From bdcad7ea0ff71c9b8963a9707b4f33c8faee0b57628d5f6256fbeb6244b92011 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Thu, 25 Dec 2014 17:01:00 +0000 Subject: [PATCH] Accepting request 242966 from home:bmwiedemann:branches:Linux-PAM limit number of processes to 700 by default to harden against fork-bombs OBS-URL: https://build.opensuse.org/request/show/242966 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=141 --- pam-limit-nproc.patch | 15 +++++++++++++++ pam.changes | 6 ++++++ pam.spec | 2 ++ 3 files changed, 23 insertions(+) create mode 100644 pam-limit-nproc.patch diff --git a/pam-limit-nproc.patch b/pam-limit-nproc.patch new file mode 100644 index 0000000..756946c --- /dev/null +++ b/pam-limit-nproc.patch @@ -0,0 +1,15 @@ +Index: Linux-PAM-1.1.8/modules/pam_limits/limits.conf +=================================================================== +--- Linux-PAM-1.1.8.orig/modules/pam_limits/limits.conf ++++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf +@@ -47,4 +47,10 @@ + #ftp hard nproc 0 + #@student - maxlogins 4 + ++# harden against fork-bombs ++* hard nproc 800 ++* soft nproc 700 ++root hard nproc 900 ++root soft nproc 850 ++ + # End of file diff --git a/pam.changes b/pam.changes index 573cc47..3fe0bf9 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue May 6 14:31:36 UTC 2014 - bwiedemann@suse.com + +- limit number of processes to 700 to harden against fork-bombs + Add pam-limit-nproc.patch + ------------------------------------------------------------------- Wed Apr 9 16:02:17 UTC 2014 - ckornacker@suse.com diff --git a/pam.spec b/pam.spec index 3d85e4b..da993fa 100644 --- a/pam.spec +++ b/pam.spec 
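Review bot: The added `* hard nproc 800` / `* soft nproc 700` lines in pam-limit-nproc.patch carry only the comment `# harden against fork-bombs`, which omits what an administrator needs to know when the cap is hit: RLIMIT_NPROC is accounted per real user ID and counts threads as well as processes, so a heavily threaded desktop or service session can reach 800 and then see fork() or pthread_create() fail with EAGAIN. I would extend the comment, e.g. `# nproc is per user and includes threads; raise it in /etc/security/limits.d/ for accounts that need more`. The two `root` lines also deserve a remark: pam_limits does not apply `*` to root, which is presumably why they were added, but the kernel does not enforce RLIMIT_NPROC for processes holding CAP_SYS_ADMIN or CAP_SYS_RESOURCE, so they mostly matter as the values inherited by children that later drop privileges. The subject and the pam.changes entry say 700 while the hard limit is 800, so the wording should name both the soft and the hard value.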
@@ -56,6 +56,7 @@ Patch1: Linux-PAM-git-20140127.diff Patch2: pam_loginuid-log_write_errors.diff Patch3: pam_xauth-sigpipe.diff Patch4: bug-870433_pam_timestamp-fix-directory-traversal.patch +Patch5: pam-limit-nproc.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -104,6 +105,7 @@ building both PAM-aware applications and modules for use with PAM. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %build export CFLAGS="%optflags -DNDEBUG"