From: Ricardo Wurmus
Subject: Re: [RFC]: Respect /etc/security/limits.conf
Date: Sat, 17 Oct 2015 20:24:37 +0200
Message-ID: <87mvvhgxp6.fsf@elephly.net>
To: Ludovic Courtès
Cc: "guix-devel@gnu.org"

Ludovic Courtès writes:

>> Loading the module doesn’t yet do anything on GuixSD because we don’t
>> generate ‘/etc/security/limits.conf’ (or ‘/etc/security/limits.d/’), but
>> it should respect such file if it does exist.  (I have not yet tested
>> this, but I will some time this week.)
>>
>> Does this look okay?
>
> As long as lack of /etc/security/limits.conf doesn’t create any problems
> or annoying warnings, that’s fine!

So, I did test this and found a couple of issues:

* my patches need modification as ‘pam_limits.so’ looks for
  ‘limits.conf’ in the output directory of the linux-pam package, not in
  ‘/etc/security/’.  This can be changed by passing
  “conf=/etc/security/limits.conf” as an argument for the pam-entry.

* when ‘pam_limits.so’ is loaded by “login” and configured to look for
  ‘/etc/security/limits.conf’, logins fail with “Error in service
  module” when the file does not exist.

* changing the pam service for “login” is not enough as it only affects
  console logins.  When a user logs in via slim (or switches user
  accounts with ‘su’), limits are not respected.

I’ll update my patches to address the first point.

For the second point we need to make sure to install
‘/etc/security/limits.conf’ (even if it’s just empty).  The linux-pam
package provides ‘$out/etc/security/*’ but nothing is deployed to ‘/etc’
when configuring the system.

To address the third point we could enhance the pam-services for ‘slim’
and ‘su’ in addition to ‘login’.

>>> Is this PREFIX/etc/security/limits.d convention already used?  If not,
>>> I’d rather avoid inventing it.  ;-)
>>>
>>> What we could do is add a field in ‘operating-system’ to specify the
>>> limits.conf file to install as /etc/security/limits.conf?
>>
>> Yes, that’s a better idea.
>
> One way to do that within the new service framework would be to have a
> “limits” service that extends ‘etc-service-type’.  Something like that.

I’ll try that and prepare an updated patch set.

~~ Ricardo
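
An added example, not part of the message above or of the Guix patches: a Python check over PAM service files for the three issues reported (a service that does not load ‘pam_limits.so’, an entry without “conf=”, and a “conf=” path that does not exist). The function names, finding strings and sample service files are constructed for illustration, and the directory holding the service files is an assumption passed in by the caller.

```python
import os
import re
import tempfile

SERVICES = ("login", "slim", "su")  # the three services named in the message
# <type> <control> <module> [arguments]; control may be a bracketed "[a=b ...]" list
PAM_LINE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def audit_pam_limits(pam_dir, services=SERVICES):
    """Return {service: finding} for the pam_limits.so session entry of each service."""
    findings = {}
    for service in services:
        path = os.path.join(pam_dir, service)
        if not os.path.isfile(path):
            findings[service] = "no service file"
            continue
        findings[service] = "pam_limits.so not loaded"
        with open(path, encoding="utf-8") as fh:
            for raw in fh:
                m = PAM_LINE.match(raw.split("#", 1)[0])  # drop comments
                if not m or m.group(1) != "session":
                    continue
                if os.path.basename(m.group(3)) != "pam_limits.so":
                    continue
                args = m.group(4).split()
                conf = next((a[5:] for a in args if a.startswith("conf=")), None)
                if conf is None:
                    findings[service] = "no conf=: module default path applies"
                elif not os.path.isfile(conf):
                    findings[service] = "conf file missing: " + conf
                else:
                    findings[service] = "ok: " + conf
                break
    return findings


def demo():
    """Audit a constructed PAM directory: one good, one unloaded, one dangling."""
    with tempfile.TemporaryDirectory() as tmp:
        limits = os.path.join(tmp, "limits.conf")
        open(limits, "w").close()  # an empty file is enough to exist
        samples = {
            "login": f"session required pam_limits.so conf={limits}\n",
            "slim": "session required pam_unix.so\n",
            "su": f"session required pam_limits.so conf={tmp}/absent.conf\n",
        }
        for name, text in samples.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit_pam_limits(tmp), limits
```

The check reads only the named service files and does not follow include directives.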