From: Felix Lechner via Guix-patches via <guix-patches@gnu.org>
To: 63383@debbugs.gnu.org
Cc: Felix Lechner <felix.lechner@lease-up.com>
Subject: [bug#63383] [PATCH v2 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type.
Date: Fri, 12 May 2023 11:52:48 -0700 [thread overview]
Message-ID: <664a326ae17afabd71301893f1c56ff4e9d01c68.1683917556.git.felix.lechner@lease-up.com> (raw)
In-Reply-To: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com>
This commit was tested and is already deployed in production.
* gnu/services/base.scm: Drop config file limits.conf from /etc; use absolute
path in store instead.
---
gnu/services/base.scm | 63 +++++++++++++++++++++----------------------
1 file changed, 30 insertions(+), 33 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index fdc2c8c764..4bef781977 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1603,38 +1603,36 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration)))
(define pam-limits-service-type
(let ((pam-extension
- (pam-extension
- (transformer
- (lambda (pam)
- (let ((pam-limits (pam-entry
- (control "required")
- (module "pam_limits.so")
- (arguments
- '("conf=/etc/security/limits.conf")))))
- (if (member (pam-service-name pam)
- '("login" "greetd" "su" "slim" "gdm-password"
- "sddm" "sudo" "sshd"))
- (pam-service
- (inherit pam)
- (session (cons pam-limits
- (pam-service-session pam))))
- pam))))))
-
- ;; XXX: Using file-like objects is deprecated, use lists instead.
- ;; This is to be reduced into the list? case when the deprecated
- ;; code gets removed.
- ;; Create /etc/security containing the provided "limits.conf" file.
- (security-limits
+ (lambda (limits-file)
+ (pam-extension
+ (transformer
+ (lambda (pam)
+ (let ((pam-limits (pam-entry
+ (control "required")
+ (module "pam_limits.so")
+ (arguments
+ (list #~(string-append "conf=" #$limits-file))))))
+ (if (member (pam-service-name pam)
+ '("login" "greetd" "su" "slim" "gdm-password" "sddm"
+ "sudo" "sshd"))
+ (pam-service
+ (inherit pam)
+ (session (cons pam-limits
+ (pam-service-session pam))))
+ pam)))))))
+ (make-limits-file
(match-lambda
+ ;; XXX: Using file-like objects is deprecated, use lists instead.
+ ;; This is to be reduced into the list? case when the deprecated
+ ;; code gets removed.
((? file-like? obj)
(warning (G_ "Using file-like value for \
'pam-limits-service-type' is deprecated~%"))
- `(("security/limits.conf" ,obj)))
+ obj)
((? list? lst)
- `(("security/limits.conf"
- ,(plain-file "limits.conf"
- (string-join (map pam-limits-entry->string lst)
- "\n" 'suffix)))))
+ (plain-file "limits.conf"
+ (string-join (map pam-limits-entry->string lst)
+ "\n" 'suffix)))
(_ (raise
(formatted-message
(G_ "invalid input for 'pam-limits-service-type'~%")))))))
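Review bot: The `let` binding `pam-extension` (opened on the context line `(let ((pam-extension`) now holds a procedure whose body calls the `pam-extension` record constructor of the same name. This works only because a `let` init expression is evaluated in the enclosing scope, so a later switch to `let*` or `letrec` would make the inner use refer to the procedure itself. Renaming the binding in parallel with `make-limits-file`, for example `(make-pam-extension (lambda (limits-file) ...`, removes that trap. The call in the second hunk would then read `(list (make-pam-extension (make-limits-file config)))`. A one-line comment on the `arguments` field, such as `;; LIMITS-FILE is file-like; the gexp lowers it to its store path.`, would also explain why a gexp replaces the former string literal.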
@@ -1642,13 +1640,12 @@ (module "pam_limits.so")
(service-type
(name 'limits)
(extensions
- (list (service-extension etc-service-type security-limits)
- (service-extension pam-root-service-type
- (lambda _ (list pam-extension)))))
+ (list (service-extension pam-root-service-type
+ (lambda (config)
+ (list (pam-extension (make-limits-file config)))))))
(description
- "Install the specified resource usage limits by populating
-@file{/etc/security/limits.conf} and using the @code{pam_limits}
-authentication module.")
+ "Use the @code{pam_limits} authentication module to set the specified
+resource usage limits.")
(default-value '()))))
(define-deprecated (pam-limits-service #:optional (limits '()))
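Review bot: With the `etc-service-type` extension removed, `/etc/security/limits.conf` is no longer created, and neither the new description nor the commit message points this out to users. A PAM entry that loads `pam_limits.so` without a `conf=` argument, or an admin script or audit tool that reads the `/etc` path to learn the effective limits, would no longer find the file. Whether such a consumer exists cannot be told from this hunk. The description could say so explicitly, for example `The limits file is kept in the store and passed to @code{pam_limits} via its @code{conf=} argument; @file{/etc/security/limits.conf} is no longer populated.` Keeping the file in the immutable store is a sound hardening step, but the changed location deserves a note for anyone who checks limits by inspecting `/etc`.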
--
2.40.1
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-09 0:56 [bug#63383] [PATCH 0/4] Various PAM improvements Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 3/4] Refer to the built-in Linux-PAM modules by their absolute paths Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 4/4] Use more file-append Felix Lechner via Guix-patches via
2023-05-12 18:51 ` [bug#63383] rebased Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files Felix Lechner via Guix-patches via
2023-05-12 18:52 ` Felix Lechner via Guix-patches via [this message]
2023-05-12 18:52 ` [bug#63383] [PATCH v2 3/4] Refer to the built-in Linux-PAM modules by their absolute paths Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 4/4] Use more file-append Felix Lechner via Guix-patches via