Example: Local DoS attack due to lack of PAM limits.
I think it’s safe to either include limits.so in /etc/pam.d/other, or add a configuration for supervise-daemon.
Also, I have a question. What exactly is incompatible with Debian in the upstream version of this file? I added this file to my system and everything works well, limits are applied and supervise-daemon continues in normal mode.
On November 23, 2023 7:55:34 PM UTC, Mark Hindley <mark@???> wrote:
>Lorietta,
>
>Thanks
>
>On Thu, Nov 23, 2023 at 12:50:36AM +0000, meow wrote:
>> Package: openrc
>> X-Debbugs-Cc: lorietta2023@???
>> Version: 0.45.2-2
>> Severity: grave
>> Justification: user security hole
>> Tags: security patch
>> Dear Maintainer,
>> The openrc package is missing the /etc/pam.d/supervise-daemon file.
>> This file is in upstream. Due to the absence of this file, settings
>> from /etc/security are not applied to supervise-daemon, which can lead
>> to very sad consequences.
>
>Are you sure that is true? What consequences specifically?
>
>Whilst you are correct that the upstream pam supervise-daemon is omitted, it
>isn't correct for a Debian based system. We would need a more tailored pam
>configuration.
>
>In addition, if there is no specific pam configuration, the fallback file
>/etc/pam.d/other is used
>
>#
># /etc/pam.d/other - specify the PAM fallback behaviour
>#
># Note that this file is used for any unspecified service; for example
># if /etc/pam.d/cron specifies no session modules but cron calls
># pam_open_session, the session module out of /etc/pam.d/other is
># used. If you really want nothing to happen then use pam_permit.so or
># pam_deny.so as appropriate.
>
># We fall back to the system default in /etc/pam.d/common-*
>#
>
>@include common-auth
>@include common-account
>@include common-password
>@include common-session
>
>So, there may be the optional pam_limits that is missing.
>
>Do you see anything else?
>
>Mark
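The point under discussion is how libpam picks a configuration for a service that has no file of its own, and whether the fallback actually reaches pam_limits. The script below is an added example for this thread; it is not code from the bug report, from Debian or from the openrc package. It resolves a service the way libpam does on Debian (/etc/pam.d/SERVICE, else /etc/pam.d/other, with @include lines expanded from the same directory), then reports whether pam_limits.so appears in the effective session stack. It works for any service name, not only supervise-daemon. The PAM directory is a parameter, so it can be pointed at the live /etc/pam.d or at the constructed sample tree it builds. The sample tree, the supervise-daemon stack in add_service_file and the file name pam_limits_check.sh are assumptions for illustration; the supervise-daemon stack is not the upstream file and not a Debian maintainer's proposal.

```shell
#!/bin/sh
# Added example (not from the bug report, Debian or openrc): mimic how libpam
# chooses a service's PAM file on Debian (/etc/pam.d/SERVICE, else
# /etc/pam.d/other, with "@include NAME" expanded from the same directory)
# and check whether pam_limits.so is reached in the session phase.

# pam_service_file SERVICE DIR: print the file libpam would use for SERVICE,
# falling back to DIR/other when no service-specific file exists.
pam_service_file() {
    if [ -f "$2/$1" ]; then
        printf '%s\n' "$2/$1"
    else
        printf '%s\n' "$2/other"
    fi
}

# pam_expand FILE DIR: print FILE with comments and blank lines stripped and
# every "@include NAME" line replaced by the expanded contents of DIR/NAME.
pam_expand() {
    pamdir=$2
    if [ ! -f "$1" ]; then
        echo "missing PAM file: $1" >&2
        return 1
    fi
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while IFS= read -r line; do
        case "$line" in
            @include*)
                set -- $line                      # $2 is the included name
                pam_expand "$pamdir/$2" "$pamdir" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# pam_has_limits SERVICE DIR: succeed when the effective session stack for
# SERVICE loads pam_limits.so (a leading "-" marks a module as optional).
pam_has_limits() {
    pam_expand "$(pam_service_file "$1" "$2")" "$2" |
        grep -Eq '^[[:space:]]*-?session[[:space:]].*pam_limits\.so'
}

# make_debian_tree: constructed sample PAM directory (not a copy of any real
# system) shaped like the fallback quoted above: "other" includes the
# common-* files and common-session loads no pam_limits. There is no
# supervise-daemon file, so the fallback is what applies to it. Prints the path.
make_debian_tree() {
    d=$(mktemp -d) || return 1
    cat >"$d/other" <<'EOF'
# /etc/pam.d/other - specify the PAM fallback behaviour
@include common-auth
@include common-account
@include common-password
@include common-session
EOF
    printf 'auth\trequired\tpam_unix.so\n'     >"$d/common-auth"
    printf 'account\trequired\tpam_unix.so\n'  >"$d/common-account"
    printf 'password\trequired\tpam_unix.so\n' >"$d/common-password"
    printf 'session\trequired\tpam_unix.so\n'  >"$d/common-session"
    printf '%s\n' "$d"
}

# add_service_file DIR: remedy 1, a dedicated supervise-daemon file. The
# stack is an assumption for illustration, not the upstream file.
add_service_file() {
    cat >"$1/supervise-daemon" <<'EOF'
@include common-auth
@include common-account
session   required   pam_limits.so
@include common-session
EOF
}

# add_limits_to_other DIR: remedy 2, load pam_limits from the fallback file
# so every service without its own file gets limits applied.
add_limits_to_other() {
    printf 'session\trequired\tpam_limits.so\n' >>"$1/other"
}

demo() {
    t=$(make_debian_tree) || return 1
    echo "supervise-daemon resolves to: $(pam_service_file supervise-daemon "$t")"
    if pam_has_limits supervise-daemon "$t"; then
        echo "stock tree: pam_limits IS reached"
    else
        echo "stock tree: pam_limits is NOT reached"
    fi
    add_service_file "$t"
    echo "after adding a service file: $(pam_service_file supervise-daemon "$t")"
    pam_has_limits supervise-daemon "$t" && echo "now pam_limits is reached"
    rm -rf "$t"
}

# Run the demonstration:   sh pam_limits_check.sh demo
# Check a live system:     . ./pam_limits_check.sh; pam_has_limits supervise-daemon /etc/pam.d
if [ "${1:-}" = demo ]; then demo; fi
```

On a stock tree the script resolves supervise-daemon to the fallback file and finds no pam_limits in the session stack; either remedy makes the check succeed. The resolver only follows Debian's `@include` directive; distributions that use the `include` control word inside a `type control module` line are not modelled, which is the same gap Mark points at when he says the upstream file needs tailoring for Debian.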