[PATCH] Services: Check and modify gdm-password in pam-limits

Open. Submitted by Jesse Gibbons.
Details
2 participants
  • Danny Milosavljevic
  • Jesse Gibbons
Owner
unassigned
Severity
normal
Jesse Gibbons wrote on 15 Sep 2019 01:10
(name . guix-patches mailing list)(address . guix-patches@gnu.org)
73e46631970b385218a1b067e545bd8e7ef21ddf.camel@gmail.com
Fixes bug #37380
From 6a0ced2a9ce956071290ea8bba2a74f8c9c8e5f5 Mon Sep 17 00:00:00 2001From: Jesse Gibbons <jgibbons2357+guix@gmail.com>Date: Sat, 14 Sep 2019 16:35:39 -0600Subject: [PATCH] Services: Check and modify gdm-password in pam-limits-service
--- gnu/services/base.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Toggle diff (15 lines)diff --git a/gnu/services/base.scm b/gnu/services/base.scmindex 25716ef152..6ab7b110ec 100644--- a/gnu/services/base.scm+++ b/gnu/services/base.scm@@ -1478,7 +1478,7 @@ information on the configuration file syntax." (module "pam_limits.so") (arguments '("conf=/etc/security/limits.conf"))))) (if (member (pam-service-name pam)- '("login" "su" "slim"))+ '("login" "su" "slim" "gdm-password")) (pam-service (inherit pam) (session (cons pam-limits-- 2.23.0
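Review bot: in the `member` test of the hunk at line 1478, the PAM service names are a literal list inside `gnu/services/base.scm`; it already carried `slim` and now carries `gdm-password`, so every further login path will need the same one-line edit to the base services file. Consider moving the names into a named variable or a field of the service's configuration so that callers can extend the list. The diffstat shows only this one line changing, so nothing tells an administrator which PAM services receive the `pam_limits.so` session entry; a sentence in the docstring whose tail is visible in the hunk header would cover that.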
Jesse Gibbons wrote on 19 Sep 2019 04:46
(address . 37405@debbugs.gnu.org)
14cd3e26c2dae4de79a2bc87fb8614c8f737e629.camel@gmail.com
Jesse Gibbons wrote on 25 Sep 2019 17:47
(address . 37405@debbugs.gnu.org)
461364c376c0c54f0bfff80ed7727d182400671f.camel@gmail.com
On Wed, 2019-09-18 at 20:46 -0600, Jesse Gibbons wrote:
> ping
> https://lists.gnu.org/archive/html/guix-patches/2019-09/msg00357.html
ping
Danny Milosavljevic wrote on 2 Oct 2019 01:00
(name . Jesse Gibbons)(address . jgibbons2357@gmail.com)(address . 37405@debbugs.gnu.org)
20191002010032.1f01e2b0@scratchpost.org
Hi,
thanks for the patch.
I'm not thrilled about that approach (arguably Guix already does it wrong anyway).
But since the manual of pam_limits does describe that one should use it like that, I have applied it as a stop-gap fix to guix master as commit 0bf7d34d77ffca40be9e04586195054e9f2c7a13.
Long term, we should really make pam entries first class and show up in the operating-system record--that's what they are FOR: to let the administrator (and thus the organization) choose how they want to do user authorization/session handling etc. Why do we decide for them?
Bug report kept open for obvious reasons.
Jesse Gibbons wrote on 2 Oct 2019 16:53
(name . Danny Milosavljevic)(address . dannym@scratchpost.org)(address . 37405@debbugs.gnu.org)
b8ac867abc140429d1e41e1174084edb893c30d1.camel@gmail.com
On Wed, 2019-10-02 at 01:00 +0200, Danny Milosavljevic wrote:
> Hi,
>
> thanks for the patch.
>
> I'm not thrilled about that approach (arguably Guix already does it wrong
> anyway).
I think you should start a thread on the guix-devel list expressing your concerns, and we can discuss how to improve guix from there.
>
> But since the manual of pam_limits does describe that one should use it
> like that, I have applied it as a stop-gap fix to guix master as
> commit 0bf7d34d77ffca40be9e04586195054e9f2c7a13.
Thanks!
>
> Long term, we should really make pam entries first class and show up in
> the
> operating-system record--that's what they are FOR: to let the
> administrator
> (and thus the organization) choose how they want to do user
> authorization/session handling etc.
If PAM configurations should be up to the administrator, there should be documentation to teach the administrator how to use them. The manual doesn't say anything about how to use pam-services in operating-system, so I submitted a bug report (bug #37583) requesting documentation.
> Why do we decide for them?
I think I agree with your point that if a non-default configuration is desired, administrators should be able to modify it, just like any other part of the configuration. Ideally they can always opt-out of details they don't want.
I do not agree that we are deciding for the admins. This is just like the discussion about whether GuixSD should include the /usr/bin/env and /bin/sh special files by default, except there isn't any documentation on how to opt out of or extend the default PAM services.
There must be a default for every detail. If a detail is found practical most of the time, I think it is good to either have it as a default (like /usr/bin/sh) or have a ready example of how to implement it viewable from the install environment (like what we do with desktop environments) so most users don't have to look up how to add it. That does not negate the ability of power users and administrators to opt out in the operating-system configuration.
In the context of this patch, pam-limits is still opt-in. Perhaps a more flexible fix would be to make the pam-limits-service-type accept an optional list of strings identifying the configurations to create or modify to use pam-limits, with the default being %default-pam-limits-service-names defined as '("login" "su") which could then be appended to %slim-pam-service-names '("slim") or %gdm-pam-service-names '("gdm-password" ...). If you or anyone else wants to implement that proposal and update the documentation so admins will know how to configure it, feel free.
I hope I did not misunderstand your comments. We can discuss this and your other concerns in a guix-devel thread.
-- 
-Jesse
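A check an administrator could run to see which PAM services carry the session entry this patch adds, using name lists shaped like the proposal in the message above. This is an added example, not part of the thread and not Guix code; the function names, the Python name lists and the sample file contents are constructed for illustration.

```python
import re

LIMITS_MODULE = "pam_limits.so"   # module named in the patch's pam-entry

# Hypothetical name lists, following the proposal in the message above.
DEFAULT_NAMES = ["login", "su"]
SLIM_NAMES = ["slim"]
GDM_NAMES = ["gdm-password"]

# type, control (plain word or [bracketed]), module, optional arguments
_ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) tuples from one PAM service file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        match = _ENTRY.match(line) if line else None
        if match:
            entries.append(match.groups())
    return entries

def has_limits(text):
    """True only when the *session* stack loads pam_limits.so."""
    return any(kind == "session" and module.rsplit("/", 1)[-1] == LIMITS_MODULE
               for kind, _control, module, _args in parse_pam(text))

def missing_limits(services, expected):
    """Expected service names that are present but lack the session entry."""
    return sorted(name for name in expected
                  if name in services and not has_limits(services[name]))

# Constructed sample file contents; not taken from a real system.
SAMPLE = {
    "login": "auth required pam_unix.so\n"
             "session required pam_limits.so conf=/etc/security/limits.conf\n"
             "session required pam_unix.so\n",
    "gdm-password": "auth required pam_unix.so\n"
                    "# session required pam_limits.so\n"
                    "session [success=ok default=ignore] pam_loginuid.so\n",
    "sshd": "account required pam_limits.so\nsession required pam_unix.so\n",
}

if __name__ == "__main__":
    for name in missing_limits(SAMPLE, DEFAULT_NAMES + SLIM_NAMES + GDM_NAMES):
        print(f"{name}: no session entry for {LIMITS_MODULE}")
```

On a live system, build the `services` mapping from the files under /etc/pam.d before calling `missing_limits`.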