From unknown Thu Jun 19 16:24:14 2025
Subject: [bug#61744] [PATCH] services: base: Deprecate 'pam-limits-service' procedure.
From: Bruno Victal
To: 61744@debbugs.gnu.org
Cc: Bruno Victal, ludo@gnu.org
Date: Fri, 24 Feb 2023 00:12:10 +0000

* doc/guix.texi (Base Services): Replace pam-limits-service with
pam-limits-service-type.
* gnu/packages/benchmark.scm (python-locust)[description]: Update index
anchor to manual.
* gnu/services/base.scm (pam-limits-service-type): Accept both lists and
file-like objects for compatibility.
(pam-limits-service): Deprecate procedure.
---
Sending this one for review now since this service is a bit unusual
compared to the other ones.

 doc/guix.texi | 18 ++++++++---------
 gnu/packages/benchmark.scm | 2 +-
 gnu/services/base.scm | 41 +++++++++++++++++++++++++++-----------
 3 files changed, 39 insertions(+), 22 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index a7ef00f421..9127090d44 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -18926,7 +18926,6 @@ Base Services @var{device} does not exist. @end deffn -@anchor{pam-limits-service} @cindex session limits @cindex ulimit @cindex priority @@ -18934,19 +18933,20 @@ Base Services @cindex jackd @cindex nofile @cindex open file descriptors -@deffn {Scheme Procedure} pam-limits-service [#:limits @code{'()}] - -Return a service that installs a configuration file for the +@anchor{pam-limits-service-type} +@defvar pam-limits-service-type +Type of the service that installs a configuration file for the @uref{http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html, -@code{pam_limits} module}. The procedure optionally takes a list of -@code{pam-limits-entry} values, which can be used to specify +@code{pam_limits} module}. The value for this service type is +a list of @code{pam-limits-entry} values, which can be used to specify @code{ulimit} limits and @code{nice} priority limits to user sessions. +By default, the value is the empty list. The following limits definition sets two hard and soft limits for all login sessions of users in the @code{realtime} group: @lisp -(pam-limits-service +(service pam-limits-service-type (list (pam-limits-entry "@@realtime" 'both 'rtprio 99) (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited))) @@ -18961,7 +18961,7 @@ Base Services descriptors that can be used: @lisp -(pam-limits-service +(service pam-limits-service-type (list (pam-limits-entry "*" 'both 'nofile 100000))) @end lisp @@ -18972,7 +18972,7 @@ Base Services else the users would be prevented from login in. For more information about the Pluggable Authentication Module (PAM) limits, refer to the @samp{pam_limits} man page from the @code{linux-pam} package. -@end deffn +@end defvar @defvar greetd-service-type @uref{https://git.sr.ht/~kennylevinsen/greetd, @code{greetd}} is a minimal and diff --git a/gnu/packages/benchmark.scm b/gnu/packages/benchmark.scm index 33e2466da9..fd8513f41d 100644 --- a/gnu/packages/benchmark.scm +++ b/gnu/packages/benchmark.scm 
@@ -458,7 +458,7 @@ (define-public python-locust Note: Locust will complain if the available open file descriptors limit for the user is too low. To raise such limit on a Guix System, refer to -@samp{info guix --index-search=pam-limits-service}.") +@samp{info guix --index-search=pam-limits-service-type}.") (license license:expat))) (define-public interbench diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 35b03a877b..5a2e0263e4 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -40,7 +40,7 @@ (define-module (gnu services base) #:use-module (guix store) #:use-module (guix deprecation) - #:autoload (guix diagnostics) (warning &fix-hint) + #:autoload (guix diagnostics) (warning report-error &fix-hint) #:autoload (guix i18n) (G_) #:use-module (guix combinators) #:use-module (gnu services) @@ -245,7 +245,7 @@ (define-module (gnu services base) kmscon-service-type pam-limits-service-type - pam-limits-service + pam-limits-service ; deprecated greetd-service-type greetd-configuration @@ -1570,17 +1570,13 @@ (define* (syslog-service #:optional (config (syslog-configuration))) (define pam-limits-service-type - (let ((security-limits - ;; Create /etc/security containing the provided "limits.conf" file. - (lambda (limits-file) - `(("security/limits.conf" - ,limits-file)))) - (pam-extension + (let ((pam-extension (lambda (pam) (let ((pam-limits (pam-entry (control "required") (module "pam_limits.so") - (arguments '("conf=/etc/security/limits.conf"))))) + (arguments + '("conf=/etc/security/limits.conf"))))) (if (member (pam-service-name pam) '("login" "greetd" "su" "slim" "gdm-password" "sddm" "sudo" "sshd")) 
@@ -1588,7 +1584,26 @@ (define pam-limits-service-type (inherit pam) (session (cons pam-limits (pam-service-session pam)))) - pam))))) + pam)))) + + ;; XXX: Using file-like objects is deprecated, use lists instead. + ;; This is to be reduced into the list? case when the deprecated + ;; code gets removed. + ;; Create /etc/security containing the provided "limits.conf" file. + (security-limits + (match-lambda + ((? file-like? obj) + (warning (G_ "Using file-like value for 'pam-limits-service-type' +is deprecated~%")) + obj) + ((? list? lst) + `(("security/limits.conf" + ,(plain-file "limits.conf" + (string-join (map pam-limits-entry->string lst) + "\n" 'suffix))))) + (_ (report-error + (G_ "invalid input for 'pam-limits-service-type'~%")))))) + (service-type (name 'limits) (extensions 
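Review bot: In the new security-limits match-lambda, the file-like? clause returns obj on its own, while the list? clause (and the lambda removed in the previous hunk) returns a one-element list of the form `(("security/limits.conf" ,FILE)). The deprecated file-like path therefore produces a different shape than the list path; after emitting the warning it should return `(("security/limits.conf" ,obj)). Two smaller points in the same hunk: the catch-all clause calls report-error, which prints the message and then returns, so an invalid value falls through with an unspecified result instead of stopping (raise a condition here instead); and the warning string is broken across two source lines without a backslash continuation, so the printed message will contain a literal newline.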
@@ -1598,9 +1613,11 @@ (define pam-limits-service-type (description "Install the specified resource usage limits by populating @file{/etc/security/limits.conf} and using the @code{pam_limits} -authentication module.")))) +authentication module.") + (default-value '())))) -(define* (pam-limits-service #:optional (limits '())) +(define-deprecated (pam-limits-service #:optional (limits '())) + pam-limits-service-type "Return a service that makes selected programs respect the list of pam-limits-entry specified in LIMITS via pam_limits.so." (service pam-limits-service-type
base-commit: 5d10644371abd54d0edcd638691113f0a92de743
--
2.39.1

From unknown Thu Jun 19 16:24:14 2025
Subject: [bug#61744] [PATCH v2 1/2] services: base: Deprecate 'pam-limits-service' procedure.
From: Bruno Victal
To: 61744@debbugs.gnu.org
Cc: Bruno Victal
Date: Sat, 4 Mar 2023 21:17:38 +0000
Message-Id: <47849c839cb8acb6909eccd1f050b0316373b377.1677964609.git.mirai@makinata.eu>

* doc/guix.texi (Base Services): Replace pam-limits-service with
pam-limits-service-type.
* gnu/packages/benchmark.scm (python-locust)[description]: Update index
anchor to manual.
* gnu/services/base.scm (pam-limits-service-type): Set default value.
(pam-limits-service): Deprecate procedure.
---
 doc/guix.texi | 37 ++++++++++++++++++++++---------------
 gnu/packages/benchmark.scm | 2 +-
 gnu/services/base.scm | 8 +++++---
 3 files changed, 28 insertions(+), 19 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index 74658dbc86..3aa9c0cdf4 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -18938,7 +18938,6 @@ Base Services @end table @end deftp -@anchor{pam-limits-service} @cindex session limits @cindex ulimit @cindex priority
@@ -18946,22 +18945,28 @@ Base Services @cindex jackd @cindex nofile @cindex open file descriptors -@deffn {Scheme Procedure} pam-limits-service [#:limits @code{'()}] - -Return a service that installs a configuration file for the +@anchor{pam-limits-service-type} +@defvar pam-limits-service-type +Type of the service that installs a configuration file for the @uref{http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html, -@code{pam_limits} module}. The procedure optionally takes a list of -@code{pam-limits-entry} values, which can be used to specify -@code{ulimit} limits and @code{nice} priority limits to user sessions. +@code{pam_limits} module}. The value for this service type is +a file-like object containing a list of @code{pam-limits-entry} values +which can be used to specify @code{ulimit} limits and @code{nice} +priority limits to user sessions. The following limits definition sets two hard and soft limits for all login sessions of users in the @code{realtime} group: @lisp -(pam-limits-service - (list - (pam-limits-entry "@@realtime" 'both 'rtprio 99) - (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited))) +(service + pam-limits-service-type + (plain-file + "limits.conf" + (string-join + (map pam-limits-entry->string + (list (pam-limits-entry "@@realtime" 'both 'rtprio 99) + (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited))) + "\n"))) @end lisp The first entry increases the maximum realtime priority for @@ -18973,9 +18978,11 @@ Base Services descriptors that can be used: @lisp -(pam-limits-service - (list - (pam-limits-entry "*" 'both 'nofile 100000))) +(service + pam-limits-service-type + (plain-file + "limits.conf" + (pam-limits-entry->string (pam-limits-entry "*" 'both 'nofile 100000)))) @end lisp In the above example, the asterisk means the limit should apply to any 
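Review bot: The new @defvar text in the @@ -18946,22 +18945,28 @@ hunk describes the value as "a file-like object containing a list of @code{pam-limits-entry} values", but what the examples put in the file is the text returned by pam-limits-entry->string, one line per entry, not a list of records. Reword it along those lines and name pam-limits-entry->string in the description, since both examples rely on it without it being introduced. Also, the two examples build the file differently (string-join with "\n" in the first, a bare pam-limits-entry->string call in the second) and neither adds a newline after the last entry; using one form in both, with the final newline included, gives users a safer snippet to copy.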
@@ -18984,7 +18991,7 @@ Base Services else the users would be prevented from login in. For more information about the Pluggable Authentication Module (PAM) limits, refer to the @samp{pam_limits} man page from the @code{linux-pam} package. -@end deffn +@end defvar @defvar greetd-service-type @uref{https://git.sr.ht/~kennylevinsen/greetd, @code{greetd}} is a minimal and diff --git a/gnu/packages/benchmark.scm b/gnu/packages/benchmark.scm index 33e2466da9..fd8513f41d 100644 --- a/gnu/packages/benchmark.scm +++ b/gnu/packages/benchmark.scm @@ -458,7 +458,7 @@ (define-public python-locust Note: Locust will complain if the available open file descriptors limit for the user is too low. To raise such limit on a Guix System, refer to -@samp{info guix --index-search=pam-limits-service}.") +@samp{info guix --index-search=pam-limits-service-type}.") (license license:expat))) (define-public interbench diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 1423ab6767..e5023b8175 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -246,7 +246,7 @@ (define-module (gnu services base) kmscon-service-type pam-limits-service-type - pam-limits-service + pam-limits-service ; deprecated greetd-service-type greetd-configuration 
@@ -1612,9 +1612,11 @@ (define pam-limits-service-type (description "Install the specified resource usage limits by populating @file{/etc/security/limits.conf} and using the @code{pam_limits} -authentication module.")))) +authentication module.") + (default-value (plain-file "limits.conf" ""))))) -(define* (pam-limits-service #:optional (limits '())) +(define-deprecated (pam-limits-service #:optional (limits '())) + pam-limits-service-type "Return a service that makes selected programs respect the list of pam-limits-entry specified in LIMITS via pam_limits.so." (service pam-limits-service-type
--
2.39.1

From unknown Thu Jun 19 16:24:14 2025
Subject: [bug#61744] [PATCH v2 2/2] services: pam-limits-service-type: Deprecate file-like object support in favour for lists as service value.
From: Bruno Victal
To: 61744@debbugs.gnu.org
Cc: Bruno Victal
Date: Sat, 4 Mar 2023 21:17:39 +0000
Message-Id: <29b2df64b1a9a857227d573e7d0a1aa1f9ef52d2.1677964609.git.mirai@makinata.eu>
In-Reply-To: <47849c839cb8acb6909eccd1f050b0316373b377.1677964609.git.mirai@makinata.eu>

* doc/guix.texi (Base Services): Document it.
* gnu/local.mk: Register test.
* gnu/services/base.scm (pam-limits-service-type): Accept both lists and
file-like objects. Deprecate file-like object support.
* gnu/tests/pam.scm: New file.
---
 doc/guix.texi | 27 +++++-------
 gnu/local.mk | 2 +
 gnu/services/base.scm | 36 +++++++++++-----
 gnu/tests/pam.scm | 97 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 135 insertions(+), 27 deletions(-)
 create mode 100644 gnu/tests/pam.scm

diff --git a/doc/guix.texi b/doc/guix.texi index 3aa9c0cdf4..5c9a9333b9 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -18950,23 +18950,18 @@ Base Services Type of the service that installs a configuration file for the @uref{http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html, @code{pam_limits} module}. The value for this service type is -a file-like object containing a list of @code{pam-limits-entry} values -which can be used to specify @code{ulimit} limits and @code{nice} -priority limits to user sessions. +a list of @code{pam-limits-entry} values, which can be used to specify +@code{ulimit} limits and @code{nice} priority limits to user sessions. +By default, the value is the empty list. The following limits definition sets two hard and soft limits for all login sessions of users in the @code{realtime} group: @lisp -(service - pam-limits-service-type - (plain-file - "limits.conf" - (string-join - (map pam-limits-entry->string - (list (pam-limits-entry "@@realtime" 'both 'rtprio 99) - (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited))) - "\n"))) +(service pam-limits-service-type + (list + (pam-limits-entry "@@realtime" 'both 'rtprio 99) + (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited))) @end lisp The first entry increases the maximum realtime priority for @@ -18978,11 +18973,9 @@ Base Services descriptors that can be used: @lisp -(service - pam-limits-service-type - (plain-file - "limits.conf" - (pam-limits-entry->string (pam-limits-entry "*" 'both 'nofile 100000)))) +(service pam-limits-service-type + (list + (pam-limits-entry "*" 'both 'nofile 100000))) @end lisp In the above example, the asterisk means the limit should apply to any diff --git a/gnu/local.mk b/gnu/local.mk index 415955bd3f..6291d8a558 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -56,6 +56,7 @@ # Copyright © 2022 Alex Griffin # Copyright © 2022 ( # Copyright © 2022 jgart +# Copyright © 2023 Bruno Victal # # This file is part of GNU Guix. # 
@@ -778,6 +779,7 @@ GNU_SYSTEM_MODULES = \ %D%/tests/messaging.scm \ %D%/tests/networking.scm \ %D%/tests/package-management.scm \ + %D%/tests/pam.scm \ %D%/tests/reconfigure.scm \ %D%/tests/rsync.scm \ %D%/tests/samba.scm \ diff --git a/gnu/services/base.scm b/gnu/services/base.scm index e5023b8175..80f9607d44 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -40,7 +40,7 @@ (define-module (gnu services base) #:use-module (guix store) #:use-module (guix deprecation) - #:autoload (guix diagnostics) (warning &fix-hint) + #:autoload (guix diagnostics) (warning formatted-message &fix-hint) #:autoload (guix i18n) (G_) #:use-module (guix combinators) #:use-module (gnu services) @@ -1584,17 +1584,13 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration))) (define pam-limits-service-type - (let ((security-limits - ;; Create /etc/security containing the provided "limits.conf" file. - (lambda (limits-file) - `(("security/limits.conf" - ,limits-file)))) - (pam-extension + (let ((pam-extension (lambda (pam) (let ((pam-limits (pam-entry (control "required") (module "pam_limits.so") - (arguments '("conf=/etc/security/limits.conf"))))) + (arguments + '("conf=/etc/security/limits.conf"))))) (if (member (pam-service-name pam) '("login" "greetd" "su" "slim" "gdm-password" "sddm" "sudo" "sshd")) 
@@ -1602,7 +1598,27 @@ (define pam-limits-service-type (inherit pam) (session (cons pam-limits (pam-service-session pam)))) - pam))))) + pam)))) + + ;; XXX: Using file-like objects is deprecated, use lists instead. + ;; This is to be reduced into the list? case when the deprecated + ;; code gets removed. + ;; Create /etc/security containing the provided "limits.conf" file. + (security-limits + (match-lambda + ((? file-like? obj) + (warning (G_ "Using file-like value for \ +'pam-limits-service-type' is deprecated~%")) + `(("security/limits.conf" ,obj))) + ((? list? lst) + `(("security/limits.conf" + ,(plain-file "limits.conf" + (string-join (map pam-limits-entry->string lst) + "\n" 'suffix))))) + (_ (raise + (formatted-message + (G_ "invalid input for 'pam-limits-service-type'~%"))))))) + (service-type (name 'limits) (extensions @@ -1613,7 +1629,7 @@ (define pam-limits-service-type "Install the specified resource usage limits by populating @file{/etc/security/limits.conf} and using the @code{pam_limits} authentication module.") - (default-value (plain-file "limits.conf" ""))))) + (default-value '())))) (define-deprecated (pam-limits-service #:optional (limits '())) pam-limits-service-type diff --git a/gnu/tests/pam.scm b/gnu/tests/pam.scm new file mode 100644 index 0000000000..5cf13d97d7 --- /dev/null +++ b/gnu/tests/pam.scm 
@@ -0,0 +1,97 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2023 Bruno Victal +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu tests pam) + #:use-module (gnu tests) + #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu system) + #:use-module (gnu system pam) + #:use-module (gnu system vm) + #:use-module (guix gexp) + #:use-module (ice-9 format) + #:export (%test-pam-limits + %test-pam-limits-deprecated)) + + +;;; +;;; pam-limits-service-type +;;; + +(define pam-limit-entries + (list + (pam-limits-entry "@realtime" 'both 'rtprio 99) + (pam-limits-entry "@realtime" 'both 'memlock 'unlimited))) + +(define (run-test-pam-limits config) + "Run tests in a os with pam-limits-service-type configured." + (define os + (marionette-operating-system + (simple-operating-system + (service pam-limits-service-type config)))) + + (define vm + (virtual-machine os)) + + (define name (format #f "pam-limit-service~:[~;-deprecated~]" + (file-like? 
config))) + + (define test + (with-imported-modules '((gnu build marionette)) + #~(begin + (use-modules (gnu build marionette) + (srfi srfi-64)) + + (let ((marionette (make-marionette (list #$vm)))) + + (test-runner-current (system-test-runner #$output)) + + (test-begin #$name) + + (test-assert "/etc/security/limits.conf ready" + (wait-for-file "/etc/security/limits.conf" marionette)) + + (test-equal "/etc/security/limits.conf content matches" + #$(string-join (map pam-limits-entry->string pam-limit-entries) + "\n" 'suffix) + (marionette-eval + '(call-with-input-file "/etc/security/limits.conf" + get-string-all) + marionette)) + + (test-end))))) + + (gexp->derivation (string-append name "-test") test)) + +(define %test-pam-limits + (system-test + (name "pam-limits-service") + (description "Test that pam-limits-service can serialize its config +(as a list) to @file{limits.conf}.") + (value (run-test-pam-limits pam-limit-entries)))) + +(define %test-pam-limits-deprecated + (system-test + (name "pam-limits-service-deprecated") + (description "Test that pam-limits-service can serialize its config +(as a file-like object) to @file{limits.conf}.") + (value (run-test-pam-limits + (plain-file "limits.conf" + (string-join (map pam-limits-entry->string + pam-limit-entries) + "\n" 'suffix)))))) -- 2.39.1 From unknown Thu Jun 19 16:24:14 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#61744] [PATCH v2 1/2] services: base: Deprecate 'pam-limits-service' procedure. 
From: Ricardo Wurmus
To: 61744@debbugs.gnu.org
Cc: mirai@makinata.eu
Date: Fri, 10 Mar 2023 18:52:43 +0100
Message-ID: <871qlwo4m8.fsf@elephly.net>

Hi,

thank you for the patches!

The effective change looks fine to me, but I’m confused about why these
are two patches. The first one introduces this as an example in the
docs:

+(service
+ pam-limits-service-type
+ (plain-file
+ "limits.conf"
+ (string-join
+ (map pam-limits-entry->string
+ (list (pam-limits-entry "@@realtime" 'both 'rtprio 99)
+ (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited)))
+ "\n")))

But the second removes this again in favour of this prettier form:

+(service pam-limits-service-type
+ (list
+ (pam-limits-entry "@@realtime" 'both 'rtprio 99)
+ (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited)))

Which is really close to the original form:

-(pam-limits-service
- (list
- (pam-limits-entry "@@realtime" 'both 'rtprio 99)
- (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited)))

Could you merge these two patches to reduce the number of unnecessary
changes? I don’t think we should change to file-likes as the argument
value for the pam-limits-service-type.

Another thing that confused me: + (test-equal "/etc/security/limits.conf content matches" + #$(string-join (map pam-limits-entry->string pam-limit-entri= es) + "\n" 'suffix) + (marionette-eval + '(call-with-input-file "/etc/security/limits.conf" + get-string-all) + marionette)) Why use the gexp with a computed value here instead of using just the plain text of the expected contents of that file? Computing the expected value in a test where the compared value is computed in the same way feels like begging the question. Or perhaps I=E2=80=99m misunderstanding something here? --=20 Ricardo From unknown Thu Jun 19 16:24:14 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#61744] [PATCH v2 1/2] services: base: Deprecate 'pam-limits-service' procedure. Resent-From: Bruno Victal Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sat, 11 Mar 2023 11:26:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 61744 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Ricardo Wurmus Cc: 61744@debbugs.gnu.org, Ludovic =?UTF-8?Q?Court=C3=A8s?= Received: via spool by 61744-submit@debbugs.gnu.org id=B61744.16785339279820 (code B ref 61744); Sat, 11 Mar 2023 11:26:01 +0000 Received: (at 61744) by debbugs.gnu.org; 11 Mar 2023 11:25:27 +0000 Received: from localhost ([127.0.0.1]:56649 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1paxLq-0002YK-Qv for submit@debbugs.gnu.org; Sat, 11 Mar 2023 06:25:27 -0500 Received: from smtpmciv2.myservices.hosting ([185.26.107.238]:33656) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1paxLo-0002YB-Ob for 61744@debbugs.gnu.org; Sat, 11 Mar 2023 06:25:25 -0500 Received: from mail1.netim.hosting (unknown [185.26.106.173]) by smtpmciv2.myservices.hosting (Postfix) with ESMTP id F41A420CEA; Sat, 11 Mar 2023 12:25:18 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by mail1.netim.hosting (Postfix) with ESMTP id 
Date: Sat, 11 Mar 2023 11:25:13 +0000
From: Bruno Victal

Hi Ricardo,

On 2023-03-10 17:52, Ricardo Wurmus wrote:
> Hi,
>
> thank you for the patches!
>
> The effective change looks fine to me, but I’m confused about why these
> are two patches. The first one introduces this as an example in the
> docs: [...]
>
> +(service
> + pam-limits-service-type
> + (plain-file
> + "limits.conf"
> + (string-join
> + (map pam-limits-entry->string
> + (list (pam-limits-entry "@@realtime" 'both 'rtprio 99)
> + (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited)))
> + "\n")))
>
> But the second removes this again in favour of this prettier form:

This was to ensure that each commit is "atomic".

>
> +(service pam-limits-service-type
> + (list
> + (pam-limits-entry "@@realtime" 'both 'rtprio 99)
> + (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited)))
>
> Which is really close to the original form:
>
> -(pam-limits-service
> - (list
> - (pam-limits-entry "@@realtime" 'both 'rtprio 99)
> - (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited)))
>
> Could you merge these two patches to reduce the number of unnecessary
> changes? I don’t think we should change to file-likes as the argument
> value for the pam-limits-service-type.

The v2 patch-series are a dis-aggregation of the v1 series (save for a bug fix in the match clauses, test suite and using raise instead of report-error) as indicated in the 10/27 patch-series review from #61789.

>
> Another thing that confused me:
>
> + (test-equal "/etc/security/limits.conf content matches"
> + #$(string-join (map pam-limits-entry->string pam-limit-entries)
> + "\n" 'suffix)
> + (marionette-eval
> + '(call-with-input-file "/etc/security/limits.conf"
> + get-string-all)
> + marionette))
>
> Why use the gexp with a computed value here instead of using just the
> plain text of the expected contents of that file? Computing
> the expected value in a test where the compared value is computed in the
> same way feels like begging the question.
>
> Or perhaps I’m misunderstanding something here?
>

I wrote this test suite to simply check that both deprecated and "new" service-type forms work correctly, i.e. the files are present in their locations. (this actually caught a bug within the match clauses in the v1 patch)

Cheers,
Bruno

From: Felix Lechner
Date: Mon, 20 Mar 2023 10:49:10 -0700

Hi Bruno,

Thanks for this great and important work!

Can we refer to the limits.conf file in the store, please? I do not believe we need a copy in /etc/security, and should not keep one there.

The "conf=" argument to pam_limits(8) accepts an absolute path. [1] We use that mechanism already (for the default path). Thanks!

Kind regards,
Felix Lechner

[1] https://linux.die.net/man/8/pam_limits

From: Ludovic Courtès
Date: Thu, 30 Mar 2023 22:53:54 +0200

Hi Felix,

Felix Lechner wrote:

> Can we refer to the limits.conf file in the store, please? I do not
> believe we need a copy in /etc/security, and should not keep one
> there.

I’m generally in favor of not populating /etc and instead referring to store file names.

In some cases (maybe this one), this can be a problem though, in particular for upgrades (the module keeps referring to the old config file in the store). So I don’t know, but this needs to be taken into account.

Ludo’.

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Bruno Victal
Subject: bug#61744: closed (Re: bug#61744: [PATCH] services: base: Deprecate 'pam-limits-service' procedure.)
Date: Thu, 30 Mar 2023 21:09:02 +0000

Your bug report

#61744: [PATCH] services: base: Deprecate 'pam-limits-service' procedure.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report. If you require more details, please reply to 61744@debbugs.gnu.org.

--
61744: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=61744
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Ludovic Courtès
To: Bruno Victal
Subject: Re: bug#61744: [PATCH] services: base: Deprecate 'pam-limits-service' procedure.
Date: Thu, 30 Mar 2023 23:08:06 +0200

Hi Bruno,

Thanks for explaining. It seems to me that none of the issues raised is a blocker, so I went ahead and applied these two patches.

Thank you, and apologies for the delay!

Ludo’.

From: Bruno Victal
To: guix-patches@gnu.org
Subject: [PATCH] services: base: Deprecate 'pam-limits-service' procedure.
Date: Fri, 24 Feb 2023 00:12:10 +0000

* doc/guix.texi (Base Services): Replace pam-limits-service with pam-limits-service-type.
* gnu/packages/benchmark.scm (python-locust)[description]: Update index anchor to manual.
* gnu/services/base.scm (pam-limits-service-type): Accept both lists and file-like objects for compatibility.
(pam-limits-service): Deprecate procedure.
---
Sending this one for review now since this service is a bit unusual compared to the other ones.

 doc/guix.texi | 18 ++++++++---------
 gnu/packages/benchmark.scm | 2 +-
 gnu/services/base.scm | 41 +++++++++++++++++++++++++++-----------
 3 files changed, 39 insertions(+), 22 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index a7ef00f421..9127090d44 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -18926,7 +18926,6 @@ Base Services @var{device} does not exist. @end deffn -@anchor{pam-limits-service} @cindex session limits @cindex ulimit @cindex priority
@@ -18934,19 +18933,20 @@ Base Services @cindex jackd @cindex nofile @cindex open file descriptors -@deffn {Scheme Procedure} pam-limits-service [#:limits @code{'()}] - -Return a service that installs a configuration file for the +@anchor{pam-limits-service-type} +@defvar pam-limits-service-type +Type of the service that installs a configuration file for the @uref{http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html, -@code{pam_limits} module}. The procedure optionally takes a list of -@code{pam-limits-entry} values, which can be used to specify +@code{pam_limits} module}. The value for this service type is +a list of @code{pam-limits-entry} values, which can be used to specify @code{ulimit} limits and @code{nice} priority limits to user sessions. +By default, the value is the empty list. The following limits definition sets two hard and soft limits for all login sessions of users in the @code{realtime} group: @lisp -(pam-limits-service +(service pam-limits-service-type (list (pam-limits-entry "@@realtime" 'both 'rtprio 99) (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited))) @@ -18961,7 +18961,7 @@ Base Services descriptors that can be used: @lisp -(pam-limits-service +(service pam-limits-service-type (list (pam-limits-entry "*" 'both 'nofile 100000))) @end lisp @@ -18972,7 +18972,7 @@ Base Services else the users would be prevented from login in. For more information about the Pluggable Authentication Module (PAM) limits, refer to the @samp{pam_limits} man page from the @code{linux-pam} package. -@end deffn +@end defvar @defvar greetd-service-type @uref{https://git.sr.ht/~kennylevinsen/greetd, @code{greetd}} is a minimal and diff --git a/gnu/packages/benchmark.scm b/gnu/packages/benchmark.scm index 33e2466da9..fd8513f41d 100644 --- a/gnu/packages/benchmark.scm +++ b/gnu/packages/benchmark.scm 
@@ -458,7 +458,7 @@ (define-public python-locust Note: Locust will complain if the available open file descriptors limit for the user is too low. To raise such limit on a Guix System, refer to -@samp{info guix --index-search=pam-limits-service}.") +@samp{info guix --index-search=pam-limits-service-type}.") (license license:expat))) (define-public interbench diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 35b03a877b..5a2e0263e4 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -40,7 +40,7 @@ (define-module (gnu services base) #:use-module (guix store) #:use-module (guix deprecation) - #:autoload (guix diagnostics) (warning &fix-hint) + #:autoload (guix diagnostics) (warning report-error &fix-hint) #:autoload (guix i18n) (G_) #:use-module (guix combinators) #:use-module (gnu services) @@ -245,7 +245,7 @@ (define-module (gnu services base) kmscon-service-type pam-limits-service-type - pam-limits-service + pam-limits-service ; deprecated greetd-service-type greetd-configuration @@ -1570,17 +1570,13 @@ (define* (syslog-service #:optional (config (syslog-configuration))) (define pam-limits-service-type - (let ((security-limits - ;; Create /etc/security containing the provided "limits.conf" file. - (lambda (limits-file) - `(("security/limits.conf" - ,limits-file)))) - (pam-extension + (let ((pam-extension (lambda (pam) (let ((pam-limits (pam-entry (control "required") (module "pam_limits.so") - (arguments '("conf=/etc/security/limits.conf"))))) + (arguments + '("conf=/etc/security/limits.conf"))))) (if (member (pam-service-name pam) '("login" "greetd" "su" "slim" "gdm-password" "sddm" "sudo" "sshd")) 
@@ -1588,7 +1584,26 @@ (define pam-limits-service-type (inherit pam) (session (cons pam-limits (pam-service-session pam)))) - pam))))) + pam)))) + + ;; XXX: Using file-like objects is deprecated, use lists instead. + ;; This is to be reduced into the list? case when the deprecated + ;; code gets removed. + ;; Create /etc/security containing the provided "limits.conf" file. + (security-limits + (match-lambda + ((? file-like? obj) + (warning (G_ "Using file-like value for 'pam-limits-service-type' +is deprecated~%")) + obj) + ((? list? lst) + `(("security/limits.conf" + ,(plain-file "limits.conf" + (string-join (map pam-limits-entry->string lst) + "\n" 'suffix))))) + (_ (report-error + (G_ "invalid input for 'pam-limits-service-type'~%")))))) + (service-type (name 'limits) (extensions 
@@ -1598,9 +1613,11 @@ (define pam-limits-service-type (description "Install the specified resource usage limits by populating @file{/etc/security/limits.conf} and using the @code{pam_limits} -authentication module.")))) +authentication module.") + (default-value '())))) -(define* (pam-limits-service #:optional (limits '())) +(define-deprecated (pam-limits-service #:optional (limits '())) + pam-limits-service-type "Return a service that makes selected programs respect the list of pam-limits-entry specified in LIMITS via pam_limits.so." (service pam-limits-service-type base-commit: 5d10644371abd54d0edcd638691113f0a92de743 -- 2.39.1
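Review bot: In the `security-limits` match-lambda added by the `@@ -1588,7 +1584,26 @@` hunk of gnu/services/base.scm, the `file-like?` clause returns `obj` bare, while the `list?` clause returns an entry list of the form `(("security/limits.conf" ,(plain-file ...)))`, which is also the shape the lambda removed in the previous hunk produced for a file. Both clauses should yield the same shape, so the deprecated branch probably wants `(("security/limits.conf" ,obj))` after the warning; as written, a configuration that still passes a file-like value gets the deprecation warning and then hands a different kind of value to whatever consumes `security-limits`. The warning text also has a literal line break inside `(G_ "...")`, between `'pam-limits-service-type'` and `is deprecated~%`; keeping the translatable message on one line avoids a stray newline in the output.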
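Review bot: The first doc/guix.texi hunk removes `@anchor{pam-limits-service}` outright, so existing cross-references or manual links that point at the old anchor stop resolving; within this patch only the `--index-search` hint in gnu/packages/benchmark.scm is updated. Consider keeping the old `@anchor` next to the new `@anchor{pam-limits-service-type}` while the procedure is deprecated. The rewritten `@defvar` text also describes the value only as a list of `pam-limits-entry` values, although gnu/services/base.scm still accepts a file-like object with a warning; one sentence saying that this form is deprecated would tell users who see the warning what to change.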

From: Felix Lechner
Date: Thu, 30 Mar 2023 14:19:06 -0700

Hi Ludovic,

On Thu, Mar 30, 2023 at 1:54 PM Ludovic Courtès wrote:
>
> In some cases (maybe this one), this can be a problem

Thanks for pointing that out! I would like to learn more about that.

My next suggestion would have been to refer to the core PAM modules, which ship with Linux-PAM, by absolute paths as well. You can see the current inconsistencies in my PAM 'login' service, which I included below. Which breakage do you expect?

On a side note, I am also working with the pam_mount maintainer on a store path for /etc/security/pam_mount_conf.xml. [1] (Jan previously accepted another suggestion of mine, and it became popular with users.) Then we can drop the definition of 'greet-pam-mount' [2] which is very nearly a duplicate of the regular 'pam-mount'.
[3]

Kind regards
Felix

[1] https://codeberg.org/jengelh/pam_mount/issues/1
[2] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/admin.scm#n5314
[3] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/admin.scm#n4709

* * *

account required pam_unix.so
auth required pam_unix.so nullok
auth optional /gnu/store/zb9ns323p7yv8m1m155yfgrxlxaadx3d-greetd-pam-mount-2.18/lib/security/pam_mount.so disable_interactive
password required pam_unix.so sha512 shadow
session required /gnu/store/7sq4qp09fl1pn72jw828ndm13nbpknhv-elogind-246.10/lib/security/pam_elogind.so
session required pam_limits.so conf=/etc/security/limits.conf
session optional pam_motd.so motd=/gnu/store/mrk0km6gqw4zn20az2bqidvajps7yy93-motd
session required pam_loginuid.so
session required pam_env.so
session required pam_unix.so
session optional /gnu/store/zb9ns323p7yv8m1m155yfgrxlxaadx3d-greetd-pam-mount-2.18/lib/security/pam_mount.so disable_interactive
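
The mix of references in the 'login' stack quoted in the message above can be made explicit with a short audit script. This is an added example, not part of the thread or of Guix: `parse_stack`, `classify`, `file_arguments` and `summarize` are hypothetical names, and the parser assumes one rule per line with no backslash continuations or bracketed module arguments.

```python
from typing import NamedTuple

STORE_PREFIX = "/gnu/store/"

# 'login' stack copied from the message above (quoted-printable breaks joined).
LOGIN_STACK = """\
account required pam_unix.so
auth required pam_unix.so nullok
auth optional /gnu/store/zb9ns323p7yv8m1m155yfgrxlxaadx3d-greetd-pam-mount-2.18/lib/security/pam_mount.so disable_interactive
password required pam_unix.so sha512 shadow
session required /gnu/store/7sq4qp09fl1pn72jw828ndm13nbpknhv-elogind-246.10/lib/security/pam_elogind.so
session required pam_limits.so conf=/etc/security/limits.conf
session optional pam_motd.so motd=/gnu/store/mrk0km6gqw4zn20az2bqidvajps7yy93-motd
session required pam_loginuid.so
session required pam_env.so
session required pam_unix.so
session optional /gnu/store/zb9ns323p7yv8m1m155yfgrxlxaadx3d-greetd-pam-mount-2.18/lib/security/pam_mount.so disable_interactive
"""


class Rule(NamedTuple):
    kind: str      # account / auth / password / session
    control: str   # e.g. "required" or "[success=1 default=ignore]"
    module: str    # bare file name or absolute path
    args: tuple    # remaining module arguments


def parse_stack(text):
    """Parse pam.d-style rules: <type> <control> <module> [arguments...]."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        head = line.split(None, 1)
        if len(head) != 2:
            raise ValueError(f"line {lineno}: missing control field")
        kind, rest = head
        if rest.startswith("["):                 # bracketed control may hold spaces
            end = rest.find("]")
            if end == -1:
                raise ValueError(f"line {lineno}: unterminated [control]")
            control, rest = rest[:end + 1], rest[end + 1:]
        else:
            parts = rest.split(None, 1)
            control, rest = parts[0], (parts[1] if len(parts) == 2 else "")
        fields = rest.split()
        if not fields:
            raise ValueError(f"line {lineno}: missing module")
        rules.append(Rule(kind, control, fields[0], tuple(fields[1:])))
    return rules


def classify(path):
    """Say how a module or file reference is resolved."""
    if path.startswith(STORE_PREFIX):
        return "store"            # pinned to one immutable store item
    if path.startswith("/"):
        return "outside-store"    # absolute path in mutable state such as /etc
    return "search-path"          # bare name, resolved by libpam's module directory


def file_arguments(rules):
    """Return (module file name, key, path, class) for key=/absolute/path arguments."""
    found = []
    for rule in rules:
        name = rule.module.rsplit("/", 1)[-1]
        for arg in rule.args:
            key, sep, value = arg.partition("=")
            if sep and value.startswith("/"):
                found.append((name, key, value, classify(value)))
    return found


def summarize(text):
    """Group module references by class and list file-valued arguments."""
    rules = parse_stack(text)
    modules = {"store": [], "outside-store": [], "search-path": []}
    for rule in rules:
        name = rule.module.rsplit("/", 1)[-1]
        modules[classify(rule.module)].append((rule.kind, name))
    return modules, file_arguments(rules)


if __name__ == "__main__":
    modules, files = summarize(LOGIN_STACK)
    for where, entries in modules.items():
        print(f"{where}: {len(entries)} module reference(s)")
    for name, key, path, where in files:
        print(f"{name} {key}= -> {where}: {path}")
```

Run on the stack above, it reports eight modules referenced by bare name, three by store path, and `conf=` for `pam_limits.so` as the only file argument that points outside the store.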