>>>>> "Soren" == Soren Stoutner <so...@debian.org> writes:


    Soren> The purpose of this bug report is to ask if there are any
    Soren> downsides to setting the default memlock value to 64 MiB.  If
    Soren> not, would that be a change you would be willing to make?

I think it would be relatively harmless to raise the default.
You could exhaust memory by having a bunch of processes each lock down
64M, but to harden a system against exhaustion attacks takes a fair bit
of work and I'm sure our defaults already allow for some exhaustion.


But pam in trixie should not set limits unless you explicitly configure
them.  By default it passes along the limits systemd sets.
So I wonder if there is a way for the otp client to drop a dropin to ask
systemd to raise the limit?

I also wonder whether this is really worth an error to the user.
If I had control of all the bits involved I would try to raise the
default limit with systemd and convince Otpclient not to complain if the
memlock limit wasn't raised high enough.
