[RFE] PAM-level integration of prctl(PR_SET_NO_NEW_PRIVS, ...) #224

Closed
vcaputo opened this issue May 12, 2020 · 3 comments

Contributor

vcaputo commented May 12, 2020

I want to enforce this prctl() at login time in the same spirit of things found in /etc/security/limits.conf.

Would a PR adding a no_new_privs option to modules/pam_limits.c be considered for acceptance upstream?

LMK if this is already supported and I'm just missing something. What I'm interested in is a user/group-oriented way of forcing PR_SET_NO_NEW_PRIVS @ login time.

Member

t8m commented May 12, 2020

Do you mean a new item for limits.conf? In that case it should be probably named nonewprivs without underscores to align with the other items. I suppose it should be somewhat acceptable for pam_limits instead of creating a completely new module just for this purpose and duplicating all the user/group matching there.
@ldv-alt @thkukuk What is your opinion?

Contributor Author

vcaputo commented May 12, 2020

> Do you mean a new item for limits.conf?

Yep! No opinion here on naming, with or without underscores, doesn't matter to me. Seems like a trivial patch.

Member

ldv-alt commented May 12, 2020 via email

vcaputo added a commit to vcaputo/linux-pam that referenced this issue May 12, 2020
Expose prctl(PR_SET_NO_NEW_PRIVS) as "nonewprivs"

Fixes linux-pam#224
vcaputo added a commit to vcaputo/linux-pam that referenced this issue May 13, 2020
Expose prctl(PR_SET_NO_NEW_PRIVS) as "nonewprivs" item

The valid values are a boolean toggle 0/1 to keep semi-consistent
with the other numeric limits.  It's slightly awkward as this is
an oddball relative to the other items in pam_limits but outside
of the item value itself this does seem at home in pam_limits.

Fixes linux-pam#224
vcaputo added a commit to vcaputo/linux-pam that referenced this issue Jun 18, 2020
Expose prctl(PR_SET_NO_NEW_PRIVS) as "nonewprivs" item

The valid values are a boolean toggle 0/1 to keep semi-consistent
with the other numeric limits.  It's slightly awkward as this is
an oddball relative to the other items in pam_limits but outside
of the item value itself this does seem at home in pam_limits.

Fixes linux-pam#224
vcaputo added a commit to vcaputo/linux-pam that referenced this issue Jun 22, 2020
Expose prctl(PR_SET_NO_NEW_PRIVS) as "nonewprivs" item

The valid values are a boolean toggle 0/1 to keep semi-consistent
with the other numeric limits.  It's slightly awkward as this is
an oddball relative to the other items in pam_limits but outside
of the item value itself this does seem at home in pam_limits.

Fixes linux-pam#224
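
The kernel behaviour this request asks pam_limits to drive, as an added example that is not code from this thread or from Linux-PAM: a forked stand-in for the session process sets PR_SET_NO_NEW_PRIVS according to a `nonewprivs` value of 0 or 1, confirms the flag cannot be cleared again, and reports what a descendant inherits. The function names (`in_child`, `read_flag`, `session`, `apply_nonewprivs`) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run fn(arg) in a forked child; return its exit code, or -1 on failure. */
static int in_child(int (*fn)(int), int arg) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(fn(arg));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Exit code 0 or 1 is the caller's no_new_privs flag; 255 means prctl failed. */
static int read_flag(int unused) {
    (void)unused;
    return prctl(PR_GET_NO_NEW_PRIVS, 0UL, 0UL, 0UL, 0UL) & 0xff;
}

/* Stand-in for the session process: set the flag if asked, confirm it cannot
 * be cleared again, then report what a forked descendant inherits. */
static int session(int want) {
    if (want) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1UL, 0UL, 0UL, 0UL) != 0) return 2;
        /* One-way switch: the kernel rejects any value other than 1. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 0UL, 0UL, 0UL, 0UL) == 0) return 3;
    }
    return in_child(read_flag, 0) & 0xff;
}

/* value is the "nonewprivs" item value: only "0" or "1" are valid. Returns the
 * flag a descendant of the session sees (0 or 1), or -1 on bad value/error. */
int apply_nonewprivs(const char *value) {
    if (strcmp(value, "0") != 0 && strcmp(value, "1") != 0) return -1;
    int r = in_child(session, value[0] == '1');
    return (r == 0 || r == 1) ? r : -1;
}

int main(void) {
    const char *samples[] = { "1", "0", "yes" };  /* constructed values */
    for (int i = 0; i < 3; i++)
        printf("nonewprivs %s -> %d\n", samples[i], apply_nonewprivs(samples[i]));
    return 0;
}
```

A value of 0 leaves the flag as inherited, so it reports 1 when the calling process already runs with no_new_privs set.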