From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: [RFC] Support for pam_limits.so: “su” is ignored.
Date: Fri, 01 Apr 2016 13:00:59 +0200
To: Ricardo Wurmus
Cc: guix-devel
Message-ID: <87io01h9uc.fsf@gnu.org>
In-Reply-To: <87bn5tyfrn.fsf@elephly.net> (Ricardo Wurmus's message of "Fri, 01 Apr 2016 09:01:00 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."

Ricardo Wurmus writes:

> * the pam-extension procedure appears to be called more than once on the
>   same pam-service.  I added a “(format #t ...)” statement to print the
>   name of the pam-service that was passed to the procedure and the same
>   name appeared multiple times.  The order of these multiple executions
>   appears random, so we can have three times “su”, followed by one time
>   “login”, then two times “su” again, etc.  I thought service folding
>   ensured that each service extension is evaluated/applied just once.

It’s purely functional, so it doesn’t matter how many times we call it.
;-)

That said, I agree that the fact that it’s called several times suggests
we’re not doing things efficiently (presumably that’s because
‘fold-services’ is called in several places where there’s no
memoization.)  Would be worth improving it in the future.

> * pam-services “su”, “sudo”, and possibly “passwd” are not actually
>   modified when I check their names (as I do in this patch).  If I
>   extend all pam-services without checking their names they do get
>   modified.  With the attached patch the pam file for “su” does not get
>   the pam entry for “pam_limits.so”.

But it works for me!  :-)

I’ve applied the attached patch (fixes a minor syntax issue in the patch
you sent), and then did:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix system build ~/src/configuration/pluto-configuration.scm
substitute: updating list of substitutes from 'https://mirror.hydra.gnu.org'... 100.0%
substitute: updating list of substitutes from 'https://hydra.gnu.org'... 100.0%
La jenaj derivoj estos konstruataj:
   /gnu/store/0fxwylcmdxy7bqmjpxwqf24v2x4yr53w-system.drv
   /gnu/store/q254gqx3rgwxn98nsaz16z8rl58nhfkw-shepherd.conf.drv
   /gnu/store/517cxw8xiniwsh9bfdp389qxlm9w5jj8-activate-service.drv
   /gnu/store/ky8p3bq0xpj3lf989fz1ba3j2xycyiz6-activate.drv
   /gnu/store/ljjl4zs722flxbpip8jdssqd549g7pay-boot.drv
   /gnu/store/vz8745sdk0ph0rykxldwzmfa3a5r7cm1-etc.drv
/gnu/store/s84hvl064k494174z692wl1vaqzrygln-system
ludo@pluto ~/src/guix$ grep pam_limit /gnu/store/s84hvl064k494174z692wl1vaqzrygln-system/etc/pam.d/*
/gnu/store/s84hvl064k494174z692wl1vaqzrygln-system/etc/pam.d/login:session required pam_limits.so conf=/etc/security/limits.conf
/gnu/store/s84hvl064k494174z692wl1vaqzrygln-system/etc/pam.d/slim:session required pam_limits.so conf=/etc/security/limits.conf
/gnu/store/s84hvl064k494174z692wl1vaqzrygln-system/etc/pam.d/su:session required pam_limits.so conf=/etc/security/limits.conf
--8<---------------cut here---------------end--------------->8---

… where the configuration in question has (pam-limits-service) in its
‘services’ field.

HTH,
Ludo’.

Content-Type: text/x-patch; charset=utf-8
Content-Disposition: inline

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index b168543..37618a3 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2015, 2016 Alex Kost
 ;;; Copyright © 2015 Mark H Weaver
 ;;; Copyright © 2015 Sou Bunnbu
+;;; Copyright © 2016 Ricardo Wurmus
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -93,6 +94,9 @@
             gpm-service-type
             gpm-service
 
+            pam-limits-service-type
+            pam-limits-service
+
             %base-services))
 
 ;;; Commentary:
@@ -811,6 +815,41 @@ settings.
 information on the configuration file syntax."
   (service syslog-service-type config-file))
 
+(define pam-limits-service-type
+  (let ()
+    ;; Create /etc/security containing the provided "limits.conf" file.
+    (define (security-limits limits-file)
+      `(("security"
+         ,(computed-file
+           "security"
+           #~(begin (mkdir #$output)
+                    (stat #$limits-file)
+                    (symlink #$limits-file
+                             (string-append #$output "/limits.conf")))))))
+    (define (pam-extension pam)
+      (let ((pam-limits (pam-entry
+                         (control "required")
+                         (module "pam_limits.so")
+                         (arguments '("conf=/etc/security/limits.conf")))))
+        (if (member (pam-service-name pam)
+                    '("login" "su" "slim"))
+            (pam-service
+             (inherit pam)
+             (session (cons pam-limits
+                            (pam-service-session pam))))
+            pam)))
+    (service-type
+     (name 'limits)
+     (extensions
+      (list (service-extension etc-service-type security-limits)
+            (service-extension pam-root-service-type
+                               (lambda _ (list pam-extension))))))))
+
+(define* (pam-limits-service #:optional (limits (plain-file "limits.conf" "")))
+  "Return a service that makes selected programs respect the limits specified
+in LIMITS via pam_limits.so."
+  (service pam-limits-service-type limits))
+
 ;;;
 ;;; Guix services.
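Review bot: on the second hunk, `pam-limits-service-type` and `pam-limits-service` become exported names, but the patch touches only gnu/services/base.scm, so nothing documents the new service for users alongside the other exported base services; a short entry describing the default empty limits.conf and which PAM services are affected should accompany the export.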
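Review bot: on the third hunk, the set of PAM services that receive the entry is hard-coded in `pam-extension` as `'("login" "su" "slim")`, while the discussion above names “sudo” and “passwd” as services that were also expected to be covered; since any service whose name is not in that list is returned unchanged (the `pam)))` branch), consider taking the list of service names as part of the service's configuration next to the limits file, or at least naming the covered services in the docstring, which currently says only “selected programs”. Two smaller points: `(lambda _ (list pam-extension))` deliberately ignores the configuration value, and `(stat #$limits-file)` in the builder exists only to make the build fail when the limits file is missing; neither is obvious to a reader and both deserve a one-line comment.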
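A way to check the result mechanically, beyond the grep in the mail above: the following Python (an added example, not code from the thread or from Guix) parses pam.d-style service files and reports, for a set of expected services, which ones carry a `pam_limits.so` session entry, with which control flag and which `conf=` argument, and which ones are missing it. The service file contents are constructed for the example; `audit_pam_limits`, `parse_pam_service` and the other names are mine.

```python
"""Audit pam.d service stacks for a pam_limits.so session entry.

Added example, not part of the original thread or of Guix.  The sample
service files in SAMPLE_PAM_D are constructed for this example; on a
real system they would be read from <system>/etc/pam.d/<name>.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# type  control  module  [arguments...]; the control field may be a
# bracketed form such as "[success=1 default=ignore]" that contains spaces.
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamEntry:
    type: str            # auth, account, password, session
    control: str         # required, requisite, sufficient, optional, [...]
    module: str          # e.g. pam_unix.so
    arguments: List[str]


def parse_pam_service(text: str) -> List[PamEntry]:
    """Parse one pam.d service file into its list of entries.

    Comments and blank lines are skipped; a leading '-' on the type
    (meaning "silently ignore a missing module") is dropped.
    """
    entries: List[PamEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable pam.d line: {raw!r}")
        type_, control, module, args = match.groups()
        entries.append(PamEntry(type_.lstrip("-"), control, module, args.split()))
    return entries


def module_args(entry: PamEntry) -> Dict[str, Optional[str]]:
    """Split "key=value" / bare flag arguments into a dict (flags map to None)."""
    result: Dict[str, Optional[str]] = {}
    for arg in entry.arguments:
        key, sep, value = arg.partition("=")
        result[key] = value if sep else None
    return result


def find_limits_entry(entries: List[PamEntry]) -> Optional[PamEntry]:
    """Return the first session-stack pam_limits.so entry, or None."""
    for entry in entries:
        if entry.type == "session" and entry.module == "pam_limits.so":
            return entry
    return None


def audit_pam_limits(services: Dict[str, str], expected) -> Tuple[Dict[str, Tuple[str, Optional[str]]], List[str]]:
    """Return (present, missing) for the expected service names.

    present maps a service name to (control, conf-path) of its pam_limits.so
    session entry; missing lists expected services that have no such entry
    (or no service file at all).
    """
    present: Dict[str, Tuple[str, Optional[str]]] = {}
    missing: List[str] = []
    for name in sorted(expected):
        text = services.get(name)
        entry = find_limits_entry(parse_pam_service(text)) if text is not None else None
        if entry is None:
            missing.append(name)
        else:
            present[name] = (entry.control, module_args(entry).get("conf"))
    return present, missing


# Constructed sample: three services with the entry, one (sudo) without.
_LIMITS = "session required pam_limits.so conf=/etc/security/limits.conf\n"
SAMPLE_PAM_D = {
    "login": "auth required pam_unix.so\naccount required pam_unix.so\n" + _LIMITS + "session required pam_unix.so\n",
    "su": "# constructed sample\nauth required pam_unix.so\n" + _LIMITS + "session required pam_unix.so\n",
    "slim": "auth [success=1 default=ignore] pam_unix.so nullok\n" + _LIMITS + "session required pam_unix.so\n",
    "sudo": "auth required pam_unix.so\nsession required pam_unix.so\n",
}
EXPECTED_SERVICES = {"login", "su", "slim", "sudo"}

if __name__ == "__main__":
    present, missing = audit_pam_limits(SAMPLE_PAM_D, EXPECTED_SERVICES)
    for name, (control, conf) in present.items():
        print(f"{name}: pam_limits.so ({control}, conf={conf})")
    print("missing pam_limits.so:", ", ".join(missing) or "none")
```

On a real system, `SAMPLE_PAM_D` would be replaced by reading each file under the built system's `etc/pam.d/` directory; the parser tolerates the bracketed control syntax and `-type` prefixes so that it does not choke on stacks generated for other services.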