#976373 libpam-modules: RLIMIT_MEMLOCK set to 1/8th of memory (due to systemd changes)

Package:
libpam-modules
Source:
pam
Description:
Pluggable Authentication Modules for PAM
Submitter:
Andres Freund
Date:
2021-09-28 11:27:04 UTC
Severity:
important
#976373#5
Date:
2020-12-04 08:47:01 UTC
From:
To:
Hi,

Since systemd v246, RLIMIT_MEMLOCK, on a clean installation, is set to
1/8th of memory (before that, since v240 it was set to 64MB, instead
of the previous 64KB) for anything going through pam_limits. That's too
high.

The reason for that is that https://salsa.debian.org/vorlon/pam/-/blob/master/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root#L66
causes rlimits to be copied from pid 1 whenever pam_limits is used
and /etc/security/limits.{conf,d} doesn't specify them. The one exception to that is
RLIMIT_NOFILE, which is clamped to FD_SETSIZE via
https://salsa.debian.org/vorlon/pam/-/blob/master/debian/patches-applied/pam-limits-nofile-fd-setsize-cap

The systemd changes leading to this are
https://github.com/systemd/systemd/commit/04d1ee0f7ec7a280136ddf5f3f34d6282a50846d
https://github.com/systemd/systemd/commit/c8884aceefc85245b9bdfb626e2daf27521259bd

Clearly this is very related to
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917374 but the
consequences are different enough (particularly because the clamping
makes the NOFILE issue fairly harmless).

Regards,

Andres Freund
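The following is an added example to check for the condition described in this report; it is not part of the report or of Debian's pam packaging. It parses the /proc/<pid>/limits and /proc/meminfo formats and flags a session whose memlock limit is identical to pid 1's and at or above 1/8th of physical memory, which is what you see when pam_limits falls back to pid 1's value because limits.conf does not set memlock. The sample limits text and the 16 GiB MemTotal are constructed values, not captured from a real host.

```python
"""Detect RLIMIT_MEMLOCK inherited from pid 1 instead of set in limits.conf.

Added example (not Debian's pam code). Parses the /proc/<pid>/limits format
and flags a session whose memlock limit equals pid 1's and sits at or above
1/8th of physical memory, the systemd >= v246 default this report describes.
"""
import re

# Constructed sample in /proc/<pid>/limits format (not captured from a real host).
SAMPLE_PID1_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 524288               files
Max locked memory         2147483648           2147483648           bytes
Max realtime timeout      unlimited            unlimited            us
"""

LINE_RE = re.compile(r"^(Max \S+(?: \S+)*?)\s{2,}(unlimited|\d+)\s+(unlimited|\d+)")


def parse_limits(text):
    """Return {name: (soft, hard)}; 'unlimited' becomes None."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conv = lambda v: None if v == "unlimited" else int(v)
            out[m.group(1)] = (conv(m.group(2)), conv(m.group(3)))
    return out


def read_limits(pid):
    """Read and parse /proc/<pid>/limits on a live system."""
    with open(f"/proc/{pid}/limits") as f:
        return parse_limits(f.read())


def mem_total_bytes(meminfo_text):
    """Extract MemTotal (reported in kB) from /proc/meminfo text."""
    m = re.search(r"^MemTotal:\s+(\d+) kB", meminfo_text, re.M)
    return int(m.group(1)) * 1024


def memlock_inherited(session, pid1, mem_total, fraction=1 / 8):
    """True if the session's soft memlock equals pid 1's and is >= fraction of RAM.

    That combination is the signature of pam_limits copying pid 1's limit
    because limits.conf/limits.d does not set memlock explicitly.
    """
    key = "Max locked memory"
    s_soft, _ = session.get(key, (None, None))
    p_soft, _ = pid1.get(key, (None, None))
    if s_soft is None or s_soft != p_soft:
        return False
    return s_soft >= mem_total * fraction
```

On a live host, compare read_limits(os.getpid()) against read_limits(1) with mem_total_bytes(open("/proc/meminfo").read()); an explicit memlock line in /etc/security/limits.d stops the copy-from-pid-1 behaviour the report describes.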