Accepting request 242966 from home:bmwiedemann:branches:Linux-PAM

limit number of processes to 700 by default to harden against fork-bombs

OBS-URL: https://build.opensuse.org/request/show/242966
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=141

pam-limit-nproc.patch

@@ -0,0 +1,15 @@
+Index: Linux-PAM-1.1.8/modules/pam_limits/limits.conf
+===================================================================
+--- Linux-PAM-1.1.8.orig/modules/pam_limits/limits.conf
++++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf
+@@ -47,4 +47,10 @@
+ #ftp             hard    nproc           0
+ #@student        -       maxlogins       4
+ 
++# harden against fork-bombs
++*               hard    nproc           800
++*               soft    nproc           700
++root            hard    nproc           900
++root            soft    nproc           850
++
+ # End of file

pam.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue May  6 14:31:36 UTC 2014 - bwiedemann@suse.com
+
+- limit number of processes to 700 to harden against fork-bombs
+  Add pam-limit-nproc.patch
+
 -------------------------------------------------------------------
 Wed Apr  9 16:02:17 UTC 2014 - ckornacker@suse.com
 

pam.spec

@@ -56,6 +56,7 @@ Patch1:         Linux-PAM-git-20140127.diff
 Patch2:         pam_loginuid-log_write_errors.diff
 Patch3:         pam_xauth-sigpipe.diff
 Patch4:         bug-870433_pam_timestamp-fix-directory-traversal.patch
+Patch5:         pam-limit-nproc.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -104,6 +105,7 @@ building both PAM-aware applications and modules for use with PAM.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 
 %build
 export CFLAGS="%optflags -DNDEBUG"