pam 0.99
Kees Cook
kees at ubuntu.com
Thu Sep 6 01:18:30 BST 2007
Hi,
It was suggested to take a look at the new PAM in Debian, and perhaps
get a UVFe for it. I figured I'd start with (this) email, and get
feedback before creating the bug for the official UVFe. What do people
think about getting this into Gutsy?
Merge is here[1], including the debdiffs between Debian for the old[2] and
the new[3] versions. The Debian changelog[4] is extensive, but is
probably worth us getting it into Gutsy to get as much shake-down time
as we can.
Does anyone (Mithrandir?) remember why we're carrying the per-user
.pam_environment file patch? That was the most extensive to port to the
new code (the other Ubuntu changes were pretty trivial).
Also, I wanted to make sure the Conflicts and postinst version tests for
things prior to Dapper were safe to drop in the interests of minimizing
our delta.
A notable change between old and new PAM is the (correct, IMHO) handling
of the kernel ulimit defaults. Here is the diff between pre and post
upgrade:
--- pre.txt 2007-09-05 20:50:36.000000000 -0400
+++ post.txt 2007-09-05 21:05:04.000000000 -0400
@@ -1,16 +1,16 @@
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
-scheduling priority (-e) 20
+scheduling priority (-e) 0
file size (blocks, -f) unlimited
-pending signals (-i) unlimited
-max locked memory (kbytes, -l) unlimited
+pending signals (-i) 2048
+max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
-POSIX message queues (bytes, -q) unlimited
+POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
-max user processes (-u) unlimited
+max user processes (-u) 2048
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
This addresses all of the issues I had with ulimits. This change alone,
will likely close several security-related bugs. :)
Details on the merge:
pam (0.99.7.1-4ubuntu1) gutsy; urgency=low
.
* Resynchronise with Debian. Remaining changes:
- debian/control, debian/local/common-session{,md5sums}: use
libpam-foreground for session management.
- debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
The nis package handles overriding this as necessary.
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
present there or in etc/security/pam_env.conf.
- debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
type rather than __u8.
- debian/patches-applied/ubuntu-user_defined_environment: Look at
~/.pam_environment too, with the same format as
/etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
RLIMIT_NICE from below as well as from above. Fix off-by-one error when
converting RLIMIT_NICE to the range of values used by the kernel.
(Originally patch 101; converted to quilt.)
* Dropped:
- debian/rules: bashism fixes (merged upstream).
- debian/control: Conflict on ancient nis (expired with Breezy).
- debian/libpam-runtime.postinst: check for ancient pam (expired with
Breezy).
Thanks,
-Kees
[1] http://people.ubuntu.com/~kees/gutsy/
[2] http://people.ubuntu.com/~kees/gutsy/pam_0.79-4ubuntu2.ubuntu.diff
[3] http://people.ubuntu.com/~kees/gutsy/pam_0.99.7.1-4ubuntu1.ubuntu.diff
[4] http://packages.debian.org/changelogs/pool/main/p/pam/current/changelog
--
Kees Cook
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20070905/c69013af/attachment.pgp
More information about the ubuntu-devel
mailing list