Hi, I tested the proposed patch for this bug and it seems to work. IMHO the patch seems correct.
I did not upload an NMU, because I was not sure why the patch was not yet integrated into the SVN repository. If you don't oppose, I can do an NMU either with only the patch applied to the version currently in sid or of the current SVN version. Attached you can find an updated patch which applies to the version in SVN.

gaudenz

--
Ever tried. Ever failed. No matter. Try again. Fail again. Fail better.
~ Samuel Beckett ~

Index: debian/changelog =================================================================== --- debian/changelog (Revision 377) +++ debian/changelog (Arbeitskopie) @@ -1,5 +1,6 @@ pam (0.79-4) UNRELEASED; urgency=low + [ Steve Langasek ] * Move libpam-modules and libpam0g to Section: libs and libpam-runtime to section: admin, to match the overrides in the archive. * Move old changelog entries (well, entry) that don't follow the current @@ -17,8 +18,12 @@ * Don't build-depend on libselinux1-dev and libcap-dev on kfreebsd archs. Closes: #352329. - -- Steve Langasek <[EMAIL PROTECTED]> Sun, 23 Oct 2005 23:17:24 -0700 + [ Gaudenz Steinlin ] + * Patch 062: fix pam_limit to not set "max nice" and "max rt priority" to + unlimited. Set to 0 by default instead. + -- Gaudenz Steinlin <[EMAIL PROTECTED]> Sat, 7 Oct 2006 17:23:54 +0200 + pam (0.79-3) unstable; urgency=low * Patch 059 Index: Linux-PAM/modules/pam_limits/pam_limits.c =================================================================== --- Linux-PAM/modules/pam_limits/pam_limits.c (Revision 377) +++ Linux-PAM/modules/pam_limits/pam_limits.c (Arbeitskopie) 
@@ -257,8 +257,38 @@ pl->supported[i] = 1; pl->limits[i].src_soft = LIMITS_DEF_NONE; pl->limits[i].src_hard = LIMITS_DEF_NONE; - pl->limits[i].limit.rlim_cur = RLIM_INFINITY; - pl->limits[i].limit.rlim_max = RLIM_INFINITY; + switch (i) { + case RLIMIT_CPU: + case RLIMIT_FSIZE: + case RLIMIT_DATA: + case RLIMIT_STACK: + case RLIMIT_CORE: + case RLIMIT_RSS: + case RLIMIT_NPROC: + case RLIMIT_NOFILE: + case RLIMIT_MEMLOCK: +#ifdef RLIMIT_AS + case RLIMIT_AS: +#endif +#ifdef RLIMIT_LOCKS + case RLIMIT_LOCKS: +#endif +#ifdef RLIMIT_SIGPENDING + case RLIMIT_SIGPENDING: +#endif +#ifdef RLIMIT_MSGQUEUE + case RLIMIT_MSGQUEUE: +#endif + pl->limits[i].limit.rlim_cur = RLIM_INFINITY; + pl->limits[i].limit.rlim_max = RLIM_INFINITY; + break; + default: + /* Dont touch unknown/unsupported rlimit values --- + * RLIM_INFINITY might be a bad choice for them and + * even open up security holes (for example, the latter + * is true for RLIM_RTPRIO in newer Linux kernels). */ + break; + } } } @@ -327,6 +357,14 @@ else if (strcmp(lim_item, "msgqueue") == 0) limit_item = RLIMIT_MSGQUEUE; #endif +#ifdef RLIMIT_RTPRIO + else if (strcmp(lim_item, "rt_priority") == 0) + limit_item = RLIMIT_RTPRIO; +#endif +#ifdef RLIMIT_NICE + else if (strcmp(lim_item, "nice") == 0) + limit_item = RLIMIT_NICE; +#endif else if (strcmp(lim_item, "maxlogins") == 0) { limit_item = LIMIT_LOGIN; pl->flag_numsyslogins = 0; @@ -399,6 +437,22 @@ #endif limit_value *= 1024; break; +#ifdef RLIMIT_RTPRIO + case RLIMIT_RTPRIO: + if (limit_value > 99) + limit_value = 99; + if (limit_value < 0) + limit_value = 0; + break; +#endif +#ifdef RLIMIT_NICE + case RLIMIT_NICE: + if (limit_value > 39) + limit_value = 39; + if (limit_value < 0) + limit_value = 0; + break; +#endif } if ( (limit_item != LIMIT_LOGIN) Index: Linux-PAM/modules/pam_limits/README =================================================================== --- Linux-PAM/modules/pam_limits/README (Revision 377) +++ Linux-PAM/modules/pam_limits/README (Arbeitskopie) 
@@ -42,7 +42,11 @@ - sigpending - max number of pending signals (Linux 2.6 and higher) - msgqueue - max memory used by POSIX message queues (bytes) (Linux 2.6 and higher) - + - rt_priority - ceiling on real-time priority which can be set by + this user (Linux 2.6.13 and higher) + - nice - ceiling to which the processesâ nice value can be raised + (Linux 2.6.13 and higher) + Note, if you specify a type of '-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc. . Index: Linux-PAM/modules/pam_limits/limits.skel =================================================================== --- Linux-PAM/modules/pam_limits/limits.skel (Revision 377) +++ Linux-PAM/modules/pam_limits/limits.skel (Arbeitskopie) @@ -32,6 +32,8 @@ # - locks - max number of file locks the user can hold # - sigpending - max number of pending signals # - msgqueue - max memory used by POSIX message queues (bytes) +# - rt_priority - ceiling on real-time priority which can be set +# - nice - ceiling to which the processesâ nice value can be raised # #<domain> <type> <item> <value> #
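
Review bot: in the pam_limits.c hunk at @@ -257, the new `default:` branch assigns nothing to `pl->limits[i].limit`, yet the changelog entry in this same patch says the two limits are "Set to 0 by default instead", and the context line above still marks the slot with `pl->supported[i] = 1`. As written, the effective default for RLIMIT_RTPRIO and RLIMIT_NICE is whatever the structure already held, which is not visible in this hunk. Either assign 0 to `rlim_cur` and `rlim_max` explicitly for those two limits under their `#ifdef` guards, or reword the changelog to say the values are left untouched and note in the comment where they come from. The comment also names `RLIM_RTPRIO`, while the constant used in the later hunks is `RLIMIT_RTPRIO`, and "Dont" should be "Don't".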
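
Review bot: in the pam_limits.c hunk at @@ -399, the `RLIMIT_RTPRIO` and `RLIMIT_NICE` cases clamp out-of-range values to 0..99 and 0..39 without any diagnostic, so a typo or a misunderstanding in limits.conf silently turns into a different limit than the administrator wrote. This matters most for `nice`: the README text added in this patch describes the item in terms of the process's nice value, but `if (limit_value < 0) limit_value = 0;` forces every negative entry to 0. Please log a warning when a value is clamped, and replace the bare 99 and 39 with named constants whose comment says which encoding the 0..39 range represents.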
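
Review bot: in the README hunk at @@ -42 and the limits.skel hunk at @@ -32, the new `rt_priority` and `nice` entries do not state the accepted value ranges, although pam_limits.c in this patch enforces 0..99 and 0..39 respectively. Add the ranges to both descriptions so the documentation matches what the parser accepts. The `nice` line in both files contains a non-ASCII apostrophe after "processes"; use plain ASCII ("process's") so the files stay readable in any locale. The limits.skel entries also omit the "(Linux 2.6.13 and higher)" note that the README entries carry.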