Re: [RFC]: Respect /etc/security/limits.conf
From: Ludovic Courtès
Subject: Re: [RFC]: Respect /etc/security/limits.conf
Date: Mon, 12 Oct 2015 19:13:34 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Ricardo Wurmus <address@hidden> writes:
> Ludovic Courtès <address@hidden> writes:
>
>> Ricardo Wurmus <address@hidden> writes:
>>
>>> The attached patch tries to add an entry for pam_limits.so, but I have
>>> no idea if this actually works or if this is the way it should be done.
>>> As far as I can tell we only need the pam_limits.so entry for
>>> “/etc/pam.d/login”, but I could not find where this file is generated.
>>
>> It is generated based on the ‘pam-services’ field of the service
>> returned by ‘mingetty-service’.
>>
>> Maybe it would be best to adjust just that part?
>
> Oh, right. Attached are two patches:
>
> * The first exports the pam-service-* getters, making it possible to
> extend a pam-service.
>
> * The second extends the “session” field of the mingetty-service to
> add “pam_limits.so” to the required modules.
>
> Loading the module doesn’t yet do anything on GuixSD because we don’t
> generate ‘/etc/security/limits.conf’ (or ‘/etc/security/limits.d/’), but
> it should respect such file if it does exist. (I have not yet tested
> this, but I will some time this week.)
>
> Does this look okay?

As long as lack of /etc/security/limits.conf doesn’t create any problems
or annoying warnings, that’s fine!

>> Is this PREFIX/etc/security/limits.d convention already used? If not,
>> I’d rather avoid inventing it. ;-)
>>
>> What we could do is add a field in ‘operating-system’ to specify the
>> limits.conf file to install as /etc/security/limits.conf?
>
> Yes, that’s a better idea.

One way to do that within the new service framework would be to have a
“limits” service that extends ‘etc-service-type’. Something like that.

> From cdf974eb7595cfb8997111d09f6da2350c72afdd Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus <address@hidden>
> Date: Mon, 12 Oct 2015 07:08:32 +0200
> Subject: [PATCH 1/2] system: Export pam-service accessors.
>
> * gnu/system/linux.scm (pam-service-name, pam-service-account,
> pam-service-auth, pam-service-password, pam-service-session): Export.

Sure!

> From 0a1b5cad3d302d937a29dec95e805488a26b34e8 Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus <address@hidden>
> Date: Mon, 12 Oct 2015 07:11:51 +0200
> Subject: [PATCH 2/2] services: Add entry for pam_limits to
> mingetty-pam-service.
>
> * gnu/services/base.scm (mingetty-pam-service): Add pam-entry for
> PAM module "pam_limits.so" to session field.
[...]
> + (session (cons (pam-entry
> + (control "required")
> + (module "pam_limits.so"))
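
Review bot: (control "required") on the pam_limits.so entry makes a failure of that module fail the session stack of this login service, and the message above notes that GuixSD does not yet generate /etc/security/limits.conf. Confirm with a console login on a system without that file that the session still opens and nothing is logged as a warning, and record the outcome in a comment next to the pam-entry so the choice of "required" is explained where it is made.
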
Please add a one-line comment saying what this is about.

OK as long as it doesn’t break anything in the absence of limits.conf
and doesn’t trigger warnings.

Thanks!

Ludo’.
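
An added example, not part of the original message and not Guix code: shell helpers for checking the setup discussed in this thread, namely whether a PAM service's session stack loads pam_limits.so and whether a limits.conf to be installed is well-formed. The function names and sample inputs are constructed for illustration; the item list is assumed from limits.conf(5).

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for a pam_limits setup.

# Read a PAM service file on stdin; print the control flag of the
# pam_limits.so entry in the session stack. Exit status 1 if there is none.
pam_limits_control() {
    awk '$1 == "session" || $1 == "-session" {
        for (i = 3; i <= NF; i++)
            if ($i ~ /(^|\/)pam_limits\.so$/) {
                ctl = $2                      # control may be "[a=b c=d]"
                for (j = 3; j < i; j++) ctl = ctl " " $j
                print ctl; found = 1; exit
            }
    }
    END { exit !found }'
}

# Read a limits.conf on stdin; print one line per malformed entry.
# Exit status 1 if any entry is malformed. Item names per limits.conf(5).
lint_limits_conf() {
    awk -v items="core data fsize memlock nofile rss stack cpu nproc as \
maxlogins maxsyslogins priority locks sigpending msgqueue nice rtprio" '
    BEGIN { n = split(items, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    { sub(/#.*/, "") }                        # drop comments
    NF == 0 { next }
    NF == 2 && $2 == "-" { next }             # "domain -": no limits enforced
    NF != 4 { print NR ": expected 4 fields"; bad++; next }
    $2 != "soft" && $2 != "hard" && $2 != "-" { print NR ": bad type " $2; bad++; next }
    !($3 in ok) { print NR ": unknown item " $3; bad++; next }
    $4 !~ /^(-?[0-9]+|unlimited|infinity)$/ { print NR ": bad value " $4; bad++ }
    END { exit (bad > 0) }'
}

# Constructed sample inputs (not taken from the thread).
SAMPLE_PAM='auth     required  pam_unix.so
session  required  pam_limits.so
session  required  pam_unix.so'
SAMPLE_LIMITS='# domain  type  item    value
*         soft  nofile  4096
@audio    -     rtprio  95
alice     hard  nprocs  100
bob       both  core    0'

printf '%s\n' "$SAMPLE_PAM" | pam_limits_control
printf '%s\n' "$SAMPLE_LIMITS" | lint_limits_conf || echo "sample limits.conf has malformed entries"
```

On a real system the same functions take the files on stdin, for example `pam_limits_control < /etc/pam.d/login`.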