On Mon, Oct 15, 2018 at 06:00:05PM +0200, Kamil Paral wrote:
> On Tue, Oct 9, 2018 at 6:15 PM Lennart Poettering <mzerqung(a)0pointer.de> wrote:
> > On Di, 09.10.18 14:45, Anderson, Charles R (cra(a)wpi.edu) wrote:
> >
> > > > It would be nice if somebody managed to find where this is patched in
> > > > Debian. Because I somewhat doubt that they made this change without a
> > > > proper discussion. And Debian is very much server oriented.
> > >
> > > Can we not have the RPM package drop a file in /etc/security/limits.d
> > > to set the limit only when that package is installed? That way it
> > > only affects users of that package.
> >
> > That only affects stuff that goes through PAM (specifically, all PAM
> > stacks that include pam_limits.so).
> >
> > It is my intention to change this system wide, i.e. for system
> > services (which do not go through PAM) too.
> >
> Lennart, what is the path forward here? Should we pull in some security
> experts to give us recommendations on the best default value? Or are those
> conversations already happening somewhere else? Also, do you need any more
> information regarding the Wine esync use case, or has Zebediah provided
> sufficient data?

It's being discussed in systemd upstream:
https://github.com/systemd/systemd/pull/10244
It needs another round of review, but looks like it'll be merged soon.
Zbyszek