Simon Richter <s...@debian.org> writes:

> The way I see it, we want a pam_systemd module that is responsible for
> applying *all* settings configured in systemd units, and that is kept in
> sync with the unit file parser, and the pam_limits module to handle the
> non-systemd setups.

My understanding is that if you're running systemd, systemd does all of this, so there's nothing for the PAM module to do. So I think this proposal reduces to arguing that pam_limits should be disabled on systemd systems.

I think there's some merit of simplicity in going that direction on individual systemd systems (I personally like keeping all of a daemon's configuration in one place), but there's a huge transition problem in trying to do this at the Debian level. A lot of people likely have limits configured using the pam_limits mechanism and would need to move those limits into unit files (and in some cases replace init scripts with unit files so that they can do so). That's not a transition that we can easily help with, either.

pam_limits also does some things that are unrelated to starting services, such as setting up limits for interactive user sessions, and I think pure systemd systems still rely on that? So I'm not sure this is as simple as just disabling the module or having it do nothing if systemd is init.

I see five packages in Debian that ship files in /etc/security/limits.d, which presumably would require changes in your proposed approach to add the same settings to their relevant unit files:

    corekeeper: /etc/security/limits.d/corekeeper.conf
    libvma: /etc/security/limits.d/30-libvma-limits.conf
    lizardfs-common: /etc/security/limits.d/10-lizardfs.conf
    stenographer-common: /etc/security/limits.d/stenographer.conf
    uhd-host: /etc/security/limits.d/uhd.conf

--
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>