From 44725e50f023af8c5ff74f12085422369b06bc65 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Mon, 1 Aug 2011 10:17:18 +0000
Subject: [PATCH] * Apply the resource limits set by security.pam.loginLimits to all PAM services (rather than just login(1)). It's rather unexpected if resource limits are not applied to (say) users logged in via SSH or X11.

svn path=/nixos/trunk/; revision=28105
---
 modules/programs/shadow.nix | 4 +---
 modules/security/pam.nix | 16 +++++++---------
 2 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/modules/programs/shadow.nix b/modules/programs/shadow.nix
index 711156918df..81286d9bb5c 100644
--- a/modules/programs/shadow.nix
+++ b/modules/programs/shadow.nix
@@ -87,9 +87,7 @@ in
 { name = "groupmod"; rootOK = true; }
 { name = "groupmems"; rootOK = true; }
 { name = "groupdel"; rootOK = true; }
- { name = "login"; ownDevices = true; allowNullPassword = true;
- limits = config.security.pam.loginLimits;
- }
+ { name = "login"; ownDevices = true; allowNullPassword = true; }
 ];
 security.setuidPrograms = [ "passwd" "chfn" "su" ];
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 589d7a6c6ac..4e50c661460 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -52,7 +52,7 @@ let
 # in.
 allowNullPassword ? false
 , # The limits, as per limits.conf(5).
- limits ? []
+ limits ? config.security.pam.loginLimits
 }:
 { source = pkgs.writeText "${name}.pam"
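Review bot: The comment above `limits` in the `@@ -52,7 +52,7 @@` hunk of pam.nix still reads only `# The limits, as per limits.conf(5).`, although the default changes from `[]` to `config.security.pam.loginLimits`, so every service built from this argument set now inherits the global limits unless it passes its own. I would extend it to `# The limits, as per limits.conf(5). Defaults to security.pam.loginLimits for every service; set limits explicitly to override.` so that the per-service override is documented where the default is defined. The argument set starts above the hunk and the generated PAM text continues below it, so whether an empty list suppresses the limits entry for a service cannot be confirmed from the visible lines.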
@@ -132,13 +132,12 @@ in ]; description = - '' Define resource limits that should apply to users or groups for the - login service. Each item in the list should be - an attribute set with a domain, - type, item, and - value attribute. The syntax and semantics of - these attributes must be that described in the limits.conf(5) man - page. + '' Define resource limits that should apply to users or groups. + Each item in the list should be an attribute set with a + domain, type, + item, and value + attribute. The syntax and semantics of these attributes + must be that described in the limits.conf(5) man page. ''; }; @@ -212,7 +211,6 @@ in setuid = true; } ]; - security.pam.services = # Most of these should be moved to specific modules. [ { name = "cups"; }
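Review bot: The new description in the `@@ -132,13 +132,12 @@` hunk drops "for the login service" but does not state the new scope, so an administrator reading the option documentation cannot tell that the limits are now enforced for SSH, X11 and the other PAM services. I would add a sentence such as `These limits apply to all PAM services unless a service sets its own limits.` to the description. The option keeps the name `loginLimits`, so the description is the only place where the wider scope becomes visible to users of the option.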