[RFC] Support for pam_limits.so: “su” is ignored.


From: Ricardo Wurmus
Subject: [RFC] Support for pam_limits.so: “su” is ignored.
Date: Fri, 01 Apr 2016 09:01:00 +0200
User-agent: mu4e 0.9.13; emacs 24.5.1

Hi Guix,

attached is a draft patch to make “su”, “login”, and “slim” respect a
limits file via pam_limits.so.  This seems to work, but I found two
things that are a little odd:

* the pam-extension procedure appears to be called more than once on the
  same pam-service.  I added a “(format #t ...)” statement to print the
  name of the pam-service that was passed to the procedure and the same
  name appeared multiple times.  The order of these multiple executions
  appears random, so we can have three times “su”, followed by one time
  “login”, then two times “su” again, etc.  I thought service folding
  ensured that each service extension is evaluated/applied just once.

* pam-services “su”, “sudo”, and possibly “passwd” are not actually
  modified when I check their names (as I do in this patch).  If I
  extend all pam-services without checking their names they do get
  modified.  With the attached patch the pam file for “su” does not get
  the pam entry for “pam_limits.so”.

I’d be glad if someone could give me a hint as to what’s going on here.
It would also help if you cannot reproduce it; then it’s probably
something to do with the state of my working directory.

~~ Ricardo

From cfe06b7c37035ab95e7b527fcde3a785f9e7de13 Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus <address@hidden>
Date: Fri, 1 Apr 2016 08:50:50 +0200
Subject: [PATCH] WIP support for pam_limits.so

---
 gnu/services/base.scm | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index a006c00..2c256ad 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2015, 2016 Alex Kost <address@hidden>
 ;;; Copyright © 2015 Mark H Weaver <address@hidden>
 ;;; Copyright © 2015 Sou Bunnbu <address@hidden>
+;;; Copyright © 2016 Ricardo Wurmus <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -93,6 +94,9 @@
             gpm-service-type
             gpm-service
 
+            pam-limits-service-type
+            pam-limits-service
+
             %base-services))
 
 ;;; Commentary:
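Review bot: the new exports `pam-limits-service-type` and `pam-limits-service` have no accompanying manual entry; the diffstat shows only `gnu/services/base.scm` changed. Before this leaves WIP, add a `@deffn` for `pam-limits-service` next to the other base services so users can find out that it exists and which PAM services it affects.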
@@ -818,6 +822,40 @@ settings.
 information on the configuration file syntax."
   (service syslog-service-type config-file))
 
+(define pam-limits-service-type
+  ;; Create /etc/security containing the provided "limits.conf" file.
+  (define (security-limits limits-file)
+    `(("security"
+       ,(computed-file
+         "security"
+         #~(begin (mkdir #$output)
+                  (stat #$limits-file)
+                  (symlink #$limits-file
+                           (string-append #$output "/limits.conf")))))))
+  (define (pam-extension pam)
+    (let ((pam-limits (pam-entry
+                       (control "required")
+                       (module "pam_limits.so")
+                       (arguments '("conf=/etc/security/limits.conf")))))
+      (if (member (pam-service-name pam)
+                  '("login" "su" "slim"))
+          (pam-service
+           (inherit pam)
+           (session (cons pam-limits
+                          (pam-service-session pam))))
+          pam)))
+  (service-type
+   (name 'limits)
+   (extensions
+    (list (service-extension etc-service-type security-limits)
+          (service-extension pam-root-service-type
+                             (lambda _ (list pam-extension)))))))
+
+(define* (pam-limits-service #:optional (limits (plain-file "limits.conf" "")))
+  "Return a service that makes selected programs respect the limits specified
+in LIMITS via pam_limits.so."
+  (service pam-limits-service-type limits))
+
 
 ;;;
 ;;; Guix services.
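Review bot: the docstring of `pam-limits-service` says "selected programs" but the set of affected services lives only in the `(member (pam-service-name pam) '("login" "su" "slim"))` test inside `pam-extension`; name them in the docstring (or hoist the list into a named variable the docstring can refer to) so a user enabling the service knows that, e.g., "sudo" and "passwd" are left untouched. Two smaller points in `security-limits`: the bare `(stat #$limits-file)` in the build gexp is only there to make the build fail when the file is missing, which deserves a comment, since it reads like a stray expression; and `limits.conf` is installed as a symlink into the store, so a reader should be told that `/etc/security/limits.conf` is read-only by design and is changed by reconfiguring with a new `limits` file, not by editing it in place. The `session` entry with `control "required"` and `pam_limits.so` is the right stack for this module, and consing it onto the front of `(pam-service-session pam)` is fine.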
-- 
2.7.3

