Bug#518464: Restore inclusion of pam_limits.so PAM module

2021-10-23 Thread Salvatore Bonaccorso
Hi,

On Wed, Oct 20, 2021 at 04:49:06PM +0200, Salvatore Bonaccorso wrote:
> Control: retitle -1 sudo: Restore inclusion of pam_limits.so PAM module
> Control: tags -1 + security
> Control: severity -1 important
> 
> On Fri, Mar 06, 2009 at 12:23:27PM +0100, Xavier Martin wrote:
> > Package: sudo
> > Version: 1.6.9p17-2
> > Severity: normal
> > 
> > I've upgraded from Etch to Lenny, and
> > ulimit doesn't report the correct open files limit set on my machine.
> > 
> > Here's a test case:
> > # sudo -u www-data /bin/bash -c 'ulimit -n'
> > 4096
> > 
> > # grep nofile /etc/security/limits.conf 
> > * soft nofile 4096
> > * hard nofile 65535
> > 
> > 
> > On the previous version of sudo, 1.6.8p12-4:
> > 
> > # sudo -u www-data /bin/bash -c 'ulimit -n'
> > 65536
> > 
> > 
> > I'd think it's related to a change in /etc/pam.d/sudo
> > 
> > 1.6.8p12-4:
> > #%PAM-1.0
> > 
> > @include common-auth
> > @include common-account
> > 
> > 1.6.9p17-2:
> > #%PAM-1.0
> > 
> > @include common-auth
> > @include common-account
> > 
> > session required pam_permit.so
> > session required pam_limits.so
> 
> This is a longstanding issue and in fact we should restore the
> inclusion of the pam_limits.so. This serves as mitigation/hardening
> against the issue as explained in
> 
> https://www.openwall.com/lists/oss-security/2021/10/20/2
> 
> I made a merge request addressing this at least for unstable for now
> in 
> 
> https://salsa.debian.org/sudo-team/sudo/-/merge_requests/7

Let me be more specific about the mitigation part for sudo of the above
oss-security reference. As we in Debian are missing the pam_limits inclusion:

| user@sid:~$ cat /etc/pam.d/sudo
| #%PAM-1.0
|
| @include common-auth
| @include common-account
| @include common-session-noninteractive
| user@sid:~$ ulimit -c
| unlimited
| user@sid:~$ sudo sh -c 'ulimit -c'
| unlimited

with the merge request patch adding pam_limits back:

| user@sid:~$ cat /etc/pam.d/sudo
| #%PAM-1.0
|
| # Set up user limits from /etc/security/limits.conf.
| session required   pam_limits.so
|
| @include common-auth
| @include common-account
| @include common-session-noninteractive
| user@sid:~$ ulimit -c
| unlimited
| user@sid:~$ sudo sh -c 'ulimit -c'
| 0

So far I think we should do the change only in unstable and expose the
change further. 

Regards,
Salvatore
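The difference shown above comes down to whether the sudo PAM stack, including whatever the @include'd common-* files pull in, carries a pam_limits.so session entry. The script below is an added example (not from the bug report, the merge request, or the Debian sudo package) that checks this for a given service by walking /etc/pam.d-style files and following @include; the pam.d tree it builds in a temporary directory is constructed to mirror the two configurations quoted above.

```bash
#!/bin/bash
# Added example (not from the bug report or the Debian sudo package): report
# whether a PAM service stack configures pam_limits.so as a session module,
# following @include so modules pulled in via common-* files are counted too.
# Usage: pam_has_limits <pam.d directory> <service>; returns 0 if found, 1 if not.
pam_has_limits() {
    local dir="$1" file="$1/$2" line w
    [ -r "$file" ] || return 1
    while read -r line; do                        # default IFS trims whitespace
        case "$line" in ''|\#*) continue ;; esac  # blank line or comment
        set -f; set -- $line; set +f              # split fields, no globbing
        case "$1" in
            @include) pam_has_limits "$dir" "$2" && return 0 ;;
            session|-session)
                shift
                # A bracketed control ("[success=1 default=ignore]") may span
                # several words: skip to the word after the closing ']'.
                case "$1" in
                    \[*) while [ $# -gt 0 ]; do w=$1; shift
                             case "$w" in *\]) break ;; esac; done ;;
                    *)   shift ;;
                esac
                case "$1" in pam_limits.so|*/pam_limits.so) return 0 ;; esac ;;
        esac
    done < "$file"
    return 1
}

# Constructed pam.d tree modelled on the configs quoted above: 'sudo' as shipped
# (no pam_limits) and 'sudo-fixed' with the merge-request line added.
PAM_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$PAM_DEMO_DIR"' EXIT
printf 'auth\t[success=1 default=ignore]\tpam_unix.so nullok\nauth\trequired\tpam_deny.so\n' \
    > "$PAM_DEMO_DIR/common-auth"
printf 'account\trequired\tpam_unix.so\n' > "$PAM_DEMO_DIR/common-account"
printf 'session\trequired\tpam_unix.so\nsession\toptional\tpam_systemd.so\n' \
    > "$PAM_DEMO_DIR/common-session-noninteractive"
printf '#%%PAM-1.0\n\n@include common-auth\n@include common-account\n@include common-session-noninteractive\n' \
    > "$PAM_DEMO_DIR/sudo"
printf '#%%PAM-1.0\n\nsession\trequired\tpam_limits.so\n\n@include common-auth\n@include common-account\n@include common-session-noninteractive\n' \
    > "$PAM_DEMO_DIR/sudo-fixed"

# On a real system: pam_has_limits /etc/pam.d sudo
for svc in sudo sudo-fixed; do
    if pam_has_limits "$PAM_DEMO_DIR" "$svc"; then
        echo "$svc: pam_limits.so present, limits.conf applies to sudo sessions"
    else
        echo "$svc: pam_limits.so missing, limits.conf is NOT applied"
    fi
done
```

A missing result for the real /etc/pam.d/sudo means limits.conf settings such as a hard core size of 0 do not take effect for commands run via sudo, exactly the `ulimit -c` difference shown in the two transcripts above.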



Bug#518464: Restore inclusion of pam_limits.so PAM module

2021-10-20 Thread Salvatore Bonaccorso
Control: retitle -1 sudo: Restore inclusion of pam_limits.so PAM module
Control: tags -1 + security
Control: severity -1 important

On Fri, Mar 06, 2009 at 12:23:27PM +0100, Xavier Martin wrote:
> Package: sudo
> Version: 1.6.9p17-2
> Severity: normal
> 
> I've upgraded from Etch to Lenny, and
> ulimit doesn't report the correct open files limit set on my machine.
> 
> Here's a test case:
> # sudo -u www-data /bin/bash -c 'ulimit -n'
> 4096
> 
> # grep nofile /etc/security/limits.conf 
> * soft nofile 4096
> * hard nofile 65535
> 
> 
> On the previous version of sudo, 1.6.8p12-4:
> 
> # sudo -u www-data /bin/bash -c 'ulimit -n'
> 65536
> 
> 
> I'd think it's related to a change in /etc/pam.d/sudo
> 
> 1.6.8p12-4:
> #%PAM-1.0
> 
> @include common-auth
> @include common-account
> 
> 1.6.9p17-2:
> #%PAM-1.0
> 
> @include common-auth
> @include common-account
> 
> session required pam_permit.so
> session required pam_limits.so

This is a longstanding issue and in fact we should restore the
inclusion of the pam_limits.so. This serves as mitigation/hardening
against the issue as explained in

https://www.openwall.com/lists/oss-security/2021/10/20/2

I made a merge request addressing this at least for unstable for now
in 

https://salsa.debian.org/sudo-team/sudo/-/merge_requests/7

The same issue affects 'doas'; I will file a bug about it.

Regards,
Salvatore