:: [devuan-dev] bug#805: openrc: super…
Top Page
Delete this message
Reply to this message
Author: meow
Date:  
To: Mark Hindley, 805
Subject: [devuan-dev] bug#805: openrc: supervise-daemon: missing PAM configuration
Example: Local DoS attack due to lack of PAM limits.
I think it’s safe to either include limits.so in /etc/pam. d/other, or add a configuration for supervise-daemon.
Also, I have a question. What exactly is incompatible with debian in the upstream version of this file? I added this file to my system and everything works well, limits are applied and supervise-daemon continues in normal mode.

On November 23, 2023 7:55:34 PM UTC, Mark Hindley <mark@???> wrote:
>Lorietta,
>
>Thanks
>
>On Thu, Nov 23, 2023 at 12:50:36AM +0000, meow wrote:
>>    Package: openrc
>>    X-Debbugs-Cc: lorietta2023@???
>>    Version: 0.45.2-2
>>    Severity: grave
>>    Justification: user security hole
>>    Tags: security patch
>>    Dear Maintainer,
>>    the openrc package is missing the /etc/pam.d/supervise-daemon file.
>>    this file is in upstream. due to the absence of this file, settings
>>    from /etc/security are not applied to supervise-daemon, which can lead
>>    to very sad consequences.

>
>Are you sure that is true? What consequences specifically?
>
>Whilst you are correct that the upstream pam supervise-daemon is omitted, it
>isn't correct for a Debian based system. We would need a more tailored pam
>configuration.
>
>In addition, if there is no specific pam configuration, the fallback file
>/etc/pam.d/other is used
>
>#
># /etc/pam.d/other - specify the PAM fallback behaviour
>#
># Note that this file is used for any unspecified service; for example
>#if /etc/pam.d/cron specifies no session modules but cron calls
>#pam_open_session, the session module out of /etc/pam.d/other is
>#used. If you really want nothing to happen then use pam_permit.so or
>#pam_deny.so as appropriate.
>
># We fall back to the system default in /etc/pam.d/common-*
>#
>
>@include common-auth
>@include common-account
>@include common-password
>@include common-session
>
>So, there maybe the optional pam_limits that is missing.
>
>Do you see anything else?
>
>Mark