Debian Bug report logs - #241663
pam_limits resets nice value to 0

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jö Fahlke <jorrit@jorrit.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: pam_limits resets nice value to 0

Date: Fri, 2 Apr 2004 11:35:44 +0200

[Message part 1 (text/plain, inline)]

Package: libpam-modules
Version: 0.76-16
Severity: normal
File: pam_limits.so
Tags: patch

pam_limits resets the nice value to 0, even with an empty limits.conf.
Refer to bug #240873 for why this is a problem.

The attached patch fixes the problem by initializing the priority from
the current processes priority instead of unconditionally initializing
it with 0.

Jö.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: i386 (i586)
Kernel: Linux 2.6.2-jupiter
Locale: LANG=de_DE.UTF-8@euro, LC_CTYPE=de_DE.UTF-8@euro

Versions of packages libpam-modules depends on:
ii  libc6                       2.3.2.ds1-11 GNU C Library: Shared libraries an
ii  libcap1                     1:1.10-13    support for getting/setting POSIX.
ii  libdb3                      3.2.9-19     Berkeley v3 Database Libraries [ru
ii  libpam0g                    0.76-16      Pluggable Authentication Modules l

-- no debconf information

-- 
Of all the things I've lost, I miss my mind the most.

[pam_limits.diff (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 241663@bugs.debian.org (full text, mbox, reply):

From: Sam Hartman <hartmans@debian.org>

To: Jö Fahlke <jorrit@jorrit.de>

Cc: 241663@bugs.debian.org

Subject: Re: Bug#241663: pam_limits resets nice value to 0

Date: Sun, 04 Apr 2004 09:38:41 -0400

My initial inclination is to close this bug and mark it wontfix.  My
understanding of the intended behavior of the pam_limits module is
that it is intended to completely replace the limits of a process.
Certainly it has been the policy of Debian maintainers since before I
got the package to do this and at various times changes have been made
to default to relaxing limits rather than to preserving them.

I understand your problem with su and agree that it is not desired
behavior.  I don't think your fix is correct either.

One possible solution would be to add a way of specifying that limits
should not be changed for a particular limit.

Message #15 received at 241663@bugs.debian.org (full text, mbox, reply):

From: Jö Fahlke <jorrit@jorrit.de>

To: Sam Hartman <hartmans@debian.org>

Cc: 241663@bugs.debian.org

Subject: Re: Bug#241663: pam_limits resets nice value to 0

Date: Sun, 4 Apr 2004 17:19:25 +0200

[Message part 1 (text/plain, inline)]

Am So,  4. Apr 2004, 09:38:41 -0400 schrieb Sam Hartman:
> My initial inclination is to close this bug and mark it wontfix.  My
> understanding of the intended behavior of the pam_limits module is
> that it is intended to completely replace the limits of a process.

You're right.  My unterstanding was quiet the opposite but I looked
into the source again.  I was probably mislead by init_limits()
calling getrlimit() and overwriting the result later.

> One possible solution would be to add a way of specifying that limits
> should not be changed for a particular limit.

Three solutions come to my mind:
(a) add a limit value (like "current" or "undef" or "-") to mean that
    the current value is kept.
(b) add a statement to the configuration file (like "keep" on a line
    of its own) to tell the module not to change a limit if not
    otherwise told.
(c) add a module option which can be specified in the pam
    configuration file (like "pam_limits.so keep").

(a) is the most flexible while (c) is easiest to implement.  (b) has
the same functionality as (c) but would be even harder than (a) to
implement or would have strange restrictions like "keep" being the
first statement in the config file.

I'm willing to implement (a) or (c) if you would like to have them.
Otherwise I'll just work around the problem :)

Jö.

-- 
In the shower, time can be measured only by the fluctuations of the
temperature.

[signature.asc (application/pgp-signature, inline)]

Message #20 received at 241663@bugs.debian.org (full text, mbox, reply):

From: Sam Hartman <hartmans@debian.org>

To: Jö Fahlke <jorrit@jorrit.de>

Cc: 241663@bugs.debian.org

Subject: Re: Bug#241663: pam_limits resets nice value to 0

Date: Sun, 04 Apr 2004 17:28:57 -0400

>>>>> "Jö" == Jö Fahlke <jorrit@jorrit.de> writes:

    Jö> Three solutions come to my mind: (a) add a limit value
    Jö> (like "current" or "undef" or "-") to mean that the current
    Jö> value is kept.  

I think I prefer this solution.  Option c is also reasonable.  I don't
really like option B because it wouldn't fit in with the rest of the
config file.

--Sam

Message #25 received at 241663@bugs.debian.org (full text, mbox, reply):

From: Jö Fahlke <jorrit@jorrit.de>

To: Sam Hartman <hartmans@debian.org>

Cc: 241663@bugs.debian.org

Subject: Re: Bug#241663: pam_limits resets nice value to 0

Date: Sat, 10 Apr 2004 23:15:29 +0200

[Message part 1 (text/plain, inline)]

Am So,  4. Apr 2004, 17:28:57 -0400 schrieb Sam Hartman:
> I think I prefer this solution.  Option c is also reasonable.  I don't
> really like option B because it wouldn't fit in with the rest of the
> config file.

Ok, here is solution c.  I tried to implement a, but found myself
starting to rewrite the whole module.

It's not very well tested, I only verified that it does't crash with
an empty limits.conf and that it does what its supposed to for the
nice level.

This patch is against version 0.76-16

Jö.

-- 
oil -- operation iraqi liberation
http://www.mo.tecsamples.de/mahnwache/index.html

[keep.diff (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 241663@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>

To: 311058@bugs.debian.org, 241663@bugs.debian.org

Subject: Reassigning bug that definitely doesn't belong to shadow

Date: Wed, 10 May 2006 10:03:47 +0200

[Message part 1 (text/plain, inline)]

tags 311058 - wontfix
reassign 311058 libpam-modules
merge 311058 241663

The story of this bug report clearly shows that the correct fix is not
in shadow but rather in libpam-modules if its maintainer(s) decide
this should be fixed (see #241663).


The issue has been documented for enough time now and I believe this
is not the BTS job to document issues.

As a consequence, I reassign the bug to libpam-modules, merging with
#241663....which has a patch that probably deserves some
consideration, anyway.


-- 

[signature.asc (application/pgp-signature, inline)]

Message #43 received at 241663-close@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: 241663-close@bugs.debian.org

Subject: Bug#241663: fixed in pam 0.79-4

Date: Mon, 23 Oct 2006 06:17:44 -0700

Source: pam
Source-Version: 0.79-4

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_0.79-4_i386.deb
  to pool/main/p/pam/libpam-cracklib_0.79-4_i386.deb
libpam-doc_0.79-4_all.deb
  to pool/main/p/pam/libpam-doc_0.79-4_all.deb
libpam-modules_0.79-4_i386.deb
  to pool/main/p/pam/libpam-modules_0.79-4_i386.deb
libpam-runtime_0.79-4_all.deb
  to pool/main/p/pam/libpam-runtime_0.79-4_all.deb
libpam0g-dev_0.79-4_i386.deb
  to pool/main/p/pam/libpam0g-dev_0.79-4_i386.deb
libpam0g_0.79-4_i386.deb
  to pool/main/p/pam/libpam0g_0.79-4_i386.deb
pam_0.79-4.diff.gz
  to pool/main/p/pam/pam_0.79-4.diff.gz
pam_0.79-4.dsc
  to pool/main/p/pam/pam_0.79-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 241663@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 23 Oct 2006 05:36:08 -0700
Source: pam
Binary: libpam0g-dev libpam0g libpam-modules libpam-doc libpam-runtime libpam-cracklib
Architecture: source i386 all
Version: 0.79-4
Distribution: unstable
Urgency: medium
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 122400 149027 149883 241663 313542 313588 318452 327272 335273 344447 352329 360657 388431
Changes: 
 pam (0.79-4) unstable; urgency=medium
 .
   * Medium-urgency upload; at least one RC bugfix, but also a
     significant number of changes, hence not urgency=high.
   * Move libpam-modules and libpam0g to Section: libs and libpam-runtime
     to section: admin, to match the overrides in the archive.
   * Move old changelog entries (well, entry) that don't follow the current
     format to debian/changelog.old, since there's no way to figure out a
     timestamp for an 8-year-old upload, and this is the most effective
     way to clear a glut of lintian warnings.
   * Fix the formatting of the libpam-cracklib package description.
   * Patch 010: remove parts of the patch that aren't necessary for C++
     compatibility.
   * Patch 060: fix a segfault in pam_tally caused by misuse of
     pam_get_data(); already fixed upstream.  Closes: #335273.
   * Patch 061: fix a double free in pam_issue, caused by overuse (and misuse)
     of strdup (similar to patch 059).  Already fixed upstream.
     Closes: #327272.
   * Don't build-depend on libselinux1-dev and libcap-dev on kfreebsd archs.
     Closes: #352329.
   * Patch 005: sync pam_limits with upstream:
     - support "-" (unlimited) for all limit types except process priority.
     - support the additional aliases "-1", "unlimited", and "infinity" for
       clearing the limits; closes: #122400, #149027.
     - restrict the range of process priority, login count, and system login
       count settings to (INT_MIN,INT_MAX) (heh).
     - special-case RLIM_INFINITY when applying multipliers to values from
       the config.
     - document maxsyslogins in the default limits.conf; closes: #149883.
     - use the current process priority as a default instead of resetting to
       0; closes: #241663.
     - add support for (and document) new RLIMIT_NICE and RLIMIT_RTPRIO
       settings in Linux 2.6.12 and above; closes: #313542, #313588.
     - allow imposing limits on uid=0.
   * Patch 027: only set RLIM_INFINITY as the default for the limits where
     we know this is sensible, so that recompiling in an environment with new
     limits doesn't create a security hole -- as happened with RLIMIT_NICE and
     RLIMIT_RTPRIO!  Thanks to Ville Hallik for the initial patch.
     Closes: #388431.
   * Patch 029, 047: Fix up the broken pam_limits capabilities patch so it
     actually works -- which may well be a first...  Closes: #318452.
 .
 pam (0.79-3.2) unstable; urgency=low
 .
   * Non-maintainer upload to fix important bug, that makes passwd segfault
     when CTRL-D is pressed at the password prompt.  Applied the patch
     provided by Dann Frazier.  (Closes: #360657)
 .
 pam (0.79-3.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Linux-PAM/libpamc/include/security/pam_client.h,
     Linux-PAM/libpamc/pamc_converse.c: Apply patch from
     latest upstream version to remove redefinition of internal
     glibc/libstdc++ types.  Closes: #344447.
Files: 
 bb83e935d98ee21122360cab326e204a 970 libs optional pam_0.79-4.dsc
 f1401efc74c136fb07652643d1b1a1cf 136866 libs optional pam_0.79-4.diff.gz
 0fb6ed72ff29cf455d62e8a8a8292338 64282 admin required libpam-runtime_0.79-4_all.deb
 004664714294d7a4a89954c5e9554d00 731984 doc optional libpam-doc_0.79-4_all.deb
 1ced26f43273eb1055384bd711fb1651 79676 libs required libpam0g_0.79-4_i386.deb
 f884fb9426c4f73c40c892ac343efc85 187500 libs required libpam-modules_0.79-4_i386.deb
 badc0696da385466937f22929a7a1bb1 117900 libdevel optional libpam0g-dev_0.79-4_i386.deb
 e28da4b5da863be36d965369e4828340 59530 libs optional libpam-cracklib_0.79-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFPLzSKN6ufymYLloRAurrAJ9qK9+NWBnnhGZbRwBJQBTbyMGMVwCbBml2
UPu1tc4FiTiEnO3989I4kcc=
=pfjG
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.