RFC: dropping Linux capabilities support from pam_limits (bug #440130)

For a long time, the Debian pam package has been carrying a local patch to
add support for Linux capabilities in pam_limits. While catching up on bug
triage work on the package, I've come to the conclusion that this
functionality is broken, useless, and that no one actually uses it; it was
broken for several years, leaking memory for longer, and now that it's fully
"fixed" it's still insanely cumbersome to use, so I conclude that no one
actually uses it or we would have heard complaints before now.

For gory details on what's wrong with pam_limits' capabilities support,
please see bug #440130. The short summary, though, is that unless someone
speaks up in defense of this code, preferably with a clear explanation of
how it's possible to do anything useful with it, I'm planning to kill off
this patch in the near future.

Advantages of doing so are one less local patch being carried around that's
not up to snuff for upstream, and being able to drop libcap1 from the base
system since libpam-modules is the only base package that depends on it.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.