From patchwork Sat Mar 4 21:17:39 2023
X-Patchwork-Submitter: Bruno Victal
X-Patchwork-Id: 47656
Subject: [bug#61744] [PATCH v2 2/2] services: pam-limits-service-type: Deprecate file-like object support in favour of lists as service value.
From: Bruno Victal
To: 61744@debbugs.gnu.org
Cc: Bruno Victal
Date: Sat, 4 Mar 2023 21:17:39 +0000
Message-Id: <29b2df64b1a9a857227d573e7d0a1aa1f9ef52d2.1677964609.git.mirai@makinata.eu>
In-Reply-To: <47849c839cb8acb6909eccd1f050b0316373b377.1677964609.git.mirai@makinata.eu>
References: <47849c839cb8acb6909eccd1f050b0316373b377.1677964609.git.mirai@makinata.eu>
X-Mailer: git-send-email 2.39.1

* doc/guix.texi (Base Services): Document it.
* gnu/local.mk: Register test.
* gnu/services/base.scm (pam-limits-service-type): Accept both lists and file-like objects. Deprecate file-like object support.
* gnu/tests/pam.scm: New file.
--- doc/guix.texi | 27 +++++------- gnu/local.mk | 2 + gnu/services/base.scm | 36 +++++++++++----- gnu/tests/pam.scm | 97 +++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 135 insertions(+), 27 deletions(-) create mode 100644 gnu/tests/pam.scm diff --git a/doc/guix.texi b/doc/guix.texi index 3aa9c0cdf4..5c9a9333b9 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -18950,23 +18950,18 @@ Base Services Type of the service that installs a configuration file for the @uref{http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html, @code{pam_limits} module}. The value for this service type is -a file-like object containing a list of @code{pam-limits-entry} values -which can be used to specify @code{ulimit} limits and @code{nice} -priority limits to user sessions. +a list of @code{pam-limits-entry} values, which can be used to specify +@code{ulimit} limits and @code{nice} priority limits to user sessions. +By default, the value is the empty list. The following limits definition sets two hard and soft limits for all login sessions of users in the @code{realtime} group: @lisp -(service - pam-limits-service-type - (plain-file - "limits.conf" - (string-join - (map pam-limits-entry->string - (list (pam-limits-entry "@@realtime" 'both 'rtprio 99) - (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited))) - "\n"))) +(service pam-limits-service-type + (list + (pam-limits-entry "@@realtime" 'both 'rtprio 99) + (pam-limits-entry "@@realtime" 'both 'memlock 'unlimited))) @end lisp The first entry increases the maximum realtime priority for @@ -18978,11 +18973,9 @@ Base Services descriptors that can be used: @lisp -(service - pam-limits-service-type - (plain-file - "limits.conf" - (pam-limits-entry->string (pam-limits-entry "*" 'both 'nofile 100000)))) +(service pam-limits-service-type + (list + (pam-limits-entry "*" 'both 'nofile 100000))) @end lisp In the above example, the asterisk means the limit should apply to any diff --git a/gnu/local.mk b/gnu/local.mk index 415955bd3f..6291d8a558 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -56,6 +56,7 @@ # Copyright © 2022 Alex Griffin # Copyright © 2022 ( # Copyright © 2022 jgart +# Copyright © 2023 Bruno Victal # # This file is part of GNU Guix. # 
@@ -778,6 +779,7 @@ GNU_SYSTEM_MODULES = \ %D%/tests/messaging.scm \ %D%/tests/networking.scm \ %D%/tests/package-management.scm \ + %D%/tests/pam.scm \ %D%/tests/reconfigure.scm \ %D%/tests/rsync.scm \ %D%/tests/samba.scm \ diff --git a/gnu/services/base.scm b/gnu/services/base.scm index e5023b8175..80f9607d44 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -40,7 +40,7 @@ (define-module (gnu services base) #:use-module (guix store) #:use-module (guix deprecation) - #:autoload (guix diagnostics) (warning &fix-hint) + #:autoload (guix diagnostics) (warning formatted-message &fix-hint) #:autoload (guix i18n) (G_) #:use-module (guix combinators) #:use-module (gnu services) @@ -1584,17 +1584,13 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration))) (define pam-limits-service-type - (let ((security-limits - ;; Create /etc/security containing the provided "limits.conf" file. - (lambda (limits-file) - `(("security/limits.conf" - ,limits-file)))) - (pam-extension + (let ((pam-extension (lambda (pam) (let ((pam-limits (pam-entry (control "required") (module "pam_limits.so") - (arguments '("conf=/etc/security/limits.conf"))))) + (arguments + '("conf=/etc/security/limits.conf"))))) (if (member (pam-service-name pam) '("login" "greetd" "su" "slim" "gdm-password" "sddm" "sudo" "sshd")) 
@@ -1602,7 +1598,27 @@ (define pam-limits-service-type (inherit pam) (session (cons pam-limits (pam-service-session pam)))) - pam))))) + pam)))) + + ;; XXX: Using file-like objects is deprecated, use lists instead. + ;; This is to be reduced into the list? case when the deprecated + ;; code gets removed. + ;; Create /etc/security containing the provided "limits.conf" file. + (security-limits + (match-lambda + ((? file-like? obj) + (warning (G_ "Using file-like value for \ +'pam-limits-service-type' is deprecated~%")) + `(("security/limits.conf" ,obj))) + ((? list? lst) + `(("security/limits.conf" + ,(plain-file "limits.conf" + (string-join (map pam-limits-entry->string lst) + "\n" 'suffix))))) + (_ (raise + (formatted-message + (G_ "invalid input for 'pam-limits-service-type'~%"))))))) + (service-type (name 'limits) (extensions @@ -1613,7 +1629,7 @@ (define pam-limits-service-type "Install the specified resource usage limits by populating @file{/etc/security/limits.conf} and using the @code{pam_limits} authentication module.") - (default-value (plain-file "limits.conf" ""))))) + (default-value '())))) (define-deprecated (pam-limits-service #:optional (limits '())) pam-limits-service-type diff --git a/gnu/tests/pam.scm b/gnu/tests/pam.scm new file mode 100644 index 0000000000..5cf13d97d7 --- /dev/null +++ b/gnu/tests/pam.scm 
@@ -0,0 +1,97 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2023 Bruno Victal +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu tests pam) + #:use-module (gnu tests) + #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu system) + #:use-module (gnu system pam) + #:use-module (gnu system vm) + #:use-module (guix gexp) + #:use-module (ice-9 format) + #:export (%test-pam-limits + %test-pam-limits-deprecated)) + + +;;; +;;; pam-limits-service-type +;;; + +(define pam-limit-entries + (list + (pam-limits-entry "@realtime" 'both 'rtprio 99) + (pam-limits-entry "@realtime" 'both 'memlock 'unlimited))) + +(define (run-test-pam-limits config) + "Run tests in a os with pam-limits-service-type configured." + (define os + (marionette-operating-system + (simple-operating-system + (service pam-limits-service-type config)))) + + (define vm + (virtual-machine os)) + + (define name (format #f "pam-limit-service~:[~;-deprecated~]" + (file-like? 
config))) + + (define test + (with-imported-modules '((gnu build marionette)) + #~(begin + (use-modules (gnu build marionette) + (srfi srfi-64)) + + (let ((marionette (make-marionette (list #$vm)))) + + (test-runner-current (system-test-runner #$output)) + + (test-begin #$name) + + (test-assert "/etc/security/limits.conf ready" + (wait-for-file "/etc/security/limits.conf" marionette)) + + (test-equal "/etc/security/limits.conf content matches" + #$(string-join (map pam-limits-entry->string pam-limit-entries) + "\n" 'suffix) + (marionette-eval + '(call-with-input-file "/etc/security/limits.conf" + get-string-all) + marionette)) + + (test-end))))) + + (gexp->derivation (string-append name "-test") test)) + +(define %test-pam-limits + (system-test + (name "pam-limits-service") + (description "Test that pam-limits-service can serialize its config +(as a list) to @file{limits.conf}.") + (value (run-test-pam-limits pam-limit-entries)))) + +(define %test-pam-limits-deprecated + (system-test + (name "pam-limits-service-deprecated") + (description "Test that pam-limits-service can serialize its config +(as a file-like object) to @file{limits.conf}.") + (value (run-test-pam-limits + (plain-file "limits.conf" + (string-join (map pam-limits-entry->string + pam-limit-entries) + "\n" 'suffix))))))
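Review bot: the doc/guix.texi hunk at @@ -18950 only documents the new list value and never mentions that a file-like object is still accepted but deprecated, so a user who upgrades and suddenly sees the "Using file-like value for 'pam-limits-service-type' is deprecated" warning has nothing in the manual explaining it. Add one sentence after "By default, the value is the empty list." stating that passing a file-like object (the former interface) still works but is deprecated and will be removed, and that the list form shown in the example should be used instead.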
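Review bot: the gnu/services/base.scm hunk at @@ -40 only adds formatted-message to the (guix diagnostics) autoload, while the new security-limits body introduced later in the same file relies on match-lambda and raise, for which no import is added anywhere in this patch; please confirm that (ice-9 match) and the SRFI-34/35 condition modules are already in this module's use-module list, otherwise the module will fail to compile with unbound variables that this hunk does not reveal.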
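Review bot: in the gnu/services/base.scm hunk at @@ -1602, the (? list? lst) branch of security-limits hands every element to pam-limits-entry->string without checking that it is actually a pam-limits-entry, so a malformed element (say a plain string left over from the old interface) blows up inside the serializer with an opaque error instead of the friendly "invalid input for 'pam-limits-service-type'" message that only the catch-all (_ ...) clause produces; validate the elements before the string-join and route failures through the same formatted-message. While there, drop the trailing ~% from the formatted-message string (Guix error messages do not end in a newline) and include the offending value, e.g. (G_ "invalid input for 'pam-limits-service-type': ~s"), and consider attaching a &fix-hint, which is already autoloaded but unused, to the deprecation warning telling the user to pass the list of entries directly.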
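Review bot: the gnu/services/base.scm hunk at @@ -1613 changes default-value from (plain-file "limits.conf" "") to '(), but the deprecated pam-limits-service wrapper whose header is visible as trailing context, (define-deprecated (pam-limits-service #:optional (limits '())) pam-limits-service-type ...), is not updated in this patch; if its body still wraps the entries in a plain-file, every caller of the old procedure will now get the new "file-like value is deprecated" warning on top of the procedure's own deprecation warning. Please verify that body and, if needed, make it pass the list through unchanged in this same patch.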
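Review bot: in the new gnu/tests/pam.scm, the name built by (format #f "pam-limit-service~:[~;-deprecated~]" (file-like? config)) is missing an "s" compared with the system-test names "pam-limits-service" and "pam-limits-service-deprecated", so the derivation name and the test-begin label will not match the registered test; use the same base string in both places. The quoted expression passed to marionette-eval calls get-string-all but contains no use-modules for (ice-9 textual-ports) or (rnrs io ports) in the guest, so check that it is bound in the marionette's evaluation environment. Minor: the docstring "Run tests in a os" should read "an OS".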