<div>Hi,<br></div><div><br></div><div>So I might be wrong about this but I don't think Squeak needs to use pam. Pam is used for authentication and authorization.<br></div><div><br></div><div>So on my linux systems there are files in /etc/pam.d with names like sshd, su, sudo and assorted login and screen saver programs. <br></div><div><br></div><div>These are all programs which have to either run something that does authorization or does authentication, or both. Squeak needs neither because we run squeak after you are logged in and the program which logged you in has taken care of the authentication and authorization. And of course setting limits.<br></div><div><br></div><div>For the users rtprio to be set to something other than the default we both need the /etc/security/limits.d/squeak.conf file, AND we need what ever is doing the "login" to call the limits shared library of pam to set the limits.<br></div><div><br></div><div>This is why the problem is complex since it is hard to know which program has done the "login"<br></div><div><br></div><div>In my test case I had to reboot the system to get the normal console login to run the new limits. Before I rebooted it did not set the rtprio from the normal console login but did set it when I used ssh to connect.<br></div><div><br></div><div>So which program and which config file is the one who does my console login? Is it login? Is it common-session? Is it light-dm? My bet is on light-dm but maybe not.<br></div><div><br></div><div>cheers<br></div><div><br></div><div>bruce<br></div><div><br></div><div ><br></div><div class="ik_mail_quote"><div>On 2021-09-29T17:28:52.000+02:00, Phil B <pbpublist@gmail.com> wrote:</div><blockquote class="ws-ng-quote"><div class="ws-ng-mail-style--469952eJzz9HPyjwAABGYBgQ"><hr><div dir="ltr"><div dir="ltr">Tobias,</div><br></div></div><div class="gmail_quote-469952eJzz9HPyjwAABGYBgQ"><div dir="ltr" class="gmail_attr-469952eJzz9HPyjwAABGYBgQ">On Wed, Sep 29, 2021 at 10:59 AM Tobias Pape <<a class="defaultMailLink" href="mailto:Das.Linux@gmx.de" target="_blank" rel="noopener noreferrer">Das.Linux@gmx.de</a>> wrote:<br></div><blockquote class="gmail_quote-469952eJzz9HPyjwAABGYBgQ" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex;"> <br>
Hi<br>
<br>
<br>
> On 29. Sep 2021, at 15:59, Phil B <<a class="defaultMailLink" href="mailto:pbpublist@gmail.com" target="_blank" rel="noopener noreferrer">pbpublist@gmail.com</a>> wrote:<br>
> <br>
> A tangential FYI: the Debian packaging will be taking care of this as part of the installation.<br>
<br>
that's what I hoped for.<br></blockquote><div><br></div><div>You can see all of the 'global' system changes I'm making in the common package currently at <a class="defaultMailLink" href="https://github.com/pbella/squeak-common" target="_blank" rel="noopener noreferrer" data-ik="ik-secure">https://github.com/pbella/squeak-common</a></div><div> </div><blockquote class="gmail_quote-469952eJzz9HPyjwAABGYBgQ" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex;">
<br>
> Currently it installs the /etc/security/limits.d/squeak.conf file and I'll look into adding the pam.d part as well.<br>
<br>
Noooo don't change pam_d stuff. :D<br>
Debian has now its own pam management stuff and we should not mess with it.<br></blockquote><div><br></div><div>Don't worry, that's why I only said I'd look into it. I won't try to slam a generic PAM config as part of the install as I know we'd need to tread carefully here.</div><div><br></div><blockquote class="gmail_quote-469952eJzz9HPyjwAABGYBgQ" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex;">
<br>
I was actually only curious whether tim's /etc/pam.d/* contains a reference to pam_limits, to see whether limits are applied in the first place.<br>
Since a reboot helped, the answer is, yes, pam_limits applied.<br>
<br>
So let's not get ahead of ourselves and let pam be :)<br>
<br></blockquote><div><br></div><div>All I was thinking is that perhaps I could drop a squeak file in /etc/pam.d with any (perhaps commented out?) settings that apply to the VM along with any relevant documentation. So basically keep it non-invasive but try to provide a pointer if this is a source of potential issues. I'd also need to check Debian policy to see if this is something that should even be done as I know PAM is a touchy area re: system security and may have specific policy considerations.</div><div><br></div><div> </div><blockquote class="gmail_quote-469952eJzz9HPyjwAABGYBgQ" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex;">
> <br>
> Of course if there's a way to get the functionality without the config tweaking, that would be even better. If not, well that's one of the many reasons we have packages ;-)<br>
<br>
Exactly.<br>
<br>
Best regards<br>
-Tobias<br></blockquote><div><br></div><div>Thanks,</div><div>Phil</div><div> </div><blockquote class="gmail_quote-469952eJzz9HPyjwAABGYBgQ" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex;">
> <br>
> On Wed, Sep 29, 2021 at 2:24 AM Tobias Pape <<a class="defaultMailLink" href="mailto:Das.Linux@gmx.de" target="_blank" rel="noopener noreferrer">Das.Linux@gmx.de</a>> wrote:<br>
> <br>
> Hi<br>
> <br>
> <br>
> > On 29. Sep 2021, at 00:12, tim Rowledge <<a class="defaultMailLink" href="mailto:tim@rowledge.org" target="_blank" rel="noopener noreferrer">tim@rowledge.org</a>> wrote:<br>
> > <br>
> > <br>
> > This reminds me to ask (probably again) if anyone actually understands ubuntu and getting the rtprio settings to 'take'.<br>
> > <br>
> > I have the suggested /etc/security/limits.d/squeak.conf etc but it appears to be ignored - at least the VM complains about it. Since `ulimit -a` tells me that rtprio is 0, I suspect it is correct to complain.<br>
> > I've spent way too long trying to make sense of what I find with googling. This has been going on for ages (so, yes, the machine has been rebooted) and every now and then I try to make some sense of it. <br>
> <br>
> <br>
> this file only takes action when pam_limits is used.<br>
> can you grep your /etc/pam.d for limits?<br>
> <br>
> Best regards<br>
> -Tobias<br>
> <br>
> PS: I hate to say it, but it seems the neat architecture of the heartbeat-VM is not appreciated by<br>
> current linux distros. There is just too much to do for the average user to make use of it.<br>
> Also, users need some kind of Root to be able to enable the rtprio, which is not a good idea.<br>
> Is there any way to get away without changing rtprio?<br>
> <br>
> <br>
> <br>
> <br>
<br>
<br>
</blockquote></div></blockquote></div>