Control: retitle -1 sudo: Restore inclusion of pam_limits.so PAM module
Control: tags -1 + security
Control: severity -1 important

On Fri, Mar 06, 2009 at 12:23:27PM +0100, Xavier Martin wrote:
> Package: sudo
> Version: 1.6.9p17-2
> Severity: normal
> 
> I've upgraded from Etch to Lenny, and
> ulimit doesn't report the correct open files limits set on my machine.
> 
> Here's a test case:
> # sudo -u www-data /bin/bash -c 'ulimit -n'
> 4096
> 
> # grep nofile /etc/security/limits.conf 
> * soft nofile 4096
> * hard nofile 65535
> 
> 
> On the previous version of sudo, 1.6.8p12-4:
> 
> # sudo -u www-data /bin/bash -c 'ulimit -n'
> 65536
> 
> 
> I'd think it's related to a change in /etc/pam.d/sudo
> 
> 1.6.8p12-4:
> #%PAM-1.0
> 
> @include common-auth
> @include common-account
> 
> 1.6.9p17-2:
> #%PAM-1.0
> 
> @include common-auth
> @include common-account
> 
> session required pam_permit.so
> session required pam_limits.so

This is a longstanding issue and in fact we should restore the
inclusion of pam_limits.so. This serves as mitigation/hardening
against the issue as explained in

https://www.openwall.com/lists/oss-security/2021/10/20/2

I made a merge request addressing this at least for unstable for now
in 

https://salsa.debian.org/sudo-team/sudo/-/merge_requests/7

The same issue affects 'doas', will file a bug about it.

Regards,
Salvatore

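As an added example (not part of this bug report or of the sudo package), a small POSIX shell audit that checks whether a pam.d/sudo file loads pam_limits.so and reads the nofile limit limits.conf would assign a user; the pam.d and limits.conf contents are constructed samples so it runs offline.

```shell
# Added example, not from the bug report: audit a pam.d/sudo file for pam_limits.so
# and read the nofile limit that limits.conf would hand a given user.

# Constructed sample files (not the system's real ones) so the script runs offline.
SAMPLE_PAM_OLD=$(mktemp); SAMPLE_PAM_NEW=$(mktemp); SAMPLE_LIMITS=$(mktemp)
trap 'rm -f "$SAMPLE_PAM_OLD" "$SAMPLE_PAM_NEW" "$SAMPLE_LIMITS"' EXIT
printf '%s\n' '#%PAM-1.0' '@include common-auth' '@include common-account' >"$SAMPLE_PAM_OLD"
{ cat "$SAMPLE_PAM_OLD"; printf '%s\n' 'session required pam_permit.so' \
    'session required pam_limits.so'; } >"$SAMPLE_PAM_NEW"
cat >"$SAMPLE_LIMITS" <<'EOF'
# constructed limits.conf: wildcard entries plus a per-user override
* soft nofile 4096
* hard nofile 65535
www-data hard nofile 32768
EOF

# Succeed (0) if FILE has an uncommented session line loading pam_limits.so.
has_pam_limits() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_limits\.so' "$1"
}

# Print the nofile limit of TYPE (soft|hard) that LIMITS_FILE assigns to USER.
# A line naming the user wins over a '*' wildcard line, as pam_limits evaluates them;
# a '-' type applies to both soft and hard.
nofile_limit() {
    awk -v user="$2" -v type="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $3 == "nofile" && ($2 == type || $2 == "-") {
            if ($1 == user) exact = $4
            else if ($1 == "*") wild = $4
        }
        END { print (exact != "" ? exact : wild) }
    ' "$1"
}

# Report whether limits.conf will be honoured for sudo sessions at all.
audit_sudo_pam() {
    if has_pam_limits "$1"; then
        echo "OK: $1 loads pam_limits.so; limits from $2 apply to sudo sessions"
        return 0
    fi
    echo "WARN: $1 does not load pam_limits.so; $2 is ignored for sudo sessions" >&2
    return 1
}

audit_sudo_pam "$SAMPLE_PAM_OLD" "$SAMPLE_LIMITS" || true
audit_sudo_pam "$SAMPLE_PAM_NEW" "$SAMPLE_LIMITS"
echo "hard nofile for www-data: $(nofile_limit "$SAMPLE_LIMITS" www-data hard)"
```

On a real host, point the two functions at /etc/pam.d/sudo and /etc/security/limits.conf and compare the printed value with `sudo -u www-data /bin/bash -c 'ulimit -Hn'`.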