* Apply the resource limits set by security.pam.loginLimits to all PAM

services (rather than just login(1)).  It's rather unexpected if
  resource limits are not applied to (say) users logged in via SSH or
  X11.

svn path=/nixos/trunk/; revision=28105
Eelco Dolstra 2011-08-01 10:17:18 +00:00
parent af22531d38
commit 44725e50f0
2 changed files with 8 additions and 12 deletions


@ -87,9 +87,7 @@ in
{ name = "groupmod"; rootOK = true; } { name = "groupmod"; rootOK = true; }
{ name = "groupmems"; rootOK = true; } { name = "groupmems"; rootOK = true; }
{ name = "groupdel"; rootOK = true; } { name = "groupdel"; rootOK = true; }
{ name = "login"; ownDevices = true; allowNullPassword = true; { name = "login"; ownDevices = true; allowNullPassword = true; }
limits = config.security.pam.loginLimits;
}
]; ];
security.setuidPrograms = [ "passwd" "chfn" "su" ]; security.setuidPrograms = [ "passwd" "chfn" "su" ];


@ -52,7 +52,7 @@ let
# in. # in.
allowNullPassword ? false allowNullPassword ? false
, # The limits, as per limits.conf(5). , # The limits, as per limits.conf(5).
limits ? [] limits ? config.security.pam.loginLimits
}: }:
{ source = pkgs.writeText "${name}.pam" { source = pkgs.writeText "${name}.pam"
@ -132,13 +132,12 @@ in
]; ];
description = description =
'' Define resource limits that should apply to users or groups for the '' Define resource limits that should apply to users or groups.
<command>login</command> service. Each item in the list should be Each item in the list should be an attribute set with a
an attribute set with a <varname>domain</varname>, <varname>domain</varname>, <varname>type</varname>,
<varname>type</varname>, <varname>item</varname>, and <varname>item</varname>, and <varname>value</varname>
<varname>value</varname> attribute. The syntax and semantics of attribute. The syntax and semantics of these attributes
these attributes must be that described in the limits.conf(5) man must be that described in the limits.conf(5) man page.
page.
''; '';
}; };
@ -212,7 +211,6 @@ in
setuid = true; setuid = true;
} ]; } ];
security.pam.services = security.pam.services =
# Most of these should be moved to specific modules. # Most of these should be moved to specific modules.
[ { name = "cups"; } [ { name = "cups"; }
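Review bot: The new default `limits ? config.security.pam.loginLimits` in the first hunk of this file makes every service built by this function inherit the login limits, including non-interactive and root-oriented ones (`cups` in the list just below, and the `rootOK` entries in the other file), and the reworded description does not say that a service can still override them. A wildcard-domain rule such as a low `nproc` or `maxlogins`, written with only console logins in mind, would presumably now be enforced on those services' sessions too; how `limits` is consumed lies outside the hunk, so confirm which PAM stack it ends up in. I would add a sentence to the option description, e.g. `These limits apply to every PAM service unless the service sets its own <varname>limits</varname>.`, and reconsider whether the option name `loginLimits` still describes what it does. The function body that uses `limits` starts and ends outside the visible hunks.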