GNU bug report logs - #53468
[RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#53468: closed ([RFC PATCH] gnu: linux-pam: Change path to
 unix_chkpwd helper.)
Date: Thu, 10 Feb 2022 22:43:02 +0000

[Message part 1 (text/plain, inline)]

Your message dated Thu, 10 Feb 2022 23:42:29 +0100
with message-id <8735kq2vje.fsf_-_ <at> gnu.org>
and subject line Re: bug#53468: [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.
has caused the debbugs.gnu.org bug report #53468,
regarding [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
53468: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=53468
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Andrew Tropin <andrew <at> trop.in>
To: guix-patches <at> gnu.org
Subject: [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.
Date: Thu, 13 Jan 2022 21:41:58 +0300

[Message part 3 (text/plain, inline)]

* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
binaries.
---
The quote from unix_chkpwd.c:
> * This program is designed to run setuid(root) or with sufficient
> * privilege to read all of the unix password databases. It is designed
> * to provide a mechanism for the current user (defined by this
> * process's uid) to verify their own password.

Without suid bit it will fail in various use cases: for example utilities like
xlock or swaylock compiled with pam support won't be able to unlock the
screen.  To fix it I added unix_chkpwd binary to list of Guix System's setuid
programs and added a patch, which hardcodes /run/setuid-programs/unix_chkpwd
path in pam_unix module source code of linux-pam package.  However, I'm not
sure if it's a proper solution, please share your thoughts and conserns.

 gnu/packages/linux.scm                        |  3 +-
 .../patches/change-path-to-unix_chkpwd.patch  | 54 +++++++++++++++++++
 gnu/system/pam.scm                            |  8 ++-
 3 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 7b12cb8ec1..ee0df3c625 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1590,7 +1590,8 @@ (define-public linux-pam
        (sha256
         (base32
          "1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
-       (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+       (patches (search-patches "change-path-to-unix_chkpwd.patch"
+                                "linux-pam-no-setfsuid.patch"))))
 
     (build-system gnu-build-system)
     (native-inputs
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..90a8b639f6
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
@@ -0,0 +1,54 @@
+From f314ab148b488e23a2e48e7222964e46d0d03447 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin <andrew <at> trop.in>
+Date: Wed, 12 Jan 2022 17:17:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+---
+ modules/pam_unix/pam_unix_acct.c | 4 ++--
+ modules/pam_unix/support.c       | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0..2fdec6c7 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -122,12 +122,12 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+     }
+ 
+     /* exec binary helper */
+-    args[0] = CHKPWD_HELPER;
++    args[0] = "/run/setuid-programs/unix_chkpwd";
+     args[1] = user;
+     args[2] = "chkexpiry";
+ 
+     DIAG_PUSH_IGNORE_CAST_QUAL;
+-    execve(CHKPWD_HELPER, (char *const *) args, envp);
++    execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+     DIAG_POP_IGNORE_CAST_QUAL;
+ 
+     pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 27ca7127..d02f394e 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -523,7 +523,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ 	}
+ 
+ 	/* exec binary helper */
+-	args[0] = CHKPWD_HELPER;
++	args[0] = "/run/setuid-programs/unix_chkpwd";
+ 	args[1] = user;
+ 	if (off(UNIX__NONULL, ctrl)) {	/* this means we've succeeded */
+ 	  args[2]="nullok";
+@@ -532,7 +532,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ 	}
+ 
+ 	DIAG_PUSH_IGNORE_CAST_QUAL;
+-	execve(CHKPWD_HELPER, (char *const *) args, envp);
++	execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ 	DIAG_POP_IGNORE_CAST_QUAL;
+ 
+ 	/* should not get here: exit with error */
+-- 
+2.34.0
+
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..48cd2ebf2c 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -375,8 +375,12 @@ (define (extend-configuration initial extensions)
 
 (define pam-root-service-type
   (service-type (name 'pam)
-                (extensions (list (service-extension etc-service-type
-                                                     /etc-entry)))
+                (extensions
+                 (list (service-extension etc-service-type /etc-entry)
+                       (service-extension
+                        setuid-program-service-type
+                        (list (file-like->setuid-program
+                               (file-append linux-pam "/sbin/unix_chkpwd"))))))
 
                 ;; Arguments include <pam-service> as well as procedures.
                 (compose concatenate)
-- 
2.34.0

[signature.asc (application/pgp-signature, inline)]

[Message part 5 (message/rfc822, inline)]

From: Ludovic Courtès <ludo <at> gnu.org>
To: Andrew Tropin <andrew <at> trop.in>
Cc: 53468-done <at> debbugs.gnu.org
Subject: Re: bug#53468: [RFC PATCH] gnu: linux-pam: Change path to
 unix_chkpwd helper.
Date: Thu, 10 Feb 2022 23:42:29 +0100

Hi,

Andrew Tropin <andrew <at> trop.in> skribis:

> From e96d3f6d82b134829fcb31777e81928c73847dcc Mon Sep 17 00:00:00 2001
> From: Andrew Tropin <andrew <at> trop.in>
> Date: Sun, 6 Feb 2022 08:13:49 +0300
> Subject: [PATCH v3] gnu: linux-pam: Change path to unix_chkpwd helper.
>
> * gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file.
> * gnu/packages/linux.scm (linux-pam): Add patch.
> * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid.

LGTM, minor the patch file name as reported by ‘guix lint’ and missing
‘gnu/local.mk’.

However, it looks like my brain wasn’t fully operational when I
previously replied, because:

--8<---------------cut here---------------start------------->8---
$ guix refresh -l linux-pam
Building the following 2418 packages would ensure 6038 dependent
packages are rebuilt: […]
--8<---------------cut here---------------end--------------->8---

So I went ahead, fixed up the issues above, and pushed to
‘core-updates’.

Thanks!

Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.