Hi,
On Wed, Oct 20, 2021 at 04:49:06PM +0200, Salvatore Bonaccorso wrote:
> Control: retitle -1 sudo: Restore inclusion of pam_limits.so PAM module
> Control: tags -1 + security
> Control: severity -1 important
>
> On Fri, Mar 06, 2009 at 12:23:27PM +0100, Xavier Martin wrote:
> > Package: sudo
> > Version: 1.6.9p17-2
> > Severity: normal
> >
> > I've upgraded from Etch to Lenny, and ulimit doesn't report the
> > correct open files limits set on my machine.
> >
> > Here's a test case:
> > # sudo -u www-data /bin/bash -c 'ulimit -n'
> > 4096
> >
> > # grep nofile /etc/security/limits.conf
> > * soft nofile 4096
> > * hard nofile 65535
> >
> >
> > On the previous version of sudo, 1.6.8p12-4:
> >
> > # sudo -u www-data /bin/bash -c 'ulimit -n'
> > 65536
> >
> >
> > I'd think it's related to a change in /etc/pam.d/sudo
> >
> > 1.6.8p12-4:
> > #%PAM-1.0
> >
> > @include common-auth
> > @include common-account
> >
> > 1.6.9p17-2:
> > #%PAM-1.0
> >
> > @include common-auth
> > @include common-account
> >
> > session required pam_permit.so
> > session required pam_limits.so
>
> This is a longstanding issue and in fact we should restore the
> inclusion of the pam_limits.so. This serves as mitigation/hardening
> against the issue as explained in
>
> https://www.openwall.com/lists/oss-security/2021/10/20/2
>
> I made a merge request addressing this at least for unstable for now
> in
>
> https://salsa.debian.org/sudo-team/sudo/-/merge_requests/7
Let me be more specific on the mitigation part for sudo of the above
oss-security reference. As we in Debian miss the pam_limits inclusion:
| user@sid:~$ cat /etc/pam.d/sudo
| #%PAM-1.0
|
| @include common-auth
| @include common-account
| @include common-session-noninteractive
| user@sid:~$ ulimit -c
| unlimited
| user@sid:~$ sudo sh -c 'ulimit -c'
| unlimited
with the merge request patch adding pam_limits back:
| user@sid:~$ cat /etc/pam.d/sudo
| #%PAM-1.0
|
| # Set up user limits from /etc/security/limits.conf.
| session required pam_limits.so
|
| @include common-auth
| @include common-account
| @include common-session-noninteractive
| user@sid:~$ ulimit -c
| unlimited
| user@sid:~$ sudo sh -c 'ulimit -c'
| 0
So far I think we should do the change only in unstable and expose the
change further.
Regards,
Salvatore
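The thread turns on whether the sudo PAM stack ever loads pam_limits.so in its session phase, which is not obvious from a glance at /etc/pam.d/sudo because Debian spreads the stack over @include'd common-* files. The following audit helper is an added example, not code from the bug report, the merge request or the Debian sudo package: it walks a PAM service file and every file it pulls in via @include, "session include" or "session substack" (resolved relative to the PAM directory, as libpam does) and reports whether a given module appears on a session line. The fixture files it builds in a temporary directory are constructed for the demo and modelled on the before/after configurations quoted above; common-auth and common-account are deliberately absent from the fixture to show that missing includes are tolerated.

```shell
#!/bin/sh
# Added example (not from the bug thread or the Debian sudo package):
# audit a PAM service stack for a module in its session phase, following
# include directives. Fixture file names below are constructed for the demo.

# pam_session_has SERVICE_FILE MODULE PAMDIR
# Prints 1 if MODULE is the module field of an uncommented "session" line in
# SERVICE_FILE or in any file it includes (relative to PAMDIR), else 0.
pam_session_has() {
    # A missing include (e.g. common-auth absent from the fixture) is not a hit.
    [ -r "$1" ] || { echo 0; return 0; }
    # Direct hit: drop comment lines, then match "session <control...> MODULE".
    # A leading "-" (optional module, silently skipped if absent) is allowed.
    if grep -Ev '^[[:space:]]*#' "$1" |
       grep -Eq "^[[:space:]]*-?session[[:space:]]+.*[[:space:]]$2([[:space:]]|\$)"; then
        echo 1; return 0
    fi
    # Otherwise descend into "@include file", "session include file" and
    # "session substack file"; the recursive call runs in a subshell, so the
    # positional parameters of this frame are untouched.
    for inc in $(grep -Ev '^[[:space:]]*#' "$1" |
                 awk '$1=="@include" {print $2}
                      $1=="session" && ($2=="include" || $2=="substack") {print $3}'); do
        if [ "$(pam_session_has "$3/$inc" "$2" "$3")" = 1 ]; then
            echo 1; return 0
        fi
    done
    echo 0
}

# make_fixture -> prints a temp dir holding constructed service files:
#   sudo.old      the sid stack before the merge request (no pam_limits)
#   sudo.new      the stack with pam_limits added ahead of the includes
#   sudo.indirect a variant that only gets pam_limits via common-session,
#                 to exercise include resolution
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n' 'session required pam_unix.so' > "$d/common-session-noninteractive"
    printf '%s\n' 'session required pam_unix.so' \
                  'session required pam_limits.so' > "$d/common-session"
    printf '%s\n' '#%PAM-1.0' '' '@include common-auth' '@include common-account' \
                  '@include common-session-noninteractive' > "$d/sudo.old"
    printf '%s\n' '#%PAM-1.0' '' \
                  '# Set up user limits from /etc/security/limits.conf.' \
                  'session required pam_limits.so' '' \
                  '@include common-auth' '@include common-account' \
                  '@include common-session-noninteractive' > "$d/sudo.new"
    printf '%s\n' '#%PAM-1.0' '@include common-auth' \
                  '@include common-session' > "$d/sudo.indirect"
    echo "$d"
}

# Stand-alone demo: report each constructed service, then clean up.
fixture=$(make_fixture)
for svc in sudo.old sudo.new sudo.indirect; do
    printf '%-14s pam_limits.so in session stack: %s\n' "$svc" \
        "$(pam_session_has "$fixture/$svc" pam_limits.so "$fixture")"
done
rm -rf "$fixture"
```

On a real system the same check is `pam_session_has /etc/pam.d/sudo pam_limits.so /etc/pam.d`; a 0 there means /etc/security/limits.conf is never consulted for commands run through sudo, which is exactly the state the `ulimit -c` transcript above demonstrates.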