bug#37380: gdm doesn't load pam-limits
On Sat, 2019-09-14 at 17:13 -0600, Jesse Gibbons wrote:
> On Wed, 2019-09-11 at 21:48 +0200, Ricardo Wurmus wrote:
> > Hi Jesse,
> >
> > > I have been trying to set up ardour, but jackd doesn't start in
> > > real-time mode. I made an os definition that replicates this issue
> > > when I use a VM[0].
> > > [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.html
> > > I asked the gnome and gdm IRC and found out gdm loads the
> > > gdm-password pam config, which seems untouched by
> > > pam-limits-service. My /etc/pam.d/gdm-password (which should be
> > > the default) is attached.
> >
> > I can reproduce this.
> >
> > (I’m sorry for accidentally misleading you earlier. Turns out I used
> > JACK a little longer ago than I initially realized.)
> >
> > I think it should be pretty easy to fix this:
> >
> > 1) we should generate a single file that is used for generic session
> > settings.
> >
> > 2) all login programs (including gdm) should include that file in
> > their PAM settings.
> >
> > 3) the pam-limits-service should extend that single file instead of
> > attempting to update a bunch of PAM files for a selected list of
> > programs.
> >
> > --
> > Ricardo
> >
>
> Is all this best practice?
>
> This solution would have patches for three files:
> - gnu/system/pam.scm (adding the generic session settings file and
>   patching the "su" and "login" configurations)
> - gnu/services/base.scm (patching pam-limits-service)
> - gnu/services/desktop.scm (patching the graphical login
>   configurations).
>
> All new login services would require a patch to just one file with
> these steps implemented (to add the service), whereas they would each
> need a patch to two files if they are not implemented (one to add the
> service, another to have pam-limits-service modify the service's pam
> config).
>
> If you think this solution is better design than what we currently
> have, and others in this mailing list agree, I will work to provide
> these patches.
>
> I previously said adding gdm-password to the list of pam configs
> amended by pam-limits-service did not work. I then discovered the
> changes in the environment will not work unless I run "make". I don't
> know if this is a bug in guix or guile, or if it is intentionally this
> way; the manual should be updated to clarify that guix needs to be
> built in the environment for the changes to work.
>
> I sent a patch (bug#37405) that fixes this issue for gdm-password. A
> simple change can probably fix it for gdm-autologin (not added because
> I haven't tested it) and whatever gdm loads when the user logs in with
> biometric fingerprints (I don't know the name). When we add ldm and
> kdm, I think we can do something similar.
>

ping
bug#37380: gdm doesn't load pam-limits
On Wed, 2019-09-11 at 21:48 +0200, Ricardo Wurmus wrote:
> Hi Jesse,
>
> > I have been trying to set up ardour, but jackd doesn't start in
> > real-time mode. I made an os definition that replicates this issue
> > when I use a VM[0].
> > [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.html
> > I asked the gnome and gdm IRC and found out gdm loads the
> > gdm-password pam config, which seems untouched by
> > pam-limits-service. My /etc/pam.d/gdm-password (which should be
> > the default) is attached.
>
> I can reproduce this.
>
> (I’m sorry for accidentally misleading you earlier. Turns out I used
> JACK a little longer ago than I initially realized.)
>
> I think it should be pretty easy to fix this:
>
> 1) we should generate a single file that is used for generic session
> settings.
>
> 2) all login programs (including gdm) should include that file in
> their PAM settings.
>
> 3) the pam-limits-service should extend that single file instead of
> attempting to update a bunch of PAM files for a selected list of
> programs.
>
> --
> Ricardo
>

Is all this best practice?

This solution would have patches for three files:
- gnu/system/pam.scm (adding the generic session settings file and
  patching the "su" and "login" configurations)
- gnu/services/base.scm (patching pam-limits-service)
- gnu/services/desktop.scm (patching the graphical login
  configurations).

All new login services would require a patch to just one file with
these steps implemented (to add the service), whereas they would each
need a patch to two files if they are not implemented (one to add the
service, another to have pam-limits-service modify the service's pam
config).

If you think this solution is better design than what we currently
have, and others in this mailing list agree, I will work to provide
these patches.

I previously said adding gdm-password to the list of pam configs
amended by pam-limits-service did not work. I then discovered the
changes in the environment will not work unless I run "make". I don't
know if this is a bug in guix or guile, or if it is intentionally this
way; the manual should be updated to clarify that guix needs to be
built in the environment for the changes to work.

I sent a patch (bug#37405) that fixes this issue for gdm-password. A
simple change can probably fix it for gdm-autologin (not added because
I haven't tested it) and whatever gdm loads when the user logs in with
biometric fingerprints (I don't know the name). When we add ldm and
kdm, I think we can do something similar.

--
-Jesse
bug#37380: gdm doesn't load pam-limits
Thanks Ricardo,

On Wed, 2019-09-11 at 21:48 +0200, Ricardo Wurmus wrote:
> Hi Jesse,
>
> > I have been trying to set up ardour, but jackd doesn't start in
> > real-time mode. I made an os definition that replicates this issue
> > when I use a VM[0].
> > [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.html
> > I asked the gnome and gdm IRC and found out gdm loads the
> > gdm-password pam config, which seems untouched by
> > pam-limits-service. My /etc/pam.d/gdm-password (which should be
> > the default) is attached.
>
> I can reproduce this.
>
> (I’m sorry for accidentally misleading you earlier. Turns out I used
> JACK a little longer ago than I initially realized.)

So was there a time when JACK worked realtime after logging in from gdm
on a GuixSD install?

>
> I think it should be pretty easy to fix this:
>
> 1) we should generate a single file that is used for generic session
> settings.

What should be this file's default contents? Should it be empty unless
the pam-limits-service is specified?

>
> 2) all login programs (including gdm) should include that file in
> their PAM settings.

I suppose this could be done by adding
(pam-entry (control "include") (module "standard-session"))
I'm not sure "module" is a good word to describe the file.

>
> 3) the pam-limits-service should extend that single file instead of
> attempting to update a bunch of PAM files for a selected list of
> programs.

Should this file be a part of base-services?

> --
> Ricardo
>

I have to go to work soon, but I hope I can have this accomplished with
a patch series ready by Saturday. I'll check in with a status update
Saturday evening UTC -6.

--
-Jesse
bug#37380: gdm doesn't load pam-limits
Hi Jesse,

> I have been trying to set up ardour, but jackd doesn't start in
> real-time mode. I made an os definition that replicates this issue
> when I use a VM[0].
> [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.html
> I asked the gnome and gdm IRC and found out gdm loads the gdm-password
> pam config, which seems untouched by pam-limits-service. My
> /etc/pam.d/gdm-password (which should be the default) is attached.

I can reproduce this.

(I’m sorry for accidentally misleading you earlier. Turns out I used
JACK a little longer ago than I initially realized.)

I think it should be pretty easy to fix this:

1) we should generate a single file that is used for generic session
settings.

2) all login programs (including gdm) should include that file in their
PAM settings.

3) the pam-limits-service should extend that single file instead of
attempting to update a bunch of PAM files for a selected list of
programs.

--
Ricardo
bug#37380: gdm doesn't load pam-limits
On Wed, 2019-09-11 at 09:12 -0600, Jesse Gibbons wrote:
> I have been trying to set up ardour, but jackd doesn't start in
> real-time mode. I made an os definition that replicates this issue
> when I use a VM[0].
> [0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.html
> I asked the gnome and gdm IRC and found out gdm loads the
> gdm-password pam config, which seems untouched by pam-limits-service.
> My /etc/pam.d/gdm-password (which should be the default) is attached.
>
> Thanks!

I'm not sure how to resolve this issue. I tried appending
"gdm-password" to the list of pam configs modified by
pam-limits-service[1] but it doesn't fix anything when I use
./pre-inst-env to build the vm. gdm-password still does not have a line
to load pam_limits.

Whatever the solution, we will probably also want to implement it with
other graphical login services like slim and sddm (and eventually
lightdm and kdm).

[1] http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/base.scm#n1480

--
-Jesse
bug#37380: gdm doesn't load pam-limits
I have been trying to set up ardour, but jackd doesn't start in
real-time mode. I made an os definition that replicates this issue when
I use a VM[0].
[0] https://lists.gnu.org/archive/html/help-guix/2019-09/msg00065.html
I asked the gnome and gdm IRC and found out gdm loads the gdm-password
pam config, which seems untouched by pam-limits-service. My
/etc/pam.d/gdm-password (which should be the default) is attached.

Thanks!

--
-Jesse

account required pam_unix.so
auth required pam_unix.so nullok
password required pam_unix.so sha512 shadow
session required /gnu/store/90b3ypy5w6si4vd4b17i2nyzy0pfr5j2-elogind-241.3/lib/security/pam_elogind.so
session required pam_loginuid.so
session required pam_env.so
session required pam_unix.so
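
Added example (not part of the thread and not Guix code): a small audit of a PAM directory that reports which service files have a session stack that never reaches pam_limits.so, following "include" and "substack" entries so that a shared file like the one proposed in the thread is counted. The gdm-password sample reuses session lines from the attachment above; the login, standard-session and gdm-fixed files and all function names are constructed for illustration.

```python
import tempfile
from pathlib import Path

def parse_entry(line):
    """Return (type, control, module) for one PAM line, or None if it is not an entry."""
    fields = line.split("#", 1)[0].split(None, 1)
    if len(fields) < 2:
        return None
    kind, rest = fields[0].lstrip("-"), fields[1].strip()
    if rest.startswith("["):   # bracketed control, e.g. [success=1 default=ignore]; "]" is dropped
        control, _, rest = rest.partition("]")
    else:
        control, rest = (rest.split(None, 1) + [""])[:2]
    target = rest.split()
    return (kind, control, target[0]) if target else None

def session_modules(pam_dir, service, seen=None):
    """Module file names in a service's session stack, following include/substack."""
    seen = set() if seen is None else seen
    path = Path(pam_dir, service)
    if service in seen or not path.is_file():   # include loop, or included file missing
        return []
    seen.add(service)
    found = []
    for kind, control, target in filter(None, map(parse_entry, path.read_text().splitlines())):
        if kind == "session" and control in ("include", "substack"):
            found += session_modules(pam_dir, target, seen)
        elif kind == "session":
            found.append(Path(target).name)      # store paths reduce to the .so name
    return found

def services_missing_limits(pam_dir):
    """Names of PAM service files whose session stack never reaches pam_limits.so."""
    return sorted(p.name for p in Path(pam_dir).iterdir()
                  if "pam_limits.so" not in session_modules(pam_dir, p.name))

# gdm-password: session lines from the attached file (elogind line left out); the rest are constructed.
SAMPLE = {
    "gdm-password": "session required pam_loginuid.so\nsession required pam_env.so\nsession required pam_unix.so\n",
    "login": "session required pam_unix.so\nsession required pam_limits.so\n",
    "standard-session": "session required pam_limits.so\n",   # assumed shared session file
    "gdm-fixed": "session required pam_unix.so\nsession include standard-session\n",
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            Path(d, name).write_text(body)
        return services_missing_limits(d)
```

Calling services_missing_limits("/etc/pam.d") on a real system gives the same kind of list; demo() runs it over the sample files only.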