On Thu, 7 Oct 2021 23:06:34 +0200 Chris Hofstaedtler <z...@debian.org> wrote:
> * Simon McVittie <s...@debian.org> [211007 22:36]:
> > On Thu, 07 Oct 2021 at 22:19:43 +0200, Chris Hofstaedtler wrote:
> > > * Simon McVittie <s...@debian.org> [210928 13:27]:
> > > > To avoid reintroducing #63230, if that is not a desired outcome, it will
> > > > be necessary to change /etc/pam.d/su (in the util-linux package) so that
> > > > it invokes "pam_limits.so set_all" instead of plain "pam_limits.so".
> > >
> > > So, should util-linux start shipping /etc/pam.d/su with
> > > "pam_limits.so set_all" then?
> >
> > If we want su to reset all limits to whatever value PAM guesses might be a
> > reasonable default, then maybe yes. (But see also #917374, #976373 and
> > upstream bug https://github.com/linux-pam/linux-pam/issues/85 - the way
> > in which PAM guesses what reasonable limits might be is not great if pid 1
> > is non-trivial.)
>
> Removing pam_limits.so from su's PAM configuration might be a better
> idea for an init that has its own ideas about the limits. I would
> favor a config that is consistent with the rest of Debian -- if sudo
> does not use pam_limits.so today, maybe su should stop.
>
> > > As an alternate datapoint: on
> > > Fedora-derived distributions, PAM config for su does not include
> > > pam_limits.so.
> >
> > If I'm reading correctly, Fedora has pam_limits.so (but *without* set_all)
> > in their equivalent of our common-session, so most/all services pick it up
> > from there.
>
> Ah, indeed. I missed that.

In 2.38 util-linux started setting some defaults in su, so I don't think
the original downstream change is needed anymore:

https://github.com/util-linux/util-linux/commit/08273c672b105602e1a9031160ccefec171b02ed

I am going to revert the change from #917167 that stopped the default fd
limit from being bumped, sometime next week. If changes are needed to
deal with this in the pam/util-linux config/patches, I would appreciate
it if they could please be taken care of for Trixie.

Thanks.

--
Kind regards,
Luca Boccassi