From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: [RFC]: Respect /etc/security/limits.conf
Date: Sun, 20 Sep 2015 18:41:39 +0200
Message-ID: <87zj0hjb5o.fsf@gnu.org>
In-Reply-To: <87zj0i65rl.fsf@elephly.net> (Ricardo Wurmus's message of "Sat, 19 Sep 2015 12:51:58 +0200")
To: Ricardo Wurmus
Cc: "guix-devel@gnu.org"

Ricardo Wurmus wrote:

> The attached patch tries to add an entry for pam_limits.so, but I have
> no idea if this actually works or if this is the way it should be done.
> As far as I can tell we only need the pam_limits.so entry for
> “/etc/pam.d/login”, but I could not find where this file is generated.

It is generated based on the ‘pam-services’ field of the service
returned by ‘mingetty-service’. Maybe it would be best to adjust just
that part?

> Also, I wonder how users are supposed to edit /etc/security/limits.conf
> at all. I suppose they are not to edit anything in /etc anyway.
>
> pam_limits.so also reads *.conf files in “/etc/security/limits.d/” and
> maybe it would make sense for packages to provide a
> “$out/etc/security/limits.d/$name.conf” file with settings. For
> example, the “jack” packages could then provide
> “$out/etc/security/limits.d/realtime.conf”, which contains the
> following:
>
>   @realtime - rtprio 99
>   @realtime - memlock unlimited
>
> (See http://www.jackaudio.org/faq/linux_rt_config.html)

Is this PREFIX/etc/security/limits.d convention already used? If not,
I’d rather avoid inventing it. ;-)

What we could do is add a field in ‘operating-system’ to specify the
limits.conf file to install as /etc/security/limits.conf?

It would be even better to create Scheme data types that mirror the
settings of a limits.conf file (similar to what is done for PAM
settings), and have users fiddle with that rather than with a plain text
file.

> A user in the “realtime” group could then finally use JACK in realtime
> mode.
>
> What is the best way to make this work? (I really want to run JACK in
> realtime mode.)

(In the meantime I think your patch plus manual fiddling of
/etc/security/limits.conf does the job.)

Ludo’.
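
The idea raised in the message above, Scheme data types that mirror limits.conf settings, sketched as an added example in Guile Scheme. It is not code from the message or from Guix; the <limits-entry> record and its helper procedures are hypothetical names, and validation happens before anything is written to the file.

```scheme
;; Added illustration; <limits-entry> and its helpers are hypothetical
;; names, not Guix's API.
(use-modules (srfi srfi-9))

;; One record per limits.conf line: <domain> <type> <item> <value>
(define-record-type <limits-entry>
  (make-limits-entry domain type item value)
  limits-entry?
  (domain limits-entry-domain)   ; "user", "@group" or "*"
  (type   limits-entry-type)     ; 'soft, 'hard or 'both (written as "-")
  (item   limits-entry-item)     ; symbol, e.g. 'rtprio
  (value  limits-entry-value))   ; exact integer or 'unlimited

;; Item names documented in limits.conf(5).
(define %known-items
  '(core data fsize memlock nofile rss stack cpu nproc as maxlogins
    maxsyslogins priority locks sigpending msgqueue nice rtprio))

(define (limits-entry->string entry)
  "Return the limits.conf line for ENTRY; raise an error on a field that
would produce a malformed or unintended line."
  (let ((domain (limits-entry-domain entry))
        (type   (limits-entry-type entry))
        (item   (limits-entry-item entry))
        (value  (limits-entry-value entry)))
    ;; Whitespace in the domain would shift the remaining columns.
    (unless (and (string? domain) (not (string-null? domain))
                 (not (string-any char-whitespace? domain)))
      (error "invalid domain" domain))
    (unless (memq type '(soft hard both))
      (error "invalid type" type))
    (unless (memq item %known-items)
      (error "unknown item" item))
    (unless (or (eq? value 'unlimited)
                (and (integer? value) (exact? value)))
      (error "invalid value" value))
    (string-join
     (list domain
           (if (eq? type 'both) "-" (symbol->string type))
           (symbol->string item)
           (if (number? value) (number->string value) "unlimited"))
     " ")))

;; The two lines quoted in the message, expressed as records.
(define %realtime-limits
  (list (make-limits-entry "@realtime" 'both 'rtprio 99)
        (make-limits-entry "@realtime" 'both 'memlock 'unlimited)))

(for-each (lambda (entry)
            (display (limits-entry->string entry))
            (newline))
          %realtime-limits)
```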