guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC] Support for pam_limits.so: “su” is ignored.

From: Ludovic Courtès
Subject: Re: [RFC] Support for pam_limits.so: “su” is ignored.
Date: Sat, 02 Apr 2016 16:44:53 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) 
Ricardo Wurmus <address@hidden> skribis:

> Ludovic Courtès <address@hidden> writes:

[...]

>> --8<---------------cut here---------------start------------->8---
>> $ ./pre-inst-env guix system build 
>> ~/src/configuration/pluto-configuration.scm
>> substitute: updating list of substitutes from 
>> 'https://mirror.hydra.gnu.org'... 100.0%
>> substitute: updating list of substitutes from 'https://hydra.gnu.org'... 
>> 100.0%
>> La jenaj derivoj estos konstruataj:
>>    /gnu/store/0fxwylcmdxy7bqmjpxwqf24v2x4yr53w-system.drv
>>    /gnu/store/q254gqx3rgwxn98nsaz16z8rl58nhfkw-shepherd.conf.drv
>>    /gnu/store/517cxw8xiniwsh9bfdp389qxlm9w5jj8-activate-service.drv
>>    /gnu/store/ky8p3bq0xpj3lf989fz1ba3j2xycyiz6-activate.drv
>>    /gnu/store/ljjl4zs722flxbpip8jdssqd549g7pay-boot.drv
>>    /gnu/store/vz8745sdk0ph0rykxldwzmfa3a5r7cm1-etc.drv
>> /gnu/store/s84hvl064k494174z692wl1vaqzrygln-system
>> address@hidden ~/src/guix$ grep pam_limit 
>> /gnu/store/s84hvl064k494174z692wl1vaqzrygln-system/etc/pam.d/*
>> /gnu/store/s84hvl064k494174z692wl1vaqzrygln-system/etc/pam.d/login:session 
>> required pam_limits.so conf=/etc/security/limits.conf
>> /gnu/store/s84hvl064k494174z692wl1vaqzrygln-system/etc/pam.d/slim:session 
>> required pam_limits.so conf=/etc/security/limits.conf
>> /gnu/store/s84hvl064k494174z692wl1vaqzrygln-system/etc/pam.d/su:session 
>> required pam_limits.so conf=/etc/security/limits.conf
>> --8<---------------cut here---------------end--------------->8---
>>
>> … where the configuration in question has (pam-limits-service) in its
>> ‘services’ field.

… in addition to ‘%base-services’ and a bunch of things.

> How odd.  It does not work for me:
>
> rekado in guix: ./pre-inst-env guix system build /etc/config.scm
> substitute: updating list of substitutes from 'https://hydra.gnu.org'... 
> 100.0%
> The following derivations will be built:
>    /gnu/store/8pldcwijn1szpyc4cbm4z808sbdn18r0-system.drv
>    /gnu/store/x2pigxf3mrf5crbmnjfxza8h3a70fvnv-activate-service.drv
>    /gnu/store/nwm5gsfavv35g3hjgzi5xymhxhqf2g4l-activate.drv
>    /gnu/store/38x73bdqj40wmy3lz8qnpfc20wb0dr6x-boot.drv
>    /gnu/store/mlkssjhw4avm8a37yi0nfk4z4zd9bkj6-security.drv
>    /gnu/store/1lxncnhdab3l732r144r5ww0y9rjq72f-etc.drv
> /gnu/store/qwjbfjzqlbdcrsbnyyjylfkhm6kqna5d-system
> rekado in guix: grep limits 
> /gnu/store/qwjbfjzqlbdcrsbnyyjylfkhm6kqna5d-system/etc/pam.d/*
> /gnu/store/qwjbfjzqlbdcrsbnyyjylfkhm6kqna5d-system/etc/pam.d/login:session 
> required pam_limits.so conf=/etc/security/limits.conf
> /gnu/store/qwjbfjzqlbdcrsbnyyjylfkhm6kqna5d-system/etc/pam.d/slim:session 
> required pam_limits.so conf=/etc/security/limits.conf
>
> When my configuration looks like this:
>
>       (services (list (pam-limits-service)))
>
> Then there’s one file containing pam_limits, namely “/etc/pam.d/su”.

That’s expected: in this case, there’s no ‘login’ and no ‘slim’.

> When my configuration looks like this, however:
>
>       (services (cons* (pam-limits-service)
>                        %desktop-services))
>
> Then only “/etc/pam.d/login” and “/etc/pam.d/slim” contain pam_limits;
> “/etc/pam.d/su” does not.

Hmm, I can’t reproduce it.  For instance, with this:


diff --git a/gnu/system/examples/lightweight-desktop.tmpl 
b/gnu/system/examples/lightweight-desktop.tmpl
index 7cb461f..f98b6cf 100644
--- a/gnu/system/examples/lightweight-desktop.tmpl
+++ b/gnu/system/examples/lightweight-desktop.tmpl
@@ -33,13 +33,13 @@
 
   ;; Add a bunch of window managers; we can choose one at
   ;; the log-in screen with F1.
-  (packages (cons* ratpoison i3-wm xmonad  ;window managers
+  (packages (cons* ratpoison
                    nss-certs               ;for HTTPS access
                    %base-packages))
 
   ;; Use the "desktop" services, which include the X11
   ;; log-in service, networking with Wicd, and more.
-  (services %desktop-services)
+  (services (cons (pam-limits-service) %desktop-services))
 
   ;; Allow resolution of '.local' host names with mDNS.
   (name-service-switch %mdns-host-lookup-nss))

I get:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix system build gnu/system/examples/lightweight-desktop.tmpl
substitute: updating list of substitutes from 'https://mirror.hydra.gnu.org'... 
100.0%
substitute: updating list of substitutes from 'https://hydra.gnu.org'... 100.0%

[...]

/gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system
$ grep pam_limit /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/*
/gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/login:session 
required pam_limits.so conf=/etc/security/limits.conf
/gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/slim:session 
required pam_limits.so conf=/etc/security/limits.conf
/gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/su:session 
required pam_limits.so conf=/etc/security/limits.conf
--8<---------------cut here---------------end--------------->8---

Could you try it?

Thanks,
Ludo’.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]