guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[RFC]: Respect /etc/security/limits.conf

From: Ricardo Wurmus
Subject: [RFC]: Respect /etc/security/limits.conf
Date: Sat, 19 Sep 2015 12:51:58 +0200 
Hi Guix,

I noticed that we aren’t using pam_limits.so, so it is impossible to set
session-wide limits per user.  This is useful to explicitly grant the
“audio” group realtime priorities and lift memory allocation
restrictions.

The attached patch tries to add an entry for pam_limits.so, but I have
no idea if this actually works or if this is the way it should be done.
As far as I can tell we only need the pam_limits.so entry for
“/etc/pam.d/login”, but I could not find where this file is generated.

Also, I wonder how users are supposed to edit /etc/security/limits.conf
at all.  I suppose they are not to edit anything in /etc anyway.
pam_limits.so also reads *.conf files in “/etc/security/limits.d/” and
maybe it would make sense for packages to provide a
“$out/etc/security/limits.d/$name.conf” file with settings.  For
example, the “jack” packages could then provide
“$out/etc/security/limits.d/realtime.conf”, which contains the
following:

    @realtime   -  rtprio     99
    @realtime   -  memlock    unlimited

(See http://www.jackaudio.org/faq/linux_rt_config.html)

A user in the “realtime” group could then finally use JACK in realtime
mode.

What is the best way to make this work?  (I really want to run JACK in
realtime mode.)

~~ Ricardo


>From 7a92f5a3f9bfa22749d0a635d5ac878560336611 Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus <address@hidden>
Date: Sat, 19 Sep 2015 12:40:20 +0200
Subject: [PATCH] WIP: respect /etc/security/limits.conf

---
 gnu/system/linux.scm | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/gnu/system/linux.scm b/gnu/system/linux.scm
index 7461a4a..d94e4ca 100644
--- a/gnu/system/linux.scm
+++ b/gnu/system/linux.scm
@@ -132,7 +132,10 @@ dumped in /etc/pam.d/NAME, where NAME is the name of 
SERVICE."
 (define unix-pam-service
   (let ((unix (pam-entry
                (control "required")
-               (module "pam_unix.so"))))
+               (module "pam_unix.so")))
+        (limits (pam-entry
+                 (control "required")
+                 (module "pam_limits.so"))))
     (lambda* (name #:key allow-empty-passwords? motd)
       "Return a standard Unix-style PAM service for NAME.  When
 ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords.  When MOTD is true, it
@@ -154,13 +157,13 @@ should be the name of a file used as the 
message-of-the-day."
                           ;; Store SHA-512 encrypted passwords in /etc/shadow.
                           (arguments '("sha512" "shadow")))))
          (session (if motd
-                      (list unix
+                      (list unix limits
                             (pam-entry
                              (control "optional")
                              (module "pam_motd.so")
                              (arguments
                               (list #~(string-append "motd=" #$motd)))))
-                      (list unix))))))))
+                      (list unix limits))))))))
 
 (define (rootok-pam-service command)
   "Return a PAM service for COMMAND such that 'root' does not need to
-- 
2.5.0
reply via email to
[Prev in Thread] Current Thread [Next in Thread]