guix-devel

Re: [RFC] Support for pam_limits.so: “su” is ignored.


From: Ricardo Wurmus
Subject: Re: [RFC] Support for pam_limits.so: “su” is ignored.
Date: Sat, 02 Apr 2016 19:34:40 +0200
User-agent: mu4e 0.9.13; emacs 24.5.1

Ludovic Courtès <address@hidden> writes:

> Ricardo Wurmus <address@hidden> writes:
>
>> Ludovic Courtès <address@hidden> writes:
>
> [...]
>
>>> --8<---------------cut here---------------start------------->8---
>>> $ ./pre-inst-env guix system build ~/src/configuration/pluto-configuration.scm
>>> substitute: updating list of substitutes from 'https://mirror.hydra.gnu.org'... 100.0%
>>> substitute: updating list of substitutes from 'https://hydra.gnu.org'... 100.0%
>>> La jenaj derivoj estos konstruataj:
>>>    /gnu/store/0fxwylcmdxy7bqmjpxwqf24v2x4yr53w-system.drv
>>>    /gnu/store/q254gqx3rgwxn98nsaz16z8rl58nhfkw-shepherd.conf.drv
>>>    /gnu/store/517cxw8xiniwsh9bfdp389qxlm9w5jj8-activate-service.drv
>>>    /gnu/store/ky8p3bq0xpj3lf989fz1ba3j2xycyiz6-activate.drv
>>>    /gnu/store/ljjl4zs722flxbpip8jdssqd549g7pay-boot.drv
>>>    /gnu/store/vz8745sdk0ph0rykxldwzmfa3a5r7cm1-etc.drv
>>> /gnu/store/s84hvl064k494174z692wl1vaqzrygln-system
>>> address@hidden ~/src/guix$ grep pam_limit /gnu/store/s84hvl064k494174z692wl1vaqzrygln-system/etc/pam.d/*
>>> /gnu/store/s84hvl064k494174z692wl1vaqzrygln-system/etc/pam.d/login:session required pam_limits.so conf=/etc/security/limits.conf
>>> /gnu/store/s84hvl064k494174z692wl1vaqzrygln-system/etc/pam.d/slim:session required pam_limits.so conf=/etc/security/limits.conf
>>> /gnu/store/s84hvl064k494174z692wl1vaqzrygln-system/etc/pam.d/su:session required pam_limits.so conf=/etc/security/limits.conf
>>> --8<---------------cut here---------------end--------------->8---
>>>
>>> … where the configuration in question has (pam-limits-service) in its
>>> ‘services’ field.
>
> … in addition to ‘%base-services’ and a bunch of things.
>
>> How odd.  It does not work for me:
>>
>> rekado in guix: ./pre-inst-env guix system build /etc/config.scm
>> substitute: updating list of substitutes from 'https://hydra.gnu.org'... 100.0%
>> The following derivations will be built:
>>    /gnu/store/8pldcwijn1szpyc4cbm4z808sbdn18r0-system.drv
>>    /gnu/store/x2pigxf3mrf5crbmnjfxza8h3a70fvnv-activate-service.drv
>>    /gnu/store/nwm5gsfavv35g3hjgzi5xymhxhqf2g4l-activate.drv
>>    /gnu/store/38x73bdqj40wmy3lz8qnpfc20wb0dr6x-boot.drv
>>    /gnu/store/mlkssjhw4avm8a37yi0nfk4z4zd9bkj6-security.drv
>>    /gnu/store/1lxncnhdab3l732r144r5ww0y9rjq72f-etc.drv
>> /gnu/store/qwjbfjzqlbdcrsbnyyjylfkhm6kqna5d-system
>> rekado in guix: grep limits /gnu/store/qwjbfjzqlbdcrsbnyyjylfkhm6kqna5d-system/etc/pam.d/*
>> /gnu/store/qwjbfjzqlbdcrsbnyyjylfkhm6kqna5d-system/etc/pam.d/login:session required pam_limits.so conf=/etc/security/limits.conf
>> /gnu/store/qwjbfjzqlbdcrsbnyyjylfkhm6kqna5d-system/etc/pam.d/slim:session required pam_limits.so conf=/etc/security/limits.conf
>>
>> When my configuration looks like this:
>>
>>       (services (list (pam-limits-service)))
>>
>> Then there’s one file containing pam_limits, namely “/etc/pam.d/su”.
>
> That’s expected: in this case, there’s no ‘login’ and no ‘slim’.

Yes, I know.  I just wanted to show that the file for “su” *does*
contain pam_limits in this case, but not when %desktop-services is used
as well.

>> When my configuration looks like this, however:
>>
>>       (services (cons* (pam-limits-service)
>>                        %desktop-services))
>>
>> Then only “/etc/pam.d/login” and “/etc/pam.d/slim” contain pam_limits;
>> “/etc/pam.d/su” does not.
>
> Hmm, I can’t reproduce it.  For instance, with this:
>
>
> I get:
>
> --8<---------------cut here---------------start------------->8---
> $ ./pre-inst-env guix system build gnu/system/examples/lightweight-desktop.tmpl
> substitute: updating list of substitutes from 'https://mirror.hydra.gnu.org'... 100.0%
> substitute: updating list of substitutes from 'https://hydra.gnu.org'... 100.0%
>
> [...]
>
> /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system
> $ grep pam_limit /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/*
> /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/login:session required pam_limits.so conf=/etc/security/limits.conf
> /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/slim:session required pam_limits.so conf=/etc/security/limits.conf
> /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/su:session required pam_limits.so conf=/etc/security/limits.conf
> --8<---------------cut here---------------end--------------->8---
>
> Could you try it?

I did and I don’t get the same as you do:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix system build gnu/system/examples/lightweight-desktop.tmpl
substitute: updating list of substitutes from 'https://hydra.gnu.org'... 100.0%
The following derivations will be built:
   /gnu/store/l8r7k5ysw5vkdi67rcz9wx5gl9sxp892-system.drv
   /gnu/store/5q0rh32ns03y4ndsj1fmsim9zm04x182-activate-service.drv
   /gnu/store/rvgr25dfw70kf3dyr3mp8w9dmpqsqlll-activate.drv
   /gnu/store/56d9psa8xcv3i6wqfc01zb39i9sbd7v5-boot.drv
   /gnu/store/siny40wkak05sqlnmwwsmpxwh93rva1f-gtk-icon-themes.drv
   /gnu/store/fx5bkg9cz15w90yqximsd678g31blyzk-info-dir.drv
   /gnu/store/68ri6jqwbg1k15iiyvj3j9a065c22rd1-ca-certificate-bundle.drv
   /gnu/store/ja6pgayi1qcyf8ffq27s4jimzcq2nm54-profile.drv
   /gnu/store/50s165xprg605n58i81z49sv1f797vpz-etc.drv
/gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system
$ grep pam_limit /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/*
/gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/login:session required pam_limits.so conf=/etc/security/limits.conf
/gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/slim:session required pam_limits.so conf=/etc/security/limits.conf
--8<---------------cut here---------------end--------------->8---

I’m using Guix at commit a754eaf with additional commits to add packages
to gnu/packages and the patch I sent earlier to extend the pam files
with pam_limits.  The only uncommitted change is the modification of
“gnu/system/examples/lightweight-desktop.tmpl”.

Very odd.  It’s possible that this is a problem with my setup here.  If
that’s so, would you be okay with the commit (if it had a proper commit
message)?

~~ Ricardo
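
The grep runs in this thread only list the files that match, so a service that silently lacks pam_limits (here "su") has to be spotted by its absence. The following is an added example, not part of the original message or of Guix: a shell check that names the services whose session stack does not load pam_limits.so. The function names, the sample tree and the "sshd" service are constructed for illustration.

```shell
#!/bin/sh
# Added example: report PAM services whose session stack lacks pam_limits.so.

# missing_pam_limits DIR SERVICE...
# Prints each SERVICE with no active "session ... pam_limits.so" line, or
# "NAME (no file)" when DIR/NAME does not exist. Returns 1 if any was printed.
missing_pam_limits() {
    dir=$1; shift
    rc=0
    for svc in "$@"; do
        file=$dir/$svc
        if [ ! -f "$file" ]; then
            echo "$svc (no file)"; rc=1; continue
        fi
        # Skip comment lines; allow the optional "-" prefix on the type field
        # and either a bare module name or a full path to pam_limits.so.
        if ! awk '
            /^[ \t]*#/ { next }
            $1 ~ /^-?session$/ {
                for (i = 3; i <= NF; i++)
                    if ($i ~ /(^|\/)pam_limits\.so$/) found = 1
            }
            END { exit !found }' "$file"; then
            echo "$svc"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tree (not a real system build): login and slim carry the
# entry shown in the thread, su has it only as a comment, which a plain grep
# would still count as a match.
make_sample() {
    d=$(mktemp -d) || return 1
    line='session required pam_limits.so conf=/etc/security/limits.conf'
    printf '%s\n' 'auth required pam_unix.so' "$line" > "$d/login"
    printf '%s\n' 'auth required pam_unix.so' "$line" > "$d/slim"
    printf '%s\n' 'session required pam_unix.so' "# $line" > "$d/su"
    echo "$d"
}

sample=$(make_sample)
missing_pam_limits "$sample" login slim su sshd || echo "pam_limits.so missing above"
rm -rf "$sample"
```

Pointed at the etc/pam.d directory of a built system, the same function can run after each "guix system build" and fail the step when an expected service is reported.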



