:: [devuan-dev] bug#805: openrc: super…
Startseite
Nachricht löschen
Nachricht beantworten
Autor: meow
Datum:  
To: Mark Hindley
CC: 805
Betreff: [devuan-dev] bug#805: openrc: supervise-daemon: missing PAM configuration
Yes, you’re right, it should be included in the configuration file.

/etc/pam.d/supervise-daemon:
#%PAM-1.0

auth            required        pam_permit.so
account         required        pam_permit.so
password        required        pam_deny.so
session         optional        pam_limits.so
@include common-account
@include common-session-nointeractive


use 'common-*' incorrectly. we only need common-account and common-session-nointetactive.
this config should work well in debian.

On November 24, 2023 6:16:10 PM UTC, Mark Hindley <mark@???> wrote:
>Lorietta,
>
>On Fri, Nov 24, 2023 at 03:52:58AM +0000, meow wrote:
>>    Example: Local DoS attack due to lack of PAM limits.
>>    I think it’s safe to either include limits.so in /etc/pam. d/other, or
>>    add a configuration for supervise-daemon.
>>    Also, I have a question. What exactly is incompatible with debian in
>>    the upstream version of this file? I added this file to my system and
>>    everything works well, limits are applied and supervise-daemon
>>    continues in normal mode.

>
>Debian uses pam-auth-update(8) to manage the addition of modules to
>/etc/pam.d/common-*. That will not work with the supplied upstream pam config.
>
>I am not a pam expert, but I *think* the Debian approach should be something
>like
>
>
>@include common-auth
>@include common-account
>@include common-password
>session         optional        pam_limits.so

>
>Does that work for you?
>
>Thanks
>
>Mark