Lorietta,
Thanks
On Thu, Nov 23, 2023 at 12:50:36AM +0000, meow wrote:
> Package: openrc
> X-Debbugs-Cc: lorietta2023@???
> Version: 0.45.2-2
> Severity: grave
> Justification: user security hole
> Tags: security patch
> Dear Maintainer,
> The openrc package is missing the /etc/pam.d/supervise-daemon file.
> This file is in upstream. Due to the absence of this file, settings
> from /etc/security are not applied to supervise-daemon, which can lead
> to very sad consequences.
Are you sure that is true? What consequences specifically?
Whilst you are correct that the upstream pam supervise-daemon is omitted, it
isn't correct for a Debian based system. We would need a more tailored pam
configuration.
In addition, if there is no specific pam configuration, the fallback file
/etc/pam.d/other is used:
#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used. If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.
# We fall back to the system default in /etc/pam.d/common-*
#
@include common-auth
@include common-account
@include common-password
@include common-session
So, there may be the optional pam_limits that is missing.
Do you see anything else?
Mark
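The fallback behaviour discussed in this thread, as an added example that is not part of the bug report or of the openrc package: the script resolves which /etc/pam.d file a service ends up with (its own file, or `other` when none exists), follows `@include` lines the way the Debian config does, and reports whether `pam_limits.so` is anywhere in the session stack. The pam.d tree it inspects is constructed in a temporary directory so it runs offline; point the functions at a real /etc/pam.d to check an actual system.

```shell
#!/bin/sh
# Added example: resolve the effective PAM stack for a service (service file
# if present, else /etc/pam.d/other), expand @include lines, and check whether
# pam_limits.so (which applies /etc/security/limits.conf) is in the session stack.
set -eu
# Flatten a PAM config by following @include directives recursively.
# $1 = pam.d directory, $2 = file name relative to it
pam_flatten() {
    [ -f "$1/$2" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;                                          # blank or comment
            '@include '*) pam_flatten "$1" "${line#@include }" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1/$2"
}
# Name of the file PAM consults: the service's own file, else the fallback.
pam_effective_file() {
    if [ -f "$1/$2" ]; then printf '%s\n' "$2"; else printf 'other\n'; fi
}
# Succeed only when pam_limits.so is present in the service's session stack.
pam_has_limits() {
    pam_flatten "$1" "$(pam_effective_file "$1" "$2")" \
        | grep -Eq '^-?session[[:space:]].*pam_limits\.so'
}
# Constructed sample tree: a Debian-style fallback plus an upstream-style
# supervise-daemon file that does pull in pam_limits (both made up here).
demo=$(mktemp -d)
mkdir "$demo/pam.d"
cat > "$demo/pam.d/other" <<'EOF'
# /etc/pam.d/other - fallback for any unspecified service
@include common-auth
@include common-account
@include common-password
@include common-session
EOF
for stack in auth account password session; do
    printf '%s\trequired\tpam_unix.so\n' "$stack" > "$demo/pam.d/common-$stack"
done
printf 'auth\trequired\tpam_unix.so\nsession\trequired\tpam_limits.so\n' \
    > "$demo/pam.d/supervise-daemon"
# Compare a service with its own file against one that falls back to "other".
for svc in supervise-daemon unlisted-daemon; do
    if pam_has_limits "$demo/pam.d" "$svc"; then r=yes; else r=no; fi
    printf '%s uses %s, pam_limits in session stack: %s\n' \
        "$svc" "$(pam_effective_file "$demo/pam.d" "$svc")" "$r"
done
```

Run against a real system with `pam_has_limits /etc/pam.d supervise-daemon` to see whether the fallback stack on that host carries pam_limits at all.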