Bug 751199 - sys-apps/systemd: pam limits are not applied to a user session
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo systemd Team
Reported: 2020-10-25 13:58 UTC by Alexander Tsoy
Modified: 2020-11-03 15:48 UTC (History)
Description Alexander Tsoy 2020-10-25 13:58:28 UTC
PAM limits no longer apply to a user session since "gentoo-systemd-user-pam.patch" was dropped. I'm not quite sure why this was done in Gentoo. Other distros still ship their own systemd-user PAM configuration fragments: [1], [2].

This is also covered in the NEWS item for the 232 release:

        * The PAM configuration fragment file for "user@.service" shipped with
          systemd (i.e. the --user instance of systemd) has been stripped to
          the minimum necessary to make the system boot. Previously, it
          contained Fedora-specific stanzas that did not apply to other
          distributions. It is expected that downstream distributions add
          additional configuration lines, matching their needs to this file,
          using it only as rough template of what systemd itself needs. Note
          that this reduced fragment does not even include an invocation of
          pam_limits which most distributions probably want to add, even though
          systemd itself does not need it. (There's also the new build time
          option --with-pamconfdir=no to disable installation of the PAM
          fragment entirely.)


[1] https://git.archlinux.org/svntogit/packages.git/tree/trunk/systemd-user.pam?h=packages/systemd
[2] https://src.fedoraproject.org/rpms/systemd/blob/master/f/systemd-user
Comment 1 Alexander Tsoy 2020-10-25 14:02:21 UTC
Of course, this can be worked around to some extent. For example, I ended up using this:

$ cat /etc/systemd/system/user@1000.service.d/limits.conf 
[Service]
LimitRTPRIO=99
LimitMEMLOCK=infinity
Comment 2 Mike Gilbert gentoo-dev 2020-10-25 21:40:52 UTC
The patch failed to apply at some point, and I couldn't find the justification for why I added it in the first place.
Comment 3 Larry the Git Cow gentoo-dev 2020-11-03 15:48:24 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=38ec013fbbf4b11185706d21fd079881f628f272

commit 38ec013fbbf4b11185706d21fd079881f628f272
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2020-11-03 15:48:10 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-11-03 15:48:10 +0000

    sys-apps/systemd: include system-auth in PAM config
    
    Closes: https://bugs.gentoo.org/751199
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/files/gentoo-pam.patch | 33 +++++++++++++++++++++++++++++++++
 sys-apps/systemd/systemd-246.6.ebuild   |  1 +
 sys-apps/systemd/systemd-9999.ebuild    |  1 +
 3 files changed, 35 insertions(+)
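
A check for the condition this bug describes, added here as an example (it is not part of the bug report or of Gentoo's or systemd's code): it walks the session stack of a PAM service, following include and substack lines, and reports whether pam_limits.so is reached. The file contents in SAMPLE are constructed, and the `session include system-auth` line is an assumption about the shape of the fix, since the patch body is not shown on this page.

```python
# Added example. The PAM file contents in SAMPLE are constructed for
# illustration; they are not the files shipped by systemd or Gentoo.
import os

SAMPLE = {
    "systemd-user-minimal": "account required pam_unix.so\n"
                            "session required pam_loginuid.so\n"
                            "session optional pam_systemd.so\n",
    "systemd-user-fixed": "account include system-auth\n"
                          "session required pam_loginuid.so\n"
                          "session include system-auth   # assumed fix\n",
    "system-auth": "session required pam_limits.so\n"
                   "-session [success=1 default=ignore] pam_systemd.so\n"
                   "session required pam_unix.so\n",
}

def session_modules(service, load, seen=None):
    """List modules in the session stack of `service`, following the
    'include' and 'substack' controls. `load(name)` returns file text."""
    seen = set() if seen is None else seen
    if service in seen:                      # guard against include loops
        return []
    seen.add(service)
    found = []
    text = load(service).replace("\\\n", " ")    # join continued lines
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) < 3 or f[0].lstrip("-") != "session":
            continue
        i = 1
        if f[1].startswith("["):             # bracketed control may hold spaces
            while i < len(f) - 1 and not f[i].endswith("]"):
                i += 1
        if i + 1 >= len(f):
            continue
        target = f[i + 1]
        if f[1] in ("include", "substack"):
            found += session_modules(target, load, seen)
        else:
            found.append(os.path.basename(target))
    return found

def applies_limits(service, load):
    """True when pam_limits.so runs in the session stack of `service`."""
    return "pam_limits.so" in session_modules(service, load)

if __name__ == "__main__":
    for name in ("systemd-user-minimal", "systemd-user-fixed"):
        print(name, applies_limits(name, SAMPLE.__getitem__))
```

To run it against a live system, pass `lambda n: open("/etc/pam.d/" + n).read()` as `load` with the service name `systemd-user`.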