From: Ricardo Wurmus
Subject: [RFC]: Respect /etc/security/limits.conf
Date: Sat, 19 Sep 2015 12:51:58 +0200
Message-ID: <87zj0i65rl.fsf@elephly.net>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi Guix,

I noticed that we aren’t using pam_limits.so, so it is impossible to set session-wide limits per user. This is useful to explicitly grant the “audio” group realtime priorities and lift memory allocation restrictions.

The attached patch tries to add an entry for pam_limits.so, but I have no idea if this actually works or if this is the way it should be done. As far as I can tell we only need the pam_limits.so entry for “/etc/pam.d/login”, but I could not find where this file is generated.

Also, I wonder how users are supposed to edit /etc/security/limits.conf at all. I suppose they are not to edit anything in /etc anyway. pam_limits.so also reads *.conf files in “/etc/security/limits.d/” and maybe it would make sense for packages to provide a “$out/etc/security/limits.d/$name.conf” file with settings.
For example, the “jack” packages could then provide “$out/etc/security/limits.d/realtime.conf”, which contains the following:

    @realtime - rtprio 99
    @realtime - memlock unlimited

(See http://www.jackaudio.org/faq/linux_rt_config.html)

A user in the “realtime” group could then finally use JACK in realtime mode.

What is the best way to make this work? (I really want to run JACK in realtime mode.)

~~ Ricardo

Attachment: 0001-WIP-respect-etc-security-limits.conf.patch

>From 7a92f5a3f9bfa22749d0a635d5ac878560336611 Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Sat, 19 Sep 2015 12:40:20 +0200 Subject: [PATCH] WIP: respect /etc/security/limits.conf --- gnu/system/linux.scm | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/gnu/system/linux.scm b/gnu/system/linux.scm index 7461a4a..d94e4ca 100644 --- a/gnu/system/linux.scm +++ b/gnu/system/linux.scm @@ -132,7 +132,10 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE." (define unix-pam-service (let ((unix (pam-entry (control "required") - (module "pam_unix.so")))) + (module "pam_unix.so"))) + (limits (pam-entry + (control "required") + (module "pam_limits.so")))) (lambda* (name #:key allow-empty-passwords? motd) "Return a standard Unix-style PAM service for NAME. When ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When MOTD is true, it @@ -154,13 +157,13 @@ should be the name of a file used as the message-of-the-day." ;; Store SHA-512 encrypted passwords in /etc/shadow. (arguments '("sha512" "shadow"))))) (session (if motd - (list unix + (list unix limits (pam-entry (control "optional") (module "pam_motd.so") (arguments (list #~(string-append "motd=" #$motd))))) - (list unix)))))))) + (list unix limits)))))))) (define (rootok-pam-service command) "Return a PAM service for COMMAND such that 'root' does not need to -- 2.5.0
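Review bot: in the first hunk (the `let` in `unix-pam-service`), the new `limits` entry is bound with control "required", and because `unix-pam-service` is shared, it ends up in the session stack of every service built from it, not only "/etc/pam.d/login" as the covering message intends. With "required", an error from pam_limits.so (which it returns when it cannot read its configuration file) fails the whole session, and the message itself says nothing generates /etc/security/limits.conf yet; either have the service provide that file (even empty) or use control "optional" for this entry, and extend the docstring that follows ("Return a standard Unix-style PAM service for NAME...") to say that resource limits from limits.conf are now applied.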
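Review bot: in the second hunk, both arms of `(if motd ...)` now repeat the `unix limits` prefix, so a future entry has to be added in two places. Building the common part once, e.g. `(append (list unix limits) (if motd (list (pam-entry ...)) '()))`, keeps the two branches from drifting apart; placing `limits` ahead of the optional pam_motd.so entry is fine as it is.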
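The message relies on how pam_limits.so picks, for one user, the lines that apply from /etc/security/limits.conf and from the *.conf files in /etc/security/limits.d/. The following is an added example, not code from the message or from Guix: a small model of that resolution, useful for checking what a shipped realtime.conf would actually grant before enabling the module. It assumes the rules the limits.conf(5) manual describes (a domain naming the user beats an @group domain, which beats the `*` default; within the same specificity the later line wins; limits.conf is read before limits.d/*.conf, which are read in sorted file-name order). uid/gid ranges, the `%` maxlogins domain and "<domain> -" lines are deliberately not modelled. The sample files, including user names, are constructed.

```python
"""Model of pam_limits.so entry resolution for a single user (added
example; assumptions: user > @group > '*' precedence, later line wins
within the same specificity, limits.conf then limits.d/*.conf sorted)."""

LIMIT_TYPES = ("hard", "soft", "-")
USER, GROUP, DEFAULT = 0, 1, 2  # lower number = more specific domain


def parse_limits(text):
    """Return (domain, type, item, value) tuples from limits.conf text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4 or fields[1] not in LIMIT_TYPES:
            raise ValueError("malformed limits line: %r" % raw)
        domain, ltype, item, value = fields
        entries.append((domain, ltype, item, value))
    return entries


def specificity(domain, user, groups):
    """How specific DOMAIN is for USER (member of GROUPS); None if it does not apply."""
    if domain == user:
        return USER
    if domain.startswith("@") and domain[1:] in groups:
        return GROUP
    if domain == "*":
        return DEFAULT
    return None


def normalise(value):
    """Numeric values become ints; 'unlimited'/'infinity' stay symbolic."""
    if value in ("unlimited", "infinity"):
        return "unlimited"
    return int(value)


def pam_file_order(limits_conf, limits_d):
    """Order files as pam_limits reads them: limits.conf, then limits.d/*.conf sorted."""
    ordered = [("limits.conf", limits_conf)]
    ordered += [("limits.d/" + name, limits_d[name])
                for name in sorted(limits_d) if name.endswith(".conf")]
    return ordered


def resolve_limits(files, user, groups):
    """Return {item: {"soft": v, "hard": v}} as pam_limits would apply them."""
    chosen = {}  # (item, kind) -> (value, specificity of the winning line)
    for _name, text in files:
        for domain, ltype, item, value in parse_limits(text):
            spec = specificity(domain, user, groups)
            if spec is None:
                continue
            kinds = ("soft", "hard") if ltype == "-" else (ltype,)
            for kind in kinds:
                current = chosen.get((item, kind))
                # A less specific domain never overrides a more specific one;
                # an equally or more specific later line does.
                if current is not None and spec > current[1]:
                    continue
                chosen[(item, kind)] = (normalise(value), spec)
    result = {}
    for (item, kind), (value, _spec) in chosen.items():
        result.setdefault(item, {})[kind] = value
    return result


# Constructed sample configuration (not taken from any real system).
LIMITS_CONF = """
# site defaults
*        -     memlock   64
alice    -     rtprio    50    # an explicit per-user cap
"""

LIMITS_D = {
    # the realtime.conf the message proposes a jack package could ship
    "realtime.conf": "@realtime - rtprio 99\n@realtime - memlock unlimited\n",
    "README": "not a .conf file, so pam_limits ignores it\n",
}


def limits_for(user, groups):
    """Effective limits for USER under the constructed configuration."""
    return resolve_limits(pam_file_order(LIMITS_CONF, LIMITS_D), user, groups)


if __name__ == "__main__":
    for name, grps in (("alice", ["audio", "realtime"]), ("bob", ["users"])):
        print(name, limits_for(name, grps))
```

Running it shows the two effects the message cares about: a member of "realtime" gets memlock unlimited from realtime.conf because the @group line beats the `*` default, while alice's explicit per-user rtprio cap of 50 is not raised to 99 by the later group line. A user outside the group only keeps the site default.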