guix-devel

Re: [RFC] Support for pam_limits.so: “su” is ignored.


From: Ricardo Wurmus
Subject: Re: [RFC] Support for pam_limits.so: “su” is ignored.
Date: Tue, 05 Apr 2016 09:47:46 +0200
User-agent: mu4e 0.9.13; emacs 24.5.1

Ludovic Courtès <address@hidden> writes:

> Ricardo Wurmus <address@hidden> writes:
>
>> Ludovic Courtès <address@hidden> writes:
>
> [...]
>
>>> I get:
>>>
>>> --8<---------------cut here---------------start------------->8---
>>> $ ./pre-inst-env guix system build gnu/system/examples/lightweight-desktop.tmpl
>>> substitute: updating list of substitutes from 'https://mirror.hydra.gnu.org'... 100.0%
>>> substitute: updating list of substitutes from 'https://hydra.gnu.org'... 100.0%
>>>
>>> [...]
>>>
>>> /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system
>>> $ grep pam_limit /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/*
>>> /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/login:session required pam_limits.so conf=/etc/security/limits.conf
>>> /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/slim:session required pam_limits.so conf=/etc/security/limits.conf
>>> /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/su:session required pam_limits.so conf=/etc/security/limits.conf
>>> --8<---------------cut here---------------end--------------->8---
>>>
>>> Could you try it?
>>
>> I did and I don’t get the same as you do:
>>
>> $ ./pre-inst-env guix system build gnu/system/examples/lightweight-desktop.tmpl
>> substitute: updating list of substitutes from 'https://hydra.gnu.org'... 100.0%
>> The following derivations will be built:
>>    /gnu/store/l8r7k5ysw5vkdi67rcz9wx5gl9sxp892-system.drv
>>    /gnu/store/5q0rh32ns03y4ndsj1fmsim9zm04x182-activate-service.drv
>>    /gnu/store/rvgr25dfw70kf3dyr3mp8w9dmpqsqlll-activate.drv
>>    /gnu/store/56d9psa8xcv3i6wqfc01zb39i9sbd7v5-boot.drv
>>    /gnu/store/siny40wkak05sqlnmwwsmpxwh93rva1f-gtk-icon-themes.drv
>>    /gnu/store/fx5bkg9cz15w90yqximsd678g31blyzk-info-dir.drv
>>    /gnu/store/68ri6jqwbg1k15iiyvj3j9a065c22rd1-ca-certificate-bundle.drv
>>    /gnu/store/ja6pgayi1qcyf8ffq27s4jimzcq2nm54-profile.drv
>>    /gnu/store/50s165xprg605n58i81z49sv1f797vpz-etc.drv
>> /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system
>> $ grep pam_limit /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/*
>> /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/login:session required pam_limits.so conf=/etc/security/limits.conf
>> /gnu/store/rx31x0m8fk5aknwf754in9yxl7vcq8ls-system/etc/pam.d/slim:session required pam_limits.so conf=/etc/security/limits.conf
>
> Crazy stuff.
>
> The ‘/etc-entry’ procedure in (gnu system pam) clearly calls the
> transformation procedure for all the PAM services.  I don’t see what
> could go wrong.

I tried this patch on another machine and it works just fine.  Weird.

> Could you add a bunch of ’pk’ in this procedure and in your
> ‘pam-extension’ procedure as well and report on that?

I’ll try this later.  I did this before and saw that my extension
procedure is in fact called with “su” (and the correct branch is taken),
but it has no effect.  I’ll dig deeper at some other point.

>> I’m using Guix at commit a754eaf with additional commits to add packages
>> to gnu/packages and the patch I sent earlier to extend the pam files
>> with pam_limits.  The only uncommitted change is the modification of
>> “gnu/system/examples/lightweight-desktop.tmpl”.
>>
>> Very odd.  It’s possible that this is a problem with my setup here.  If
>> that’s so, would you be okay with the commit (if it had a proper commit
>> message)?
>
> Yes (and doc :-)).

Oh, right :)

> I haven’t checked the feasibility etc., but eventually, maybe it would
> be best to have Scheme bindings for limits.conf.  That way, we could
> write services that extend ‘limits-service-type’ with new limits or
> something.

I’m not very familiar with limits.conf (I only copied the realtime audio
settings from the JACK website), but it looks like the format is very
simple.  We could certainly have something like a “limits-entry” to
specify the limits and a matching service.

~~ Ricardo
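
The grep comparison in the thread above can be scripted so that a PAM service without pam_limits.so (here “su”) is reported by name. This is an added example, not part of the original message or of Guix; the function names and the sample pam.d files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list PAM services that have no active
# "session ... pam_limits.so" entry, so resource limits would not
# apply to sessions opened through them.

# Usage: pam_services_missing_limits PAM_DIR SERVICE...
# Prints each SERVICE whose file is absent from PAM_DIR or contains no
# uncommented session line loading pam_limits.so.
pam_services_missing_limits() {
    dir=$1; shift
    for svc in "$@"; do
        file="$dir/$svc"
        [ -f "$file" ] || { echo "$svc"; continue; }
        awk '
            /^[ \t]*#/ { next }                 # commented-out entries do not count
            {
                type = $1; sub(/^-/, "", type)  # PAM allows a leading "-" on the type
                if (type != "session") next
                # The module may be a bare name or an absolute path.
                for (i = 2; i <= NF; i++)
                    if ($i == "pam_limits.so" || $i ~ /\/pam_limits\.so$/)
                        found = 1
            }
            END { exit !found }
        ' "$file" || echo "$svc"
    done
}

# Constructed sample: login and slim carry the line quoted in the thread,
# su only has it commented out (the failing case being discussed).
make_sample_pam_dir() {
    d=$(mktemp -d)
    line='session required pam_limits.so conf=/etc/security/limits.conf'
    printf '%s\n' "$line" > "$d/login"
    printf '%s\n' "$line" > "$d/slim"
    printf '%s\n' 'session required pam_unix.so' "# $line" > "$d/su"
    echo "$d"
}

sample=$(make_sample_pam_dir)
pam_services_missing_limits "$sample" login slim su   # prints: su
rm -rf "$sample"
```

On a real build, pass the etc/pam.d directory of the store item printed by `guix system build` as the first argument.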



