* Apply the resource limits set by security.pam.loginLimits to all PAM

services (rather than just login(1)).  It's rather unexpected if
  resource limits are not applied to (say) users logged in via SSH or
  X11.

svn path=/nixos/trunk/; revision=28105
wip/yesman
Eelco Dolstra 13 years ago
parent af22531d38
commit 44725e50f0
  1. 4
      modules/programs/shadow.nix
  2. 16
      modules/security/pam.nix

@ -87,9 +87,7 @@ in
{ name = "groupmod"; rootOK = true; } { name = "groupmod"; rootOK = true; }
{ name = "groupmems"; rootOK = true; } { name = "groupmems"; rootOK = true; }
{ name = "groupdel"; rootOK = true; } { name = "groupdel"; rootOK = true; }
{ name = "login"; ownDevices = true; allowNullPassword = true; { name = "login"; ownDevices = true; allowNullPassword = true; }
limits = config.security.pam.loginLimits;
}
]; ];
security.setuidPrograms = [ "passwd" "chfn" "su" ]; security.setuidPrograms = [ "passwd" "chfn" "su" ];

@ -52,7 +52,7 @@ let
# in. # in.
allowNullPassword ? false allowNullPassword ? false
, # The limits, as per limits.conf(5). , # The limits, as per limits.conf(5).
limits ? [] limits ? config.security.pam.loginLimits
}: }:
{ source = pkgs.writeText "${name}.pam" { source = pkgs.writeText "${name}.pam"
@ -132,13 +132,12 @@ in
]; ];
description = description =
'' Define resource limits that should apply to users or groups for the '' Define resource limits that should apply to users or groups.
<command>login</command> service. Each item in the list should be Each item in the list should be an attribute set with a
an attribute set with a <varname>domain</varname>, <varname>domain</varname>, <varname>type</varname>,
<varname>type</varname>, <varname>item</varname>, and <varname>item</varname>, and <varname>value</varname>
<varname>value</varname> attribute. The syntax and semantics of attribute. The syntax and semantics of these attributes
these attributes must be that described in the limits.conf(5) man must be that described in the limits.conf(5) man page.
page.
''; '';
}; };
@ -212,7 +211,6 @@ in
setuid = true; setuid = true;
} ]; } ];
security.pam.services = security.pam.services =
# Most of these should be moved to specific modules. # Most of these should be moved to specific modules.
[ { name = "cups"; } [ { name = "cups"; }
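Review bot: In the `-52,7` hunk of modules/security/pam.nix the parameter comment still reads only `# The limits, as per limits.conf(5).`, although the default is now `config.security.pam.loginLimits`. Because this is a default argument, a service that passes its own `limits` replaces the global list rather than extending it, and can end up with fewer limits than the administrator configured. I would document that on the parameter, e.g. `# The limits, as per limits.conf(5). Defaults to security.pam.loginLimits; an explicit value replaces (does not extend) that list.` The option is also still named `loginLimits` while the new description drops the reference to the login service, so the description could state outright that it applies to every PAM service. Whether each service actually gets a pam_limits session line depends on the generated PAM text, which lies outside the visible hunks.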
