Hello! Here is an improved variant of the patch. It allows the system administrator to configure RLIMIT_RTPRIO and RLIMIT_NICE via the "rt_priority" and "nice" entries in /etc/security/limits.conf
Best regards, Alexei. -- All science is either physics or stamp collecting.
Index: pam-0.79/Linux-PAM/modules/pam_limits/pam_limits.c
===================================================================
--- pam-0.79.orig/Linux-PAM/modules/pam_limits/pam_limits.c 2006-09-22
22:16:10.000000000 +0400
+++ pam-0.79/Linux-PAM/modules/pam_limits/pam_limits.c 2006-09-22
22:17:46.000000000 +0400
@@ -257,8 +257,38 @@
pl->supported[i] = 1;
pl->limits[i].src_soft = LIMITS_DEF_NONE;
pl->limits[i].src_hard = LIMITS_DEF_NONE;
- pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
- pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+ switch (i) {
+ case RLIMIT_CPU:
+ case RLIMIT_FSIZE:
+ case RLIMIT_DATA:
+ case RLIMIT_STACK:
+ case RLIMIT_CORE:
+ case RLIMIT_RSS:
+ case RLIMIT_NPROC:
+ case RLIMIT_NOFILE:
+ case RLIMIT_MEMLOCK:
+#ifdef RLIMIT_AS
+ case RLIMIT_AS:
+#endif
+#ifdef RLIMIT_LOCKS
+ case RLIMIT_LOCKS:
+#endif
+#ifdef RLIMIT_SIGPENDING
+ case RLIMIT_SIGPENDING:
+#endif
+#ifdef RLIMIT_MSGQUEUE
+ case RLIMIT_MSGQUEUE:
+#endif
+ pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
+ pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+ break;
+ default:
+ /* Dont touch unknown/unsupported rlimit values ---
+ * RLIM_INFINITY might be a bad choice for them and
+ * even open up security holes (for example, the latter
+ * is true for RLIM_RTPRIO in newer Linux kernels). */
+ break;
+ }
}
}
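Review bot: The comment in the new `default:` branch names `RLIM_RTPRIO`, but the macro this same patch tests and assigns further down is `RLIMIT_RTPRIO`; the typo sends a reader looking for a symbol that does not exist. The comment also leaves implicit what value the untouched entries keep, which depends on what the enclosing loop stored in `pl->limits[i].limit` before the switch (that statement, and the loop itself, begin above the hunk); if it is a `getrlimit()` result the entries inherit the calling process's current limits, and if nothing was stored they are uninitialized when they are later applied, so the comment should say which. Suggested wording: `/* Don't touch unknown/unsupported rlimit values --- they keep the value recorded above the switch. RLIM_INFINITY may be a bad default for them and can even open security holes (e.g. RLIMIT_RTPRIO on newer Linux kernels). */`.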
@@ -327,6 +357,14 @@
else if (strcmp(lim_item, "msgqueue") == 0)
limit_item = RLIMIT_MSGQUEUE;
#endif
+#ifdef RLIMIT_RTPRIO
+ else if (strcmp(lim_item, "rt_priority") == 0)
+ limit_item = RLIMIT_RTPRIO;
+#endif
+#ifdef RLIMIT_NICE
+ else if (strcmp(lim_item, "nice") == 0)
+ limit_item = RLIMIT_NICE;
+#endif
else if (strcmp(lim_item, "maxlogins") == 0) {
limit_item = LIMIT_LOGIN;
pl->flag_numsyslogins = 0;
@@ -399,6 +437,22 @@
#endif
limit_value *= 1024;
break;
+#ifdef RLIMIT_RTPRIO
+ case RLIMIT_RTPRIO:
+ if (limit_value > 99)
+ limit_value = 99;
+ if (limit_value < 0)
+ limit_value = 0;
+ break;
+#endif
+#ifdef RLIMIT_NICE
+ case RLIMIT_NICE:
+ if (limit_value > 39)
+ limit_value = 39;
+ if (limit_value < 0)
+ limit_value = 0;
+ break;
+#endif
}
if ( (limit_item != LIMIT_LOGIN)
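Review bot: The `RLIMIT_NICE` case clamps the configured value to 0..39 and stores it raw, while the README and limits.skel text in this patch describe the item as the nice value to which processes may be raised; on Linux the RLIMIT_NICE ceiling is encoded as `20 - nice` (raw range 1..40, to be confirmed against the kernel's setpriority()), so an administrator who writes `nice -10` from that description gets 0 after the `< 0` clamp, i.e. no ability to raise priority at all, and the `39` cap also excludes the raw value 40. Either convert here, `limit_value = 20 - limit_value;` before clamping to the raw range, or state in README and limits.skel that the value is the raw rlimit number. Both new cases also silently rewrite out-of-range values instead of rejecting the line, so a typo such as `rt_priority 990` becomes 99 with no syslog entry; reporting it the way other parse errors in this function are reported would be more consistent. If `limit_value` is a signed type and "unlimited" is stored as RLIM_INFINITY cast into it, the `< 0` clamp would also turn "unlimited" into 0 for these two items, which is worth checking since the declaration is outside the hunk. process_limit begins and ends outside the hunk.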
Index: pam-0.79/Linux-PAM/modules/pam_limits/README
===================================================================
--- pam-0.79.orig/Linux-PAM/modules/pam_limits/README 2005-01-10
13:09:51.000000000 +0300
+++ pam-0.79/Linux-PAM/modules/pam_limits/README 2006-09-22
22:17:46.000000000 +0400
@@ -42,7 +42,11 @@
- sigpending - max number of pending signals (Linux 2.6 and higher)
- msgqueue - max memory used by POSIX message queues (bytes)
(Linux 2.6 and higher)
-
+ - rt_priority - ceiling on real-time priority which can be set by
+ this user (Linux 2.6.13 and higher)
+ - nice - ceiling to which the processes’ nice value can be raised
+ (Linux 2.6.13 and higher)
+
Note, if you specify a type of '-' but neglect to supply the item and
value fields then the module will never enforce any limits on the
specified user/group etc. .
Index: pam-0.79/Linux-PAM/modules/pam_limits/limits.skel
===================================================================
--- pam-0.79.orig/Linux-PAM/modules/pam_limits/limits.skel 2005-01-10
13:09:51.000000000 +0300
+++ pam-0.79/Linux-PAM/modules/pam_limits/limits.skel 2006-09-22
22:17:46.000000000 +0400
@@ -32,6 +32,8 @@
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
+# - rt_priority - ceiling on real-time priority which can be set
+# - nice - ceiling to which the processes’ nice value can be raised
#
#<domain> <type> <item> <value>
#
Index: pam-0.79/debian/rules
===================================================================
--- pam-0.79.orig/debian/rules 2006-09-22 22:16:10.000000000 +0400
+++ pam-0.79/debian/rules 2006-09-22 22:18:30.000000000 +0400
@@ -87,7 +87,9 @@
dh_movefiles -i
dh_installman -plibpam-runtime $(BUILD_TREE)/doc/man/*.[578]
- rm debian/libpam-runtime/usr/share/man/man8/{pam.8,pam.d.8,pam.conf.8}
+ rm debian/libpam-runtime/usr/share/man/man8/pam.8
+ rm debian/libpam-runtime/usr/share/man/man8/pam.d.8
+ rm debian/libpam-runtime/usr/share/man/man8/pam.conf.8
dh_installdocs -i
dh_installchangelogs -i $(BUILD_TREE)/CHANGELOG
dh_compress -i -X.html

