Accepting request 266389 from Linux-PAM

1 OBS-URL: https://build.opensuse.org/request/show/266389 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=78
2014-12-28 23:29:39 +00:00 · 2014-12-28 23:29:39 +00:00 · 19e8b12220
commit 19e8b12220
parent d000807cbb bdcad7ea0f
3 changed files with 23 additions and 0 deletions
--- a/pam-limit-nproc.patch
+++ b/pam-limit-nproc.patch
@ -0,0 +1,15 @@
+Index: Linux-PAM-1.1.8/modules/pam_limits/limits.conf
+===================================================================
+--- Linux-PAM-1.1.8.orig/modules/pam_limits/limits.conf
+++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf
+@@ -47,4 +47,10 @@
+ #ftp             hard    nproc           0
+ #@student        -       maxlogins       4
+ 
+# harden against fork-bombs
+*               hard    nproc           800
+*               soft    nproc           700
+root            hard    nproc           900
+root            soft    nproc           850
+
+ # End of file
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue May  6 14:31:36 UTC 2014 - bwiedemann@suse.com
+
+- limit number of processes to 700 to harden against fork-bombs
+  Add pam-limit-nproc.patch
+
 -------------------------------------------------------------------
 Wed Apr  9 16:02:17 UTC 2014 - ckornacker@suse.com

--- a/pam.spec
+++ b/pam.spec
@ -56,6 +56,7 @@ Patch1:         Linux-PAM-git-20140127.diff
 Patch2:         pam_loginuid-log_write_errors.diff
 Patch3:         pam_xauth-sigpipe.diff
 Patch4:         bug-870433_pam_timestamp-fix-directory-traversal.patch
+Patch5:         pam-limit-nproc.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -104,6 +105,7 @@ building both PAM-aware applications and modules for use with PAM.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1

 %build
 export CFLAGS="%optflags -DNDEBUG"