Debian Bug report logs - #313588
add pam support for the real time rlimits audio patch

Display info messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Romain Chantereau <romain@mezimail.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: kernel-image-2.6.11-9-amd64-k8: Please configure Security Capatibilities as module

Date: Mon, 30 May 2005 13:11:43 +0200

Package: kernel-image-2.6.11-9-amd64-k8
Version: 2.6.11-2
Severity: wishlist

Hi !

It is impossible to compile the realtime security module with the actual
kernel configuration.

The security capatibilities are not configured as module.

Please setup this option as a module permitting building realtime-lsm.

Cheers,
Romain Chantereau.

-- System Information:
Debian Release: 3.1
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-9-amd64-k8
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages kernel-image-2.6.11-9-amd64-k8 depends on:
ii  coreutils [fileutil 5.2.1-2              The GNU core utilities
ii  e2fsprogs           1.37+1.38-WIP-0509-1 ext2 file system utilities and lib
ii  initrd-tools        0.1.81.1             tools to create initrd image for p
ii  module-init-tools   3.2-pre1-2           tools for managing Linux kernel mo

-- no debconf information

Message #10 received at 311273@bugs.debian.org (full text, mbox, reply):

From: maximilian attems <debian@sternwelten.at>

To: Romain Chantereau <romain@mezimail.com>, 311273@bugs.debian.org

Subject: Re: Bug#311273: kernel-image-2.6.11-9-amd64-k8: Please configure Security Capatibilities as module

Date: Mon, 30 May 2005 23:54:24 +0200

retitle 311273 please set CONFIG_SECURITY_CAPABILITIES on common arch config
reassign 311273 kernel
thanks

On Mon, 30 May 2005, Romain Chantereau wrote:

> Hi !
> 
> It is impossible to compile the realtime security module with the actual
> kernel configuration.

this module is rejected upstream.
 
> The security capatibilities are not configured as module.

agreed, that opens security problems.
 
> Please setup this option as a module permitting building realtime-lsm.

we do not care, as this should be done through pam with the merged
efforts for 2.6.12
 
--
maks

Message #19 received at 311273@bugs.debian.org (full text, mbox, reply):

From: Frederik Schueler <fs@lowpingbastards.de>

To: maximilian attems <debian@sternwelten.at>, 311273@bugs.debian.org

Cc: Romain Chantereau <romain@mezimail.com>

Subject: Re: Bug#311273: kernel-image-2.6.11-9-amd64-k8: Please configure Security Capatibilities as module

Date: Tue, 31 May 2005 00:29:29 +0200

[Message part 1 (text/plain, inline)]

Hello,

On Mon, May 30, 2005 at 11:54:24PM +0200, maximilian attems wrote:
> > The security capatibilities are not configured as module.
> 
> agreed, that opens security problems.

Well, it is built in to _prevent_ security problems, like
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1337 

This bug is fixed in 2.6.11, though.

I opt for SECURITY_CAPABILITIES=y in the common arch config.


Kind regards
Frederik Schueler

-- 
ENOSIG

[signature.asc (application/pgp-signature, inline)]

Message #24 received at 311273@bugs.debian.org (full text, mbox, reply):

From: Romain Chantereau <romain@mezimail.com>

To: Frederik Schueler <fs@lowpingbastards.de>

Cc: maximilian attems <debian@sternwelten.at>, 311273@bugs.debian.org

Subject: Re: Bug#311273: kernel-image-2.6.11-9-amd64-k8: Please configure Security Capatibilities as module

Date: Wed, 01 Jun 2005 12:39:36 +0200

Le mardi 31 mai 2005 à 00:29 +0200, Frederik Schueler a écrit :
> I opt for SECURITY_CAPABILITIES=y in the common arch config.

I understood what you told. But, what do you suggest ?

Will I have to compile my own kernel, or do you have another solution in
order to provide realtime privileges for non-root user ?

Thanks,
Romain.

Message #29 received at 311273@bugs.debian.org (full text, mbox, reply):

From: maximilian attems <debian@sternwelten.at>

To: Romain Chantereau <romain@mezimail.com>

Cc: Frederik Schueler <fs@lowpingbastards.de>, 311273@bugs.debian.org

Subject: Re: Bug#311273: kernel-image-2.6.11-9-amd64-k8: Please configure Security Capatibilities as module

Date: Wed, 1 Jun 2005 18:25:15 +0200

On Wed, 01 Jun 2005, Romain Chantereau wrote:

> Le mardi 31 mai 2005 à 00:29 +0200, Frederik Schueler a écrit :
> > I opt for SECURITY_CAPABILITIES=y in the common arch config.
> 
> I understood what you told. But, what do you suggest ?

to take latest upstream 2.6.12-rc5,
add the pam magic.
 
> Will I have to compile my own kernel, or do you have another solution in
> order to provide realtime privileges for non-root user ?

read the lkml about the merged solution,
gain the pam knwonledge and fix it for debian. :)

otherwise it will take a bit more time until someone else pops up
and does it.

--
maks

Message #34 received at 311273@bugs.debian.org (full text, mbox, reply):

From: Romain Chantereau <romain@mezimail.com>

To: maximilian attems <debian@sternwelten.at>

Cc: Frederik Schueler <fs@lowpingbastards.de>, 311273@bugs.debian.org

Subject: Re: Bug#311273: kernel-image-2.6.11-9-amd64-k8: Please configure Security Capatibilities as module

Date: Tue, 07 Jun 2005 12:45:25 +0200

Hi !

Le mercredi 01 juin 2005 à 18:25 +0200, maximilian attems a écrit : 
> gain the pam knwonledge and fix it for debian. :)
> 
> otherwise it will take a bit more time until someone else pops up
> and does it.

It seams that people does it already:


http://www.steamballoon.com/wiki/index.php?title=Rlimits&oldid=36


The fact seems to be:

- PAM need to be patched and configured (/etc/security/limits.conf)

- Kernel version >= 2.6.12-rc4

Thanks you very much for you help.

Romain.

Message #39 received at 311273@bugs.debian.org (full text, mbox, reply):

From: maximilian attems <debian@sternwelten.at>

To: Romain Chantereau <romain@mezimail.com>

Cc: Frederik Schueler <fs@lowpingbastards.de>, 311273@bugs.debian.org, Andres Salomon <dilinger@debian.org>

Subject: Re: Bug#311273: kernel-image-2.6.11-9-amd64-k8: Please configure Security Capatibilities as module

Date: Tue, 14 Jun 2005 09:37:49 +0200

clone -1 311273
clone -2 311273
retitle -1 add pam support for the real time rlimits audio patch
reassign -1 libpam-modules
retitle -2 support the rt audio patch
thanks

On Tue, 07 Jun 2005, Romain Chantereau wrote:

> Hi !
> 
> Le mercredi 01 juin 2005 à 18:25 +0200, maximilian attems a écrit : 
> > gain the pam knwonledge and fix it for debian. :)
> > 
> > otherwise it will take a bit more time until someone else pops up
> > and does it.
> 
> It seams that people does it already:
> 
> 
> http://www.steamballoon.com/wiki/index.php?title=Rlimits&oldid=36

ooh nice pointer,
i'm cc'ing dilinger as he's been seeing to do pam work lately
and may better judge quality of aboves work. :)
 
> The fact seems to be:
> 
> - PAM need to be patched and configured (/etc/security/limits.conf)

indeed, recloing bug for pam.
 
> - Kernel version >= 2.6.12-rc4

yes that's be done as soon as 2.6.12 gets released upstream.
recloning for that.
 
> Thanks you very much for you help.
> 
> Romain.

thank you!

--
maks

Message #50 received at 313588@bugs.debian.org (full text, mbox, reply):

From: Bluefuture <bluefuture@email.it>

To: 313588@bugs.debian.org

Subject: will this (ubuntu) patch close this bug?

Date: Tue, 07 Feb 2006 01:37:28 +0100

[Message part 1 (text/plain, inline)]

Tags: patch


I tried this patch from here[1] and seems to works all fine. This issue seems solved.

[1] http://ubuntustudio.com/wiki/index.php/Breezy:Rlimits-Aware_PAM

[pam-0.76-rlimits.patch (text/x-patch, attachment)]

Message #55 received at 313588@bugs.debian.org (full text, mbox, reply):

From: Bluefuture <bluefuture@email.it>

To: 313588@bugs.debian.org

Subject: will this (ubuntu) patch close this bug?

Date: Tue, 07 Feb 2006 02:38:17 +0100

Tags: patch


Here [1] you can find two patch that seems to works fine also with the version 0.79.

[1] http://ubuntustudio.com/wiki/index.php/Devel:Rlimits-Aware_PAM

Message #62 received at 313588@bugs.debian.org (full text, mbox, reply):

From: Antonio <debian@fastwebnet.it>

To: 313588@bugs.debian.org

Subject: add pam support for the real time rlimits audio patch

Date: Mon, 20 Mar 2006 12:01:48 +0100

Hi,

I'm using current Debian Etch and I can confirm that the above patch
worked straightforward on my system. 

Please consider the inclusion of the patch because is very much needed
(and waited) by many multimedia and audio users.

Cheers,

  ~ Antonio

Message #67 received at 313588-quiet@bugs.debian.org (full text, mbox, reply):

From: Margarita Manterola <marga@debian.org>

To: 313588-quiet@bugs.debian.org

Subject: Status report

Date: Thu, 13 Jul 2006 16:18:20 -0300

I'm pasting an IRC log in order for people who look at this bug to have an
idea of why it hasn't yet been fixed:

[15:48] <marga> vorlon: someone in slashdot is trolling for
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=313588 to get fixed...
What do you think?
[15:49] <vorlon> marga: as I've commented elsewhere, my mental schedule of
not working on pam this week now has a mental note added to it indicating
that I'm doing so with spite
[15:51] <marga> vorlon: oh... Ok... Do you know at least why this is not
being fixed?
[15:58] <vorlon> marga: oh, apparently everybody who's ever asked me about
the status of it did so outside of the bts so there's no record of it,
bastards
[15:59] <vorlon> anyway, it's fixed upstream, and any time I spend on pam
anytime in the near future is focused on re-syncing with upstream, not on
generating more local patches against the current Debian package
[15:59] <vorlon> because we already have a metric shitload of patches
against pam that need to get merged or dropped
[15:59] <marga> vorlon: maybe you can look in your outbox and forward
something to the bug?
[16:00] <vorlon> marga: heh, you can forward my comments to the BTS
yourself if you like; otherwise, that again falls into the category of
"time I don't have to spend on pam"
[16:00] <marga> vorlon: ok, then :)


So, bottom line is: this bug will be fixed when pam is re-synced with 
upstream.

-- 
Besos,          ,''`.
       Marga   : :' :
               `. `' 
                 `-  

Message #80 received at 313588-close@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: 313588-close@bugs.debian.org

Subject: Bug#313588: fixed in pam 0.79-4

Date: Mon, 23 Oct 2006 06:17:44 -0700

Source: pam
Source-Version: 0.79-4

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_0.79-4_i386.deb
  to pool/main/p/pam/libpam-cracklib_0.79-4_i386.deb
libpam-doc_0.79-4_all.deb
  to pool/main/p/pam/libpam-doc_0.79-4_all.deb
libpam-modules_0.79-4_i386.deb
  to pool/main/p/pam/libpam-modules_0.79-4_i386.deb
libpam-runtime_0.79-4_all.deb
  to pool/main/p/pam/libpam-runtime_0.79-4_all.deb
libpam0g-dev_0.79-4_i386.deb
  to pool/main/p/pam/libpam0g-dev_0.79-4_i386.deb
libpam0g_0.79-4_i386.deb
  to pool/main/p/pam/libpam0g_0.79-4_i386.deb
pam_0.79-4.diff.gz
  to pool/main/p/pam/pam_0.79-4.diff.gz
pam_0.79-4.dsc
  to pool/main/p/pam/pam_0.79-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 313588@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 23 Oct 2006 05:36:08 -0700
Source: pam
Binary: libpam0g-dev libpam0g libpam-modules libpam-doc libpam-runtime libpam-cracklib
Architecture: source i386 all
Version: 0.79-4
Distribution: unstable
Urgency: medium
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 122400 149027 149883 241663 313542 313588 318452 327272 335273 344447 352329 360657 388431
Changes: 
 pam (0.79-4) unstable; urgency=medium
 .
   * Medium-urgency upload; at least one RC bugfix, but also a
     significant number of changes, hence not urgency=high.
   * Move libpam-modules and libpam0g to Section: libs and libpam-runtime
     to section: admin, to match the overrides in the archive.
   * Move old changelog entries (well, entry) that don't follow the current
     format to debian/changelog.old, since there's no way to figure out a
     timestamp for an 8-year-old upload, and this is the most effective
     way to clear a glut of lintian warnings.
   * Fix the formatting of the libpam-cracklib package description.
   * Patch 010: remove parts of the patch that aren't necessary for C++
     compatibility.
   * Patch 060: fix a segfault in pam_tally caused by misuse of
     pam_get_data(); already fixed upstream.  Closes: #335273.
   * Patch 061: fix a double free in pam_issue, caused by overuse (and misuse)
     of strdup (similar to patch 059).  Already fixed upstream.
     Closes: #327272.
   * Don't build-depend on libselinux1-dev and libcap-dev on kfreebsd archs.
     Closes: #352329.
   * Patch 005: sync pam_limits with upstream:
     - support "-" (unlimited) for all limit types except process priority.
     - support the additional aliases "-1", "unlimited", and "infinity" for
       clearing the limits; closes: #122400, #149027.
     - restrict the range of process priority, login count, and system login
       count settings to (INT_MIN,INT_MAX) (heh).
     - special-case RLIM_INFINITY when applying multipliers to values from
       the config.
     - document maxsyslogins in the default limits.conf; closes: #149883.
     - use the current process priority as a default instead of resetting to
       0; closes: #241663.
     - add support for (and document) new RLIMIT_NICE and RLIMIT_RTPRIO
       settings in Linux 2.6.12 and above; closes: #313542, #313588.
     - allow imposing limits on uid=0.
   * Patch 027: only set RLIM_INFINITY as the default for the limits where
     we know this is sensible, so that recompiling in an environment with new
     limits doesn't create a security hole -- as happened with RLIMIT_NICE and
     RLIMIT_RTPRIO!  Thanks to Ville Hallik for the initial patch.
     Closes: #388431.
   * Patch 029, 047: Fix up the broken pam_limits capabilities patch so it
     actually works -- which may well be a first...  Closes: #318452.
 .
 pam (0.79-3.2) unstable; urgency=low
 .
   * Non-maintainer upload to fix important bug, that makes passwd segfault
     when CTRL-D is pressed at the password prompt.  Applied the patch
     provided by Dann Frazier.  (Closes: #360657)
 .
 pam (0.79-3.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Linux-PAM/libpamc/include/security/pam_client.h,
     Linux-PAM/libpamc/pamc_converse.c: Apply patch from
     latest upstream version to remove redefinition of internal
     glibc/libstdc++ types.  Closes: #344447.
Files: 
 bb83e935d98ee21122360cab326e204a 970 libs optional pam_0.79-4.dsc
 f1401efc74c136fb07652643d1b1a1cf 136866 libs optional pam_0.79-4.diff.gz
 0fb6ed72ff29cf455d62e8a8a8292338 64282 admin required libpam-runtime_0.79-4_all.deb
 004664714294d7a4a89954c5e9554d00 731984 doc optional libpam-doc_0.79-4_all.deb
 1ced26f43273eb1055384bd711fb1651 79676 libs required libpam0g_0.79-4_i386.deb
 f884fb9426c4f73c40c892ac343efc85 187500 libs required libpam-modules_0.79-4_i386.deb
 badc0696da385466937f22929a7a1bb1 117900 libdevel optional libpam0g-dev_0.79-4_i386.deb
 e28da4b5da863be36d965369e4828340 59530 libs optional libpam-cracklib_0.79-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFPLzSKN6ufymYLloRAurrAJ9qK9+NWBnnhGZbRwBJQBTbyMGMVwCbBml2
UPu1tc4FiTiEnO3989I4kcc=
=pfjG
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.