From: ludo@gnu.org (Ludovic Courtès)
To: Ricardo Wurmus <rekado@elephly.net>
Cc: "guix-devel@gnu.org" <guix-devel@gnu.org>
Subject: Re: [RFC]: Respect /etc/security/limits.conf
Date: Mon, 12 Oct 2015 19:13:34 +0200
Message-ID: <87twpw9fi9.fsf@gnu.org>
In-Reply-To: <87si5g4q45.fsf@elephly.net> (Ricardo Wurmus's message of "Mon, 12 Oct 2015 07:23:22 +0200")

Ricardo Wurmus <rekado@elephly.net> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>>> The attached patch tries to add an entry for pam_limits.so, but I have
>>> no idea if this actually works or if this is the way it should be done.
>>> As far as I can tell we only need the pam_limits.so entry for
>>> “/etc/pam.d/login”, but I could not find where this file is generated.
>>
>> It is generated based on the ‘pam-services’ field of the service
>> returned by ‘mingetty-service’.
>>
>> Maybe it would be best to adjust just that part?
>
> Oh, right. Attached are two patches:
>
> * The first exports the pam-service-* getters, making it possible to
> extend a pam-service.
>
> * The second extends the “session” field of the mingetty-service to
> add “pam_limits.so” to the required modules.
>
> Loading the module doesn’t yet do anything on GuixSD because we don’t
> generate ‘/etc/security/limits.conf’ (or ‘/etc/security/limits.d/’), but
> it should respect such file if it does exist. (I have not yet tested
> this, but I will some time this week.)
>
> Does this look okay?

As long as lack of /etc/security/limits.conf doesn’t create any problems
or annoying warnings, that’s fine!

>> Is this PREFIX/etc/security/limits.d convention already used? If not,
>> I’d rather avoid inventing it. ;-)
>>
>> What we could do is add a field in ‘operating-system’ to specify the
>> limits.conf file to install as /etc/security/limits.conf?
>
> Yes, that’s a better idea.

One way to do that within the new service framework would be to have a
“limits” service that extends ‘etc-service-type’. Something like that.

> From cdf974eb7595cfb8997111d09f6da2350c72afdd Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus <rekado@elephly.net>
> Date: Mon, 12 Oct 2015 07:08:32 +0200
> Subject: [PATCH 1/2] system: Export pam-service accessors.
>
> * gnu/system/linux.scm (pam-service-name, pam-service-account,
> pam-service-auth, pam-service-password, pam-service-session): Export.

Sure!

> From 0a1b5cad3d302d937a29dec95e805488a26b34e8 Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus <rekado@elephly.net>
> Date: Mon, 12 Oct 2015 07:11:51 +0200
> Subject: [PATCH 2/2] services: Add entry for pam_limits to
> mingetty-pam-service.
>
> * gnu/services/base.scm (mingetty-pam-service): Add pam-entry for
> PAM module "pam_limits.so" to session field.
[...]
> + (session (cons (pam-entry
> + (control "required")
> + (module "pam_limits.so"))
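
Review bot: the pam-entry added to the session field uses control "required", so any error returned by pam_limits.so makes session setup fail for logins through mingetty-pam-service. The cover text says the behaviour without /etc/security/limits.conf has not been tested yet, so before this is applied, confirm that a console login still succeeds on a system with no limits.conf and no limits.d directory, and that nothing is logged as a warning in that case. If a missing or unreadable file turns out to be an error, "optional" is the control value that would keep logins working. A short comment on the entry stating that it applies the resource limits from /etc/security/limits.conf would also help the next reader.
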

Please add a one-line comment saying what this is about.

OK as long as it doesn’t break anything in the absence of limits.conf
and doesn’t trigger warnings.

Thanks!

Ludo’.