On Thu, 07 Oct 2021 at 22:19:43 +0200, Chris Hofstaedtler wrote:
> * Simon McVittie <s...@debian.org> [210928 13:27]:
> > To avoid reintroducing #63230, if that is not a desired outcome, it will
> > be necessary to change /etc/pam.d/su (in the util-linux package) so that
> > it invokes "pam_limits.so set_all" instead of plain "pam_limits.so".
>
> So, should util-linux start shipping /etc/pam.d/su with
> "pam_limits.so set_all" then?

If we want su to reset all limits to whatever value PAM guesses might be a
reasonable default, then maybe yes. (But see also #917374, #976373 and
upstream bug https://github.com/linux-pam/linux-pam/issues/85 - the way
in which PAM guesses what reasonable limits might be is not great if pid 1
is non-trivial.)

> As an alternate datapoint: on
> Fedora-derived distributions, PAM config for su does not include
> pam_limits.so.

If I'm reading correctly, Fedora has pam_limits.so (but *without* set_all)
in their equivalent of our common-session, so most/all services pick it up
from there.

    smcv
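
The question in this thread turns on whether a service's PAM stack invokes pam_limits.so directly, picks it up from a shared file, or not at all, and whether set_all is passed. The following sketch is an added example, not part of the thread or of any package: it classifies a service by following both Debian's @include and Linux-PAM's include/substack controls. The file contents are constructed samples and the function names are hypothetical.

```python
import re

# Constructed PAM service files, keyed by name under /etc/pam.d (not real distro files).
FILES = {
    "su": "auth sufficient pam_rootok.so\nsession required pam_limits.so set_all\n",
    "login": "# limits come from the shared file\n@include common-session\n",
    "common-session": "session [default=1] pam_permit.so\n"
                      "-session required \\\n    pam_limits.so\n",
    "cron": "session include base\n",
    "base": "session required pam_unix.so\n",
}

def logical_lines(text):
    """Yield rules with comments removed and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line:
            yield line

def pam_limits_rules(service, files, seen=None):
    """Return [(file, args)] for every pam_limits.so rule reachable from service."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []
    seen.add(service)
    found = []
    for line in logical_lines(files[service]):
        # Collapse a bracketed control such as [default=1] into one field.
        fields = re.sub(r"^(\S+\s+)\[[^\]]*\]", r"\1CTL", line).split()
        if fields[0] == "@include" and len(fields) > 1:      # Debian-style include
            found += pam_limits_rules(fields[1], files, seen)
        elif len(fields) >= 3 and fields[1] in ("include", "substack"):
            found += pam_limits_rules(fields[2], files, seen)
        elif len(fields) >= 3 and fields[2].endswith("pam_limits.so"):
            found.append((service, fields[3:]))
    return found

def classify(service, files=FILES):
    """'none', 'plain' or 'set_all' depending on how pam_limits.so is invoked."""
    rules = pam_limits_rules(service, files)
    if not rules:
        return "none"
    return "set_all" if any("set_all" in args for _, args in rules) else "plain"

if __name__ == "__main__":
    for name in ("su", "login", "cron"):
        print(name, classify(name), pam_limits_rules(name, FILES))
```

To audit a real system, build the dictionary from the files in /etc/pam.d instead of the constructed samples.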
