Package: libpam-modules
Version: 0.79-4
Severity: important

Currently, pam_limits includes a Debian-specific patch to support setting Linux capabilities for services. However, Linux capabilities are of limited utility in Linux 2.4 kernels and above, because full POSIX capabilities have been deliberately crippled upstream; the set of permitted capabilities is not inherited across exec boundaries regardless of the contents of the 'inherited' set, and capabilities are not preserved across uid changes except when a particular process option is manually set with prctl(), so the pam_limits capabilities support is only useful on a modern kernel for processes which:

- run pam_open_session() for each applicant
- handle each applicant in a separate process (since there's no support for restoring capabilities once they've been dropped)
- don't need to carry any positive capabilities across an exec() boundary (so either the service runs as root and uses pam_limits to drop privileges, or runs as non-root and never needs to start another program with the same privileges)
- have a reason for permitting different capabilities on a per-applicant basis (otherwise the app is better served by using libcap directly)

The third point rules out any shell-based services for users; the fourth point really seems to rule out most network-based services, which normally need a fixed set of capabilities to function correctly and should implement their own uid/capability handling; the first point rules out a number of applications such as apache; and the second point rules out a number of other use cases. So the principal remaining use case here seems to be to limit the capabilities of root shells, but pam_limits doesn't give any granularity finer than per-user, so this only helps if you want to limit the capabilities of *all* root shells, which again doesn't seem very useful.

Add to that the fact that the pam_limits capability support was broken for several years without anyone complaining, and that today it *still* doesn't support the full cap_from_text() semantics for specifying capabilities (specifying negative capability sets for root is a PITA), and this local patch doesn't seem very useful to me. It has never been submitted upstream, and dropping it would allow us to drop libcap1 from the base system.

Therefore it is my intention to drop this patch from a future upload of pam unless there's a good reason not to.

-- 
Steve Langasek
Debian Developer
[EMAIL PROTECTED]
http://www.debian.org/

Give me a lever long enough and a Free OS to set it on, and I can move the world.
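An illustration of the cap_from_text() syntax the report refers to, added here as an example and not code from libcap, pam or the bug report: a simplified parser for the text format documented in cap_from_text(3), showing how the "negative set for root" form (all=ep cap_sys_admin-ep) yields a full effective/permitted set with CAP_SYS_ADMIN removed. Capability numbers are those of linux/capability.h; the grammar is simplified (whitespace-separated clauses only, and an empty name list is treated like "all").

```python
"""Simplified parser for the libcap cap_from_text(3) text format.

Constructed example, not libcap or pam_limits code. It models the documented
grammar (whitespace-separated clauses, each a comma-separated capability list
followed by operator/flag pairs, starting from an empty set) closely enough to
show how "all=ep cap_sys_admin-ep" expresses a negative set for root.
"""
import re

CAP_BITS = {  # name -> bit number, first 32 capabilities from linux/capability.h
    "cap_chown": 0, "cap_dac_override": 1, "cap_dac_read_search": 2,
    "cap_fowner": 3, "cap_fsetid": 4, "cap_kill": 5, "cap_setgid": 6,
    "cap_setuid": 7, "cap_setpcap": 8, "cap_linux_immutable": 9,
    "cap_net_bind_service": 10, "cap_net_broadcast": 11, "cap_net_admin": 12,
    "cap_net_raw": 13, "cap_ipc_lock": 14, "cap_ipc_owner": 15,
    "cap_sys_module": 16, "cap_sys_rawio": 17, "cap_sys_chroot": 18,
    "cap_sys_ptrace": 19, "cap_sys_pacct": 20, "cap_sys_admin": 21,
    "cap_sys_boot": 22, "cap_sys_nice": 23, "cap_sys_resource": 24,
    "cap_sys_time": 25, "cap_sys_tty_config": 26, "cap_mknod": 27,
    "cap_lease": 28, "cap_audit_write": 29, "cap_audit_control": 30,
    "cap_setfcap": 31,
}
ALL_MASK = (1 << len(CAP_BITS)) - 1
CLAUSE_RE = re.compile(r"^([a-z_,]*)((?:[=+-][eip]*)+)$")


def cap_from_text(text):
    """Return {'e': mask, 'p': mask, 'i': mask} for a cap_from_text string."""
    sets = {"e": 0, "p": 0, "i": 0}  # cap_from_text starts from an empty set
    for clause in text.split():
        m = CLAUSE_RE.match(clause.lower())
        if not m:
            raise ValueError("bad clause: %r" % clause)
        names, actions = m.group(1), m.group(2)
        if names in ("", "all"):
            mask = ALL_MASK
        else:
            mask = 0
            for name in names.split(","):
                if name not in CAP_BITS:
                    raise ValueError("unknown capability: %r" % name)
                mask |= 1 << CAP_BITS[name]
        for op, flags in re.findall(r"([=+-])([eip]*)", actions):
            if op == "=":  # '=' lowers the named caps everywhere, then raises them in flags
                for f in sets:
                    sets[f] &= ~mask
            for f in flags:
                sets[f] = sets[f] & ~mask if op == "-" else sets[f] | mask
    return sets


def has_cap(sets, flag, name):
    """True if capability `name` is raised in flag set 'e', 'p' or 'i'."""
    return bool(sets[flag] >> CAP_BITS[name] & 1)
```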

