From: ludo@gnu.org (Ludovic Courtès)
To: Ricardo Wurmus <rekado@elephly.net>
Cc: guix-devel <guix-devel@gnu.org>
Subject: Re: [PATCH] Add pam-limits-service.
Date: Mon, 18 Jul 2016 14:29:58 +0200
Message-ID: <874m7nqgc9.fsf@gnu.org>
In-Reply-To: <87eg6snitm.fsf@elephly.net> (Ricardo Wurmus's message of "Sun, 17 Jul 2016 21:52:21 +0200")
Good day!
Ricardo Wurmus <rekado@elephly.net> wrote:
> We now have a constructor “pam-limits-entry”, which validates given
> settings (i.e. it throws an error when values are passed that don’t make
> sense) and returns a value of type “<pam-limits-entry>”.
>
> A list of these values can be passed to “pam-limits-service”, which
> generates a working “/etc/security/limits.conf”. I’m using it right now
> with the exact same limits that are now documented in the manual.
>
> This snippet:
>
>   (pam-limits-service
>    (list
>     (pam-limits-entry "@realtime" 'both 'rtprio 99)
>     (pam-limits-entry "@realtime" 'both 'memlock 'unlimited)))
>
> generates a limits.conf file with the following contents:
>
> @realtime - rtprio 99
> @realtime - memlock unlimited
>
> One advantage of using “pam-limits-entry” instead of a plain string is
> that values are validated according to the documentation in “man 5
> limits.conf”.
Nice!
Eventually, we should probably use a constructor in the spirit of (rnrs
enums) to provide expansion-time validation, as already done in (gnu
system nss) (info "(guile) rnrs enums").
> From 3f5d7b405ac7faadd753719fe4100d8f6605d191 Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus <rekado@elephly.net>
> Date: Mon, 12 Oct 2015 07:11:51 +0200
> Subject: [PATCH] services: Add pam-limits-service.
>
> * gnu/system/pam.scm (<pam-limits-entry>): New record type.
> (pam-limits-entry, pam-limits-entry->string): New procedures.
> * gnu/services/base.scm (pam-limits-service-type): New variable.
> (pam-limits-service): New procedure.
> * doc/guix.texi (Base Services): Document it.
[...]
> +@deffn {Scheme Procedure} pam-limits-service [#:limits @var{limits}]
> +
> +Return a service that installs a configuration file for the
> +@code{pam_limits} module. The procedure optionally takes a list of
  ^^^^^^^^^^^^^^^^^^
It would be nice to add an @uref to the on-line manual of pam_limits, if
it exists.
> +(define pam-limits-service-type
> + (let ((security-limits
> + ;; Create /etc/security containing the provided "limits.conf" file.
> + (lambda (limits-file)
> + `(("security"
> + ,(computed-file
> + "security"
> + #~(begin (mkdir #$output)
> + (stat #$limits-file)
> + (symlink #$limits-file
> + (string-append #$output "/limits.conf"))))))))
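Review bot: the result of “(stat #$limits-file)” inside the computed-file body is thrown away, and nothing says why the call is there. If the intent is to make the build fail when the limits file is missing, instead of leaving a dangling “limits.conf” symlink under /etc/security, a one-line comment saying so would keep someone from removing it later as dead code.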
Indentation, rather:
  (begin
    (mkdir #$output)
    …)
> + (service-type
> + (name 'limits)
> + (extensions
> + (list (service-extension etc-service-type security-limits)
> + (service-extension pam-root-service-type
> + (lambda _ (list pam-extension))))))))
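Review bot: “(name 'limits)” does not match the name of the type it belongs to, pam-limits-service-type; “(name 'pam-limits)” would say which limits these are wherever the service name is shown. Separately, pam-extension is used in “(lambda _ (list pam-extension))” but is defined outside these lines; a comment here naming the PAM services it adds pam_limits to would help, since the limits only apply to sessions opened through those services.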
It may be useful to allow users to extend this service with additional
<pam-limits-entry> objects. To do that we’d simply need something like:
  (service-type
    (name 'limits)
    ;; …
    (compose concatenate)      ;concatenate lists of <pam-limits-entry>
    (extend append))           ;append them
WDYT?
This shouldn’t block this patch, though.
> +(define-record-type <pam-limits-entry>
> + (make-pam-limits-entry domain type item value)
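Review bot: make-pam-limits-entry on the second line is the raw record constructor, so a record built with it skips the checks that pam-limits-entry performs. Keep it out of the module's exports (the commit log lists only pam-limits-entry and pam-limits-entry->string as new procedures) so that every <pam-limits-entry> reaching limits.conf has been validated.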
Maybe just add a comment above with the URL of the reference manual.
Otherwise LGTM, thank you!
Ludo’.
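
The validate-then-serialize behaviour described in the quoted message, sketched in Guile as an added example; it is not the code from the patch. The names <limits-entry>, limits-entry, %items and valid-value? are hypothetical, the value rules are taken from limits.conf(5), and the whitespace check on the domain is an assumption of this example.

```scheme
(use-modules (srfi srfi-9) (ice-9 match))
;; Hypothetical record standing in for the patch's <pam-limits-entry>.
(define-record-type <limits-entry>
  (make-limits-entry domain type item value)   ;raw constructor, no checks
  limits-entry?
  (domain limits-entry-domain) (type limits-entry-type)
  (item limits-entry-item) (value limits-entry-value))

(define %items                                 ;item names from limits.conf(5)
  '(core data fsize memlock nofile rss stack cpu nproc as maxlogins
    maxsyslogins priority locks sigpending msgqueue nice rtprio))

(define (valid-value? item value)
  ;; limits.conf(5): every item accepts -1, unlimited or infinity,
  ;; except priority and nice; nice is confined to [-20,19].
  (let ((int? (and (integer? value) (exact? value))))
    (case item
      ((nice)     (and int? (<= -20 value 19)))
      ((priority) int?)
      (else       (or (memq value '(unlimited infinity))
                      (and int? (>= value -1)))))))

(define (limits-entry domain type item value)
  "Return a validated <limits-entry>; raise an error on a bad field."
  (define (check ok? field obj)
    (unless ok? (error "invalid limits.conf field:" field obj)))
  ;; Assumption: a domain is one whitespace-free token, so it cannot
  ;; add fields or lines to the generated file.
  (check (and (string? domain) (not (string-null? domain))
              (not (string-any char-set:whitespace domain)))
         'domain domain)
  (check (memq type '(hard soft both)) 'type type)
  (check (memq item %items) 'item item)
  (check (valid-value? item value) 'value value)
  (make-limits-entry domain type item value))

(define (limits-entry->string entry)
  (match entry
    (($ <limits-entry> domain type item value)
     (string-join
      (list domain (if (eq? type 'both) "-" (symbol->string type))
            (symbol->string item)
            (if (symbol? value) (symbol->string value) (number->string value)))
      " "))))

;; The two entries from the message above print as in the quoted output.
(for-each (lambda (e) (display (limits-entry->string e)) (newline))
          (list (limits-entry "@realtime" 'both 'rtprio 99)
                (limits-entry "@realtime" 'both 'memlock 'unlimited)))
```

With these rules, (limits-entry "@realtime" 'both 'nice 'unlimited) raises an error instead of producing a line, because nice takes only integers in [-20,19].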