From: Ricardo Wurmus <rekado@elephly.net>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: "guix-devel@gnu.org" <guix-devel@gnu.org>
Subject: Re: [RFC]: Respect /etc/security/limits.conf
Date: Mon, 12 Oct 2015 07:23:22 +0200 [thread overview]
Message-ID: <87si5g4q45.fsf@elephly.net> (raw)
In-Reply-To: <87zj0hjb5o.fsf@gnu.org>
[-- Attachment #1: Type: text/plain, Size: 1734 bytes --]
Ludovic Courtès <ludo@gnu.org> writes:
> Ricardo Wurmus <rekado@elephly.net> skribis:
>
>> The attached patch tries to add an entry for pam_limits.so, but I have
>> no idea if this actually works or if this is the way it should be done.
>> As far as I can tell we only need the pam_limits.so entry for
>> “/etc/pam.d/login”, but I could not find where this file is generated.
>
> It is generated based on the ‘pam-services’ field of the service
> returned by ‘mingetty-service’.
>
> Maybe it would be best to adjust just that part?
Oh, right. Attached are two patches:
* The first exports the pam-service-* getters, making it possible to
extend a pam-service.
* The second extends the “session” field of the mingetty-service to
add “pam_limits.so” to the required modules.
Loading the module doesn’t yet do anything on GuixSD because we don’t
generate ‘/etc/security/limits.conf’ (or ‘/etc/security/limits.d/’), but
it should respect such file if it does exist. (I have not yet tested
this, but I will some time this week.)
Does this look okay?
> Is this PREFIX/etc/security/limits.d convention already used? If not,
> I’d rather avoid inventing it. ;-)
>
> What we could do is add a field in ‘operating-system’ to specify the
> limits.conf file to install as /etc/security/limits.conf?
Yes, that’s a better idea.
> It would be even better to create Scheme data types that mirror the
> settings of a limits.conf file (similar to what is done for PAM
> settings), and have users fiddle with that rather than with a plain text
> file.
I’ll familiarise myself with how other (service) configuration files are
created in GuixSD and propose a patch later.
~~ Ricardo
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-system-Export-pam-service-accessors.patch --]
[-- Type: text/x-patch, Size: 954 bytes --]
From cdf974eb7595cfb8997111d09f6da2350c72afdd Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus <rekado@elephly.net>
Date: Mon, 12 Oct 2015 07:08:32 +0200
Subject: [PATCH 1/2] system: Export pam-service accessors.
* gnu/system/linux.scm (pam-service-name, pam-service-account,
pam-service-auth, pam-service-password, pam-service-session): Export.
---
gnu/system/linux.scm | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/gnu/system/linux.scm b/gnu/system/linux.scm
index cd14bc9..bfb1db6 100644
--- a/gnu/system/linux.scm
+++ b/gnu/system/linux.scm
@@ -26,6 +26,12 @@
#:use-module (srfi srfi-26)
#:use-module ((guix utils) #:select (%current-system))
#:export (pam-service
+ pam-service-name
+ pam-service-account
+ pam-service-auth
+ pam-service-password
+ pam-service-session
+
pam-entry
pam-services->directory
unix-pam-service
--
2.5.0
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: 0002-services-Add-entry-for-pam_limits-to-mingetty-pam-se.patch --]
[-- Type: text/x-patch, Size: 1705 bytes --]
From 0a1b5cad3d302d937a29dec95e805488a26b34e8 Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus <rekado@elephly.net>
Date: Mon, 12 Oct 2015 07:11:51 +0200
Subject: [PATCH 2/2] services: Add entry for pam_limits to
mingetty-pam-service.
* gnu/services/base.scm (mingetty-pam-service): Add pam-entry for
PAM module "pam_limits.so" to session field.
---
gnu/services/base.scm | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index adafe1b..4243327 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -438,11 +438,17 @@ stopped before 'kill' is called."
;; Let 'login' be known to PAM. All the mingetty services will have that
;; PAM service, but that's fine because they're all identical and duplicates
;; are removed.
- (list (unix-pam-service "login"
- #:allow-empty-passwords?
- (mingetty-configuration-allow-empty-passwords? conf)
- #:motd
- (mingetty-configuration-motd conf))))
+ (let ((login (unix-pam-service "login"
+ #:allow-empty-passwords?
+ (mingetty-configuration-allow-empty-passwords? conf)
+ #:motd
+ (mingetty-configuration-motd conf))))
+ (list (pam-service
+ (inherit login)
+ (session (cons (pam-entry
+ (control "required")
+ (module "pam_limits.so"))
+ (pam-service-session login)))))))
(define mingetty-dmd-service
(match-lambda
--
2.5.0
next prev parent reply other threads:[~2015-10-12 5:23 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-19 10:51 [RFC]: Respect /etc/security/limits.conf Ricardo Wurmus
2015-09-20 16:41 ` Ludovic Courtès
2015-10-12 5:23 ` Ricardo Wurmus [this message]
2015-10-12 17:13 ` Ludovic Courtès
2015-10-17 18:24 ` Ricardo Wurmus
2015-10-19 14:58 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87si5g4q45.fsf@elephly.net \
--to=rekado@elephly.net \
--cc=guix-devel@gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).