From: Josselin Poiret
To: guix-patches@gnu.org
Subject: [PATCH 0/2] Add PAM shepherd requirements
Date: Fri, 5 May 2023 19:50:46 +0200

Hi everyone,

With shepherd 0.10 incoming, I've been running into a nasty issue: I use
elogind and greetd, and greetd, when starting, needs to let its greeter log in
through PAM.  However, its PAM entry requires pam_elogind.so, which might not
work if elogind isn't started yet, and so my greetd would just fail to start.

This patch adds a shepherd synchronization point for services needed by PAM,
and any PAM-using program should have the synchronization point as a
requirement.

I've mostly tested this with greetd only, so I would appreciate if other PAM
users could try it out.

Best,

Josselin Poiret (2):
  system: pam: Let PAM extenders add shepherd requirements.
  services: elogind: Add elogind as a shepherd PAM requirement.

 gnu/services/authentication.scm | 28 +++++++++--------
 gnu/services/base.scm           | 54 +++++++++++++++++---------------
 gnu/services/desktop.scm        | 45 +++++++++++++++------------
 gnu/services/kerberos.scm       | 44 +++++++++++++-------------
 gnu/services/lightdm.scm        | 2 +-
 gnu/services/mail.scm           | 4 +--
 gnu/services/pam-mount.scm      | 23 ++++++++------
 gnu/services/sddm.scm           | 2 +-
 gnu/services/ssh.scm            | 10 +++---
 gnu/services/xorg.scm           | 4 +--
 gnu/system/pam.scm              | 55 ++++++++++++++++++++++++++-------
 11 files changed, 161 insertions(+), 110 deletions(-)

base-commit: 6922069bcbe5c08da09c00e5aad44e390ebd1cc7
--
2.39.2

From: Josselin Poiret
To: 63314@debbugs.gnu.org
Subject: [PATCH 1/2] system: pam: Let PAM extenders add shepherd requirements.
Date: Fri, 5 May 2023 19:51:48 +0200

From: Josselin Poiret

* gnu/system/pam.scm (): New record type.
(pam-shepherd-service): Add Shepherd synchronization point.

* gnu/services/mail.scm (dovecot-shepherd-service)
* gnu/services/lightdm.scm (lightdm-shepherd-service)
* gnu/services/mail.scm (opensmtpd-shepherd-service)
* gnu/services/sddm.scm (sddm-shepherd-service)
* gnu/services/ssh.scm (lsh-shepherd-service, openssh-shepherd-service)
* gnu/services/xorg.scm (slim-shepherd-service, gdm-shepherd-service)
* gnu/services/base.scm (greetd-shepherd-services): Add PAM requirement.

* gnu/system/pam.scm (/etc-entry, extend-configuration,
pam-root-service-type, pam-root-service)
* gnu/services/authentication.scm (pam-ldap-pam-service)
* gnu/services/base.scm (pam-limits-service-type)
(greetd-pam-service)
* gnu/services/desktop.scm (pam-gnome-keyring)
* gnu/services/kerberos.scm (pam-krb5-pam-service)
* gnu/services/pam-mount.scm (pam-mount-pam-service): Adapt to pam-extenders.
---
 gnu/services/authentication.scm | 28 +++++++++--------
 gnu/services/base.scm           | 54 +++++++++++++++++---------------
 gnu/services/desktop.scm        | 44 ++++++++++++++------------
 gnu/services/kerberos.scm       | 44 +++++++++++++-------------
 gnu/services/lightdm.scm        | 2 +-
 gnu/services/mail.scm           | 4 +--
 gnu/services/pam-mount.scm      | 23 ++++++++------
 gnu/services/sddm.scm           | 2 +-
 gnu/services/ssh.scm            | 10 +++---
 gnu/services/xorg.scm           | 4 +--
 gnu/system/pam.scm              | 55 ++++++++++++++++++++++++++-------
 11 files changed, 160 insertions(+), 110 deletions(-)

diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm index f7becdfafb..5ec7634789 100644 --- a/gnu/services/authentication.scm +++ b/gnu/services/authentication.scm
@@ -506,19 +506,21 @@ (define (pam-ldap-pam-service config) (define pam-ldap-module #~(string-append #$(nslcd-configuration-nss-pam-ldapd config) "/lib/security/pam_ldap.so")) - (lambda (pam) - (if (member (pam-service-name pam) - (nslcd-configuration-pam-services config)) - (let ((sufficient - (pam-entry - (control "sufficient") - (module pam-ldap-module)))) - (pam-service - (inherit pam) - (auth (cons sufficient (pam-service-auth pam))) - (session (cons sufficient (pam-service-session pam))) - (account (cons sufficient (pam-service-account pam))))) - pam))) + (pam-extender + (transformer + (lambda (pam) + (if (member (pam-service-name pam) + (nslcd-configuration-pam-services config)) + (let ((sufficient + (pam-entry + (control "sufficient") + (module pam-ldap-module)))) + (pam-service + (inherit pam) + (auth (cons sufficient (pam-service-auth pam))) + (session (cons sufficient (pam-service-session pam))) + (account (cons sufficient (pam-service-account pam))))) + pam))))) (define (pam-ldap-pam-services config) (list (pam-ldap-pam-service config))) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 4adb551796..eaf5030935 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -1608,20 +1608,22 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration))) (define pam-limits-service-type (let ((pam-extension - (lambda (pam) - (let ((pam-limits (pam-entry - (control "required") - (module "pam_limits.so") - (arguments - '("conf=/etc/security/limits.conf"))))) - (if (member (pam-service-name pam) - '("login" "greetd" "su" "slim" "gdm-password" "sddm" - "sudo" "sshd")) - (pam-service - (inherit pam) - (session (cons pam-limits - (pam-service-session pam)))) - pam)))) + (pam-extender + (transformer + (lambda (pam) + (let ((pam-limits (pam-entry + (control "required") + (module "pam_limits.so") + (arguments + '("conf=/etc/security/limits.conf"))))) + (if (member (pam-service-name pam) + '("login" "greetd" "su" "slim" "gdm-password" + "sddm" "sudo" "sshd")) + (pam-service + (inherit pam) + (session (cons pam-limits + (pam-service-session pam)))) + pam)))))) ;; XXX: Using file-like objects is deprecated, use lists instead. ;; This is to be reduced into the list? case when the deprecated @@ -3269,16 +3271,18 @@ (define (greetd-pam-service config) (greetd-allow-empty-passwords? config) #:motd (greetd-motd config)) - (lambda (pam) - (if (member (pam-service-name pam) - '("login" "greetd" "su" "slim" "gdm-password")) - (pam-service - (inherit pam) - (auth (append (pam-service-auth pam) - (list optional-pam-mount))) - (session (append (pam-service-session pam) - (list optional-pam-mount)))) - pam)))) + (pam-extender + (transformer + (lambda (pam) + (if (member (pam-service-name pam) + '("login" "greetd" "su" "slim" "gdm-password")) + (pam-service + (inherit pam) + (auth (append (pam-service-auth pam) + (list optional-pam-mount))) + (session (append (pam-service-session pam) + (list optional-pam-mount)))) + pam)))))) (define (greetd-shepherd-services config) (map 
@@ -3290,7 +3294,7 @@ (define (greetd-shepherd-services config) (greetd-vt (greetd-terminal-vt tc))) (shepherd-service (documentation "Minimal and flexible login manager daemon") - (requirement '(user-processes host-name udev virtual-terminal)) + (requirement '(pam user-processes host-name udev virtual-terminal)) (provision (list (symbol-append 'term-tty (string->symbol (greetd-terminal-vt tc))))) diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index adea5b38dd..3adcfe8e5d 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -1187,10 +1187,12 @@ (define (pam-extension-procedure config) (module (file-append (elogind-package config) "/lib/security/pam_elogind.so")))) - (list (lambda (pam) - (pam-service - (inherit pam) - (session (cons pam-elogind (pam-service-session pam))))))) + (list (pam-extender + (transformer + (lambda (pam) + (pam-service + (inherit pam) + (session (cons pam-elogind (pam-service-session pam))))))))) (define (elogind-shepherd-service config) "Return a Shepherd service to start elogind according to @var{config}." 
@@ -1703,22 +1705,24 @@ (define (pam-gnome-keyring config) (arguments arguments))) (list - (lambda (service) - (case (assoc-ref (gnome-keyring-pam-services config) - (pam-service-name service)) - ((login) - (pam-service - (inherit service) - (auth (append (pam-service-auth service) - (list (%pam-keyring-entry)))) - (session (append (pam-service-session service) - (list (%pam-keyring-entry "auto_start")))))) - ((passwd) - (pam-service - (inherit service) - (password (append (pam-service-password service) - (list (%pam-keyring-entry)))))) - (else service))))) + (pam-extender + (transformer + (lambda (service) + (case (assoc-ref (gnome-keyring-pam-services config) + (pam-service-name service)) + ((login) + (pam-service + (inherit service) + (auth (append (pam-service-auth service) + (list (%pam-keyring-entry)))) + (session (append (pam-service-session service) + (list (%pam-keyring-entry "auto_start")))))) + ((passwd) + (pam-service + (inherit service) + (password (append (pam-service-password service) + (list (%pam-keyring-entry)))))) + (else service))))))) (define gnome-keyring-service-type (service-type diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm index c3c7872734..0ae7c127d1 100644 --- a/gnu/services/kerberos.scm +++ b/gnu/services/kerberos.scm 
@@ -428,27 +428,29 @@ (define-record-type* (define (pam-krb5-pam-service config) "Return a PAM service for Kerberos authentication." - (lambda (pam) - (define pam-krb5-module - #~(string-append #$(pam-krb5-configuration-pam-krb5 config) - "/lib/security/pam_krb5.so")) - - (let ((pam-krb5-sufficient - (pam-entry - (control "sufficient") - (module pam-krb5-module) - (arguments - (list - (format #f "minimum_uid=~a" - (pam-krb5-configuration-minimum-uid config))))))) - (pam-service - (inherit pam) - (auth (cons* pam-krb5-sufficient - (pam-service-auth pam))) - (session (cons* pam-krb5-sufficient - (pam-service-session pam))) - (account (cons* pam-krb5-sufficient - (pam-service-account pam))))))) + (pam-extender + (transformer + (lambda (pam) + (define pam-krb5-module + #~(string-append #$(pam-krb5-configuration-pam-krb5 config) + "/lib/security/pam_krb5.so")) + + (let ((pam-krb5-sufficient + (pam-entry + (control "sufficient") + (module pam-krb5-module) + (arguments + (list + (format #f "minimum_uid=~a" + (pam-krb5-configuration-minimum-uid config))))))) + (pam-service + (inherit pam) + (auth (cons* pam-krb5-sufficient + (pam-service-auth pam))) + (session (cons* pam-krb5-sufficient + (pam-service-session pam))) + (account (cons* pam-krb5-sufficient + (pam-service-account pam))))))))) (define (pam-krb5-pam-services config) (list (pam-krb5-pam-service config))) diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm index 0b9094cda1..b966f402d6 100644 --- a/gnu/services/lightdm.scm +++ b/gnu/services/lightdm.scm @@ -616,7 +616,7 @@ (define (lightdm-shepherd-service config) (list (shepherd-service (documentation "LightDM display manager") - (requirement '(dbus-system user-processes host-name)) + (requirement '(pam dbus-system user-processes host-name)) (provision '(lightdm display-manager xorg-server)) (respawn? #f) (start diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm index bf4948dcfb..12dcc8e71d 100644 --- a/gnu/services/mail.scm 
+++ b/gnu/services/mail.scm @@ -1578,7 +1578,7 @@ (define (dovecot-shepherd-service config) (list (shepherd-service (documentation "Run the Dovecot POP3/IMAP mail server.") (provision '(dovecot)) - (requirement '(networking)) + (requirement '(pam networking)) (start #~(make-forkexec-constructor (list (string-append #$dovecot "/sbin/dovecot") "-F"))) @@ -1676,7 +1676,7 @@ (define (opensmtpd-shepherd-service config) (package config-file shepherd-requirement) (list (shepherd-service (provision '(smtpd)) - (requirement `(loopback ,@shepherd-requirement)) + (requirement `(pam loopback ,@shepherd-requirement)) (documentation "Run the OpenSMTPD daemon.") (start (let ((smtpd (file-append package "/sbin/smtpd"))) #~(make-forkexec-constructor diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm index e60781d05b..3e6667af9c 100644 --- a/gnu/services/pam-mount.scm +++ b/gnu/services/pam-mount.scm @@ -88,16 +88,19 @@ (define (pam-mount-pam-service config) (pam-entry (control "optional") (module #~(string-append #$pam-mount "/lib/security/pam_mount.so")))) - (list (lambda (pam) - (if (member (pam-service-name pam) - '("login" "greetd" "su" "slim" "gdm-password" "sddm")) - (pam-service - (inherit pam) - (auth (append (pam-service-auth pam) - (list optional-pam-mount))) - (session (append (pam-service-session pam) - (list optional-pam-mount)))) - pam)))) + (list + (pam-extender + (transformer + (lambda (pam) + (if (member (pam-service-name pam) + '("login" "greetd" "su" "slim" "gdm-password" "sddm")) + (pam-service + (inherit pam) + (auth (append (pam-service-auth pam) + (list optional-pam-mount))) + (session (append (pam-service-session pam) + (list optional-pam-mount)))) + pam)))))) (define pam-mount-service-type (service-type diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm index 9e02f1cc81..c9a7ba96f4 100644 --- a/gnu/services/sddm.scm +++ b/gnu/services/sddm.scm 
@@ -169,7 +169,7 @@ (define (sddm-shepherd-service config) (list (shepherd-service (documentation "SDDM display manager.") - (requirement '(user-processes elogind)) + (requirement '(user-processes elogind pam)) (provision '(xorg-server display-manager)) (start #~(make-forkexec-constructor #$sddm-command)) (stop #~(make-kill-destructor))))) diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index b76544c1a8..de5afdaa1a 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -197,9 +197,11 @@ (define (lsh-shepherd-service config) interfaces))))) (define requires - (if (and daemonic? (lsh-configuration-syslog-output? config)) - '(networking syslogd) - '(networking))) + `(networking + pam + ,@(if (and daemonic? (lsh-configuration-syslog-output? config)) + '(syslogd) + '()))) (list (shepherd-service (documentation "GNU lsh SSH server") @@ -566,7 +568,7 @@ (define (openssh-shepherd-service config) (list (shepherd-service (documentation "OpenSSH server.") - (requirement '(syslogd loopback)) + (requirement '(pam syslogd loopback)) (provision '(ssh-daemon ssh sshd)) (start #~(if #$inetd-style? diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 7295a45b59..8b6080fd26 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -667,7 +667,7 @@ (define (slim-shepherd-service config) (list (symbol-append 'xorg-server- (string->symbol vt))))) - (requirement '(user-processes host-name udev)) + (requirement '(pam user-processes host-name udev)) (start #~(lambda () ;; A stale lock file can prevent SLiM from starting, so remove it to @@ -1119,7 +1119,7 @@ (define (gdm-shepherd-service config) (list (shepherd-service (documentation "Xorg display server (GDM)") (provision '(xorg-server)) - (requirement '(dbus-system user-processes host-name udev elogind)) + (requirement '(dbus-system pam user-processes host-name udev elogind)) (start #~(lambda () (fork+exec-command (list #$(file-append (gdm-configuration-gdm config) 
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index b635681642..6d9a7484c3 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -21,6 +21,7 @@ (define-module (gnu system pam) #:use-module (guix derivations) #:use-module (guix gexp) #:use-module (gnu services) + #:use-module (gnu services shepherd) #:use-module (gnu system setuid) #:use-module (ice-9 match) #:use-module (srfi srfi-1) @@ -55,6 +56,10 @@ (define-module (gnu system pam) session-environment-service session-environment-service-type + pam-extender + pam-extender-transformer + pam-extender-shepherd-requirements + pam-root-service-type pam-root-service)) 
@@ -347,32 +352,58 @@ (define (session-environment-service vars) ;;; PAM root service. ;;; +;; A PAM transformer consists of a procedure acting on each PAM entry, with an +;; additional list of shepherd-requirements that the meta PAM sheherd service +;; will rely on. +(define-record-type* + pam-extender make-pam-extender pam-extender? + (transformer pam-extender-transformer) + (shepherd-requirements pam-extender-shepherd-requirements + (default '()))) + ;; Overall PAM configuration: a list of services, plus a procedure that takes ;; one and returns a . The procedure is used to ;; implement cross-cutting concerns such as the use of the 'elogind.so' ;; session module that keeps track of logged-in users. (define-record-type* - pam-configuration make-pam-configuration? pam-configuration? + pam-configuration make-pam-configuration pam-configuration? (services pam-configuration-services) ;list of - (transform pam-configuration-transform)) ;procedure + (extenders pam-configuration-extenders)) ;list of (define (/etc-entry config) "Return the /etc/pam.d entry corresponding to CONFIG." (match config - (($ services transform) - (let ((services (map transform services))) + (($ services extenders) + (let ((services + (map + ;; XXX We need to add identity because compose expects at least + ;; one argument for some reason. + (apply compose (cons identity (map pam-extender-transformer extenders))) + services))) `(("pam.d" ,(pam-services->directory services))))))) +(define (pam-shepherd-service config) + (define requirements + (match config + (($ services extenders) + (concatenate (map pam-extender-shepherd-requirements extenders))))) + (list (shepherd-service + (documentation "Synchronization point for services that need to be +started for PAM to work.") + (provision '(pam)) + (requirement requirements) + (start #~(const #t)) + (stop #~(const #t))))) + (define (extend-configuration initial extensions) "Extend INITIAL with NEW." 
- (let-values (((services procs) + (let-values (((services extenders) (partition pam-service? extensions))) (pam-configuration (services (append (pam-configuration-services initial) services)) - (transform (apply compose - (pam-configuration-transform initial) - procs))))) + (extenders (append (pam-configuration-extenders initial) + extenders))))) (define pam-root-service-type (service-type (name 'pam) @@ -382,7 +413,9 @@ (define pam-root-service-type (lambda (_) (list (file-like->setuid-program (file-append linux-pam "/sbin/unix_chkpwd"))))) - (service-extension etc-service-type /etc-entry))) + (service-extension etc-service-type /etc-entry) + (service-extension shepherd-root-service-type + pam-shepherd-service))) ;; Arguments include as well as procedures. (compose concatenate) @@ -394,7 +427,7 @@ (define pam-root-service-type program may authenticate users or what it should do when opening a new session."))) -(define* (pam-root-service base #:key (transform identity)) +(define* (pam-root-service base #:key (extenders '())) "The \"root\" PAM service, which collects instance and turns them into a /etc/pam.d directory, including the listed in BASE. TRANSFORM is a procedure that takes a and returns a 
@@ -402,6 +435,6 @@ (define* (pam-root-service base #:key (transform identity)) all the PAM services." (service pam-root-service-type (pam-configuration (services base) - (transform transform)))) + (extenders extenders)))) -- 2.39.2
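
Review bot: backward compatibility is lost in extend-configuration (gnu/system/pam.scm, hunk @@ -347,32 +352,58 @@): every extension that is not a pam-service now lands in the extenders list, and /etc-entry calls pam-extender-transformer on each element, so a service that still extends pam-root-service-type with a bare procedure fails at that accessor instead of being composed as before. Convert bare procedures up front, for example with (pam-extender (transformer proc)) plus a deprecation warning, before the partition. In the same hunk, pam-shepherd-service concatenates the requirement lists without removing duplicates; running the result through delete-duplicates (srfi-1 is already imported in this module) keeps (requirement requirements) free of repeated symbols when two extenders name the same service, and the new procedure also lacks a docstring.
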
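
Review bot: the #:transform keyword of pam-root-service is removed outright in the @@ -394,7 +427,7 @@ hunk of gnu/system/pam.scm, while the docstring kept as context still documents TRANSFORM. Callers that pass #:transform will no longer work and get no deprecation notice; either keep accepting the keyword and wrap its procedure in a pam-extender, or announce the removal, and rewrite the docstring to describe EXTENDERS. The comment "as well as procedures" left in pam-root-service-type in the preceding hunk needs the same update.
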
From: Josselin Poiret
To: 63314@debbugs.gnu.org
Subject: [PATCH 2/2] services: elogind: Add elogind as a shepherd PAM requirement.
Date: Fri, 5 May 2023 19:51:49 +0200

* gnu/services/desktop.scm (pam-extension-procedure): Add the elogind shepherd
requirement to the PAM extender.
---
 gnu/services/desktop.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 3adcfe8e5d..d62536a27e 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm
@@ -1192,7 +1192,8 @@ (define (pam-extension-procedure config) (lambda (pam) (pam-service (inherit pam) - (session (cons pam-elogind (pam-service-session pam))))))))) + (session (cons pam-elogind (pam-service-session pam)))))) + (shepherd-requirements '(elogind))))) (define (elogind-shepherd-service config) "Return a Shepherd service to start elogind according to @var{config}." -- 2.39.2
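
Review bot: the (shepherd-requirements '(elogind)) line added to the extender in pam-extension-procedure widens the dependency of more than the display managers, and the commit message does not say so. With patch 1 applied, the pam synchronization service now requires elogind, and patch 1 puts pam into the requirements of openssh, lsh, dovecot and opensmtpd as well as greetd, gdm, sddm, slim and lightdm. On a system that uses the elogind service, a failed or slow elogind start therefore also keeps sshd and the mail daemons from starting. That is consistent with the transformer, which adds pam-elogind to the session stack of every PAM service without a name filter, but the commit message should state the wider effect so that administrators of headless machines know remote login availability now depends on elogind.
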
From: Ludovic Courtès
To: Josselin Poiret
Subject: Re: bug#63314: [PATCH 0/2] Add PAM shepherd requirements
Date: Mon, 08 May 2023 11:45:05 +0200
Cc: 63314@debbugs.gnu.org

Hello!

Josselin Poiret wrote:

> From: Josselin Poiret
>
> * gnu/system/pam.scm (): New record type.
> (pam-shepherd-service): Add Shepherd synchronization point.
>
> * gnu/services/mail.scm (dovecot-shepherd-service)
> * gnu/services/lightdm.scm (lightdm-shepherd-service)
> * gnu/services/mail.scm (opensmtpd-shepherd-service)
> * gnu/services/sddm.scm (sddm-shepherd-service)
> * gnu/services/ssh.scm (lsh-shepherd-service, openssh-shepherd-service)
> * gnu/services/xorg.scm (slim-shepherd-service, gdm-shepherd-service)
> * gnu/services/base.scm (greetd-shepherd-services): Add PAM requirement.
>
> * gnu/system/pam.scm (/etc-entry, extend-configuration,
> pam-root-service-type, pam-root-service)
> * gnu/services/authentication.scm (pam-ldap-pam-service)
> * gnu/services/base.scm (pam-limits-service-type)
> (greetd-pam-service)
> * gnu/services/desktop.scm (pam-gnome-keyring)
> * gnu/services/kerberos.scm (pam-krb5-pam-service)
> * gnu/services/pam-mount.scm (pam-mount-pam-service): Adapt to pam-extenders.

The approach looks reasonable to me, well done!

> +;; A PAM transformer consists of a procedure acting on each PAM entry, w= ith an > +;; additional list of shepherd-requirements that the meta PAM sheherd se= rvice > +;; will rely on. > +(define-record-type* > + pam-extender make-pam-extender pam-extender? > + (transformer pam-extender-transformer) > + (shepherd-requirements pam-extender-shepherd-requirements > + (default '())))

I would call it (similar to ).

There’s a typo in the comment (“sheherd”); s/rely on/depend on/.

> ;; Overall PAM configuration: a list of services, plus a procedure that = takes > ;; one and returns a . The procedure is used= to > ;; implement cross-cutting concerns such as the use of the 'elogind.so' > ;; session module that keeps track of logged-in users. > (define-record-type* > - pam-configuration make-pam-configuration? pam-configuration? > + pam-configuration make-pam-configuration pam-configuration? > (services pam-configuration-services) ;list of > - (transform pam-configuration-transform)) ;procedure > + (extenders pam-configuration-extenders)) ;list of

Instead of storing extensions, we should keep the full configuration
here (similar to ).  That is, remove ‘extenders’ and instead add
‘shepherd-requirements’.

> +(define (pam-shepherd-service config) > + (define requirements > + (match config > + (($ services extenders) > + (concatenate (map pam-extender-shepherd-requirements extenders)))= ))

Rather: (append-map …)

Also please add a docstring.

> (define (extend-configuration initial extensions) > "Extend INITIAL with NEW." > - (let-values (((services procs) > + (let-values (((services extenders) > (partition pam-service? extensions))) > (pam-configuration > (services (append (pam-configuration-services initial) > services)) > - (transform (apply compose > - (pam-configuration-transform initial) > - procs))))) > + (extenders (append (pam-configuration-extenders initial) > + extenders)))))

This would need to be adjusted accordingly.

Also, we need to preserve backward compatibility, so we should first do
something like:

  (let ((extensions (map (lambda (extension)
                           (if (pam-extension? extension)
                               extension
                               (begin
                                 (warn-about-deprecation …)
                                 (pam-extension (transformer extension)))))
                         extensions)))
    …)

Ludo’.

From: Ludovic Courtès
To: Josselin Poiret
Subject: Re: bug#63314: [PATCH 0/2] Add PAM shepherd requirements
Date: Mon, 08 May 2023 11:46:14 +0200
Message-ID: <87mt2fdul5.fsf_-_@gnu.org>

Josselin Poiret skribis:

> From: Josselin Poiret > > * gnu/services/desktop.scm (pam-extension-procedure): Add the elogind shepherd > requirement to the PAM extender. > --- > gnu/services/desktop.scm | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm > index 3adcfe8e5d..d62536a27e 100644 > --- a/gnu/services/desktop.scm > +++ b/gnu/services/desktop.scm
> @@ -1192,7 +1192,8 @@ (define (pam-extension-procedure config) > (lambda (pam) > (pam-service > (inherit pam) > - (session (cons pam-elogind (pam-service-session pam))))))))) > + (session (cons pam-elogind (pam-service-session pam)))))) > + (shepherd-requirements '(elogind)))))

LGTM. Should we add a greetd system test that catches the bug?

Ludo’.

From: Josselin Poiret
To: Ludovic Courtès, Josselin Poiret
Subject: [PATCH v2 0/2] Add PAM shepherd requirements
Date: Tue, 9 May 2023 18:45:06 +0200
In-Reply-To: <87r0rrdun2.fsf_-_@gnu.org>

Hi Ludo,

Thanks for the review. Here is an updated patchset with the changes you requested. I don't think it's possible to have a reliable system test to check for the greetd issue, since it is a race problem in the end.

Best,

Josselin Poiret (2):
  system: pam: Let PAM extensions add shepherd requirements.
  services: elogind: Add elogind as a shepherd PAM requirement.

 gnu/services/authentication.scm | 28 ++++++------
 gnu/services/base.scm           | 54 +++++++++++-----------
 gnu/services/desktop.scm        | 45 ++++++++++---------
 gnu/services/kerberos.scm       | 44 +++++++++---------
 gnu/services/lightdm.scm        |  2 +-
 gnu/services/mail.scm           |  4 +-
 gnu/services/pam-mount.scm      | 23 +++++-----
 gnu/services/sddm.scm           |  2 +-
 gnu/services/ssh.scm            | 10 +++--
 gnu/services/xorg.scm           |  4 +-
 gnu/system/pam.scm              | 80 +++++++++++++++++++++++++++------
 11 files changed, 184 insertions(+), 112 deletions(-)

base-commit: a759cbffafbf67b3a03c80b5bdbe3f3478affc50
-- 
2.39.2

From: Josselin Poiret
To: Ludovic Courtès, Josselin Poiret
Subject: [PATCH v2 2/2] services: elogind: Add elogind as a shepherd PAM requirement.
Date: Tue, 9 May 2023 18:45:08 +0200

From: Josselin Poiret

* gnu/services/desktop.scm (pam-extension-procedure): Add the elogind shepherd requirement to the PAM extension.

--- gnu/services/desktop.scm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 6b1b21cf80..64eac1117d 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm
@@ -1192,7 +1192,8 @@ (define (pam-extension-procedure config) (lambda (pam) (pam-service (inherit pam) - (session (cons pam-elogind (pam-service-session pam))))))))) + (session (cons pam-elogind (pam-service-session pam)))))) + (shepherd-requirements '(elogind))))) (define (elogind-shepherd-service config) "Return a Shepherd service to start elogind according to @var{config}." -- 2.39.2
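
Review bot: the (shepherd-requirements '(elogind)) line in pam-extension-procedure ties every dependent of the shared 'pam' Shepherd service to elogind, not only greetd. Patch 1/2 adds 'pam' to the requirements of openssh, lsh, dovecot and opensmtpd, so on a system that uses this extension those daemons now wait for elogind and will not be started if elogind fails to come up. Please say so in the commit message or the manual, so that administrators who rely on sshd for remote access know it has gained that dependency. The gdm and sddm services in 1/2 also keep their explicit 'elogind' requirement next to 'pam'; that is harmless but redundant once this lands.
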
From: Josselin Poiret
To: Ludovic Courtès, Josselin Poiret
Subject: [PATCH v2 1/2] system: pam: Let PAM extensions add shepherd requirements.
Date: Tue, 9 May 2023 18:45:07 +0200
Message-Id: <9371fcad4037f991a3c003f550c8c080f15271f6.1683650554.git.dev@jpoiret.xyz>

From: Josselin Poiret * gnu/system/pam.scm (): New record type. (pam-shepherd-service): Add Shepherd synchronization point. * gnu/services/mail.scm (dovecot-shepherd-service) * gnu/services/lightdm.scm (lightdm-shepherd-service) * gnu/services/mail.scm (opensmtpd-shepherd-service) * gnu/services/sddm.scm (sddm-shepherd-service) * gnu/services/ssh.scm (lsh-shepherd-service, openssh-shepherd-service) * gnu/services/xorg.scm (slim-shepherd-service, gdm-shepherd-service) * gnu/services/base.scm (greetd-shepherd-services): Add PAM requirement. * gnu/system/pam.scm (/etc-entry, extend-configuration, pam-root-service-type, pam-root-service) * gnu/services/authentication.scm (pam-ldap-pam-service) * gnu/services/base.scm (pam-limits-service-type) (greetd-pam-service) * gnu/services/desktop.scm (pam-gnome-keyring) * gnu/services/kerberos.scm (pam-krb5-pam-service) * gnu/services/pam-mount.scm (pam-mount-pam-service): Adapt to use pam-extension. --- gnu/services/authentication.scm | 28 ++++++------ gnu/services/base.scm | 54 +++++++++++----------- gnu/services/desktop.scm | 44 +++++++++--------- gnu/services/kerberos.scm | 44 +++++++++--------- gnu/services/lightdm.scm | 2 +- gnu/services/mail.scm | 4 +- gnu/services/pam-mount.scm | 23 +++++----- gnu/services/sddm.scm | 2 +- gnu/services/ssh.scm | 10 +++-- gnu/services/xorg.scm | 4 +- gnu/system/pam.scm | 80 +++++++++++++++++++++++++++------ 11 files changed, 183 insertions(+), 112 deletions(-) diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm index f7becdfafb..f1ad1b1afe 100644 --- a/gnu/services/authentication.scm +++ b/gnu/services/authentication.scm 
@@ -506,19 +506,21 @@ (define (pam-ldap-pam-service config) (define pam-ldap-module #~(string-append #$(nslcd-configuration-nss-pam-ldapd config) "/lib/security/pam_ldap.so")) - (lambda (pam) - (if (member (pam-service-name pam) - (nslcd-configuration-pam-services config)) - (let ((sufficient - (pam-entry - (control "sufficient") - (module pam-ldap-module)))) - (pam-service - (inherit pam) - (auth (cons sufficient (pam-service-auth pam))) - (session (cons sufficient (pam-service-session pam))) - (account (cons sufficient (pam-service-account pam))))) - pam))) + (pam-extension + (transformer + (lambda (pam) + (if (member (pam-service-name pam) + (nslcd-configuration-pam-services config)) + (let ((sufficient + (pam-entry + (control "sufficient") + (module pam-ldap-module)))) + (pam-service + (inherit pam) + (auth (cons sufficient (pam-service-auth pam))) + (session (cons sufficient (pam-service-session pam))) + (account (cons sufficient (pam-service-account pam))))) + pam))))) (define (pam-ldap-pam-services config) (list (pam-ldap-pam-service config))) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 4adb551796..a69e99343b 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -1608,20 +1608,22 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration))) (define pam-limits-service-type (let ((pam-extension - (lambda (pam) - (let ((pam-limits (pam-entry - (control "required") - (module "pam_limits.so") - (arguments - '("conf=/etc/security/limits.conf"))))) - (if (member (pam-service-name pam) - '("login" "greetd" "su" "slim" "gdm-password" "sddm" - "sudo" "sshd")) - (pam-service - (inherit pam) - (session (cons pam-limits - (pam-service-session pam)))) - pam)))) + (pam-extension + (transformer + (lambda (pam) + (let ((pam-limits (pam-entry + (control "required") + (module "pam_limits.so") + (arguments + '("conf=/etc/security/limits.conf"))))) + (if (member (pam-service-name pam) + '("login" "greetd" "su" "slim" "gdm-password" + "sddm" "sudo" "sshd")) + (pam-service + (inherit pam) + (session (cons pam-limits + (pam-service-session pam)))) + pam)))))) ;; XXX: Using file-like objects is deprecated, use lists instead. ;; This is to be reduced into the list? case when the deprecated @@ -3269,16 +3271,18 @@ (define (greetd-pam-service config) (greetd-allow-empty-passwords? config) #:motd (greetd-motd config)) - (lambda (pam) - (if (member (pam-service-name pam) - '("login" "greetd" "su" "slim" "gdm-password")) - (pam-service - (inherit pam) - (auth (append (pam-service-auth pam) - (list optional-pam-mount))) - (session (append (pam-service-session pam) - (list optional-pam-mount)))) - pam)))) + (pam-extension + (transformer + (lambda (pam) + (if (member (pam-service-name pam) + '("login" "greetd" "su" "slim" "gdm-password")) + (pam-service + (inherit pam) + (auth (append (pam-service-auth pam) + (list optional-pam-mount))) + (session (append (pam-service-session pam) + (list optional-pam-mount)))) + pam)))))) (define (greetd-shepherd-services config) (map 
@@ -3290,7 +3294,7 @@ (define (greetd-shepherd-services config) (greetd-vt (greetd-terminal-vt tc))) (shepherd-service (documentation "Minimal and flexible login manager daemon") - (requirement '(user-processes host-name udev virtual-terminal)) + (requirement '(pam user-processes host-name udev virtual-terminal)) (provision (list (symbol-append 'term-tty (string->symbol (greetd-terminal-vt tc))))) diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index adea5b38dd..6b1b21cf80 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -1187,10 +1187,12 @@ (define (pam-extension-procedure config) (module (file-append (elogind-package config) "/lib/security/pam_elogind.so")))) - (list (lambda (pam) - (pam-service - (inherit pam) - (session (cons pam-elogind (pam-service-session pam))))))) + (list (pam-extension + (transformer + (lambda (pam) + (pam-service + (inherit pam) + (session (cons pam-elogind (pam-service-session pam))))))))) (define (elogind-shepherd-service config) "Return a Shepherd service to start elogind according to @var{config}." 
@@ -1703,22 +1705,24 @@ (define (pam-gnome-keyring config) (arguments arguments))) (list - (lambda (service) - (case (assoc-ref (gnome-keyring-pam-services config) - (pam-service-name service)) - ((login) - (pam-service - (inherit service) - (auth (append (pam-service-auth service) - (list (%pam-keyring-entry)))) - (session (append (pam-service-session service) - (list (%pam-keyring-entry "auto_start")))))) - ((passwd) - (pam-service - (inherit service) - (password (append (pam-service-password service) - (list (%pam-keyring-entry)))))) - (else service))))) + (pam-extension + (transformer + (lambda (service) + (case (assoc-ref (gnome-keyring-pam-services config) + (pam-service-name service)) + ((login) + (pam-service + (inherit service) + (auth (append (pam-service-auth service) + (list (%pam-keyring-entry)))) + (session (append (pam-service-session service) + (list (%pam-keyring-entry "auto_start")))))) + ((passwd) + (pam-service + (inherit service) + (password (append (pam-service-password service) + (list (%pam-keyring-entry)))))) + (else service))))))) (define gnome-keyring-service-type (service-type diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm index c3c7872734..1a1b37f890 100644 --- a/gnu/services/kerberos.scm +++ b/gnu/services/kerberos.scm 
@@ -428,27 +428,29 @@ (define-record-type* (define (pam-krb5-pam-service config) "Return a PAM service for Kerberos authentication." - (lambda (pam) - (define pam-krb5-module - #~(string-append #$(pam-krb5-configuration-pam-krb5 config) - "/lib/security/pam_krb5.so")) - - (let ((pam-krb5-sufficient - (pam-entry - (control "sufficient") - (module pam-krb5-module) - (arguments - (list - (format #f "minimum_uid=~a" - (pam-krb5-configuration-minimum-uid config))))))) - (pam-service - (inherit pam) - (auth (cons* pam-krb5-sufficient - (pam-service-auth pam))) - (session (cons* pam-krb5-sufficient - (pam-service-session pam))) - (account (cons* pam-krb5-sufficient - (pam-service-account pam))))))) + (pam-extension + (transformer + (lambda (pam) + (define pam-krb5-module + #~(string-append #$(pam-krb5-configuration-pam-krb5 config) + "/lib/security/pam_krb5.so")) + + (let ((pam-krb5-sufficient + (pam-entry + (control "sufficient") + (module pam-krb5-module) + (arguments + (list + (format #f "minimum_uid=~a" + (pam-krb5-configuration-minimum-uid config))))))) + (pam-service + (inherit pam) + (auth (cons* pam-krb5-sufficient + (pam-service-auth pam))) + (session (cons* pam-krb5-sufficient + (pam-service-session pam))) + (account (cons* pam-krb5-sufficient + (pam-service-account pam))))))))) (define (pam-krb5-pam-services config) (list (pam-krb5-pam-service config))) diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm index 0b9094cda1..b966f402d6 100644 --- a/gnu/services/lightdm.scm +++ b/gnu/services/lightdm.scm @@ -616,7 +616,7 @@ (define (lightdm-shepherd-service config) (list (shepherd-service (documentation "LightDM display manager") - (requirement '(dbus-system user-processes host-name)) + (requirement '(pam dbus-system user-processes host-name)) (provision '(lightdm display-manager xorg-server)) (respawn? #f) (start diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm index bf4948dcfb..12dcc8e71d 100644 --- a/gnu/services/mail.scm 
+++ b/gnu/services/mail.scm @@ -1578,7 +1578,7 @@ (define (dovecot-shepherd-service config) (list (shepherd-service (documentation "Run the Dovecot POP3/IMAP mail server.") (provision '(dovecot)) - (requirement '(networking)) + (requirement '(pam networking)) (start #~(make-forkexec-constructor (list (string-append #$dovecot "/sbin/dovecot") "-F"))) @@ -1676,7 +1676,7 @@ (define (opensmtpd-shepherd-service config) (package config-file shepherd-requirement) (list (shepherd-service (provision '(smtpd)) - (requirement `(loopback ,@shepherd-requirement)) + (requirement `(pam loopback ,@shepherd-requirement)) (documentation "Run the OpenSMTPD daemon.") (start (let ((smtpd (file-append package "/sbin/smtpd"))) #~(make-forkexec-constructor diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm index e60781d05b..21c34ddd61 100644 --- a/gnu/services/pam-mount.scm +++ b/gnu/services/pam-mount.scm @@ -88,16 +88,19 @@ (define (pam-mount-pam-service config) (pam-entry (control "optional") (module #~(string-append #$pam-mount "/lib/security/pam_mount.so")))) - (list (lambda (pam) - (if (member (pam-service-name pam) - '("login" "greetd" "su" "slim" "gdm-password" "sddm")) - (pam-service - (inherit pam) - (auth (append (pam-service-auth pam) - (list optional-pam-mount))) - (session (append (pam-service-session pam) - (list optional-pam-mount)))) - pam)))) + (list + (pam-extension + (transformer + (lambda (pam) + (if (member (pam-service-name pam) + '("login" "greetd" "su" "slim" "gdm-password" "sddm")) + (pam-service + (inherit pam) + (auth (append (pam-service-auth pam) + (list optional-pam-mount))) + (session (append (pam-service-session pam) + (list optional-pam-mount)))) + pam)))))) (define pam-mount-service-type (service-type diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm index 9e02f1cc81..c9a7ba96f4 100644 --- a/gnu/services/sddm.scm +++ b/gnu/services/sddm.scm 
@@ -169,7 +169,7 @@ (define (sddm-shepherd-service config) (list (shepherd-service (documentation "SDDM display manager.") - (requirement '(user-processes elogind)) + (requirement '(user-processes elogind pam)) (provision '(xorg-server display-manager)) (start #~(make-forkexec-constructor #$sddm-command)) (stop #~(make-kill-destructor))))) diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index b76544c1a8..de5afdaa1a 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -197,9 +197,11 @@ (define (lsh-shepherd-service config) interfaces))))) (define requires - (if (and daemonic? (lsh-configuration-syslog-output? config)) - '(networking syslogd) - '(networking))) + `(networking + pam + ,@(if (and daemonic? (lsh-configuration-syslog-output? config)) + '(syslogd) + '()))) (list (shepherd-service (documentation "GNU lsh SSH server") @@ -566,7 +568,7 @@ (define (openssh-shepherd-service config) (list (shepherd-service (documentation "OpenSSH server.") - (requirement '(syslogd loopback)) + (requirement '(pam syslogd loopback)) (provision '(ssh-daemon ssh sshd)) (start #~(if #$inetd-style? diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 7295a45b59..8b6080fd26 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -667,7 +667,7 @@ (define (slim-shepherd-service config) (list (symbol-append 'xorg-server- (string->symbol vt))))) - (requirement '(user-processes host-name udev)) + (requirement '(pam user-processes host-name udev)) (start #~(lambda () ;; A stale lock file can prevent SLiM from starting, so remove it to @@ -1119,7 +1119,7 @@ (define (gdm-shepherd-service config) (list (shepherd-service (documentation "Xorg display server (GDM)") (provision '(xorg-server)) - (requirement '(dbus-system user-processes host-name udev elogind)) + (requirement '(dbus-system pam user-processes host-name udev elogind)) (start #~(lambda () (fork+exec-command (list #$(file-append (gdm-configuration-gdm config) 
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index b635681642..f624064999 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -19,8 +19,11 @@ (define-module (gnu system pam) #:use-module (guix records) #:use-module (guix derivations) + #:use-module (guix diagnostics) #:use-module (guix gexp) + #:use-module (guix i18n) #:use-module (gnu services) + #:use-module (gnu services shepherd) #:use-module (gnu system setuid) #:use-module (ice-9 match) #:use-module (srfi srfi-1) @@ -55,6 +58,10 @@ (define-module (gnu system pam) session-environment-service session-environment-service-type + pam-extension + pam-extension-transformer + pam-extension-shepherd-requirements + pam-root-service-type pam-root-service)) 
@@ -347,32 +354,76 @@ (define (session-environment-service vars) ;;; PAM root service. ;;; +;; A PAM transformer consists of a procedure acting on each PAM entry, with an +;; additional list of shepherd-requirements that the meta PAM shepherd service +;; will depend on. +(define-record-type* + pam-extension make-pam-extension pam-extension? + (transformer pam-extension-transformer) + (shepherd-requirements pam-extension-shepherd-requirements + (default '()))) + ;; Overall PAM configuration: a list of services, plus a procedure that takes ;; one and returns a . The procedure is used to ;; implement cross-cutting concerns such as the use of the 'elogind.so' ;; session module that keeps track of logged-in users. (define-record-type* - pam-configuration make-pam-configuration? pam-configuration? - (services pam-configuration-services) ;list of - (transform pam-configuration-transform)) ;procedure + pam-configuration make-pam-configuration pam-configuration? + ;list of + (services pam-configuration-services) + ;list of procedures -> + (transformers pam-configuration-transformers) + ;list of symbols + (shepherd-requirements pam-configuration-shepherd-requirements)) (define (/etc-entry config) "Return the /etc/pam.d entry corresponding to CONFIG." (match config - (($ services transform) - (let ((services (map transform services))) + (($ services transformers shepherd-requirements) + (let ((services + (map + ;; XXX We need to add identity because compose expects at least + ;; one argument for some reason. + (apply compose (cons identity transformers)) + services))) `(("pam.d" ,(pam-services->directory services))))))) +(define (pam-shepherd-service config) + "Return the PAM synchronization shepherd service corresponding to CONFIG." 
+ (match config + (($ services transformers shepherd-requirements) + (list (shepherd-service + (documentation "Synchronization point for services that need to be +started for PAM to work.") + (provision '(pam)) + (requirement shepherd-requirements) + (start #~(const #t)) + (stop #~(const #t))))))) + (define (extend-configuration initial extensions) "Extend INITIAL with NEW." - (let-values (((services procs) - (partition pam-service? extensions))) + ;; TODO: Remove deprecation shim. + (define cleaned-extensions + (map + (lambda (ext) + (cond + ((procedure? ext) + (begin + (warning (G_ "pam-root-service-type transformer extensions should\ +now use the record.")) + (pam-extension (transformer ext)))) + (#t ext))) + extensions)) + (let-values (((services pam-extensions) + (partition pam-service? cleaned-extensions))) (pam-configuration (services (append (pam-configuration-services initial) services)) - (transform (apply compose - (pam-configuration-transform initial) - procs))))) + (transformers (append (pam-configuration-transformers initial) + (map pam-extension-transformer pam-extensions))) + (shepherd-requirements + (append (pam-configuration-shepherd-requirements initial) + (append-map pam-extension-shepherd-requirements pam-extensions)))))) (define pam-root-service-type (service-type (name 'pam) @@ -382,7 +433,9 @@ (define pam-root-service-type (lambda (_) (list (file-like->setuid-program (file-append linux-pam "/sbin/unix_chkpwd"))))) - (service-extension etc-service-type /etc-entry))) + (service-extension etc-service-type /etc-entry) + (service-extension shepherd-root-service-type + pam-shepherd-service))) ;; Arguments include as well as procedures. (compose concatenate) 
@@ -394,7 +447,7 @@ (define pam-root-service-type program may authenticate users or what it should do when opening a new session."))) -(define* (pam-root-service base #:key (transform identity)) +(define* (pam-root-service base #:key (transformers '()) (shepherd-requirements '())) "The \"root\" PAM service, which collects instance and turns them into a /etc/pam.d directory, including the listed in BASE. TRANSFORM is a procedure that takes a and returns a 
@@ -402,6 +455,7 @@ (define* (pam-root-service base #:key (transform identity)) all the PAM services." (service pam-root-service-type (pam-configuration (services base) - (transform transform)))) + (transformers transformers) + (shepherd-requirements shepherd-requirements)))) -- 2.39.2
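
Review bot: in pam-shepherd-service (gnu/system/pam.scm, hunk @@ -347,32 +354,76 @@), (stop #~(const #t)) returns a true value, while Shepherd's documented contract is that 'stop' returns #f once the service has been stopped, so the 'pam' service would still be considered running after a stop request. Suggest (stop #~(const #f)). In the same hunk, the deprecation warning string in extend-configuration is split with a backslash-newline right after "should", which Guile joins without a space, so the message reads "shouldnow use"; put a space before the backslash and end the format string with ~% like other (guix diagnostics) messages. The (begin ...) inside the cond clause is not needed, and (#t ext) would be more idiomatic as (else ext).
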
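
Review bot: the new pam-root-service signature (gnu/system/pam.scm, hunk @@ -394,7 +447,7 @@) drops the #:transform keyword with no compatibility shim, unlike extend-configuration, which still accepts bare procedures and warns. Since define* is used without #:allow-other-keys, existing callers that pass #:transform will fail with an unrecognized-keyword error. Either keep #:transform as a deprecated keyword that is added to TRANSFORMERS, or record the incompatibility in the commit log. The docstring in the context lines still documents TRANSFORM and should describe TRANSFORMERS and SHEPHERD-REQUIREMENTS instead; the new define* line is also longer than 80 columns.
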
From: Ludovic Courtès
To: Josselin Poiret
Subject: Re: [PATCH v2 1/2] system: pam: Let PAM extensions add shepherd requirements.
Date: Thu, 11 May 2023 13:15:42 +0200
Message-ID: <8735435db5.fsf@gnu.org>

Hi,

Josselin Poiret skribis:

> From: Josselin Poiret
>
> * gnu/system/pam.scm (): New record type.
> (pam-shepherd-service): Add Shepherd synchronization point.
>
> * gnu/services/mail.scm (dovecot-shepherd-service)
> * gnu/services/lightdm.scm (lightdm-shepherd-service)
> * gnu/services/mail.scm (opensmtpd-shepherd-service)
> * gnu/services/sddm.scm (sddm-shepherd-service)
> * gnu/services/ssh.scm (lsh-shepherd-service, openssh-shepherd-service)
> * gnu/services/xorg.scm (slim-shepherd-service, gdm-shepherd-service)
> * gnu/services/base.scm (greetd-shepherd-services): Add PAM requirement.
>
> * gnu/system/pam.scm (/etc-entry, extend-configuration,
> pam-root-service-type, pam-root-service)
> * gnu/services/authentication.scm (pam-ldap-pam-service)
> * gnu/services/base.scm (pam-limits-service-type)
> (greetd-pam-service)
> * gnu/services/desktop.scm (pam-gnome-keyring)
> * gnu/services/kerberos.scm (pam-krb5-pam-service)
> * gnu/services/pam-mount.scm (pam-mount-pam-service): Adapt to use
> pam-extension.

Excellent! I committed with the cosmetic changes below:

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index f624064999..adc40c975f 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2013-2017, 2019-2021 Ludovic Court=C3=A8s +;;; Copyright =C2=A9 2023 Josselin Poiret ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -354,9 +355,9 @@ (define (session-environment-service vars) ;;; PAM root service. ;;; =20 -;; A PAM transformer consists of a procedure acting on each PAM entry, wit= h an -;; additional list of shepherd-requirements that the meta PAM shepherd ser= vice -;; will depend on. +;; Extension of the PAM configuration. A PAM transformer consists of a +;; procedure acting on each PAM entry; 'shepherd-requirements' lists servi= ces +;; that the meta 'pam' Shepherd service will depend on. (define-record-type* pam-extension make-pam-extension pam-extension? (transformer pam-extension-transformer) @@ -380,12 +381,8 @@ (define (/etc-entry config) "Return the /etc/pam.d entry corresponding to CONFIG." (match config (($ services transformers shepherd-requirements) - (let ((services - (map - ;; XXX We need to add identity because compose expects at lea= st - ;; one argument for some reason. - (apply compose (cons identity transformers)) - services))) + (let ((services (map (apply compose identity transformers) + services))) `(("pam.d" ,(pam-services->directory services))))))) =20 (define (pam-shepherd-service config) 
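Review bot: in the `/etc-entry` hunk, dropping the XXX comment leaves `(apply compose identity transformers)` with no explanation of the leading `identity`; a one-line comment saying it covers the case where `transformers` is empty would keep someone from removing it as redundant later. The same `match` clause also binds `shepherd-requirements` without using it in the body, so `_` would read more clearly there.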
@@ -404,16 +401,15 @@ (define (extend-configuration initial extensions) "Extend INITIAL with NEW." ;; TODO: Remove deprecation shim. (define cleaned-extensions - (map - (lambda (ext) - (cond - ((procedure? ext) - (begin - (warning (G_ "pam-root-service-type transformer extensions shou= ld\ -now use the record.")) - (pam-extension (transformer ext)))) - (#t ext))) - extensions)) + (map (lambda (ext) + (if (procedure? ext) + (begin + (warning (G_ "'pam-root-service-type' extensions should \ +now use the record~%")) + (pam-extension (transformer ext))) + ext)) + extensions)) + (let-values (((services pam-extensions) (partition pam-service? cleaned-extensions))) (pam-configuration

Ludo’.

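Review bot: in `cleaned-extensions`, the `TODO: Remove deprecation shim` comment carries no target release or date, so nothing signals when the `procedure?` branch can be deleted; name a milestone there. The warning also gives the user no hint which extension passed a bare procedure, and since `extend-configuration` only sees the extension values, the message text is the only place to say what was received and what is expected instead.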
From: Ludovic Courtès
To: Josselin Poiret
Cc: 63314-done@debbugs.gnu.org
Subject: Re: [PATCH v2 2/2] services: elogind: Add elogind as a shepherd PAM requirement.
Date: Thu, 11 May 2023 13:16:36 +0200

Josselin Poiret wrote:

> From: Josselin Poiret
>
> * gnu/services/desktop.scm (pam-extension-procedure): Add the elogind shepherd
> requirement to the PAM extension.

Applied, thanks!

From: Debbugs Internal Request
Subject: Internal Control
Date: Thu, 08 Jun 2023 11:24:05 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator