pam/debian/patches/pam_limits_explicit_root

From: Peter Paluch <peterp@frcatel.fri.utc.sk>
Date: Mon, 11 Sep 2023 14:00:42 -0600
Subject: Root limits must be explicit

Bug-Debian: http://bugs.debian.org/63230
Don't apply wildcard limits to the root account; only apply limits to
root that reference root by name.
===================================================================
---
 modules/pam_limits/limits.conf       |  4 ++++
 modules/pam_limits/limits.conf.5.xml |  6 ++++++
 modules/pam_limits/pam_limits.c      | 11 ++++++++---
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf
index e8a746c..c6b058a 100644
--- a/modules/pam_limits/limits.conf
+++ b/modules/pam_limits/limits.conf
@@ -22,6 +22,9 @@
 #        - the wildcard *, for default entry
 #        - the wildcard %, can be also used with %group syntax,
 #                 for maxlogin limit
+#        - NOTE: group and wildcard limits are not applied to root.
+#          To apply a limit to the root user, <domain> must be
+#          the literal username root.
 #
 #<type> can have the two values:
 #        - "soft" for enforcing the soft limits
@@ -51,6 +54,7 @@
 #
 
 #*               soft    core            0
+#root            hard    core            100000
 #*               hard    rss             10000
 #@student        hard    nproc           20
 #@faculty        soft    nproc           20
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
index dd8d68b..803cb4e 100644
--- a/modules/pam_limits/limits.conf.5.xml
+++ b/modules/pam_limits/limits.conf.5.xml
@@ -89,6 +89,11 @@
               </para>
             </listitem>
           </itemizedlist>
+	  <para>
+	    <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not
+	    applied to the root user.  To set a limit for the root user, this field
+	    must contain the literal username <emphasis remap='B'>root</emphasis>.
+	  </para>
         </listitem>
       </varlistentry>
 
@@ -320,6 +325,7 @@
     </para>
     <programlisting>
 *               soft    core            0
+root            hard    core            100000
 *               hard    nofile          512
 @student        hard    nproc           20
 @faculty        soft    nproc           20
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 1e4dfa3..7eb93c0 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -93,6 +93,7 @@ struct user_limits_struct {
 
 /* internal data */
 struct pam_limit_s {
+    int root;            /* running as root? */
     int login_limit;     /* the max logins limit */
     int login_limit_def; /* which entry set the login limit */
     int flag_numsyslogins; /* whether to limit logins only for a
@@ -539,6 +540,8 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
 
     D(("called."));
 
+    pl->root = 0;
+
     for(i = 0; i < RLIM_NLIMITS; i++) {
 	int r = getrlimit(i, &pl->limits[i].limit);
 	if (r == -1) {
@@ -1020,7 +1023,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
 
             if (strcmp(uname, domain) == 0) /* this user has a limit */
                 process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
-            else if (domain[0]=='@') {
+            else if (domain[0]=='@' && !pl->root) {
 		if (ctrl & PAM_DEBUG_ARG) {
 			pam_syslog(pamh, LOG_DEBUG,
 				   "checking if %s is in group %s",
@@ -1046,7 +1049,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
 			    process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
 					  pl);
 		}
-            } else if (domain[0]=='%') {
+            } else if (domain[0]=='%' && !pl->root) {
 		if (ctrl & PAM_DEBUG_ARG) {
 			pam_syslog(pamh, LOG_DEBUG,
 				   "checking if %s is in group %s",
@@ -1081,7 +1084,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
             } else {
 		switch(rngtype) {
 		    case LIMIT_RANGE_NONE:
-			if (strcmp(domain, "*") == 0)
+			if (strcmp(domain, "*") == 0 && !pl->root)
 			    process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
 					  pl);
 			break;
@@ -1372,6 +1375,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
         return PAM_ABORT;
     }
 
+    if (pwd->pw_uid == 0)
+        pl->root = 1;
     retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid,
 			       ctrl, pl, conf_file_set_by_user);
     if (retval == PAM_IGNORE) {