Hi,

On Wed, Oct 20, 2021 at 04:49:06PM +0200, Salvatore Bonaccorso wrote:
> Control: retitle -1 sudo: Restore inclusion of pam_limits.so PAM module
> Control: tags -1 + security
> Control: severity -1 important
>
> On Fri, Mar 06, 2009 at 12:23:27PM +0100, Xavier Martin wrote:
> > Package: sudo
> > Version: 1.6.9p17-2
> > Severity: normal
> >
> > I've upgraded from Etch to Lenny, and
> > ulimit doesn't report the correct open-files limits set on my machine.
> >
> > Here's a test case:
> > # sudo -u www-data /bin/bash -c 'ulimit -n'
> > 4096
> >
> > # grep nofile /etc/security/limits.conf
> > * soft nofile 4096
> > * hard nofile 65535
> >
> >
> > On the previous version of sudo, 1.6.8p12-4:
> >
> > # sudo -u www-data /bin/bash -c 'ulimit -n'
> > 65536
> >
> >
> > I'd think it's related to a change in /etc/pam.d/sudo.
> >
> > 1.6.8p12-4:
> > #%PAM-1.0
> >
> > @include common-auth
> > @include common-account
> >
> > 1.6.9p17-2:
> > #%PAM-1.0
> >
> > @include common-auth
> > @include common-account
> >
> > session required pam_permit.so
> > session required pam_limits.so
>
> This is a longstanding issue and in fact we should restore the
> inclusion of pam_limits.so. This serves as mitigation/hardening
> against the issue as explained in
>
> https://www.openwall.com/lists/oss-security/2021/10/20/2
>
> I made a merge request addressing this, at least for unstable for now,
> in
>
> https://salsa.debian.org/sudo-team/sudo/-/merge_requests/7
Let me be more specific on the mitigation part for sudo of the above
oss-security reference. As we in Debian lack the pam_limits inclusion:

| user@sid:~$ cat /etc/pam.d/sudo
| #%PAM-1.0
|
| @include common-auth
| @include common-account
| @include common-session-noninteractive
| user@sid:~$ ulimit -c
| unlimited
| user@sid:~$ sudo sh -c 'ulimit -c'
| unlimited

with the merge request patch adding pam_limits back:

| user@sid:~$ cat /etc/pam.d/sudo
| #%PAM-1.0
|
| # Set up user limits from /etc/security/limits.conf.
| session required pam_limits.so
|
| @include common-auth
| @include common-account
| @include common-session-noninteractive
| user@sid:~$ ulimit -c
| unlimited
| user@sid:~$ sudo sh -c 'ulimit -c'
| 0

So far I think we should do the change only in unstable and expose the
change further.

Regards,
Salvatore
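A check for the configuration difference this thread is about, added here as an example rather than taken from the bug report or the Debian sudo package: it walks a PAM service file and its @include targets and reports whether pam_limits.so is configured as a session module. The sample files it constructs mirror the two /etc/pam.d/sudo variants quoted above; the function names, file names and the stub @include targets are my own assumptions.

```shell
#!/bin/sh
# Added example; not code from the bug report or Debian's sudo package.
# Reports whether a Debian-style PAM service file such as /etc/pam.d/sudo
# loads pam_limits.so as a session module, following @include directives
# the way libpam resolves them (targets relative to the same directory).
# Only session lines count: that is the stage at which pam_limits applies
# /etc/security/limits.conf, so an auth-only entry would not help.

# pam_has_limits FILE [DIR]: 0 = configured, 1 = missing, 2 = unreadable.
pam_has_limits() {
    dir=${2:-/etc/pam.d}
    [ -r "$1" ] || return 2
    # Uncommented "session <control> pam_limits.so" (or "-session") line?
    grep -Eq '^[[:space:]]*-?session[[:space:]]+[^#]*pam_limits\.so' "$1" && return 0
    # Otherwise look inside each @include target (common-auth, ...).
    for inc in $(awk '$1 == "@include" { print $2 }' "$1"); do
        pam_has_limits "$dir/$inc" "$dir" && return 0
    done
    return 1
}

# make_samples DIR: constructed copies of the two /etc/pam.d/sudo variants
# quoted in the thread, plus stub files standing in for the @include targets.
make_samples() {
    for f in common-auth common-account common-session-noninteractive; do
        printf '# stub %s (constructed)\n' "$f" > "$1/$f"
    done
    printf '#%%PAM-1.0\n\n@include common-auth\n@include common-account\n' > "$1/sudo.before"
    printf '@include common-session-noninteractive\n' >> "$1/sudo.before"
    printf '#%%PAM-1.0\n\n# Set up user limits from /etc/security/limits.conf.\n' > "$1/sudo.after"
    printf 'session required pam_limits.so\n\n' >> "$1/sudo.after"
    sed 1,2d "$1/sudo.before" >> "$1/sudo.after"
    # A commented-out entry must not count as configured.
    printf '#session required pam_limits.so\n@include common-auth\n' > "$1/sudo.commented"
}

# Stand-alone run over the constructed samples. For a live system, run
# pam_has_limits /etc/pam.d/sudo instead.
tmp=$(mktemp -d) && make_samples "$tmp"
for f in sudo.before sudo.after sudo.commented; do
    if pam_has_limits "$tmp/$f" "$tmp"; then
        echo "$f: pam_limits.so configured, limits.conf applies to sudo sessions"
    else
        echo "$f: pam_limits.so missing, ulimits from limits.conf are not applied"
    fi
done
rm -rf "$tmp"
```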