pam 0.99
Matt Zimmerman
mdz at ubuntu.com
Fri Sep 7 18:45:50 BST 2007
On Wed, Sep 05, 2007 at 05:18:30PM -0700, Kees Cook wrote:
> Does anyone (Mithrandir?) remember why we're carrying the per-user
> .pam_environment file patch? That was the most extensive to port to the
> new code (the other Ubuntu changes were pretty trivial).
I think this was low-hanging fruit added during the implementation of
one-true-path. It isn't essential functionality.
> A notable change between old and new PAM is the (correct, IMHO) handling
> of the kernel ulimit defaults. Here is the diff between pre and post
> upgrade:
>
> --- pre.txt 2007-09-05 20:50:36.000000000 -0400
> +++ post.txt 2007-09-05 21:05:04.000000000 -0400
> @@ -1,16 +1,16 @@
> core file size (blocks, -c) 0
> data seg size (kbytes, -d) unlimited
> -scheduling priority (-e) 20
> +scheduling priority (-e) 0
> file size (blocks, -f) unlimited
> -pending signals (-i) unlimited
> -max locked memory (kbytes, -l) unlimited
> +pending signals (-i) 2048
> +max locked memory (kbytes, -l) 32
> max memory size (kbytes, -m) unlimited
> open files (-n) 1024
> pipe size (512 bytes, -p) 8
> -POSIX message queues (bytes, -q) unlimited
> +POSIX message queues (bytes, -q) 819200
> real-time priority (-r) 0
> stack size (kbytes, -s) 8192
> cpu time (seconds, -t) unlimited
> -max user processes (-u) unlimited
> +max user processes (-u) 2048
> virtual memory (kbytes, -v) unlimited
> file locks (-x) unlimited
>
> This addresses all of the issues I had with ulimits. This change alone,
> will likely close several security-related bugs. :)
I think these new limits are more correct, but even correct changes often
break applications. :-)
Do you think we have sufficient time to work out the bugs prior to release?
> --
> ubuntu-devel mailing list
> ubuntu-devel at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
--
- mdz
More information about the ubuntu-devel
mailing list