Lorietta,

Thanks

On Thu, Nov 23, 2023 at 12:50:36AM +0000, meow wrote:

>    Package: openrc
>    X-Debbugs-Cc: lorietta2023@???
>    Version: 0.45.2-2
>    Severity: grave
>    Justification: user security hole
>    Tags: security patch
>    Dear Maintainer,
>    the openrc package is missing the /etc/pam.d/supervise-daemon file.
>    this file is in upstream. due to the absence of this file, settings
>    from /etc/security are not applied to supervise-daemon, which can lead
>    to very sad consequences.

Are you sure that is true? What consequences specifically?

Whilst you are correct that the upstream pam supervise-daemon is omitted, it
isn't correct for a Debian based system. We would need a more tailored pam
configuration.

In addition, if there is no specific pam configuration, the fallback file
/etc/pam.d/other is used

#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used. If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.

# We fall back to the system default in /etc/pam.d/common-*
#

@include common-auth
@include common-account
@include common-password
@include common-session

So, there maybe the optional pam_limits that is missing.

Do you see anything else?

Mark