
(forw) Bug#300720: Bug#300725: Bug#300720: [Pkg-shadow-devel] Bug#300720: Login: Configuration does not load limits.so while others do



OK, let's get advice from the security and release teams. Looks like
the advice from both the shadow and cron package maintainers is not enough.

In short, #300720 complains that login does not activate by default
the pam_limits module, in the provided /etc/pam.d/login file

This bug report came very late and did not show high security
implications at that moment. Nor was the bug RC. Given the policy we
had at that moment for base system packages, I reported the fix to
post-sarge.

The cron package maintainer, Steve Greenland, made the same choice.

Now, at least Olivier mentions this to be a potential fork-bomb issue.

As there is likely a kind of dispute arising with the arguments
developed below by Olivier, I'd rather get the input from both teams
whether 300720 deserved being fixed in sarge.


----- Forwarded message from Olivier Sessink <lists@olivier.pk.wau.nl> -----

Reply-To: Olivier Sessink <lists@olivier.pk.wau.nl>, 300720@bugs.debian.org
From: Olivier Sessink <lists@olivier.pk.wau.nl>
To: 300720@bugs.debian.org
Subject: Bug#300720: Bug#300725: Bug#300720: [Pkg-shadow-devel] Bug#300720: Login: Configuration does not load limits.so while others do
Date: Sun, 08 May 2005 22:28:40 +0200

> I was not planning on pushing this into sid. While I think that Javier
> is correct, I don't see it as necessary for sarge; it can easily be
> corrected on a local basis. OTOH, if the release team says "yes,
> please do it", I wouldn't object: it *is* about safe as a change can
> be.

This makes all Sarge systems go down with a simple fork-bomb. This is
quite a serious security issue. I would even think this issue is big
enough to send a security update *after* the sarge release.

Did you read the slashdot story about systems being affected by
fork-bombs? Debian Woody was not. Several other distributions were
affected, and quickly changed their policy. If Sarge will be affected by
a simple fork-bomb that is a serious regression.

regards,
	Olivier



_______________________________________________
Pkg-shadow-devel mailing list
Pkg-shadow-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-shadow-devel

----- End forwarded message -----
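A small check for the misconfiguration this thread is about, added here as an example and not part of the bug report or of the shadow package: it reports whether a PAM service file actually activates pam_limits.so in its session stack, since /etc/security/limits.conf (where a per-user process limit would live) is only enforced for services that load that module. The two /etc/pam.d/login fragments below are constructed to mimic the commented-out (weak) and activated (corrected) variants and are not copied from any Debian release.

```shell
#!/bin/sh
# Added example: detect whether a PAM service file loads pam_limits.so.
# pam_limits only applies /etc/security/limits.conf to services whose
# session stack includes it, so a commented-out line leaves login unlimited.

# pam_limits_active FILE -> 0 if an uncommented session line loads
# pam_limits.so, 1 otherwise. Lines beginning with '#' are ignored, and
# a pam_limits.so mention inside a trailing comment does not count.
pam_limits_active() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_limits\.so' "$1"
}

# limits_enforced FILE -> prints a verdict, returns the same 0/1 status.
limits_enforced() {
    if pam_limits_active "$1"; then
        echo "$1: pam_limits active, limits.conf is applied"
        return 0
    fi
    echo "$1: pam_limits NOT active, limits.conf is ignored for this service"
    return 1
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed weak file: the module line is present but commented out.
cat > "$tmp/login.weak" <<'EOF'
auth       requisite  pam_securetty.so
auth       required   pam_unix.so nullok
account    required   pam_unix.so
session    required   pam_unix.so
# session    required   pam_limits.so
EOF

# Constructed corrected file: same stack with pam_limits activated.
cat > "$tmp/login.fixed" <<'EOF'
auth       requisite  pam_securetty.so
auth       required   pam_unix.so nullok
account    required   pam_unix.so
session    required   pam_unix.so
session    required   pam_limits.so
EOF

limits_enforced "$tmp/login.weak" || true
limits_enforced "$tmp/login.fixed"
```

Run it against a real service file with `limits_enforced /etc/pam.d/login` to audit a host; activating the module is only half the fix, since limits.conf must also set a process limit for the accounts concerned.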
