* [bug#37405] [PATCH] Services: Check and modify gdm-password in pam-limits
@ 2019-09-14 23:10 Jesse Gibbons
2019-09-19 2:46 ` Jesse Gibbons
0 siblings, 1 reply; 5+ messages in thread
From: Jesse Gibbons @ 2019-09-14 23:10 UTC (permalink / raw)
To: 37405
[-- Attachment #1: Type: text/plain, Size: 16 bytes --]
Fixes bug #37380
[-- Attachment #2: 0001-Services-Check-and-modify-gdm-password-in-pam-limits.patch --]
[-- Type: text/x-patch, Size: 964 bytes --]
From 6a0ced2a9ce956071290ea8bba2a74f8c9c8e5f5 Mon Sep 17 00:00:00 2001
From: Jesse Gibbons <jgibbons2357+guix@gmail.com>
Date: Sat, 14 Sep 2019 16:35:39 -0600
Subject: [PATCH] Services: Check and modify gdm-password in pam-limits-service
---
gnu/services/base.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 25716ef152..6ab7b110ec 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1478,7 +1478,7 @@ information on the configuration file syntax."
(module "pam_limits.so")
(arguments '("conf=/etc/security/limits.conf")))))
(if (member (pam-service-name pam)
- '("login" "su" "slim"))
+ '("login" "su" "slim" "gdm-password"))
(pam-service
(inherit pam)
(session (cons pam-limits
--
2.23.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [bug#37405] [PATCH] Services: Check and modify gdm-password in pam-limits
2019-09-14 23:10 [bug#37405] [PATCH] Services: Check and modify gdm-password in pam-limits Jesse Gibbons
@ 2019-09-19 2:46 ` Jesse Gibbons
2019-09-25 15:47 ` Jesse Gibbons
0 siblings, 1 reply; 5+ messages in thread
From: Jesse Gibbons @ 2019-09-19 2:46 UTC (permalink / raw)
Cc: 37405
ping
https://lists.gnu.org/archive/html/guix-patches/2019-09/msg00357.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#37405] [PATCH] Services: Check and modify gdm-password in pam-limits
2019-09-19 2:46 ` Jesse Gibbons
@ 2019-09-25 15:47 ` Jesse Gibbons
2019-10-01 23:00 ` Danny Milosavljevic
0 siblings, 1 reply; 5+ messages in thread
From: Jesse Gibbons @ 2019-09-25 15:47 UTC (permalink / raw)
To: 37405
On Wed, 2019-09-18 at 20:46 -0600, Jesse Gibbons wrote:
> ping
> https://lists.gnu.org/archive/html/guix-patches/2019-09/msg00357.html
ping
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#37405] [PATCH] Services: Check and modify gdm-password in pam-limits
2019-09-25 15:47 ` Jesse Gibbons
@ 2019-10-01 23:00 ` Danny Milosavljevic
2019-10-02 14:53 ` Jesse Gibbons
0 siblings, 1 reply; 5+ messages in thread
From: Danny Milosavljevic @ 2019-10-01 23:00 UTC (permalink / raw)
To: Jesse Gibbons; +Cc: 37405
[-- Attachment #1: Type: text/plain, Size: 635 bytes --]
Hi,
thanks for the patch.
I'm not thrilled about that approach (arguably Guix already does it wrong
anyway).
But since the manual of pam_limits does describe that one should use it
like that, I have applied it as a stop-gap fix to guix master as
commit 0bf7d34d77ffca40be9e04586195054e9f2c7a13.
Long term, we should really make pam entries first class and show up in the
operating-system record--that's what they are FOR: to let the administrator
(and thus the organization) choose how they want to do user
authorization/session handling etc. Why do we decide for them?
Bug report kept open for obvious reasons.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#37405] [PATCH] Services: Check and modify gdm-password in pam-limits
2019-10-01 23:00 ` Danny Milosavljevic
@ 2019-10-02 14:53 ` Jesse Gibbons
0 siblings, 0 replies; 5+ messages in thread
From: Jesse Gibbons @ 2019-10-02 14:53 UTC (permalink / raw)
To: Danny Milosavljevic; +Cc: 37405
On Wed, 2019-10-02 at 01:00 +0200, Danny Milosavljevic wrote:
> Hi,
>
> thanks for the patch.
>
> I'm not thrilled about that approach (arguably Guix already does it wrong
> anyway).
I think you should start a thread on the guix-devel list expressing your
concerns, and we can discuss how to improve guix from there.
>
> But since the manual of pam_limits does describe that one should use it
> like that, I have applied it as a stop-gap fix to guix master as
> commit 0bf7d34d77ffca40be9e04586195054e9f2c7a13.
Thanks!
>
> Long term, we should really make pam entries first class and show up in
> the
> operating-system record--that's what they are FOR: to let the
> administrator
> (and thus the organization) choose how they want to do user
> authorization/session handling etc.
If PAM configurations should be up to the administrator, there should be
documentation to teach the administrator how to use them. The manual doesn't
say anything about how to use pam-services in operating-system, so I
submitted a bug report (bug #37583) requesting documentation.
> Why do we decide for them?
I think I agree with your point that if a non-default configuration is
desired, administrators should be able to modify it, just like any other
part of the configuration. Ideally they can always opt-out of details they
don't want.
I do not agree that we are deciding for the admins. This is just like the
discussion about whether GuixSD should include the /usr/bin/env and /bin/sh
special files by default, except there isn't any documentation on how to
opt out of or extend the default PAM services.
There must be a default for every detail. If a detail is found practical
most of the time, I think it is good to either have it as a default (like
/usr/bin/sh) or have a ready example of how to implement it viewable from
the install environment (like what we do with desktop environments) so most
users don't have to look up how to add it. That does not negate the ability
of power users and administrators to opt out in the operating-system
configuration.
In the context of this patch, pam-limits is still opt-in. Perhaps a more
flexible fix would be to make the pam-limits-service-type accept an optional
list of strings identifying the configurations to create or modify to use
pam-limits, with the default being %default-pam-limits-service-names
defined as '("login" "su") which could then be appended to %slim-pam-
service-names '("slim") or %gdm-pam-service-names '("gdm-password" ...). If
you or anyone else wants to implement that proposal and update the
documentation so admins will know how to configure it, feel free.
I hope I did not misunderstand your comments. We can discuss this and your
other concerns in a guix-devel thread.
--
-Jesse
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-10-02 14:54 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-09-14 23:10 [bug#37405] [PATCH] Services: Check and modify gdm-password in pam-limits Jesse Gibbons
2019-09-19 2:46 ` Jesse Gibbons
2019-09-25 15:47 ` Jesse Gibbons
2019-10-01 23:00 ` Danny Milosavljevic
2019-10-02 14:53 ` Jesse Gibbons
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).