gdm doesn't load pam-limits

Status: Open
Participants: Jesse Gibbons, Ricardo Wurmus
Owner: unassigned
Submitted by: Jesse Gibbons
Severity: normal
Jesse Gibbons wrote on 11 Sep 2019 17:12
(name . bug-guix mailing list)(address . bug-guix@gnu.org)
c24fb719e529bfaf92f2a11bbebf08aa49d302cc.camel@gmail.com
I have been trying to set up ardour, but jackd doesn't start in real-
time mode. I made an os definition that replicates this issue when I
use a VM[0].
I asked the gnome and gdm IRC and found out gdm loads the gdm-password
pam config, which seems untouched by pam-limits-service. My
/etc/pam.d/gdm-password (which should be the default) is attached.

Thanks!
--
-Jesse
account required pam_unix.so
auth required pam_unix.so nullok
password required pam_unix.so sha512 shadow
session required /gnu/store/90b3ypy5w6si4vd4b17i2nyzy0pfr5j2-elogind-241.3/lib/security/pam_elogind.so
session required pam_loginuid.so
session required pam_env.so
session required pam_unix.so
Jesse Gibbons wrote on 11 Sep 2019 20:08
(address . 37380@debbugs.gnu.org)
31ed0ff0829f11529996a593da2b712014a6fb00.camel@gmail.com
On Wed, 2019-09-11 at 09:12 -0600, Jesse Gibbons wrote:
> I have been trying to set up ardour, but jackd doesn't start in real-
> time mode. I made an os definition that replicates this issue when I
> use a VM[0].
> [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.html
> I asked the gnome and gdm IRC and found out gdm loads the gdm-password
> pam config, which seems untouched by pam-limits-service. My
> /etc/pam.d/gdm-password (which should be the default) is attached.
>
> Thanks!
I'm not sure how to resolve this issue. I tried appending "gdm-
password" to the list of pam configs modified by pam-limits-service[1]
but it doesn't fix anything when I use ./pre-inst-env to build the
vm. gdm-password still does not have a line to load pam_limits.

Whatever the solution, we will probably also want to implement it with
other graphical login services like slim and sddm (and eventually
lightdm and kdm).

m#n1480
--
-Jesse
Ricardo Wurmus wrote on 11 Sep 2019 21:48
(name . Jesse Gibbons)(address . jgibbons2357@gmail.com)(address . 37380@debbugs.gnu.org)
87sgp2pqbw.fsf@elephly.net
Hi Jesse,

> I have been trying to set up ardour, but jackd doesn't start in real-
> time mode. I made an os definition that replicates this issue when I
> use a VM[0].
> [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.html
> I asked the gnome and gdm IRC and found out gdm loads the gdm-password
> pam config, which seems untouched by pam-limits-service. My
> /etc/pam.d/gdm-password (which should be the default) is attached.

I can reproduce this.

(I’m sorry for accidentally misleading you earlier. Turns out I used
JACK a little longer ago than I initially realized.)

I think it should be pretty easy to fix this:

1) we should generate a single file that is used for generic session
settings.

2) all login programs (including gdm) should include that file in their
PAM settings.

3) the pam-limits-service should extend that single file instead of
attempting to update a bunch of PAM files for a selected list of
programs.

--
Ricardo
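
An audit of the gap described above, as an added example that is not code from Guix or from either poster: it lists the session modules each PAM service loads, following include and substack lines, and reports services that never reach pam_limits.so. The gdm-password text is the file attached to the report; the standard-session and gdm-password-fixed files are hypothetical stand-ins for the shared-file proposal.

```python
import re

# Constructed sample files (not read from a live system).
PAM_D = {
    # The gdm-password file attached to the report: no pam_limits.so.
    "gdm-password": """\
account required pam_unix.so
auth required pam_unix.so nullok
password required pam_unix.so sha512 shadow
session required /gnu/store/90b3ypy5w6si4vd4b17i2nyzy0pfr5j2-elogind-241.3/lib/security/pam_elogind.so
session required pam_loginuid.so
session required pam_env.so
session required pam_unix.so
""",
    # Hypothetical shared file, named after the thread's pam-entry sketch.
    "standard-session": "session required pam_limits.so\n",
    # Hypothetical gdm-password once it includes the shared file.
    "gdm-password-fixed": """\
auth required pam_unix.so nullok
session include standard-session
session required pam_unix.so
""",
}

# type, control (plain word or [bracketed list]), then module path or file name
ENTRY = re.compile(r"-?session\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def session_modules(service, files, seen=None):
    """List the modules in a service's session stack, following includes."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:  # include loop or missing file
        return []
    seen.add(service)
    modules = []
    for line in files[service].splitlines():
        m = ENTRY.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        control, target = m.groups()
        if control in ("include", "substack"):
            modules += session_modules(target, files, seen)
        else:
            modules.append(target.rsplit("/", 1)[-1])  # drop the store path
    return modules

def services_missing_limits(files):
    """PAM services whose session stack never reaches pam_limits.so."""
    return sorted(s for s in files if "pam_limits.so" not in session_modules(s, files))
```

Calling services_missing_limits on a dict built from the real /etc/pam.d directory gives the list of login paths on which limits.conf entries, such as realtime priority for an audio group, are never applied.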
Jesse Gibbons wrote on 12 Sep 2019 20:23
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 37380@debbugs.gnu.org)
9826a76740c7a7028a2022abd08136b8664c765d.camel@gmail.com
Thanks Ricardo,
On Wed, 2019-09-11 at 21:48 +0200, Ricardo Wurmus wrote:
> Hi Jesse,
>
> > I have been trying to set up ardour, but jackd doesn't start in
> > real-time mode. I made an os definition that replicates this issue
> > when I use a VM[0].
> > [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.html
> > I asked the gnome and gdm IRC and found out gdm loads the
> > gdm-password pam config, which seems untouched by pam-limits-service.
> > My /etc/pam.d/gdm-password (which should be the default) is attached.
>
> I can reproduce this.
>
> (I’m sorry for accidentally misleading you earlier. Turns out I used
> JACK a little longer ago than I initially realized.)
So was there a time when JACK worked realtime after logging in from gdm
on a GuixSD install?
>
> I think it should be pretty easy to fix this:
>
> 1) we should generate a single file that is used for generic session
> settings.
What should be this file's default contents? Should it be empty unless
the pam-limits-service is specified?
>
> 2) all login programs (including gdm) should include that file in
> their PAM settings.
I suppose this could be done by adding
  (pam-entry
    (control "include")
    (module "standard-session"))

I'm not sure "module" is a good word to describe the file.
>
> 3) the pam-limits-service should extend that single file instead of
> attempting to update a bunch of PAM files for a selected list of
> programs.
Should this file be a part of base-services?
> --
> Ricardo
>
I have to go to work soon, but I hope I can have this accomplished with
a patch series ready by Saturday. I'll check in with a status update
Saturday evening UTC -6.
--
-Jesse
Jesse Gibbons wrote on 15 Sep 2019 01:13
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 37380@debbugs.gnu.org)
a47dac236a66eca44357c1ed8a952a4fa850bdab.camel@gmail.com
On Wed, 2019-09-11 at 21:48 +0200, Ricardo Wurmus wrote:
> Hi Jesse,
>
> > I have been trying to set up ardour, but jackd doesn't start in
> > real-time mode. I made an os definition that replicates this issue
> > when I use a VM[0].
> > [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.html
> > I asked the gnome and gdm IRC and found out gdm loads the
> > gdm-password pam config, which seems untouched by pam-limits-service.
> > My /etc/pam.d/gdm-password (which should be the default) is attached.
>
> I can reproduce this.
>
> (I’m sorry for accidentally misleading you earlier. Turns out I used
> JACK a little longer ago than I initially realized.)
>
> I think it should be pretty easy to fix this:
>
> 1) we should generate a single file that is used for generic session
> settings.
>
> 2) all login programs (including gdm) should include that file in
> their PAM settings.
>
> 3) the pam-limits-service should extend that single file instead of
> attempting to update a bunch of PAM files for a selected list of
> programs.
>
> --
> Ricardo
>
Is all this best practice?

This solution would have patches for three files:
- gnu/system/pam.scm (adding the generic session settings file and
patching the "su" and "login" configurations)
- gnu/services/base.scm (patching pam-limits-service)
- gnu/services/desktop.scm (patching the graphical login
configurations).

All new login services would require a patch to just one file with
these steps implemented (to add the service), whereas they would each
need a patch to two files if they are not implemented (one to add the
service, another to have pam-limits-service modify the service's pam
config).

If you think this solution is better design than what we currently
have, and others in this mailing list agree, I will work to provide
these patches.

I previously said adding gdm-password to the list of pam configs
amended by pam-limits-service did not work. I then discovered the
changes in the environment will not work unless I run "make". I don't
know if this is a bug in guix or guile, or if it is intentionally this
way; the manual should be updated to clarify that guix needs to be
built in the environment for the changes to work.

I sent a patch (bug#37405) that fixes this issue for gdm-password. A
simple change can probably fix it for gdm-autologin (not added because
I haven't tested it) and whatever gdm loads when the user logs in with
biometric fingerprints (I don't know the name). When we add ldm and
kdm, I think we can do something similar.

--
-Jesse
Jesse Gibbons wrote on 19 Sep 2019 04:46
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 37380@debbugs.gnu.org)
e96a249f31478c922ada535c5f80230824127c57.camel@gmail.com
On Sat, 2019-09-14 at 17:13 -0600, Jesse Gibbons wrote:
> On Wed, 2019-09-11 at 21:48 +0200, Ricardo Wurmus wrote:
> > Hi Jesse,
> >
> > > I have been trying to set up ardour, but jackd doesn't start in
> > > real-time mode. I made an os definition that replicates this issue
> > > when I use a VM[0].
> > > [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.html
> > > I asked the gnome and gdm IRC and found out gdm loads the
> > > gdm-password pam config, which seems untouched by pam-limits-service.
> > > My /etc/pam.d/gdm-password (which should be the default) is attached.
> >
> > I can reproduce this.
> >
> > (I’m sorry for accidentally misleading you earlier. Turns out I used
> > JACK a little longer ago than I initially realized.)
> >
> > I think it should be pretty easy to fix this:
> >
> > 1) we should generate a single file that is used for generic session
> > settings.
> >
> > 2) all login programs (including gdm) should include that file in
> > their PAM settings.
> >
> > 3) the pam-limits-service should extend that single file instead of
> > attempting to update a bunch of PAM files for a selected list of
> > programs.
> >
> > --
> > Ricardo
> >
>
> Is all this best practice?
>
> This solution would have patches for three files:
> - gnu/system/pam.scm (adding the generic session settings file and
> patching the "su" and "login" configurations)
> - gnu/services/base.scm (patching pam-limits-service)
> - gnu/services/desktop.scm (patching the graphical login
> configurations).
>
> All new login services would require a patch to just one file with
> these steps implemented (to add the service), whereas they would each
> need a patch to two files if they are not implemented (one to add the
> service, another to have pam-limits-service modify the service's pam
> config).
>
> If you think this solution is better design than what we currently
> have, and others in this mailing list agree, I will work to provide
> these patches.
>
> I previously said adding gdm-password to the list of pam configs
> amended by pam-limits-service did not work. I then discovered the
> changes in the environment will not work unless I run "make". I don't
> know if this is a bug in guix or guile, or if it is intentionally this
> way; the manual should be updated to clarify that guix needs to be
> built in the environment for the changes to work.
>
> I sent a patch (bug#37405) that fixes this issue for gdm-password. A
> simple change can probably fix it for gdm-autologin (not added because
> I haven't tested it) and whatever gdm loads when the user logs in with
> biometric fingerprints (I don't know the name). When we add ldm and
> kdm, I think we can do something similar.
>
ping
Jesse Gibbons wrote on 25 Sep 2019 17:47
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 37380@debbugs.gnu.org)
c5664c66d4bb289de30afee8721c82b770f8f150.camel@gmail.com
On Sat, 2019-09-14 at 17:13 -0600, Jesse Gibbons wrote:
> On Wed, 2019-09-11 at 21:48 +0200, Ricardo Wurmus wrote:
> > Hi Jesse,
> >
> > > I have been trying to set up ardour, but jackd doesn't start in
> > > real-time mode. I made an os definition that replicates this issue
> > > when I use a VM[0].
> > > [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.html
> > > I asked the gnome and gdm IRC and found out gdm loads the
> > > gdm-password pam config, which seems untouched by pam-limits-service.
> > > My /etc/pam.d/gdm-password (which should be the default) is attached.
> >
> > I can reproduce this.
> >
> > (I’m sorry for accidentally misleading you earlier. Turns out I used
> > JACK a little longer ago than I initially realized.)
> >
> > I think it should be pretty easy to fix this:
> >
> > 1) we should generate a single file that is used for generic session
> > settings.
> >
> > 2) all login programs (including gdm) should include that file in
> > their PAM settings.
> >
> > 3) the pam-limits-service should extend that single file instead of
> > attempting to update a bunch of PAM files for a selected list of
> > programs.
> >
> > --
> > Ricardo
> >
>
> Is all this best practice?
>
> This solution would have patches for three files:
> - gnu/system/pam.scm (adding the generic session settings file and
> patching the "su" and "login" configurations)
> - gnu/services/base.scm (patching pam-limits-service)
> - gnu/services/desktop.scm (patching the graphical login
> configurations).
>
> All new login services would require a patch to just one file with
> these steps implemented (to add the service), whereas they would each
> need a patch to two files if they are not implemented (one to add the
> service, another to have pam-limits-service modify the service's pam
> config).
>
> If you think this solution is better design than what we currently
> have, and others in this mailing list agree, I will work to provide
> these patches.
>
> I previously said adding gdm-password to the list of pam configs
> amended by pam-limits-service did not work. I then discovered the
> changes in the environment will not work unless I run "make". I don't
> know if this is a bug in guix or guile, or if it is intentionally this
> way; the manual should be updated to clarify that guix needs to be
> built in the environment for the changes to work.
>
> I sent a patch (bug#37405) that fixes this issue for gdm-password. A
> simple change can probably fix it for gdm-autologin (not added because
> I haven't tested it) and whatever gdm loads when the user logs in with
> biometric fingerprints (I don't know the name). When we add ldm and
> kdm, I think we can do something similar.
>
ping