From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: [RFC]: Respect /etc/security/limits.conf
Date: Mon, 19 Oct 2015 16:58:09 +0200
Message-ID: <87oafuzz0e.fsf@gnu.org>
References: <87zj0i65rl.fsf@elephly.net> <87zj0hjb5o.fsf@gnu.org> <87si5g4q45.fsf@elephly.net> <87twpw9fi9.fsf@gnu.org> <87mvvhgxp6.fsf@elephly.net>
In-Reply-To: <87mvvhgxp6.fsf@elephly.net> (Ricardo Wurmus's message of "Sat, 17 Oct 2015 20:24:37 +0200")
To: Ricardo Wurmus
Cc: guix-devel@gnu.org

Ricardo Wurmus skribis:

> Ludovic Courtès writes:
>
>>> Loading the module doesn’t yet do anything on GuixSD because we don’t
>>> generate ‘/etc/security/limits.conf’ (or ‘/etc/security/limits.d/’), but
>>> it should respect such a file if it does exist. (I have not yet tested
>>> this, but I will some time this week.)
>>>
>>> Does this look okay?
>>
>> As long as lack of /etc/security/limits.conf doesn’t create any problems
>> or annoying warnings, that’s fine!
>
> So, I did test this and found a couple of issues:
>
> * my patches need modification as ‘pam_limits.so’ looks for
>   ‘limits.conf’ in the output directory of the linux-pam package, not in
>   ‘/etc/security/’. This can be changed by passing
>   “conf=/etc/security/limits.conf” as an argument for the pam-entry.

We don’t even have to add it to /etc then; we could do
“conf=/gnu/store/…-limits.conf”, which is preferable IMO (it’s like
avoiding a global variable.)

> * when ‘pam_limits.so’ is loaded by “login” and configured to look for
>   ‘/etc/security/limits.conf’, logins fail with “Error in service
>   module” when the file does not exist.

So I guess we could create an empty(?) limits.conf file by default?

> * changing the pam service for “login” is not enough as it only affects
>   console logins. When a user logs in via slim (or switches user
>   accounts with ‘su’), limits are not respected.
>
> I’ll update my patches to address the first point. For the second point
> we need to make sure to install ‘/etc/security/limits.conf’ (even if
> it’s just empty). The linux-pam package provides ‘$out/etc/security/*’
> but nothing is deployed to ‘/etc’ when configuring the system.
>
> To address the third point we could enhance the pam-services for ‘slim’
> and ‘su’ in addition to ‘login’.

Sounds like a good plan. I guess changing the default values of the PAM
entries to include pam_limits.so is reasonable.

A similar pattern occurs with elogind though, as Andy wrote some time
ago. So, looking forward, there’s the question of whether we should
provide a more flexible way to extend ‘pam-service-type’.

For instance, there could be a ‘limits-service’ that extends
‘pam-service-type’ such that all the contributed PAM entries are
augmented with ‘pam_limits.so’; likewise, ‘elogind-service’ would add
‘pam_elogind.so’.

One way to do that would be to extend ‘pam-service-type’ with a
procedure instead of a ‘pam-entry’; that procedure would then be mapped
over all the contributed PAM entries.

Thoughts?

Ludo’.
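The thread above makes three points worth seeing together: pam_limits.so needs an explicit conf= argument because its default path is under the linux-pam package prefix, a login fails with "Error in service module" when that file is missing, and the entry must be added to every login path (login, slim, su), ideally by mapping one procedure over all contributed PAM services. The following is an added example written for this editor's note, not code from Guix or from anyone on the thread. It models PAM services in Python rather than Guile so it can be run anywhere: the PamEntry/PamService classes, the add_limits procedure and the check_limits_conf linter are all assumptions of this example, and the limits file path is a temporary stand-in for a /gnu/store/…-limits.conf item.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LIMITS_MODULE = "pam_limits.so"
# Services named in the thread as needing the entry: console login, the
# slim display manager and su.  (Assumed default for this example.)
DEFAULT_LIMITS_SERVICES = ("login", "slim", "su")


@dataclass(frozen=True)
class PamEntry:
    """One line of a PAM service file: '<section> <control> <module> [args]'."""
    control: str
    module: str
    arguments: Tuple[str, ...] = ()

    def render(self, section: str) -> str:
        return " ".join((section, self.control, self.module) + self.arguments)


@dataclass
class PamService:
    """A PAM service (e.g. /etc/pam.d/login) as four lists of entries."""
    name: str
    auth: List[PamEntry] = field(default_factory=list)
    account: List[PamEntry] = field(default_factory=list)
    password: List[PamEntry] = field(default_factory=list)
    session: List[PamEntry] = field(default_factory=list)

    def render(self) -> str:
        lines = []
        for section in ("auth", "account", "password", "session"):
            for entry in getattr(self, section):
                lines.append(entry.render(section))
        return "\n".join(lines) + "\n"


def limits_entry(conf_path: str) -> PamEntry:
    # pam_limits.so looks for limits.conf under the linux-pam package prefix
    # unless told otherwise, so the file is always named explicitly here.
    return PamEntry("required", LIMITS_MODULE, (f"conf={conf_path}",))


def add_limits(service: PamService, conf_path: str,
               names=DEFAULT_LIMITS_SERVICES) -> PamService:
    """The procedure to map over every contributed PAM service: returns the
    service unchanged unless it is one of `names` and does not already load
    pam_limits.so in its session stack (so applying it twice is harmless)."""
    if service.name not in names:
        return service
    if any(e.module == LIMITS_MODULE for e in service.session):
        return service
    return PamService(service.name, list(service.auth), list(service.account),
                      list(service.password),
                      [limits_entry(conf_path)] + list(service.session))


def conf_argument(entry: PamEntry) -> Optional[str]:
    for arg in entry.arguments:
        if arg.startswith("conf="):
            return arg[len("conf="):]
    return None


def check_limits_conf(services: List[PamService]) -> List[str]:
    """Linter for the failure mode in the thread: one problem string per
    pam_limits.so entry whose conf= file is absent (or unspecified); an
    empty list means every configured limits file is present."""
    problems = []
    for svc in services:
        for entry in svc.session:
            if entry.module != LIMITS_MODULE:
                continue
            path = conf_argument(entry)
            if path is None:
                problems.append(f"{svc.name}: {LIMITS_MODULE} has no conf= "
                                "argument (falls back to the package default)")
            elif not os.path.isfile(path):
                problems.append(f"{svc.name}: limits file {path} does not "
                                "exist (logins through this service would fail)")
    return problems


def demo() -> Tuple[int, int, bool]:
    """Constructed sample: four services, of which only login/slim/su get the
    entry.  Returns (problems before the file exists, problems after it is
    written, whether sshd was left untouched)."""
    services = [PamService("login", session=[PamEntry("required", "pam_unix.so")]),
                PamService("slim"), PamService("su"), PamService("sshd")]
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "limits.conf")  # stand-in for a store item
        augmented = [add_limits(svc, conf) for svc in services]
        before = check_limits_conf(augmented)     # file not written yet
        with open(conf, "w") as fh:
            fh.write("# constructed, deliberately empty limits.conf\n")
        after = check_limits_conf(augmented)      # empty file is enough
    return len(before), len(after), augmented[3].session == []


if __name__ == "__main__":
    print(demo())
```

Running the module prints `(3, 0, True)`: three services would fail to log in while the file is missing, none once even an empty limits.conf exists, and sshd is not modified because it is not in the list. The add_limits function is the Python shape of the "procedure mapped over all contributed PAM entries" idea from the message; a second extension such as one adding pam_elogind.so would be another function composed with it.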