Control: retitle -1 sudo: Restore inclusion of pam_limits.so PAM module
Control: tags -1 + security
Control: severity -1 important
On Fri, Mar 06, 2009 at 12:23:27PM +0100, Xavier Martin wrote:
> Package: sudo
> Version: 1.6.9p17-2
> Severity: normal
>
> I've upgraded from Etch to Lenny,
> ulimit doesn't report the correct open-file limits set on my machine.
>
> Here's a test case:
> # sudo -u www-data /bin/bash -c 'ulimit -n'
> 4096
>
> # grep nofile /etc/security/limits.conf
> * soft nofile 4096
> * hard nofile 65535
>
>
> On the previous version of sudo, 1.6.8p12-4:
>
> # sudo -u www-data /bin/bash -c 'ulimit -n'
> 65536
>
>
> I'd think it's related to a change in /etc/pam.d/sudo
>
> 1.6.8p12-4:
> #%PAM-1.0
>
> @include common-auth
> @include common-account
>
> 1.6.9p17-2:
> #%PAM-1.0
>
> @include common-auth
> @include common-account
>
> session required pam_permit.so
> session required pam_limits.so

This is a longstanding issue and in fact we should restore the inclusion
of pam_limits.so. This serves as mitigation/hardening against the issue
as explained in
https://www.openwall.com/lists/oss-security/2021/10/20/2

I made a merge request addressing this at least for unstable for now in
https://salsa.debian.org/sudo-team/sudo/-/merge_requests/7

The same issue affects 'doas', will file a bug about it.

Regards,
Salvatore
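An added check for the configuration difference quoted above (example code written for this page, not part of the thread, the sudo package or the merge request): it walks a PAM service file, following Debian `@include` and Linux-PAM `session include`/`substack` directives relative to the PAM directory, and reports whether pam_limits.so is applied in the session phase, which is what makes /etc/security/limits.conf take effect for the target user. It runs against constructed sample files in a temporary directory; the service names and their contents are made up for the demonstration.

```shell
#!/bin/sh
# Return 0 if the PAM stack in $1 applies pam_limits.so in its session
# phase, searching included service files under the PAM directory $2.
# (No guard against include cycles; real /etc/pam.d trees have none.)
pam_has_limits() {
    _file=$1
    _dir=$2
    [ -r "$_file" ] || return 1
    # A direct session-phase entry, including the optional "-session" form.
    if grep -Eq '^[[:space:]]*-?session[[:space:]].*pam_limits\.so' "$_file"; then
        return 0
    fi
    # Otherwise recurse into every included service file.
    for _inc in $(sed -n \
        -e 's/^[[:space:]]*@include[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' \
        -e 's/^[[:space:]]*-\{0,1\}session[[:space:]]\{1,\}include[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' \
        -e 's/^[[:space:]]*-\{0,1\}session[[:space:]]\{1,\}substack[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' \
        "$_file"); do
        pam_has_limits "$_dir/$_inc" "$_dir" && return 0
    done
    return 1
}

report() {
    if pam_has_limits "$1" "$2"; then
        echo "$(basename "$1"): pam_limits.so applied, limits.conf is enforced"
    else
        echo "$(basename "$1"): pam_limits.so NOT applied, limits.conf is ignored"
    fi
}

# Constructed stand-in for /etc/pam.d (not the live system configuration).
PAMDIR=$(mktemp -d)
trap 'rm -rf "$PAMDIR"' EXIT
cat > "$PAMDIR/common-session" <<'EOF'
session required pam_unix.so
session required pam_limits.so
EOF
cat > "$PAMDIR/sudo-without-limits" <<'EOF'
#%PAM-1.0
@include common-auth
@include common-account
EOF
cat > "$PAMDIR/sudo-with-limits" <<'EOF'
#%PAM-1.0
@include common-auth
@include common-account
session required pam_permit.so
@include common-session
EOF

report "$PAMDIR/sudo-without-limits" "$PAMDIR"
report "$PAMDIR/sudo-with-limits" "$PAMDIR"
# On a real host: report /etc/pam.d/sudo /etc/pam.d
```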