public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add support for pam_limits.

Browse Source 
svn path=/nixos/trunk/; revision=19370
This commit is contained in:
Ludovic Courtès 2010-01-12 11:02:23 +00:00
parent d45a3fbdc9
commit c68f5fbae4
1 changed files with 62 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
modules/security/pam.nix
View File

@ -21,6 +21,14 @@ let
session required pam_deny.so session required pam_deny.so
''; '';
# Create a limits.conf(5) file.
makeLimitsConf = limits:
pkgs.writeText "limits.conf"
(concatStringsSep "\n"
(map ({ domain, type, item, value }:
concatStringsSep " " [ domain type item value ])
limits));
makePAMService = makePAMService =
{ name { name
, # If set, root doesn't need to authenticate (e.g. for the "chsh" , # If set, root doesn't need to authenticate (e.g. for the "chsh"
@ -43,6 +51,8 @@ let
# accounts with hashed empty passwords are always allowed to log # accounts with hashed empty passwords are always allowed to log
# in. # in.
allowNullPassword ? false allowNullPassword ? false
, # The limits, as per limits.conf(5).
limits ? []
}: }:
{ source = pkgs.writeText "${name}.pam" { source = pkgs.writeText "${name}.pam"
@ -81,6 +91,8 @@ let
"session optional ${pkgs.consolekit}/lib/security/pam_ck_connector.so"} "session optional ${pkgs.consolekit}/lib/security/pam_ck_connector.so"}
${optionalString forwardXAuth ${optionalString forwardXAuth
"session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"} "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
${optionalString (limits != [])
"session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf limits}"}
''; '';
target = "pam.d/${name}"; target = "pam.d/${name}";
}; };
@ -93,9 +105,47 @@ in
options = { options = {
security.pam.loginLimits = mkOption {
default = [];
example =
[ { domain = "ftp";
type = "hard";
item = "nproc";
value = "0";
}
{ domain = "@student";
type = "-";
item = "maxlogins";
value = "4";
}
];
description =
'' Define resource limits that should apply to users or groups for the
<command>login</command> service. Each item in the list should be
an attribute set with a <varname>domain</varname>,
<varname>type</varname>, <varname>item</varname>, and
<varname>value</varname> attribute. The syntax and semantics of
these attributes must be that described in the limits.conf(5) man
page.
'';
};
security.pam.services = mkOption { security.pam.services = mkOption {
default = []; default = [];
example = [ { name = "chsh"; rootOK = true; } ]; example = [
{ name = "chsh"; rootOK = true; }
{ name = "login"; ownDevices = true; allowNullPassword = true;
limits = [
{ domain = "ftp";
type = "hard";
item = "nproc";
value = "0";
}
];
}
];
description = description =
'' ''
This option defines the PAM services. A service typically This option defines the PAM services. A service typically
@ -113,6 +163,14 @@ in
whether X authentication keys should be passed from the whether X authentication keys should be passed from the
calling user to the target user (e.g. for calling user to the target user (e.g. for
<command>su</command>). <command>su</command>).
The attribute <varname>limits</varname> defines resource limits
that should apply to users or groups for the service. Each item in
the list should be an attribute set with a
<varname>domain</varname>, <varname>type</varname>,
<varname>item</varname>, and <varname>value</varname> attribute.
The syntax and semantics of these attributes must be that described
in the limits.conf(5) man page.
''; '';
}; };
@ -153,7 +211,9 @@ in
{ name = "useradd"; rootOK = true; } { name = "useradd"; rootOK = true; }
# Used by groupadd etc. # Used by groupadd etc.
{ name = "shadow"; rootOK = true; } { name = "shadow"; rootOK = true; }
{ name = "login"; ownDevices = true; allowNullPassword = true; } { name = "login"; ownDevices = true; allowNullPassword = true;
limits = config.security.pam.loginLimits;
}
]; ];
}; };