pam 0.99

Kees Cook kees at
Thu Sep 6 01:18:30 BST 2007


It was suggested to take a look at the new PAM in Debian, and perhaps
get a UVFe for it.  I figured I'd start with (this) email, and get
feedback before creating the bug for the official UVFe.  What do people
think about getting this into Gutsy?

Merge is here[1], including the debdiffs between Debian for the old[2] and
the new[3] versions.  The Debian changelog[4] is extensive, but is
probably worth us getting it into Gutsy to get as much shake-down time
as we can.

Does anyone (Mithrandir?) remember why we're carrying the per-user
.pam_environment file patch?  That was the most extensive to port to the
new code (the other Ubuntu changes were pretty trivial).

Also, I wanted to make sure the Conflicts and postinst version tests for
things prior to Dapper were safe to drop in the interests of minimizing
our delta.

A notable change between old and new PAM is the (correct, IMHO) handling
of the kernel ulimit defaults.  Here is the diff between pre and post

--- pre.txt       2007-09-05 20:50:36.000000000 -0400
+++ post.txt    2007-09-05 21:05:04.000000000 -0400
@@ -1,16 +1,16 @@
 core file size          (blocks, -c) 0
 data seg size           (kbytes, -d) unlimited
-scheduling priority             (-e) 20
+scheduling priority             (-e) 0
 file size               (blocks, -f) unlimited
-pending signals                 (-i) unlimited
-max locked memory       (kbytes, -l) unlimited
+pending signals                 (-i) 2048
+max locked memory       (kbytes, -l) 32
 max memory size         (kbytes, -m) unlimited
 open files                      (-n) 1024
 pipe size            (512 bytes, -p) 8
-POSIX message queues     (bytes, -q) unlimited
+POSIX message queues     (bytes, -q) 819200
 real-time priority              (-r) 0
 stack size              (kbytes, -s) 8192
 cpu time               (seconds, -t) unlimited
-max user processes              (-u) unlimited
+max user processes              (-u) 2048
 virtual memory          (kbytes, -v) unlimited
 file locks                      (-x) unlimited

This addresses all of the issues I had with ulimits.  This change alone,
will likely close several security-related bugs.  :)

Details on the merge:

 pam ( gutsy; urgency=low
   * Resynchronise with Debian. Remaining changes:
     - debian/control, debian/local/common-session{,md5sums}: use
       libpam-foreground for session management.
     - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
       The nis package handles overriding this as necessary.
     - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
       present there or in etc/security/pam_env.conf.
     - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
       type rather than __u8.
     - debian/patches-applied/ubuntu-user_defined_environment: Look at
       ~/.pam_environment too, with the same format as
       /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
     - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
       initialise RLIMIT_NICE rather than relying on the kernel limits.  Bound
       RLIMIT_NICE from below as well as from above. Fix off-by-one error when
       converting RLIMIT_NICE to the range of values used by the kernel.
       (Originally patch 101; converted to quilt.)
   * Dropped:
     - debian/rules: bashism fixes (merged upstream).
     - debian/control: Conflict on ancient nis (expired with Breezy).
     - debian/libpam-runtime.postinst: check for ancient pam (expired with




Kees Cook
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : 

More information about the ubuntu-devel mailing list