avoid reintroducing #63230, if that is not a desired outcome, it will
> > > be necessary to change /etc/pam.d/su (in the util-linux package) so that
> > > it invokes "pam_limits.so set_all" instead of plain "pam_limits.so".
> >
> > So, should util-linux start shipping /etc/pam.d/su with
> > "pam_limits.so set_all" then?
>
> If we want su to reset all limits to whatever value PAM guesses might be a
> reasonable default, then maybe yes. (But see also #917374, #976373 and
> upstream bug https://github.com/linux-pam/linux-pam/issues/85 - the way
> in which PAM guesses what reasonable limits might be is not great if pid 1
> is non-trivial.)

Removing pam_limits.so from su's PAM configuration might be a better
idea for an init that has its own ideas about the limits. I would
favor a config that is consistent with the rest of Debian -- if sudo
does not use pam_limits.so today, maybe su should stop.

> > As an alternate datapoint: on
> > Fedora-derived distributions, PAM config for su does not include
> > pam_limits.so.
>
> If I'm reading correctly, Fedora has pam_limits.so (but *without* set_all)
> in their equivalent of our common-session, so most/all services pick it up
> from there.

Ah, indeed. I missed that.

Chris