From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: [RFC]: Respect /etc/security/limits.conf
Date: Mon, 12 Oct 2015 19:13:34 +0200
Message-ID: <87twpw9fi9.fsf@gnu.org>
In-Reply-To: <87si5g4q45.fsf@elephly.net> (Ricardo Wurmus's message of "Mon, 12 Oct 2015 07:23:22 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ricardo Wurmus
Cc: "guix-devel@gnu.org"

Ricardo Wurmus wrote:

> Ludovic Courtès writes:
>
>> Ricardo Wurmus wrote:
>>
>>> The attached patch tries to add an entry for pam_limits.so, but I have
>>> no idea if this actually works or if this is the way it should be done.
>>> As far as I can tell we only need the pam_limits.so entry for
>>> “/etc/pam.d/login”, but I could not find where this file is generated.
>>
>> It is generated based on the ‘pam-services’ field of the service
>> returned by ‘mingetty-service’.
>>
>> Maybe it would be best to adjust just that part?
>
> Oh, right. Attached are two patches:
>
> * The first exports the pam-service-* getters, making it possible to
>   extend a pam-service.
>
> * The second extends the “session” field of the mingetty-service to
>   add “pam_limits.so” to the required modules.
>
> Loading the module doesn’t yet do anything on GuixSD because we don’t
> generate ‘/etc/security/limits.conf’ (or ‘/etc/security/limits.d/’), but
> it should respect such a file if it does exist. (I have not yet tested
> this, but I will some time this week.)
>
> Does this look okay?

As long as lack of /etc/security/limits.conf doesn’t create any problems
or annoying warnings, that’s fine!

>> Is this PREFIX/etc/security/limits.d convention already used? If not,
>> I’d rather avoid inventing it. ;-)
>>
>> What we could do is add a field in ‘operating-system’ to specify the
>> limits.conf file to install as /etc/security/limits.conf?
>
> Yes, that’s a better idea.

One way to do that within the new service framework would be to have a
“limits” service that extends ‘etc-service-type’. Something like that.

> From cdf974eb7595cfb8997111d09f6da2350c72afdd Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus
> Date: Mon, 12 Oct 2015 07:08:32 +0200
> Subject: [PATCH 1/2] system: Export pam-service accessors.
>
> * gnu/system/linux.scm (pam-service-name, pam-service-account,
> pam-service-auth, pam-service-password, pam-service-session): Export.

Sure!

> From 0a1b5cad3d302d937a29dec95e805488a26b34e8 Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus
> Date: Mon, 12 Oct 2015 07:11:51 +0200
> Subject: [PATCH 2/2] services: Add entry for pam_limits to
> mingetty-pam-service.
>
> * gnu/services/base.scm (mingetty-pam-service): Add pam-entry for
> PAM module "pam_limits.so" to session field.

[...]

> + (session (cons (pam-entry
> + (control "required")
> + (module "pam_limits.so"))

Please add a one-line comment saying what this is about.
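
Review bot: (control "required") on the new pam_limits.so session entry means any error the module returns fails session setup for every login that goes through mingetty-pam-service, and the thread says this has not yet been tested on a system without /etc/security/limits.conf. Confirm that a console login still succeeds and logs no warning with that file absent before merging, and have the requested one-line comment state that this entry applies the resource limits from limits.conf.
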
OK as long as it doesn’t break anything in the absence of limits.conf
and doesn’t trigger warnings.

Thanks!

Ludo’.