unofficial mirror of guix-devel@gnu.org 
From: ludo@gnu.org (Ludovic Courtès)
To: Ricardo Wurmus <rekado@elephly.net>
Cc: "guix-devel@gnu.org" <guix-devel@gnu.org>
Subject: Re: [RFC]: Respect /etc/security/limits.conf
Date: Mon, 12 Oct 2015 19:13:34 +0200
Message-ID: <87twpw9fi9.fsf@gnu.org>
In-Reply-To: <87si5g4q45.fsf@elephly.net> (Ricardo Wurmus's message of "Mon, 12 Oct 2015 07:23:22 +0200")

Ricardo Wurmus <rekado@elephly.net> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>>> The attached patch tries to add an entry for pam_limits.so, but I have
>>> no idea if this actually works or if this is the way it should be done.
>>> As far as I can tell we only need the pam_limits.so entry for
>>> “/etc/pam.d/login”, but I could not find where this file is generated.
>>
>> It is generated based on the ‘pam-services’ field of the service
>> returned by ‘mingetty-service’.
>>
>> Maybe it would be best to adjust just that part?
>
> Oh, right.  Attached are two patches:
>
>   * The first exports the pam-service-* getters, making it possible to
>     extend a pam-service.
>
>   * The second extends the “session” field of the mingetty-service to
>     add “pam_limits.so” to the required modules.
>
> Loading the module doesn’t yet do anything on GuixSD because we don’t
> generate ‘/etc/security/limits.conf’ (or ‘/etc/security/limits.d/’), but
> it should respect such a file if it does exist.  (I have not yet tested
> this, but I will some time this week.)
>
> Does this look okay?

As long as lack of /etc/security/limits.conf doesn’t create any problems
or annoying warnings, that’s fine!

>> Is this PREFIX/etc/security/limits.d convention already used?  If not,
>> I’d rather avoid inventing it.  ;-)
>>
>> What we could do is add a field in ‘operating-system’ to specify the
>> limits.conf file to install as /etc/security/limits.conf?
>
> Yes, that’s a better idea.

One way to do that within the new service framework would be to have a
“limits” service that extends ‘etc-service-type’.  Something like that.

> From cdf974eb7595cfb8997111d09f6da2350c72afdd Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus <rekado@elephly.net>
> Date: Mon, 12 Oct 2015 07:08:32 +0200
> Subject: [PATCH 1/2] system: Export pam-service accessors.
>
> * gnu/system/linux.scm (pam-service-name, pam-service-account,
>   pam-service-auth, pam-service-password, pam-service-session): Export.

Sure!

> From 0a1b5cad3d302d937a29dec95e805488a26b34e8 Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus <rekado@elephly.net>
> Date: Mon, 12 Oct 2015 07:11:51 +0200
> Subject: [PATCH 2/2] services: Add entry for pam_limits to
>  mingetty-pam-service.
>
> * gnu/services/base.scm (mingetty-pam-service): Add pam-entry for
>   PAM module "pam_limits.so" to session field.

[...]

> +           (session (cons (pam-entry
> +                           (control "required")
> +                           (module "pam_limits.so"))
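
Review bot: (control "required") on the pam_limits.so entry makes every
session opened through this service depend on the module succeeding, while
the cover text says GuixSD does not yet generate /etc/security/limits.conf
and that the change is untested. Please confirm a console login on a system
without that file before this is applied, or use a non-fatal control value
such as "optional" until the file is installed. The entry is also consed
onto the front of the session list with no comment; a one-line comment
saying it applies the limits from /etc/security/limits.conf, and why it
goes first, would make the ordering intentional rather than incidental.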

Please add a one-line comment saying what this is about.

OK as long as it doesn’t break anything in the absence of limits.conf
and doesn’t trigger warnings.

Thanks!

Ludo’.
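
The condition this review asks about (a "required" pam_limits.so session
entry on a system with no limits.conf) can be checked mechanically. The
following is an added example, not code from the thread or from Guix; the
sample service file is constructed, and the function names and the etc_root
parameter are assumptions made for illustration.

```python
import re
from pathlib import Path

# Constructed sample of a login PAM service file (not copied from GuixSD).
SAMPLE_LOGIN = """\
account  required  pam_unix.so
auth     required  pam_unix.so nullok
password required  pam_unix.so sha512 shadow
session  required  pam_limits.so
session  required  pam_unix.so
"""

# Control keywords whose failure makes the whole stack fail.
BLOCKING = {"required", "requisite"}

def session_limits_entries(pam_text):
    """Return (control, args) for each session entry that loads pam_limits.so."""
    entries = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        # type, control (keyword or [value=action ...]), module, arguments
        m = re.match(r"-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m or m.group(1) != "session":
            continue
        # The module may be given as a bare file name or as a full path.
        if Path(m.group(3)).name == "pam_limits.so":
            entries.append((m.group(2), m.group(4).split()))
    return entries

def audit(pam_text, etc_root="/etc"):
    """Report each pam_limits session entry and whether default limits files exist."""
    sec = Path(etc_root) / "security"
    drop_dir = sec / "limits.d"
    has_conf = (sec / "limits.conf").is_file()
    has_drop_ins = drop_dir.is_dir() and any(drop_dir.glob("*.conf"))
    findings = []
    for control, args in session_limits_entries(pam_text):
        uses_default = not any(a.startswith("conf=") for a in args)
        findings.append({
            "control": control,
            "blocking": control in BLOCKING,
            # True when the module is left to read default paths that do not exist.
            "config_missing": uses_default and not (has_conf or has_drop_ins),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGIN):
        print(finding)
```

An entry reported with both "blocking" and "config_missing" set is the
case to exercise with a real login before the change is deployed.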
