Subject: [bug#62699] [PATCH] services: add pam-mount-volume-service-type
From: Brian Cully
To: 62699@debbugs.gnu.org
Date: Thu, 06 Apr 2023 12:43:55 -0400
Message-ID: <87lej5x8ke.fsf@psyduck.jhoto.kublai.com>

This patch allows adding additional volumes to be mounted at login
time via PAM by way of ‘pam-mount-volume-service-type’. As an
example usage, I use it to mount a CIFS share which requires
authentication automatically on login without having to type my
password twice (since my local system has the same username and
password as the system hosting my CIFS share).

-bjc

Subject: [bug#62699] [PATCH] services: pam-mount: add pam-mount-volume-service-type
From: Brian Cully
To: 62699@debbugs.gnu.org
Cc: Brian Cully, glv@posteo.net
Date: Thu, 6 Apr 2023 12:57:43 -0400
In-Reply-To: <87lej5x8ke.fsf@psyduck.jhoto.kublai.com>
X-Mailer: git-send-email 2.39.2

The `pam-mount-volumes-service-type' adds additional volumes to the
pam-mount-service-type in addition to any that are already specified in
`pam-mount-rules'.

* doc/guix.texi (PAM Mount Volume Service): add documentation for
`pam-mount-service-type'.
* gnu/services/pam-mount.scm (extend-pam-mount-configuration): new procedure
(pam-mount-service-type): allow extension by other service-types
(field-name->tag): new procedure
(serialize-string): new procedure
(integer-or-range?): new procedure
(serialize-integer-or-range): new procedure
(serialize-boolean): new procedure
(pam-mount-volume): new configuration
(pam-mount-volume->sxml): new procedure
(pam-mount-volume-rules): new procedure
(pam-mount-volume-service-type): new procedure
* Makefile.am: add pam-mount tests
* tests/services/pam-mount.scm: new tests
--- Makefile.am | 1 + doc/guix.texi | 99 +++++++++++++++++++++++++++++++ gnu/services/pam-mount.scm | 111 ++++++++++++++++++++++++++++++++++- tests/services/pam-mount.scm | 83 ++++++++++++++++++++++++++ 4 files changed, 293 insertions(+), 1 deletion(-) create mode 100644 tests/services/pam-mount.scm diff --git a/Makefile.am b/Makefile.am index 23b939b674..603fa7241f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -548,6 +548,7 @@ SCM_TESTS = \ tests/services/configuration.scm \ tests/services/lightdm.scm \ tests/services/linux.scm \ + tests/services/pam-mount.scm \ tests/services/telephony.scm \ tests/sets.scm \ tests/size.scm \ 
diff --git a/doc/guix.texi b/doc/guix.texi index 4f72e2f34a..d45df03f57 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -114,6 +114,7 @@ Copyright @copyright{} 2023 Giacomo Leidi@* Copyright @copyright{} 2022 Antero Mejr@* Copyright @copyright{} 2023 Karl Hallsby +Copyright @copyright{} 2023 Brian Cully Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or 
@@ -37010,6 +37011,104 @@ PAM Mount Service @end table @end deftp +@subheading PAM Mount Volume Service +@cindex pam volume mounting + +PAM mount volumes are automatically mounted at login by the PAM login +service according to a set of per-volume rules. Because they are +mounted by PAM the password entered during login may be used directly to +mount authenticated volumes, such as @code{cifs}, using the same +credentials. + +These volumes will be added in addition to any volumes directly +specified in @code{pam-mount-rules}. + +Here is an example of a rule which will mount a remote CIFS share from +@file{//remote-server/share} into a sub-directory of @file{/shares} +named after the user logging in: + +@lisp +(simple-service 'pam-mount-remote-share pam-mount-volume-service-type + (list (pam-mount-volume + (secondary-group "users") + (file-system-type "cifs") + (server "remote-server") + (file-name "share") + (mount-point "/shares/%(USER)") + (options "nosuid,nodev,seal,cifsacl")))) +@end lisp + +@deftp {Data Type} pam-mount-volume-service-type +Configuration for a single volume to be mounted. Any fields not +specified will be omitted from the run-time PAM configuration. See +@uref{http://pam-mount.sourceforge.net/pam_mount.conf.5.html, +the man page} for the default values when unspecified. + +@table @asis +@item @code{user-name} (type: maybe-string) +Mount the volume for the given user. + +@item @code{user-id} (type: maybe-integer-or-range) +Mount the volume for the user with this ID. This field may also be +specified as a cons cell of @code{(start . end)} indicating a range of +user IDs for whom to mount the volume. + +@item @code{primary-group} (type: maybe-string) +Mount the volume for users with this primary group name. + +@item @code{group-id} (type: maybe-integer-or-range) +Mount the volume for the users with this primary group ID. This field +may also be specified as a cons cell of @code{(start . 
end)} indicating +a range of group ids for whom to mount the volume. + +@item @code{secondary-group} (type: maybe-string) +Mount the volume for users who are members of this group as either a +primary or secondary group. + +@item @code{file-system-type} (type: maybe-string) +The file system type for the volume being mounted (e.g., @code{cifs}) + +@item @code{no-mount-as-root?} (type: maybe-boolean) +Whether or not to mount the volume with root privileges. This is +normally disabled, but may be enabled for mounts of type @code{fuse}, or +other user-level mounts. + +@item @code{server} (type: maybe-string) +The name of the remote server to mount the volume from, when necessary. + +@item @code{file-name} (type: maybe-string) +The location of the volume, either local or remote, depending on the +@code{file-system-type}. + +@item @code{mount-point} (type: maybe-string) +Where to mount the volume in the local file-system. This may be set to +@file{~} to indicate the home directory of the user logging in. If this +field is omitted then @file{/etc/fstab} is consulted for the mount +destination. + +@item @code{options} (type: maybe-string) +The options to be passed as-is to the underlying mount program. + +@item @code{ssh?} (type: maybe-boolean) +Enable this option to pass the login password to SSH for use with mounts +involving SSH (e.g., @code{sshfs}). + +@item @code{cipher} (type: maybe-string) +Cryptsetup cipher name for the volume. To be used with the @code{crypt} +@code{file-system-type}. + +@item @code{file-system-key-cipher} (type: maybe-string) +Cipher name used by the target volume. + +@item @code{file-system-key-hash} (type: maybe-string) +SSL hash name used by the target volume. + +@item @code{file-system-key-file-name} (type: maybe-string) +File name of the file system key for the target volume. + +@end table +@end deftp + @node Guix Services @subsection Guix Services 
diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm index e60781d05b..3014af8896 100644 --- a/gnu/services/pam-mount.scm +++ b/gnu/services/pam-mount.scm @@ -23,9 +23,15 @@ (define-module (gnu services pam-mount) #:use-module (gnu system pam) #:use-module (guix gexp) #:use-module (guix records) + #:use-module (ice-9 match) + #:use-module (srfi srfi-1) #:export (pam-mount-configuration pam-mount-configuration? - pam-mount-service-type)) + pam-mount-service-type + + pam-mount-volume + pam-mount-volume? + pam-mount-volume-service-type)) (define %pam-mount-default-configuration `((debug (@ (enable "0"))) @@ -99,6 +105,11 @@ (define (pam-mount-pam-service config) (list optional-pam-mount)))) pam)))) +(define (extend-pam-mount-configuration initial extensions) + "Extends INITIAL with EXTENSIONS." + (pam-mount-configuration (rules (append (pam-mount-configuration-rules + initial) extensions)))) + (define pam-mount-service-type (service-type (name 'pam-mount) 
@@ -106,6 +117,104 @@ (define pam-mount-service-type pam-mount-etc-service) (service-extension pam-root-service-type pam-mount-pam-service))) + (compose concatenate) + (extend extend-pam-mount-configuration) (default-value (pam-mount-configuration)) (description "Activate PAM-Mount support. It allows mounting volumes for specific users when they log in."))) + +(define (field-name->tag field-name) + "Convert FIELD-NAME to its tag used by the configuration XML." + (match field-name + ('user-name 'user) + ('user-id 'uid) + ('primary-group 'pgrp) + ('group-id 'gid) + ('secondary-group 'sgrp) + ('file-system-type 'fstype) + ('no-mount-as-root? 'noroot) + ('file-name 'path) + ('mount-point 'mountpoint) + ('ssh? 'ssh) + ('file-system-key-cipher 'fskeycipher) + ('file-system-key-hash 'fskeyhash) + ('file-system-key-file-name 'fskeypath) + (_ field-name))) + +(define-maybe string) + +(define (serialize-string field-name value) + (list (field-name->tag field-name) value)) + +(define (integer-or-range? value) + (match value + ((start . end) (and (integer? start) + (integer? end))) + (_ (number? value)))) + +(define-maybe integer-or-range) + +(define (serialize-integer-or-range field-name value) + (let ((value-string (match value + ((start . end) (format #f "~a-~a" start end)) + (_ (number->string value))))) + (list (field-name->tag field-name) value-string))) + +(define-maybe boolean) + +(define (serialize-boolean field-name value) + (let ((value-string (if value "1" "0"))) + (list (field-name->tag field-name) value-string))) + +(define-configuration pam-mount-volume + (user-name maybe-string "User name to match.") + (user-id maybe-integer-or-range + "User ID, or range of user IDs, in the form of @code{(start . end)} to\nmatch.") + (primary-group maybe-string "Primary group name to match.") + (group-id maybe-integer-or-range + "Group ID, or range of group IDs, in the form of @code{(start . 
end)} to\nmatch.") + (secondary-group maybe-string + "Match users who belong to this group name as either a primary or secondary\ngroup.") + (file-system-type maybe-string "File system type of volume being mounted.") + (no-mount-as-root? maybe-boolean + "Do not use super user privileges to mount this volume.") + (server maybe-string "Remote server this volume resides on.") + (file-name maybe-string "Location of the volume to be mounted.") + (mount-point maybe-string + "Where to mount the volume in the local file system.") + (options maybe-string "Options to pass to the underlying mount program.") + (ssh? maybe-boolean "Whether to pass the login password to SSH.") + (cipher maybe-string "Cryptsetup cipher named used by volume.") + (file-system-key-cipher maybe-string + "Cipher name used by the target volume.") + (file-system-key-hash maybe-string + "SSL hash name used by the target volume.") + (file-system-key-file-name maybe-string + "File name for the file system key used by the target volume.")) + +(define (pam-mount-volume->sxml volume) + ;; Convert a list of configuration fields into an SXML-compatible attribute + ;; list. + (define xml-attrs + (filter-map (lambda (field) + (let* ((accessor (configuration-field-getter field)) + (value (accessor volume))) + (and (not (eq? value %unset-value)) + (list (field-name->tag (configuration-field-name + field)) value)))) + pam-mount-volume-fields)) + + `(volume (@ ,@xml-attrs))) + +(define (pam-mount-volume-rules volumes) + (map pam-mount-volume->sxml volumes)) + +(define pam-mount-volume-service-type + (service-type (name 'pam-mount-volume) + (extensions (list (service-extension pam-mount-service-type + pam-mount-volume-rules))) + (compose concatenate) + (extend append) + (default-value '()) + (description + "Volumes to be mounted during PAM-assisted login."))) diff --git a/tests/services/pam-mount.scm b/tests/services/pam-mount.scm new file mode 100644 index 0000000000..bfbd15967f --- /dev/null 
+++ b/tests/services/pam-mount.scm 
@@ -0,0 +1,83 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2023 Brian Cully +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (tests services pam-mount) + #:use-module (gnu services pam-mount) + #:use-module (gnu system pam) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (guix derivations) + #:use-module (guix gexp) + #:use-module (guix grafts) + #:use-module (guix store) + #:use-module (guix tests) + #:use-module (ice-9 match) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-64)) + +(define pam-mount-volume-fields (@@ (gnu services pam-mount) + pam-mount-volume-fields)) +(define field-name->tag (@@ (gnu services pam-mount) + field-name->tag)) + +(define pam-mount-volume->sxml (@@ (gnu services pam-mount) + pam-mount-volume->sxml)) + +(test-begin "services-pam-mount") + +(test-group "field-name->tag" + (let ((field-map '((user-name user) + (user-id uid) + (primary-group pgrp) + (group-id gid) + (secondary-group sgrp) + (file-system-type fstype) + (no-mount-as-root? noroot) + (server server) + (file-name path) + (mount-point mountpoint) + (options options) + (ssh? 
ssh) + (cipher cipher) + (file-system-key-cipher fskeycipher) + (file-system-key-hash fskeyhash) + (file-system-key-file-name fskeypath)))) + + (test-equal "all fields accounted for" + (map car field-map) + (map configuration-field-name pam-mount-volume-fields)) + + (for-each (match-lambda + ((field-name tag-name) + (test-eq (format #f "~a -> ~a" field-name tag-name) + (field-name->tag field-name) tag-name))) + field-map))) + +(let ((tmpfs-volume (pam-mount-volume + (secondary-group "users") + (file-system-type "tmpfs") + (mount-point "/run/user/%(USERUID)") + (options "someoptions")))) + (test-equal "tmpfs" + '(volume (@ (sgrp "users") + (fstype "tmpfs") + (mountpoint "/run/user/%(USERUID)") + (options "someoptions"))) + (pam-mount-volume->sxml tmpfs-volume))) + +(test-end "services-pam-mount") -- 2.39.2
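
Review bot: In the doc/guix.texi hunk, the "@deftp {Data Type} pam-mount-volume-service-type" entry lists the fields of the pam-mount-volume record, not of the service type, so it should be named pam-mount-volume. In the same table, the no-mount-as-root? text ("Whether or not to mount the volume with root privileges. This is normally disabled ...") does not say which value drops root; the docstring in pam-mount.scm ("Do not use super user privileges to mount this volume.") is unambiguous, and the manual should use the same wording because this field decides whether the mount runs with root privileges.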
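
Review bot: In the first gnu/services/pam-mount.scm hunk, extend-pam-mount-configuration builds a fresh record with only "rules" set, so any other field of INITIAL would silently fall back to its default. If pam-mount-configuration is a (guix records) record, as the module's imports suggest, "(pam-mount-configuration (inherit initial) (rules (append ...)))" keeps the rest of INITIAL and stays correct if the record gains fields later.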
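
Review bot: In pam-mount-volume->sxml (second gnu/services/pam-mount.scm hunk), each attribute is built as "(list (field-name->tag (configuration-field-name field)) value)" from the raw field value, so serialize-integer-or-range and serialize-boolean are not used on this path. A user-id given as (1000 . 2000) or an ssh? of #t therefore reaches the SXML as a pair or a boolean rather than the "1000-2000" and "1"/"0" strings those serializers produce; since user-id, group-id and no-mount-as-root? decide who gets a volume and with what privileges, the attribute value should go through the field's serializer here. In the same hunk, integer-or-range? falls back to "(number? value)" while the pair branch requires integer?, so a value such as 1.5 passes validation; use integer? in both branches.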
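
Review bot: The "tmpfs" case in tests/services/pam-mount.scm sets only string fields (secondary-group, file-system-type, mount-point, options), so nothing exercises the integer, range or boolean fields through pam-mount-volume->sxml. Add a volume with a user-id range and a boolean such as no-mount-as-root? and compare against the expected attribute strings, plus a case checking that volumes from pam-mount-volume-service-type end up appended to the rules of pam-mount-configuration.
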
Subject: [bug#62699] [PATCH] services: add pam-mount-volume-service-type
From: Ludovic Courtès
To: Brian Cully
Cc: glv@posteo.net, 62699@debbugs.gnu.org
Date: Sun, 18 Jun 2023 23:20:22 +0200
References: <87lej5x8ke.fsf@psyduck.jhoto.kublai.com>
Message-ID: <87352opiw9.fsf_-_@gnu.org>

Hi!

Brian Cully skribis:

> The `pam-mount-volumes-service-type' adds additional volumes to the
> pam-mount-service-type in addition to any that are already specified in
> `pam-mount-rules'.
>
> * doc/guix.texi (PAM Mount Volume Service): add documentation for
> `pam-mount-service-type'.
> * gnu/services/pam-mount.scm (extend-pam-mount-configuration): new procedure
> (pam-mount-service-type): allow extension by other service-types
> (field-name->tag): new procedure
> (serialize-string): new procedure
> (integer-or-range?): new procedure
> (serialize-integer-or-range): new procedure
> (serialize-boolean): new procedure
> (pam-mount-volume): new configuration
> (pam-mount-volume->sxml): new procedure
> (pam-mount-volume-rules): new procedure
> (pam-mount-volume-service-type): new procedure
> * Makefile.am: add pam-mount tests
> * tests/services/pam-mount.scm: new tests

This looks useful!

Nitpick: for new files like ‘pam-mount.scm’ in this case, it’s enough to
write “New file” (relief :-)).

I’ve never used PAM mount before so I can only comment on the
implementation and doc (maybe Guillaume is more familiar with it?).

> Copyright @copyright{} 2022 Antero Mejr@*
> Copyright @copyright{} 2023 Karl Hallsby
> +Copyright @copyright{} 2023 Brian Cully

Please add @* on the previous line to insert a line break.

> +@item @code{user-id} (type: maybe-integer-or-range)
> +Mount the volume for the user with this ID. This field may also be
> +specified as a cons cell of @code{(start . end)} indicating a range of

Use the term “pair” rather than “cons cell” (throughout the section),
for consistency with the rest of the manual and to make it more
approachable.

> +(test-end "services-pam-mount")

Neat.

How hard would it be to also have a system tests under (gnu tests …)?
Seems like it would better cover functionality.

Thanks!

Ludo’.

Subject: [bug#62699] [PATCH] services: add pam-mount-volume-service-type
From: Brian Cully
To: Ludovic Courtès
Cc: glv@posteo.net, 62699@debbugs.gnu.org
Date: Tue, 20 Jun 2023 10:14:59 -0400
In-reply-to: <87352opiw9.fsf_-_@gnu.org>
Message-ID: <87v8ficj1y.fsf@psyduck.jhoto.kublai.com>

Ludovic Courtès writes:

> Nitpick: for new files like ‘pam-mount.scm’ in this case, it’s enough to
> write “New file” (relief :-)).

Fixed.

> Please add @* on the previous line to insert a line break.

Fixed. FWIW, I tried looking through the manual (both Guix' and
TexInfo's) to see what this sigil meant, I couldn't figure it out,
so I just guessed. Is this documented somewhere?

> Use the term “pair” rather than “cons cell” (throughout the section),
> for consistency with the rest of the manual and to make it more
> approachable.

Fixed.

> How hard would it be to also have a system tests under (gnu tests …)?
> Seems like it would better cover functionality.

I'm not sure. I've never done integration tests on an entire
operating system before, so it'd take some doing just to learn the
ropes. I'll go through the existing tests and see what I can come
up with.

Would it be okay to do that as a separate patch, though? Given how
long I expect this work to take, I would like to avoid that extra
delay in having the current patch set (plus the above changes)
committed.

-bjc

Subject: [bug#62699] [PATCH] services: add pam-mount-volume-service-type
From: Brian Cully
To: Ludovic Courtès
Cc: glv@posteo.net, 62699@debbugs.gnu.org
Date: Tue, 18 Jul 2023 10:01:01 -0400
In-Reply-To: <87v8ficj1y.fsf@psyduck.jhoto.kublai.com>
Message-ID: <875y6h1fqa.fsf_-_@psyduck.jhoto.kublai.com>

This patch lacks integration tests, but otherwise should be complete. I
did spend some time trying to figure out how to set up the integration
tests, but it's quite complex for this case and I'd rather not hold this
up until they're done. I'd like to submit them separately when I can
dedicate more time to their creation.

-bjc

Subject: [bug#62699] [PATCH v2] services: add pam-mount-volume-service-type
From: Brian Cully
To: Ludovic Courtès
Cc: glv@posteo.net, 62699@debbugs.gnu.org
Date: Tue, 18 Jul 2023 10:06:16 -0400
In-Reply-To: <875y6h1fqa.fsf_-_@psyduck.jhoto.kublai.com>
Message-ID: <87351l1fhj.fsf_-_@psyduck.jhoto.kublai.com>
Content-Disposition: inline; filename=v2-0001-services-pam-mount-add-pam-mount-volume-service-t.patch

The `pam-mount-volumes-service-type' adds additional volumes to the
pam-mount-service-type in addition to any that are already specified in
`pam-mount-rules'.

* doc/guix.texi (PAM Mount Volume Service): add documentation for
`pam-mount-service-type'.
* gnu/services/pam-mount.scm: new file.
* Makefile.am: add pam-mount tests
* tests/services/pam-mount.scm: new tests
--- Makefile.am | 1 + doc/guix.texi | 99 +++++++++++++++++++++++++++++++ gnu/services/pam-mount.scm | 111 ++++++++++++++++++++++++++++++++++- tests/services/pam-mount.scm | 83 ++++++++++++++++++++++++++ 4 files changed, 293 insertions(+), 1 deletion(-) create mode 100644 tests/services/pam-mount.scm diff --git a/Makefile.am b/Makefile.am index d680c8c76c..de239d7fca 100644 --- a/Makefile.am +++ b/Makefile.am @@ -557,6 +557,7 @@ SCM_TESTS =3D \ tests/services/configuration.scm \ tests/services/lightdm.scm \ tests/services/linux.scm \ + tests/services/pam-mount.scm \ tests/services/telephony.scm \ tests/sets.scm \ tests/size.scm \ 
diff --git a/doc/guix.texi b/doc/guix.texi index ee03de04dc..2c1ac6d090 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -116,6 +116,7 @@ Copyright @copyright{} 2023 Karl Hallsby@* Copyright @copyright{} 2023 Nathaniel Nicandro@* Copyright @copyright{} 2023 Tanguy Le Carrour@* +Copyright @copyright{} 2023 Brian Cully@* =20 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or 
@@ -37752,6 +37753,104 @@ PAM Mount Service @end table @end deftp =20 +@subheading PAM Mount Volume Service +@cindex pam volume mounting + +PAM mount volumes are automatically mounted at login by the PAM login +service according to a set of per-volume rules. Because they are +mounted by PAM the password entered during login may be used directly to +mount authenticated volumes, such as @code{cifs}, using the same +credentials. + +These volumes will be added in addition to any volumes directly +specified in @code{pam-mount-rules}. + +Here is an example of a rule which will mount a remote CIFS share from +@file{//remote-server/share} into a sub-directory of @file{/shares} +named after the user logging in: + +@lisp +(simple-service 'pam-mount-remote-share pam-mount-volume-service-type + (list (pam-mount-volume + (secondary-group "users") + (file-system-type "cifs") + (server "remote-server") + (file-name "share") + (mount-point "/shares/%(USER)") + (options "nosuid,nodev,seal,cifsacl")))) +@end lisp + +@deftp {Data Type} pam-mount-volume-service-type +Configuration for a single volume to be mounted. Any fields not +specified will be omitted from the run-time PAM configuration. See +@uref{http://pam-mount.sourceforge.net/pam_mount.conf.5.html, +the man page} for the default values when unspecified. + +@table @asis +@item @code{user-name} (type: maybe-string) +Mount the volume for the given user. + +@item @code{user-id} (type: maybe-integer-or-range) +Mount the volume for the user with this ID. This field may also be +specified as a pair of @code{(start . end)} indicating a range of user +IDs for whom to mount the volume. + +@item @code{primary-group} (type: maybe-string) +Mount the volume for users with this primary group name. + +@item @code{group-id} (type: maybe-integer-or-range) +Mount the volume for the users with this primary group ID. This field +may also be specified as a cons cell of @code{(start . 
end)} indicating +a range of group ids for whom to mount the volume. + +@item @code{secondary-group} (type: maybe-string) +Mount the volume for users who are members of this group as either a +primary or secondary group. + +@item @code{file-system-type} (type: maybe-string) +The file system type for the volume being mounted (e.g., @code{cifs}) + +@item @code{no-mount-as-root?} (type: maybe-boolean) +Whether or not to mount the volume with root privileges. This is +normally disabled, but may be enabled for mounts of type @code{fuse}, or +other user-level mounts. + +@item @code{server} (type: maybe-string) +The name of the remote server to mount the volume from, when necessary. + +@item @code{file-name} (type: maybe-string) +The location of the volume, either local or remote, depending on the +@code{file-system-type}. + +@item @code{mount-point} (type: maybe-string) +Where to mount the volume in the local file-system. This may be set to +@file{~} to indicate the home directory of the user logging in. If this +field is omitted then @file{/etc/fstab} is consulted for the mount +destination. + +@item @code{options} (type: maybe-string) +The options to be passed as-is to the underlying mount program. + +@item @code{ssh?} (type: maybe-boolean) +Enable this option to pass the login password to SSH for use with mounts +involving SSH (e.g., @code{sshfs}). + +@item @code{cipher} (type: maybe-string) +Cryptsetup cipher name for the volume. To be used with the @code{crypt} +@code{file-system-type}. + +@item @code{file-system-key-cipher} (type: maybe-string) +Cipher name used by the target volume. + +@item @code{file-system-key-hash} (type: maybe-string) +SSL hash name used by the target volume. + +@item @code{file-system-key-file-name} (type: maybe-string) +File name of the file system key for the target volume. + +@end table +@end deftp + =20 @node Guix Services @subsection Guix Services 
diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm index 21c34ddd61..8a38d6b1cc 100644 --- a/gnu/services/pam-mount.scm +++ b/gnu/services/pam-mount.scm @@ -23,9 +23,15 @@ (define-module (gnu services pam-mount) #:use-module (gnu system pam) #:use-module (guix gexp) #:use-module (guix records) + #:use-module (ice-9 match) + #:use-module (srfi srfi-1) #:export (pam-mount-configuration pam-mount-configuration? - pam-mount-service-type)) + pam-mount-service-type + + pam-mount-volume + pam-mount-volume? + pam-mount-volume-service-type)) =20 (define %pam-mount-default-configuration `((debug (@ (enable "0"))) @@ -102,6 +108,11 @@ (define (pam-mount-pam-service config) (list optional-pam-mount)))) pam)))))) =20 +(define (extend-pam-mount-configuration initial extensions) + "Extends INITIAL with EXTENSIONS." + (pam-mount-configuration (rules (append (pam-mount-configuration-rules + initial) extensions)))) + (define pam-mount-service-type (service-type (name 'pam-mount) 
@@ -109,6 +120,104 @@ (define pam-mount-service-type pam-mount-etc-service) (service-extension pam-root-service-type pam-mount-pam-service))) + (compose concatenate) + (extend extend-pam-mount-configuration) (default-value (pam-mount-configuration)) (description "Activate PAM-Mount support. It allows mounting volumes f= or specific users when they log in."))) + +(define (field-name->tag field-name) + "Convert FIELD-NAME to its tag used by the configuration XML." + (match field-name + ('user-name 'user) + ('user-id 'uid) + ('primary-group 'pgrp) + ('group-id 'gid) + ('secondary-group 'sgrp) + ('file-system-type 'fstype) + ('no-mount-as-root? 'noroot) + ('file-name 'path) + ('mount-point 'mountpoint) + ('ssh? 'ssh) + ('file-system-key-cipher 'fskeycipher) + ('file-system-key-hash 'fskeyhash) + ('file-system-key-file-name 'fskeypath) + (_ field-name))) + +(define-maybe string) + +(define (serialize-string field-name value) + (list (field-name->tag field-name) value)) + +(define (integer-or-range? value) + (match value + ((start . end) (and (integer? start) + (integer? end))) + (_ (number? value)))) + +(define-maybe integer-or-range) + +(define (serialize-integer-or-range field-name value) + (let ((value-string (match value + ((start . end) (format #f "~a-~a" start end)) + (_ (number->string value))))) + (list (field-name->tag field-name) value-string))) + +(define-maybe boolean) + +(define (serialize-boolean field-name value) + (let ((value-string (if value "1" "0"))) + (list (field-name->tag field-name) value-string))) + +(define-configuration pam-mount-volume + (user-name maybe-string "User name to match.") + (user-id maybe-integer-or-range + "User ID, or range of user IDs, in the form of @code{(start . end)} to\= nmatch.") + (primary-group maybe-string "Primary group name to match.") + (group-id maybe-integer-or-range + "Group ID, or range of group IDs, in the form of @code{(start . 
end)} t= o\nmatch.") + (secondary-group maybe-string + "Match users who belong to this group name as either a primary or secon= dary\ngroup.") + (file-system-type maybe-string "File system type of volume being mounted= .") + (no-mount-as-root? maybe-boolean + "Do not use super user privileges to mount this volum= e.") + (server maybe-string "Remote server this volume resides on.") + (file-name maybe-string "Location of the volume to be mounted.") + (mount-point maybe-string + "Where to mount the volume in the local file system.") + (options maybe-string "Options to pass to the underlying mount program.") + (ssh? maybe-boolean "Whether to pass the login password to SSH.") + (cipher maybe-string "Cryptsetup cipher named used by volume.") + (file-system-key-cipher maybe-string + "Cipher name used by the target volume.") + (file-system-key-hash maybe-string + "SSL hash name used by the target volume.") + (file-system-key-file-name maybe-string + "File name for the file system key used by the target volume.")) + +(define (pam-mount-volume->sxml volume) + ;; Convert a list of configuration fields into an SXML-compatible attrib= ute + ;; list. + (define xml-attrs + (filter-map (lambda (field) + (let* ((accessor (configuration-field-getter field)) + (value (accessor volume))) + (and (not (eq? value %unset-value)) + (list (field-name->tag (configuration-field-name + field)) value)))) + pam-mount-volume-fields)) + + `(volume (@ ,@xml-attrs))) + +(define (pam-mount-volume-rules volumes) + (map pam-mount-volume->sxml volumes)) + +(define pam-mount-volume-service-type + (service-type (name 'pam-mount-volume) + (extensions (list (service-extension pam-mount-service-type + pam-mount-volume-rule= s))) + (compose concatenate) + (extend append) + (default-value '()) + (description + "Volumes to be mounted during PAM-assisted login."))) diff --git a/tests/services/pam-mount.scm b/tests/services/pam-mount.scm new file mode 100644 index 0000000000..bfbd15967f --- /dev/null 
+++ b/tests/services/pam-mount.scm 
@@ -0,0 +1,83 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright =C2=A9 2023 Brian Cully +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (tests services pam-mount) + #:use-module (gnu services pam-mount) + #:use-module (gnu system pam) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (guix derivations) + #:use-module (guix gexp) + #:use-module (guix grafts) + #:use-module (guix store) + #:use-module (guix tests) + #:use-module (ice-9 match) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-64)) + +(define pam-mount-volume-fields (@@ (gnu services pam-mount) + pam-mount-volume-fields)) +(define field-name->tag (@@ (gnu services pam-mount) + field-name->tag)) + +(define pam-mount-volume->sxml (@@ (gnu services pam-mount) + pam-mount-volume->sxml)) + +(test-begin "services-pam-mount") + +(test-group "field-name->tag" + (let ((field-map '((user-name user) + (user-id uid) + (primary-group pgrp) + (group-id gid) + (secondary-group sgrp) + (file-system-type fstype) + (no-mount-as-root? noroot) + (server server) + (file-name path) + (mount-point mountpoint) + (options options) + (ssh? 
ssh) + (cipher cipher) + (file-system-key-cipher fskeycipher) + (file-system-key-hash fskeyhash) + (file-system-key-file-name fskeypath)))) + + (test-equal "all fields accounted for" + (map car field-map) + (map configuration-field-name pam-mount-volume-fields)) + + (for-each (match-lambda + ((field-name tag-name) + (test-eq (format #f "~a -> ~a" field-name tag-name) + (field-name->tag field-name) tag-name))) + field-map))) + +(let ((tmpfs-volume (pam-mount-volume + (secondary-group "users") + (file-system-type "tmpfs") + (mount-point "/run/user/%(USERUID)") + (options "someoptions")))) + (test-equal "tmpfs" + '(volume (@ (sgrp "users") + (fstype "tmpfs") + (mountpoint "/run/user/%(USERUID)") + (options "someoptions"))) + (pam-mount-volume->sxml tmpfs-volume))) + +(test-end "services-pam-mount") base-commit: a8c79839d57acf96df720630b8e6ddee8a8c2cf8 --=20 2.41.0
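
Review bot: in the doc/guix.texi hunk at -37752,6 +37753,104 the `@deftp {Data Type}` entry is named `pam-mount-volume-service-type`, but the fields it lists (`user-name`, `user-id`, `mount-point`, ...) belong to the `pam-mount-volume` record that the example constructs, so the entry should read `@deftp {Data Type} pam-mount-volume`. In the same table, `no-mount-as-root?` is described as "Whether or not to mount the volume with root privileges", which reads as the opposite of the field name; the docstring used in `define-configuration` ("Do not use super user privileges to mount this volume.") is the clearer wording and the two should agree. The commit log has the same naming drift: it refers to `pam-mount-volumes-service-type` and to documentation for `pam-mount-service-type`, and lists gnu/services/pam-mount.scm as a new file although the diff modifies it and only tests/services/pam-mount.scm is created.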
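
Review bot: `extend-pam-mount-configuration` (gnu/services/pam-mount.scm, hunk at -102,6 +108,11) builds a fresh `(pam-mount-configuration (rules ...))` rather than inheriting from INITIAL, so any field other than `rules` that the record has, or later gains, is silently reset to its default as soon as a volume extension is present. Suggest `(pam-mount-configuration (inherit initial) (rules (append (pam-mount-configuration-rules initial) extensions)))`.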
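
Review bot: `pam-mount-volume->sxml` (gnu/services/pam-mount.scm, hunk at -109,6 +120,104) places the raw field value into the attribute list, `(list (field-name->tag (configuration-field-name field)) value)`, so `serialize-boolean` and `serialize-integer-or-range` are never applied on this path. A `user-id` given as `(1000 . 2000)` or an `ssh?` of `#t` therefore reaches the SXML as a pair or a boolean, not as the "1000-2000" and "1" strings those serializers produce. Since these attributes decide which users get a volume mounted with their login credentials, the match fields should be converted by type here (or through the field's serializer) before `xml-attrs` is built. In the same hunk, `integer-or-range?` checks `integer?` for both ends of a range but falls back to `number?` for a single value, so `1.5` is accepted as a user or group ID; use `integer?` in the fallback as well.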
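
Review bot: the only `pam-mount-volume->sxml` test in tests/services/pam-mount.scm uses string fields (`secondary-group`, `file-system-type`, `mount-point`, `options`), so the `maybe-boolean` and `maybe-integer-or-range` fields are not exercised at all; add cases for a `user-id` or `group-id` range and for `no-mount-as-root?` or `ssh?`, asserting the string form expected in the XML. In the `field-name->tag` group, `test-eq` is called with `(field-name->tag field-name)` first and `tag-name` second; SRFI-64 takes the expected value before the test expression, so swap them to get correctly labelled failure reports. The imports of `(guix derivations)`, `(guix grafts)` and `(guix store)` do not appear to be used by the tests in this hunk and can be dropped.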
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Brian Cully
Subject: bug#62699: closed (Re: bug#62699: [PATCH v2] services: add pam-mount-volume-service-type)
Reply-To: 62699@debbugs.gnu.org
Date: Wed, 09 Aug 2023 10:31:02 +0000

Your bug report

#62699: [PATCH] services: add pam-mount-volume-service-type

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 62699@debbugs.gnu.org.

-- 
62699: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62699
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Ludovic Courtès
To: Brian Cully
Cc: glv@posteo.net, 62699-done@debbugs.gnu.org
Subject: Re: bug#62699: [PATCH v2] services: add pam-mount-volume-service-type
Date: Wed, 09 Aug 2023 12:30:23 +0200

Hello,

Brian Cully wrote:

> The `pam-mount-volumes-service-type' adds additional volumes to the
> pam-mount-service-type in addition to any that are already specified in
> `pam-mount-rules'.
>
> * doc/guix.texi (PAM Mount Volume Service): add documentation for
> `pam-mount-service-type'.
> * gnu/services/pam-mount.scm: new file.
> * Makefile.am: add pam-mount tests
> * tests/services/pam-mount.scm: new tests

Applied with the changes below.

Thanks!

Ludo’.

diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm index 8a38d6b1cc..dbb9d0285f 100644 --- a/gnu/services/pam-mount.scm +++ b/gnu/services/pam-mount.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2019 Guillaume Le Vaillant +;;; Copyright =C2=A9 2023 Brian Cully ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -220,4 +221,6 @@ (define pam-mount-volume-service-type (extend append) (default-value '()) (description - "Volumes to be mounted during PAM-assisted login."))) + "Mount remote volumes such as CIFS shares @i{via} +@acronym{PAM, Pluggable Authentication Modules} when logging in, using log= in +credentials.")))
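
Review bot: the new description in the hunk at -220,4 +221,6 says "Mount remote volumes such as CIFS shares", which is narrower than what the service accepts: the v2 patch documents `cipher` for the `crypt` file system type and its test builds a local `tmpfs` volume. Suggest wording that does not limit it to remote volumes, for example "Mount volumes such as CIFS shares or encrypted local volumes", so the description shown to users matches the record's documented fields.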

From: Brian Cully
To: guix-patches@gnu.org
Subject: [PATCH] services: add pam-mount-volume-service-type
Date: Thu, 06 Apr 2023 12:43:55 -0400

This patch allows adding additional volumes to be mounted at login time via PAM by way of ‘pam-mount-volume-service-type’. As an example usage, I use it to mount a CIFS share which requires authentication automatically on login without having to type my password twice (since my local system has the same username and password as the system hosting my CIFS share).

-bjc