* Apply the resource limits set by security.pam.loginLimits to all PAM

services (rather than just login(1)). It's rather unexpected if resource limits are not applied to (say) users logged in via SSH or X11. svn path=/nixos/trunk/; revision=28105
2024-11-20 04:31:52 +00:00 · 2011-08-01 10:17:18 +00:00 · 2011-08-01 10:17:18 +00:00 · 44725e50f0
parent af22531d38
commit 44725e50f0
2 changed files with 8 additions and 12 deletions
--- a/modules/programs/shadow.nix
+++ b/modules/programs/shadow.nix
@ -87,9 +87,7 @@ in
        { name = "groupmod"; rootOK = true; } 
        { name = "groupmems"; rootOK = true; }
        { name = "groupdel"; rootOK = true; }
-        { name = "login"; ownDevices = true; allowNullPassword = true;
-          limits = config.security.pam.loginLimits;
-        }
+        { name = "login"; ownDevices = true; allowNullPassword = true; }
      ];
      
    security.setuidPrograms = [ "passwd" "chfn" "su" ];
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@ -52,7 +52,7 @@ let
      # in.
      allowNullPassword ? false
    , # The limits, as per limits.conf(5).
-      limits ? []
+      limits ? config.security.pam.loginLimits
    }:

    { source = pkgs.writeText "${name}.pam"
@ -132,13 +132,12 @@ in
       ];

     description =
-       '' Define resource limits that should apply to users or groups for the
-          <command>login</command> service.  Each item in the list should be
-          an attribute set with a <varname>domain</varname>,
-          <varname>type</varname>, <varname>item</varname>, and
-          <varname>value</varname> attribute.  The syntax and semantics of
-          these attributes must be that described in the limits.conf(5) man
-          page.
+       '' Define resource limits that should apply to users or groups.
+          Each item in the list should be an attribute set with a
+          <varname>domain</varname>, <varname>type</varname>,
+          <varname>item</varname>, and <varname>value</varname>
+          attribute.  The syntax and semantics of these attributes
+          must be that described in the limits.conf(5) man page.
       '';
    };

@ -212,7 +211,6 @@ in
      setuid = true;
    } ];

-
    security.pam.services =
      # Most of these should be moved to specific modules.
      [ { name = "cups"; }