[RFE] PAM-level integration of prctl(PR_SET_NO_NEW_PRIVS, ...) #224
Comments
Do you mean a new item for limits.conf? In that case it should be probably named nonewprivs without underscores to align with the other items. I suppose it should be somewhat acceptable for pam_limits instead of creating a completely new module just for this purpose and duplicating all the user/group matching there.
Yep! No opinion here on naming, with or without underscores, doesn't matter to me. Seems like a trivial patch.
On Tue, May 12, 2020 at 04:37:20AM -0700, Tomáš Mráz wrote:
Do you mean a new item for limits.conf? In that case it should be probably named nonewprivs without underscores to align with the other items. I suppose it should be somewhat acceptable for pam_limits instead of creating a completely new module just for this purpose and duplicating all the user/group matching there.
@ldv-alt @thkukuk What is your opinion?
I concur.
Expose prctl(PR_SET_NO_NEW_PRIVS) as "nonewprivs" Fixes linux-pam#224
Expose prctl(PR_SET_NO_NEW_PRIVS) as "nonewprivs" item The valid values are a boolean toggle 0/1 to keep semi-consistent with the other numeric limits. It's slightly awkward as this is an oddball relative to the other items in pam_limits but outside of the item value itself this does seem at home in pam_limit. Fixes linux-pam#224
Expose prctl(PR_SET_NO_NEW_PRIVS) as "nonewprivs" item The valid values are a boolean toggle 0/1 to keep semi-consistent with the other numeric limits. It's slightly awkward as this is an oddball relative to the other items in pam_limits but outside of the item value itself this does seem at home in pam_limits. Fixes linux-pam#224
I want to enforce this prctl() at login time in the same spirit of things found in /etc/security/limits.conf.
Would a PR adding a no_new_privs option to modules/pam_limits.c be considered for acceptance upstream?
LMK if this is already supported and I'm just missing something. What I'm interested in is a user/group-oriented way of forcing PR_SET_NO_NEW_PRIVS @ login time.
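What the requested item amounts to at the process level, as an added example that is not code from the issue or from the Linux-PAM patch: a 0/1 value is validated, the flag is set with prctl(), and a forked child is checked to confirm it inherits the flag. The helper names `parse_nonewprivs`, `apply_nonewprivs` and `child_no_new_privs` are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: accept only the boolean toggle "0" or "1"; -1 if invalid. */
static int parse_nonewprivs(const char *value)
{
    if (strcmp(value, "0") == 0) return 0;
    if (strcmp(value, "1") == 0) return 1;
    return -1;
}

/* Apply the item to the calling process. "0" is a no-op because the kernel
 * only lets the flag be set, never cleared. Returns 0 on success, -1 on error. */
static int apply_nonewprivs(const char *value)
{
    int on = parse_nonewprivs(value);
    if (on < 0) return -1;
    if (on == 0) return 0;
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Fork and report the flag as the child sees it: 1 if set, 0 if not (or if the
 * query failed), -1 if fork/wait failed. The flag is also kept across execve(). */
static int child_no_new_privs(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 1 : 0);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("before: %d\n", prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0));
    if (apply_nonewprivs("1") != 0) {
        perror("apply_nonewprivs");
        return 1;
    }
    printf("after: %d, child: %d\n",
           prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0), child_no_new_privs());
    return 0;
}
```

Because the flag is inherited and irreversible, setting it in the session's first process covers everything started from that login, and setuid or file-capability binaries executed afterwards run without the extra privileges.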