From: Ricardo Wurmus
Subject: Re: [RFC]: Respect /etc/security/limits.conf
Date: Mon, 12 Oct 2015 07:23:22 +0200
Message-ID: <87si5g4q45.fsf@elephly.net>
In-reply-to: <87zj0hjb5o.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel@gnu.org

Ludovic Courtès writes:

> Ricardo Wurmus skribis:
>
>> The attached patch tries to add an entry for pam_limits.so, but I have
>> no idea if this actually works or if this is the way it should be done.
>> As far as I can tell we only need the pam_limits.so entry for
>> “/etc/pam.d/login”, but I could not find where this file is generated.
>
> It is generated based on the ‘pam-services’ field of the service
> returned by ‘mingetty-service’.
>
> Maybe it would be best to adjust just that part?

Oh, right. Attached are two patches:

* The first exports the pam-service-* getters, making it possible to
  extend a pam-service.

* The second extends the “session” field of the mingetty-service to add
  “pam_limits.so” to the required modules.
Loading the module doesn’t yet do anything on GuixSD because we don’t
generate ‘/etc/security/limits.conf’ (or ‘/etc/security/limits.d/’), but
it should respect such a file if it does exist. (I have not yet tested
this, but I will some time this week.)

Does this look okay?

> Is this PREFIX/etc/security/limits.d convention already used? If not,
> I’d rather avoid inventing it. ;-)
>
> What we could do is add a field in ‘operating-system’ to specify the
> limits.conf file to install as /etc/security/limits.conf?

Yes, that’s a better idea.

> It would be even better to create Scheme data types that mirror the
> settings of a limits.conf file (similar to what is done for PAM
> settings), and have users fiddle with that rather than with a plain text
> file.

I’ll familiarise myself with how other (service) configuration files are
created in GuixSD and propose a patch later.

~~ Ricardo

From cdf974eb7595cfb8997111d09f6da2350c72afdd Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus
Date: Mon, 12 Oct 2015 07:08:32 +0200
Subject: [PATCH 1/2] system: Export pam-service accessors.

* gnu/system/linux.scm (pam-service-name, pam-service-account,
pam-service-auth, pam-service-password, pam-service-session): Export.
---
 gnu/system/linux.scm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/gnu/system/linux.scm b/gnu/system/linux.scm
index cd14bc9..bfb1db6 100644
--- a/gnu/system/linux.scm
+++ b/gnu/system/linux.scm
@@ -26,6 +26,12 @@ #:use-module (srfi srfi-26) #:use-module ((guix utils) #:select (%current-system)) #:export (pam-service + pam-service-name + pam-service-account + pam-service-auth + pam-service-password + pam-service-session + pam-entry pam-services->directory unix-pam-service -- 2.5.0
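Review bot: the commit message should say why the five `pam-service-*` accessors are being exported, because exporting them from `gnu/system/linux.scm` turns record internals into public API that other modules will start to depend on; the reason visible here is that `pam-service-session` is needed to derive a modified `pam-service` via `inherit` in the follow-up patch. The diffstat's six insertions are the five `+ pam-service-*` lines plus the inserted blank line that separates the `pam-service` accessors from `pam-entry` in the `#:export` list, which is a reasonable grouping but is worth a word in the message so it is not read as a stray line. The ChangeLog entry lists exactly the five names added, which is consistent with the hunk.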
From 0a1b5cad3d302d937a29dec95e805488a26b34e8 Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus
Date: Mon, 12 Oct 2015 07:11:51 +0200
Subject: [PATCH 2/2] services: Add entry for pam_limits to mingetty-pam-service.

* gnu/services/base.scm (mingetty-pam-service): Add pam-entry for PAM
module "pam_limits.so" to session field.
---
 gnu/services/base.scm | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index adafe1b..4243327 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -438,11 +438,17 @@ stopped before 'kill' is called." ;; Let 'login' be known to PAM. All the mingetty services will have that ;; PAM service, but that's fine because they're all identical and duplicates ;; are removed. - (list (unix-pam-service "login" - #:allow-empty-passwords? - (mingetty-configuration-allow-empty-passwords? conf) - #:motd - (mingetty-configuration-motd conf)))) + (let ((login (unix-pam-service "login" + #:allow-empty-passwords? + (mingetty-configuration-allow-empty-passwords? conf) + #:motd + (mingetty-configuration-motd conf)))) + (list (pam-service + (inherit login) + (session (cons (pam-entry + (control "required") + (module "pam_limits.so")) + (pam-service-session login))))))) (define mingetty-dmd-service (match-lambda -- 2.5.0
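Review bot: the `pam_limits.so` entry is consed onto the front of the `session` list of the `login` PAM service only, so resource limits will be enforced for console sessions started by mingetty and for nothing else that authenticates through PAM; the commit message should state that this scope is intended (the cover e-mail says `/etc/pam.d/login` is believed to be the only service that needs it) so that nobody assumes the limits are system-wide. Because the control is `required`, any failure pam_limits reports during session setup fails the whole stack and the console login is refused; the e-mail notes the change is untested and that no `/etc/security/limits.conf` is generated yet, so the no-config case should be exercised before this is merged, and the message should say that the entry is inert until such a file exists. As a style point, a short comment above the `(let ((login ...)) ...)` form explaining why the session stack of `login` is extended with `inherit` rather than a second service being declared would help the next reader, since the existing comment only says that duplicate `login` services are removed.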