Re: [RFC]: Respect /etc/security/limits.conf
From: Ricardo Wurmus
Subject: Re: [RFC]: Respect /etc/security/limits.conf
Date: Mon, 12 Oct 2015 07:23:22 +0200
User-agent: mu4e 0.9.13; emacs 24.5.1

Ludovic Courtès <address@hidden> writes:
> Ricardo Wurmus <address@hidden> skribis:
>
>> The attached patch tries to add an entry for pam_limits.so, but I have
>> no idea if this actually works or if this is the way it should be done.
>> As far as I can tell we only need the pam_limits.so entry for
>> “/etc/pam.d/login”, but I could not find where this file is generated.
>
> It is generated based on the ‘pam-services’ field of the service
> returned by ‘mingetty-service’.
>
> Maybe it would be best to adjust just that part?

Oh, right.  Attached are two patches:

* The first exports the pam-service-* getters, making it possible to
  extend a pam-service.

* The second extends the “session” field of the mingetty-service to
  add “pam_limits.so” to the required modules.

Loading the module doesn’t yet do anything on GuixSD because we don’t
generate ‘/etc/security/limits.conf’ (or ‘/etc/security/limits.d/’), but
it should respect such a file if it does exist.  (I have not yet tested
this, but I will some time this week.)

Does this look okay?

> Is this PREFIX/etc/security/limits.d convention already used? If not,
> I’d rather avoid inventing it. ;-)
>
> What we could do is add a field in ‘operating-system’ to specify the
> limits.conf file to install as /etc/security/limits.conf?

Yes, that’s a better idea.

> It would be even better to create Scheme data types that mirror the
> settings of a limits.conf file (similar to what is done for PAM
> settings), and have users fiddle with that rather than with a plain text
> file.

I’ll familiarise myself with how other (service) configuration files are
created in GuixSD and propose a patch later.

~~ Ricardo

From cdf974eb7595cfb8997111d09f6da2350c72afdd Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus <address@hidden>
Date: Mon, 12 Oct 2015 07:08:32 +0200
Subject: [PATCH 1/2] system: Export pam-service accessors.
* gnu/system/linux.scm (pam-service-name, pam-service-account,
pam-service-auth, pam-service-password, pam-service-session): Export.
---
gnu/system/linux.scm | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/gnu/system/linux.scm b/gnu/system/linux.scm
index cd14bc9..bfb1db6 100644
--- a/gnu/system/linux.scm
+++ b/gnu/system/linux.scm
@@ -26,6 +26,12 @@
#:use-module (srfi srfi-26)
#:use-module ((guix utils) #:select (%current-system))
#:export (pam-service
+ pam-service-name
+ pam-service-account
+ pam-service-auth
+ pam-service-password
+ pam-service-session
+
pam-entry
pam-services->directory
unix-pam-service
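Review bot: The new names in the #:export list cover only the pam-service getters, while pam-entry, next in the list, appears in these lines without its accessors. If the aim is to let callers extend a service's session or auth entries, they will usually also need to inspect the entries already there, for example to avoid adding a module twice, so consider exporting the pam-entry accessors in the same change unless they are exported further down the form. The getters also become public interface of gnu/system/linux.scm; a short comment or manual entry saying they are meant for extending the services returned by unix-pam-service would help, and the blank + line can go unless the export list already groups names that way.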
--
2.5.0
From 0a1b5cad3d302d937a29dec95e805488a26b34e8 Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus <address@hidden>
Date: Mon, 12 Oct 2015 07:11:51 +0200
Subject: [PATCH 2/2] services: Add entry for pam_limits to
mingetty-pam-service.
* gnu/services/base.scm (mingetty-pam-service): Add pam-entry for
PAM module "pam_limits.so" to session field.
---
gnu/services/base.scm | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index adafe1b..4243327 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -438,11 +438,17 @@ stopped before 'kill' is called."
;; Let 'login' be known to PAM. All the mingetty services will have that
;; PAM service, but that's fine because they're all identical and duplicates
;; are removed.
- (list (unix-pam-service "login"
- #:allow-empty-passwords?
- (mingetty-configuration-allow-empty-passwords? conf)
- #:motd
- (mingetty-configuration-motd conf))))
+ (let ((login (unix-pam-service "login"
+ #:allow-empty-passwords?
+
(mingetty-configuration-allow-empty-passwords? conf)
+ #:motd
+ (mingetty-configuration-motd conf))))
+ (list (pam-service
+ (inherit login)
+ (session (cons (pam-entry
+ (control "required")
+ (module "pam_limits.so"))
+ (pam-service-session login)))))))
(define mingetty-dmd-service
(match-lambda
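Review bot: The added pam-entry in the session field uses (control "required") and is consed onto the front of (pam-service-session login), so pam_limits.so runs before the session entries that unix-pam-service supplies, and any failure it reports fails the login session. The accompanying message says /etc/security/limits.conf is not generated yet and that the change is untested, so please confirm that console login still succeeds when the file is absent or malformed; if it does not, install a default file in the same series or choose a less strict control value. Appending the entry after the existing session entries would also leave the current ordering intact. Separately, the line (mingetty-configuration-allow-empty-passwords? conf) has lost its + prefix, apparently wrapped in transit, so the hunk will not apply as posted.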
--
2.5.0