From 5deaac423159103d02b146afa753a8ebb7fddf09 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com>
Date: Wed, 3 Nov 2021 09:02:40 +0100
Subject: [PATCH 3/3] Use vendor specific limits.conf as fallback (#402)

* Use vendor specific limits.conf as fallback
---
 modules/pam_limits/pam_limits.8.xml | 6 ++++++
 modules/pam_limits/pam_limits.c | 19 ++++++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/modules/pam_limits/pam_limits.8.xml b/modules/pam_limits/pam_limits.8.xml
index bc46cbf4..c1c10eca 100644
--- a/modules/pam_limits/pam_limits.8.xml
+++ b/modules/pam_limits/pam_limits.8.xml
@@ -57,6 +57,12 @@ If a config file is explicitly specified with a module option then the files in the above directory are not parsed. + + If there is no explicitly specified configuration file and + /etc/security/limits.conf does not exist, + %vendordir%/security/limits.conf is used. + If this file does not exist, too, an error is thrown. + The module must not be called by a multithreaded application.
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 7cc45d77..53188965 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -816,9 +816,22 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
 pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", CONF_FILE);
 fil = fopen(CONF_FILE, "r");
 if (fil == NULL) {
- pam_syslog (pamh, LOG_WARNING,
- "cannot read settings from %s: %m", CONF_FILE);
- return PAM_SERVICE_ERR;
+ int err = errno;
+
+#ifdef VENDORDIR
+ /* if the specified file does not exist, and it is not provided by
+ the user, try the vendor file as fallback. */
+ if (pl->conf_file == NULL && err == ENOENT)
+ fil = fopen(VENDORDIR"/security/limits.conf", "r");
+
+ if (fil == NULL)
+#endif
+ {
+ pam_syslog (pamh, LOG_WARNING,
+ "cannot read settings from %s: %s", CONF_FILE,
+ strerror(err));
+ return PAM_SERVICE_ERR;
+ }
 }
 
 /* start the show */
-- 
2.31.1
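Review bot: When the vendor fallback `fopen` also fails, the warning in the braced block after `#endif` still reports only `CONF_FILE` with the saved `err` from the first attempt (always ENOENT on this path). A vendor file that exists but cannot be opened, for example because of a permissions problem, is therefore logged as a missing default file and the real cause never reaches the log. Report the fallback's own failure right after the second `fopen`, inside the `err == ENOENT` branch (which then needs braces): `if (fil == NULL) pam_syslog (pamh, LOG_WARNING, "cannot read settings from %s: %m", VENDORDIR"/security/limits.conf");`. It would also help anyone auditing which limits policy is in force to log the vendor path when the fallback succeeds, since the debug message in the hunk's leading context only ever names `CONF_FILE`. parse_config_file starts before this hunk and continues after it.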