On Thu, 07 Oct 2021 at 22:19:43 +0200, Chris Hofstaedtler wrote:
> * Simon McVittie <s...@debian.org> [210928 13:27]:
> > To avoid reintroducing #63230, if that is not a desired outcome, it will
> > be necessary to change /etc/pam.d/su (in the util-linux package) so that
> > it invokes "pam_limits.so set_all" instead of plain "pam_limits.so".
>
> So, should util-linux start shipping /etc/pam.d/su with
> "pam_limits.so set_all" then?

If we want su to reset all limits to whatever value PAM guesses might be
a reasonable default, then maybe yes. (But see also #917374, #976373 and
upstream bug https://github.com/linux-pam/linux-pam/issues/85 - the way
in which PAM guesses what reasonable limits might be is not great if pid 1
is non-trivial.)

> As an alternate datapoint: on
> Fedora-derived distributions, PAM config for su does not include
> pam_limits.so.

If I'm reading correctly, Fedora has pam_limits.so (but *without* set_all)
in their equivalent of our common-session, so most/all services pick it
up from there.

smcv
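
An added example, not part of the original message and not code from util-linux, Linux-PAM, Debian or Fedora: a small Python audit that reports, for each PAM service file, whether pam_limits.so is reached (directly or through an include such as common-session) and whether set_all is passed. The file contents and the names su_plain, su_set_all, su_via_include and su_none are constructed for illustration.

```python
import re

# type, control (plain word or [bracketed list]), module path, arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample files (assumption: not copied from any distribution).
SAMPLE = {
    "su_plain": "session required pam_limits.so\n",
    "su_set_all": "session  required  pam_limits.so set_all  # reset every limit\n",
    "su_via_include": "auth sufficient pam_rootok.so\n@include common-session\n",
    "su_none": "auth sufficient pam_rootok.so\nsession optional pam_keyinit.so force revoke\n",
    "common-session": "session [default=1] pam_permit.so\n-session required pam_limits.so\n",
}

def limits_entries(service, files, seen=None):
    """Return (file, has_set_all) for each pam_limits line reachable from service."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []
    seen.add(service)  # guards against include loops
    found = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("@include"):  # Debian-style include directive
            found += limits_entries(line.split()[1], files, seen)
            continue
        m = LINE.match(line)
        if not m:
            continue
        _type, control, module, args = m.groups()
        if control in ("include", "substack"):  # include expressed as a control value
            found += limits_entries(module, files, seen)
        elif module.rsplit("/", 1)[-1] == "pam_limits.so":
            found.append((service, "set_all" in args.split()))
    return found

def audit(files, services):
    """Map each service to 'absent', 'set_all' or 'no set_all'."""
    report = {}
    for svc in services:
        entries = limits_entries(svc, files)
        if not entries:
            report[svc] = "absent"
        else:
            report[svc] = "set_all" if all(flag for _, flag in entries) else "no set_all"
    return report
```

To run it against a real system, build the `files` dictionary from the contents of /etc/pam.d instead of SAMPLE.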