gdm doesn't load pam-limits

OpenSubmitted by Jesse Gibbons.
Details
2 participants
  • Jesse Gibbons
  • Ricardo Wurmus
Owner
unassigned
Severity
normal
J
J
Jesse Gibbons wrote on 11 Sep 2019 17:12
(name . bug-guix mailing list)(address . bug-guix@gnu.org)
c24fb719e529bfaf92f2a11bbebf08aa49d302cc.camel@gmail.com
I have been trying to set up ardour, but jackd doesn't start in real-time mode. I made an os definition that replicates this issue when Iuse a VM[0].[0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.htmlI asked the gnome and gdm IRC and found out gdm loads the gdm-passwordpam config, which seems untouched by pam-limits-service. My/etc/pam.d/gdm-password (which should be the default) is attached.
Thanks!-- -Jesse
account required pam_unix.so auth required pam_unix.so nullokpassword required pam_unix.so sha512 shadowsession required /gnu/store/90b3ypy5w6si4vd4b17i2nyzy0pfr5j2-elogind-241.3/lib/security/pam_elogind.so session required pam_loginuid.so session required pam_env.so session required pam_unix.so
J
J
Jesse Gibbons wrote on 11 Sep 2019 20:08
(address . 37380@debbugs.gnu.org)
31ed0ff0829f11529996a593da2b712014a6fb00.camel@gmail.com
On Wed, 2019-09-11 at 09:12 -0600, Jesse Gibbons wrote:
Toggle quote (11 lines)> I have been trying to set up ardour, but jackd doesn't start in real-> time mode. I made an os definition that replicates this issue when I> use a VM[0].> [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.htm> l> I asked the gnome and gdm IRC and found out gdm loads the gdm-> password> pam config, which seems untouched by pam-limits-service. My> /etc/pam.d/gdm-password (which should be the default) is attached.> > Thanks!
I'm not sure how to resolve this issue. I tried appending "gdm-password" to the list of pam configs modified by pam-limits-service[1]but it doesn't fix anything when I use ./pre-inst-env to build thevm. gdm-password still does not have a line to load pam_limits.
Whatever the solution, we will probably also want to implement it withother graphical login services like slim and sddm (and eventuallylightdm and kdm).
[1] http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/base.scm#n1480-- -Jesse
R
R
Ricardo Wurmus wrote on 11 Sep 2019 21:48
(name . Jesse Gibbons)(address . jgibbons2357@gmail.com)(address . 37380@debbugs.gnu.org)
87sgp2pqbw.fsf@elephly.net
Hi Jesse,
Toggle quote (8 lines)> I have been trying to set up ardour, but jackd doesn't start in real-> time mode. I made an os definition that replicates this issue when I> use a VM[0].> [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.html> I asked the gnome and gdm IRC and found out gdm loads the gdm-password> pam config, which seems untouched by pam-limits-service. My> /etc/pam.d/gdm-password (which should be the default) is attached.
I can reproduce this.
(I’m sorry for accidentally misleading you earlier. Turns out I usedJACK a little longer ago than I initially realized.)
I think it should be pretty easy to fix this:
1) we should generate a single file that is used for generic sessionsettings.
2) all login programs (including gdm) should include that file in theirPAM settings.
3) the pam-limits-service should extend that single file instead ofattempting to update a bunch of PAM files for a selected list ofprograms.
--Ricardo
J
J
Jesse Gibbons wrote on 12 Sep 2019 20:23
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 37380@debbugs.gnu.org)
9826a76740c7a7028a2022abd08136b8664c765d.camel@gmail.com
Thanks Ricardo,On Wed, 2019-09-11 at 21:48 +0200, Ricardo Wurmus wrote:
Toggle quote (18 lines)> Hi Jesse,> > > I have been trying to set up ardour, but jackd doesn't start in> > real-> > time mode. I made an os definition that replicates this issue when> > I> > use a VM[0].> > [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.h> > tml> > I asked the gnome and gdm IRC and found out gdm loads the gdm-> > password> > pam config, which seems untouched by pam-limits-service. My> > /etc/pam.d/gdm-password (which should be the default) is attached.> > I can reproduce this.> > (I’m sorry for accidentally misleading you earlier. Turns out I used> JACK a little longer ago than I initially realized.)
So was there a time when JACK worked realtime after logging in from gdmon a GuixSD install?
Toggle quote (5 lines)> > I think it should be pretty easy to fix this:> > 1) we should generate a single file that is used for generic session> settings.
What should be this file's default contents? Should it be empty unlessthe pam-limits-service is specified?
Toggle quote (4 lines)> > 2) all login programs (including gdm) should include that file in> their> PAM settings.
I suppose this could be done by adding(pam-entry (control "include") (module "standard-session"))
I'm not sure "module" is a good word to describe the file.
Toggle quote (4 lines)> > 3) the pam-limits-service should extend that single file instead of> attempting to update a bunch of PAM files for a selected list of> programs.
Should this file be a part of base-services?
Toggle quote (3 lines)> --> Ricardo>
I have to go to work soon, but I hope I can have this accomplished witha patch series ready by Saturday. I'll check in with a status updateSaturday evening UTC -6.-- -Jesse
J
J
Jesse Gibbons wrote on 15 Sep 2019 01:13
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 37380@debbugs.gnu.org)
a47dac236a66eca44357c1ed8a952a4fa850bdab.camel@gmail.com
On Wed, 2019-09-11 at 21:48 +0200, Ricardo Wurmus wrote:
Toggle quote (35 lines)> Hi Jesse,> > > I have been trying to set up ardour, but jackd doesn't start in> > real-> > time mode. I made an os definition that replicates this issue when> > I> > use a VM[0].> > [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.h> > tml> > I asked the gnome and gdm IRC and found out gdm loads the gdm-> > password> > pam config, which seems untouched by pam-limits-service. My> > /etc/pam.d/gdm-password (which should be the default) is attached.> > I can reproduce this.> > (I’m sorry for accidentally misleading you earlier. Turns out I used> JACK a little longer ago than I initially realized.)> > I think it should be pretty easy to fix this:> > 1) we should generate a single file that is used for generic session> settings.> > 2) all login programs (including gdm) should include that file in> their> PAM settings.> > 3) the pam-limits-service should extend that single file instead of> attempting to update a bunch of PAM files for a selected list of> programs.> > --> Ricardo>
Is all this best practice?
This solution would have patches for three files:- gnu/system/pam.scm (adding the generic session settings file andpatching the "su" and "login" configurations)- gnu/services/base.scm (patching pam-limits-service)- gnu/services/desktop.scm (patching the graphical loginconfigurations).
All new login services would require a patch to just one file withthese steps implemented(to add the service), whereas they would eachneed a patch to two files if they are not implemented (one to add theservice, another to have pam-limits-service modify the service's pamconfig.
If you think this solution is better design than what we currentlyhave, and others in this mailing list agree, I will work to providethese patches.
I previously said adding gdm-password to the list of pam configsamended by pam-limits-service did not work. I then discovered thechanges in the environment will not work unless I run "make". I don'tknow if this is a bug in guix or guile, or if it is intentionally thisway; the manual should be updated to clarify that guix needs to bebuilt in the environment for the changes to work.
I sent a patch (bug#37405) that fixes this issue for gdm-password. Asimple change can probably fix it for gdm-autologin (not added becauseI haven't tested it) and whatever gdm loads when the user logs in withbiometric fingerprints (I don't know the name). When we add ldm andkdm, I think we can do something similar.
-- -Jesse
J
J
Jesse Gibbons wrote on 19 Sep 2019 04:46
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 37380@debbugs.gnu.org)
e96a249f31478c922ada535c5f80230824127c57.camel@gmail.com
On Sat, 2019-09-14 at 17:13 -0600, Jesse Gibbons wrote:
Toggle quote (69 lines)> On Wed, 2019-09-11 at 21:48 +0200, Ricardo Wurmus wrote:> > Hi Jesse,> > > > > I have been trying to set up ardour, but jackd doesn't start in> > > real-> > > time mode. I made an os definition that replicates this issue when> > > I> > > use a VM[0].> > > [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.h> > > tml> > > I asked the gnome and gdm IRC and found out gdm loads the gdm-> > > password> > > pam config, which seems untouched by pam-limits-service. My> > > /etc/pam.d/gdm-password (which should be the default) is attached.> > > > I can reproduce this.> > > > (I’m sorry for accidentally misleading you earlier. Turns out I used> > JACK a little longer ago than I initially realized.)> > > > I think it should be pretty easy to fix this:> > > > 1) we should generate a single file that is used for generic session> > settings.> > > > 2) all login programs (including gdm) should include that file in> > their> > PAM settings.> > > > 3) the pam-limits-service should extend that single file instead of> > attempting to update a bunch of PAM files for a selected list of> > programs.> > > > --> > Ricardo> > > > Is all this best practice?> > This solution would have patches for three files:> - gnu/system/pam.scm (adding the generic session settings file and> patching the "su" and "login" configurations)> - gnu/services/base.scm (patching pam-limits-service)> - gnu/services/desktop.scm (patching the graphical login> configurations).> > All new login services would require a patch to just one file with> these steps implemented(to add the service), whereas they would each> need a patch to two files if they are not implemented (one to add the> service, another to have pam-limits-service modify the service's pam> config.> > If you think this solution is better design than what we currently> have, and others in this mailing list agree, I will work to provide> these patches.> > I previously said adding gdm-password to the list of pam configs> amended by pam-limits-service did not work. I then discovered the> changes in the environment will not work unless I run "make". I don't> know if this is a bug in guix or guile, or if it is intentionally this> way; the manual should be updated to clarify that guix needs to be> built in the environment for the changes to work.> > I sent a patch (bug#37405) that fixes this issue for gdm-password. A> simple change can probably fix it for gdm-autologin (not added because> I haven't tested it) and whatever gdm loads when the user logs in with> biometric fingerprints (I don't know the name). When we add ldm and> kdm, I think we can do something similar.>
ping
J
J
Jesse Gibbons wrote on 25 Sep 2019 17:47
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 37380@debbugs.gnu.org)
c5664c66d4bb289de30afee8721c82b770f8f150.camel@gmail.com
On Sat, 2019-09-14 at 17:13 -0600, Jesse Gibbons wrote:
Toggle quote (69 lines)> On Wed, 2019-09-11 at 21:48 +0200, Ricardo Wurmus wrote:> > Hi Jesse,> > > > > I have been trying to set up ardour, but jackd doesn't start in> > > real-> > > time mode. I made an os definition that replicates this issue when> > > I> > > use a VM[0].> > > [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.h> > > tml> > > I asked the gnome and gdm IRC and found out gdm loads the gdm-> > > password> > > pam config, which seems untouched by pam-limits-service. My> > > /etc/pam.d/gdm-password (which should be the default) is attached.> > > > I can reproduce this.> > > > (I’m sorry for accidentally misleading you earlier. Turns out I used> > JACK a little longer ago than I initially realized.)> > > > I think it should be pretty easy to fix this:> > > > 1) we should generate a single file that is used for generic session> > settings.> > > > 2) all login programs (including gdm) should include that file in> > their> > PAM settings.> > > > 3) the pam-limits-service should extend that single file instead of> > attempting to update a bunch of PAM files for a selected list of> > programs.> > > > --> > Ricardo> > > > Is all this best practice?> > This solution would have patches for three files:> - gnu/system/pam.scm (adding the generic session settings file and> patching the "su" and "login" configurations)> - gnu/services/base.scm (patching pam-limits-service)> - gnu/services/desktop.scm (patching the graphical login> configurations).> > All new login services would require a patch to just one file with> these steps implemented(to add the service), whereas they would each> need a patch to two files if they are not implemented (one to add the> service, another to have pam-limits-service modify the service's pam> config.> > If you think this solution is better design than what we currently> have, and others in this mailing list agree, I will work to provide> these patches.> > I previously said adding gdm-password to the list of pam configs> amended by pam-limits-service did not work. I then discovered the> changes in the environment will not work unless I run "make". I don't> know if this is a bug in guix or guile, or if it is intentionally this> way; the manual should be updated to clarify that guix needs to be> built in the environment for the changes to work.> > I sent a patch (bug#37405) that fixes this issue for gdm-password. A> simple change can probably fix it for gdm-autologin (not added because> I haven't tested it) and whatever gdm loads when the user logs in with> biometric fingerprints (I don't know the name). When we add ldm and> kdm, I think we can do something similar.>
ping
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send email to 37380@debbugs.gnu.org