From: bug#63383 <63383@debbugs.gnu.org>
Subject: Status: [PATCH 0/4] Various PAM improvements
Date: Fri, 20 Jun 2025 12:29:32 +0000

retitle 63383 [PATCH 0/4] Various PAM improvements
reassign 63383 guix-patches
submitter 63383 Felix Lechner
severity 63383 normal
tag 63383 patch
thanks

From: Felix Lechner
To: guix-patches@gnu.org
Cc: Felix Lechner
Subject: [PATCH 0/4] Various PAM improvements
Date: Mon, 8 May 2023 17:56:31 -0700

This commit series makes several improvements to the way Linux-PAM is used in Guix. Most notably, it employs absolute paths into the store where possible. The series also improves significantly on the system test for pam_limits.

These commits have been tested and are already being deployed in production.

Additional details are in the commit messages.

Felix Lechner (4):
  In PAM test, confirm ulimits actually imposed instead of comparing config files.
  Drop limits.conf from /etc/security; use directly in pam-limits-service-type.
  Refer to the built-in Linux-PAM modules by their absolute paths.
  Use more file-append.
 gnu/services/authentication.scm |  2 +-
 gnu/services/base.scm           | 65 +++++++++++++++---------------
 gnu/services/kerberos.scm       |  2 +-
 gnu/services/lightdm.scm        | 60 ++++++++++++++++++++--------
 gnu/services/pam-mount.scm      |  2 +-
 gnu/services/sddm.scm           | 33 ++++++++--------
 gnu/services/xorg.scm           |  5 ++-
 gnu/system/pam.scm              | 20 +++++-----
 gnu/tests/pam.scm               | 70 ++++++++++++++++++---------------
 9 files changed, 146 insertions(+), 113 deletions(-)

base-commit: d1aba42ad4e1909faa21d484975c5954c778e002
-- 
2.39.2

From: Felix Lechner
To: 63383@debbugs.gnu.org
Cc: Felix Lechner
Subject: [PATCH 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files.
Date: Mon, 8 May 2023 17:58:06 -0700
Message-Id: <7d190e341e90198108b783f2b2c1b0654c48b049.1683593547.git.felix.lechner@lease-up.com>

This revised system test is superior to the one accepted when Bug#61744 was closed because it confirms whether the configured limits are actually being enforced upon login. The previous test merely validated the serialization of one particular config in the config file.

* gnu/tests/pam.scm (pam-limits-service): Revise test to confirm limits on login.
---
 gnu/tests/pam.scm | 70 +++++++++++++++++++++++++----------------------
 1 file changed, 38 insertions(+), 32 deletions(-)

diff --git a/gnu/tests/pam.scm b/gnu/tests/pam.scm
index 1654396e42..fa480e69ff 100644
--- a/gnu/tests/pam.scm
+++ b/gnu/tests/pam.scm
@@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2023 Bruno Victal +;;; Copyright © 2023 Felix Lechner ;;; ;;; This file is part of GNU Guix. ;;; @@ -25,8 +26,7 @@ (define-module (gnu tests pam) #:use-module (gnu system vm) #:use-module (guix gexp) #:use-module (ice-9 format) - #:export (%test-pam-limits - %test-pam-limits-deprecated)) + #:export (%test-pam-limits)) ;;;
@@ -35,26 +35,29 @@ (define-module (gnu tests pam) (define pam-limit-entries (list - (pam-limits-entry "@realtime" 'both 'rtprio 99) - (pam-limits-entry "@realtime" 'both 'memlock 'unlimited))) + ;; make sure the limits apply to root (uid 0) + (pam-limits-entry ":0" 'both 'rtprio 99) ;default is 0 + (pam-limits-entry ":0" 'both 'memlock 'unlimited))) ;default is 8192 kbytes (define (run-test-pam-limits config) "Run tests in a os with pam-limits-service-type configured." (define os (marionette-operating-system (simple-operating-system - (service pam-limits-service-type config)))) + (service pam-limits-service-type config)) + #:imported-modules '((gnu services herd)))) (define vm (virtual-machine os)) - (define name (format #f "pam-limit-service~:[~;-deprecated~]" - (file-like? config))) + (define name "pam-limits-service") (define test - (with-imported-modules '((gnu build marionette)) + (with-imported-modules '((gnu build marionette) + (guix build syscalls)) #~(begin (use-modules (gnu build marionette) + (guix build syscalls) (srfi srfi-64)) (let ((marionette (make-marionette (list #$vm)))) 
@@ -63,18 +66,32 @@ (define test (test-begin #$name) - (test-assert "/etc/security/limits.conf ready" - (wait-for-file "/etc/security/limits.conf" marionette)) + (test-equal "log in on tty1 and read limits" + '(("99") ;real-time priority + ("unlimited")) ;max locked memory - (test-equal "/etc/security/limits.conf content matches" - #$(string-join (map pam-limits-entry->string pam-limit-entries) - "\n" 'suffix) - (marionette-eval - '(begin - (use-modules (rnrs io ports)) - (call-with-input-file "/etc/security/limits.conf" - get-string-all)) - marionette)) + (begin + ;; Wait for tty1. + (marionette-eval '(begin + (use-modules (gnu services herd)) + (start-service 'term-tty1)) + marionette) + + (marionette-control "sendkey ctrl-alt-f1" marionette) + + ;; Now we can type. + (marionette-type "root\n" marionette) + (marionette-type "ulimit -r > real-time-priority\n" marionette) + (marionette-type "ulimit -l > max-locked-memory\n" marionette) + + ;; Read the two files. + (marionette-eval '(use-modules (rnrs io ports)) marionette) + (let ((guest-file (lambda (file) + (string-tokenize + (wait-for-file file marionette + #:read 'get-string-all))))) + (list (guest-file "/root/real-time-priority") + (guest-file "/root/max-locked-memory"))))) (test-end))))) 
@@ -83,17 +100,6 @@ (define test (define %test-pam-limits (system-test (name "pam-limits-service") - (description "Test that pam-limits-service can serialize its config -(as a list) to @file{limits.conf}.") + (description "Test that pam-limits-service actually sets the limits as +configured.") (value (run-test-pam-limits pam-limit-entries)))) - -(define %test-pam-limits-deprecated - (system-test - (name "pam-limits-service-deprecated") - (description "Test that pam-limits-service can serialize its config -(as a file-like object) to @file{limits.conf}.") - (value (run-test-pam-limits - (plain-file "limits.conf" - (string-join (map pam-limits-entry->string - pam-limit-entries) - "\n" 'suffix))))))
-- 
2.39.2

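Review bot: in the `@@ -35,26 +35,29 @@` hunk, the `":0"` domain is the limits.conf uid-range form with the lower bound left out, which pam_limits matches against uid 0 instead of looking up a user named "0"; the comment `;; make sure the limits apply to root (uid 0)` should say that, because `:0` reads like a typo to anyone who only knows the `user` and `@group` forms.

Review bot: in the `@@ -63,18 +66,32 @@` hunk, `wait-for-file` returns as soon as `/root/real-time-priority` exists, but the shell creates and truncates that file before the `ulimit` builtin writes into it, so the test can read an empty file; `string-tokenize` then yields `()` and the `test-equal` fails intermittently. Write to a temporary name and rename so the file appears only once complete, e.g. `ulimit -r > rtprio.tmp && mv rtprio.tmp real-time-priority`. In the same hunk, `(marionette-type "root\n" marionette)` follows `(start-service 'term-tty1)` with nothing in between; that call returns when shepherd has started the getty, not when the getty is reading the terminal, so keystrokes sent before the login prompt is up can be dropped on a slow host. Wait for the prompt before typing, and add a comment that the login step assumes root has no password in the test image.

Review bot: the `@@ -83,17 +100,6 @@` hunk deletes `%test-pam-limits-deprecated` outright, so the file-like input to `pam-limits-service-type`, which the service keeps accepting behind a deprecation warning, loses its only test. Either run the new login test a second time with a `plain-file` value, or say in the commit message that the deprecated path is deliberately left untested until it is removed.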
From: Felix Lechner
To: 63383@debbugs.gnu.org
Cc: Felix Lechner
Subject: [PATCH 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type.
Date: Mon, 8 May 2023 17:58:07 -0700
Message-Id: <02c2307e7a2d256b6d2da12a8c3ac4a9bfa390b0.1683593547.git.felix.lechner@lease-up.com>

This commit was tested and is already deployed in production.

* gnu/services/base.scm: Drop config file limits.conf from /etc; use absolute path in store instead.
---
 gnu/services/base.scm | 59 ++++++++++++++++++++-----------------
 1 file changed, 28 insertions(+), 31 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4adb551796..16dcc55483 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1608,36 +1608,34 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration))) (define pam-limits-service-type (let ((pam-extension - (lambda (pam) - (let ((pam-limits (pam-entry - (control "required") - (module "pam_limits.so") - (arguments - '("conf=/etc/security/limits.conf"))))) - (if (member (pam-service-name pam) - '("login" "greetd" "su" "slim" "gdm-password" "sddm" - "sudo" "sshd")) - (pam-service - (inherit pam) - (session (cons pam-limits - (pam-service-session pam)))) - pam)))) - - ;; XXX: Using file-like objects is deprecated, use lists instead. - ;; This is to be reduced into the list? case when the deprecated - ;; code gets removed. - ;; Create /etc/security containing the provided "limits.conf" file. - (security-limits + (lambda (limits-file) + (lambda (pam) + (let ((pam-limits (pam-entry + (control "required") + (module "pam_limits.so") + (arguments + (list #~(string-append "conf=" #$limits-file)))))) + (if (member (pam-service-name pam) + '("login" "greetd" "su" "slim" "gdm-password" "sddm" + "sudo" "sshd")) + (pam-service + (inherit pam) + (session (cons pam-limits + (pam-service-session pam)))) + pam))))) + (make-limits-file (match-lambda + ;; XXX: Using file-like objects is deprecated, use lists instead. + ;; This is to be reduced into the list? case when the deprecated + ;; code gets removed. ((? file-like? obj) (warning (G_ "Using file-like value for \ 'pam-limits-service-type' is deprecated~%")) - `(("security/limits.conf" ,obj))) + obj) ((? list? lst) - `(("security/limits.conf" - ,(plain-file "limits.conf" - (string-join (map pam-limits-entry->string lst) - "\n" 'suffix))))) + (plain-file "limits.conf" + (string-join (map pam-limits-entry->string lst) + "\n" 'suffix))) (_ (raise (formatted-message (G_ "invalid input for 'pam-limits-service-type'~%"))))))) 
@@ -1645,13 +1643,12 @@ (module "pam_limits.so") (service-type (name 'limits) (extensions - (list (service-extension etc-service-type security-limits) - (service-extension pam-root-service-type - (lambda _ (list pam-extension))))) + (list (service-extension pam-root-service-type + (lambda (config) + (list (pam-extension (make-limits-file config))))))) (description - "Install the specified resource usage limits by populating -@file{/etc/security/limits.conf} and using the @code{pam_limits} -authentication module.") + "Use the @code{pam_limits} authentication module to set the specified +resource usage limits.") (default-value '())))) (define-deprecated (pam-limits-service #:optional (limits '()))
-- 
2.39.2

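Review bot: in the `@@ -1608,36 +1608,34 @@` hunk, dropping the `etc-service-type` extension means `/etc/security/limits.conf` no longer exists on the system at all; the file now lives only at a hashed store path handed to pam_limits through `conf=`. That is a visible behaviour change for administrators who inspect or grep that path, so the commit message should state it rather than "use absolute path in store instead", and the manual entry for `pam-limits-service-type` needs the same correction if it names `/etc/security/limits.conf`.

Review bot: the replacement description in the `@@ -1645,13 +1643,12 @@` hunk calls `pam_limits` an "authentication module", but the entry is added to the `session` stack (`(session (cons pam-limits (pam-service-session pam)))` in the previous hunk), so the limits are applied when the session opens, not during authentication; "session module" is the accurate term and worth fixing while the string is being rewritten anyway.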
From: Felix Lechner
To: 63383@debbugs.gnu.org
Cc: Felix Lechner
Subject: [PATCH 3/4] Refer to the built-in Linux-PAM modules by their absolute paths.
Date: Mon, 8 May 2023 17:58:08 -0700
Message-Id: <1642be1ee49d66939d092d80289518ed6ed578e2.1683593547.git.felix.lechner@lease-up.com>

In the complex world that is Guix, this commit allows the processing of PAM stacks by means other than the official libpam.so.

An assumption was voiced that absolute paths here might be unfavorable for upgrades [1] but the author of this commit is not sure about that.

[1] https://issues.guix.gnu.org/61744#6

This commit was tested and is already being deployed in production.

* gnu/services/base.scm
* gnu/services/lightdm.scm
* gnu/services/sddm.scm
* gnu/services/xorg.scm
* gnu/system/pam.scm: Refer to the built-in PAM modules, which are shipped with Linux-PAM, by their absolute paths in the store.
---
 gnu/services/base.scm    |  6 ++--
 gnu/services/lightdm.scm | 60 +++++++++++++++++++++++++++++-----------
 gnu/services/sddm.scm    | 33 +++++++++++-----------
 gnu/services/xorg.scm    |  5 ++--
 gnu/system/pam.scm       | 20 +++++++-------
 5 files changed, 77 insertions(+), 47 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 16dcc55483..9f1671e142 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -58,8 +58,8 @@ (define-module (gnu services base) #:use-module (gnu packages admin) #:use-module ((gnu packages linux) #:select (alsa-utils btrfs-progs crda eudev - e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools - util-linux xfsprogs)) + e2fsprogs f2fs-tools fuse gpm kbd linux-pam lvm2 + rng-tools util-linux xfsprogs)) #:use-module (gnu packages bash) #:use-module ((gnu packages base) #:select (coreutils glibc glibc-utf8-locales tar @@ -1612,7 +1612,7 @@ (define pam-limits-service-type (lambda (pam) (let ((pam-limits (pam-entry (control "required") - (module "pam_limits.so") + (module (file-append linux-pam "/lib/security/pam_limits.so")) (arguments (list #~(string-append "conf=" #$limits-file)))))) (if (member (pam-service-name pam) diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm index 0b9094cda1..b820c7dcf3 100644 --- a/gnu/services/lightdm.scm +++ b/gnu/services/lightdm.scm @@ -24,6 +24,7 @@ (define-module (gnu services lightdm) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnome) + #:use-module (gnu packages linux) #:use-module (gnu packages vnc) #:use-module (gnu packages xorg) #:use-module (gnu services configuration) 
@@ -546,34 +547,61 @@ (define (lightdm-greeter-pam-service) (name "lightdm-greeter") (auth (list ;; Load environment from /etc/environment and ~/.pam_environment. - (pam-entry (control "required") (module "pam_env.so")) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_env.so"))) ;; Always let the greeter start without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; No action required for account management - (account (list (pam-entry (control "required") (module "pam_permit.so")))) + (account (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (lightdm-autologin-pam-service) "Return a PAM service for @command{lightdm-autologin}}." (pam-service (name "lightdm-autologin") - (auth - (list - ;; Block login if user is globally disabled. - (pam-entry (control "required") (module "pam_nologin.so")) - (pam-entry (control "required") (module "pam_succeed_if.so") - (arguments (list "uid >= 1000"))) - ;; Allow access without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (auth (list + ;; Block login if user is globally disabled. 
+ (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) + (arguments (list "uid >= 1000"))) + ;; Allow access without authentication. + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; Stop autologin if account requires action. - (account (list (pam-entry (control "required") (module "pam_unix.so")))) + (account (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (lightdm-pam-services config) (list (lightdm-pam-service config) diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm index 9e02f1cc81..6138a31f0d 100644 --- a/gnu/services/sddm.scm +++ b/gnu/services/sddm.scm @@ -23,6 +23,7 @@ (define-module (gnu services sddm) #:use-module (gnu packages admin) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) + #:use-module (gnu packages linux) #:use-module (gnu packages xorg) #:use-module (gnu services) #:use-module (gnu services shepherd) 
@@ -185,32 +186,32 @@ (define (sddm-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) (pam-entry (control "required") - (module "pam_env.so")) + (module (file-append linux-pam "/lib/security/pam_env.so"))) (pam-entry (control "required") - (module "pam_succeed_if.so") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) "quiet"))) ;; should be factored out into system-auth (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (account (list ;; should be factored out into system-account (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (password (list ;; should be factored out into system-password (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) (arguments (list "sha512" "shadow" "try_first_pass"))))) (session (list @@ -218,7 +219,7 @@ (module "pam_unix.so") ;; should be factored out into system-session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (sddm-greeter-pam-service) "Return a PAM service for @command{sddm-greeter}." 
@@ -229,29 +230,29 @@ (define (sddm-greeter-pam-service) ;; Load environment from /etc/environment and ~/.pam_environment (pam-entry (control "required") - (module "pam_env.so")) + (module (file-append linux-pam "/lib/security/pam_env.so"))) ;; Always let the greeter start without authentication (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (account (list ;; No action required for account management (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (password (list ;; Can't change password (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (session (list ;; Setup session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (sddm-autologin-pam-service config) "Return a PAM service for @command{sddm-autologin}" @@ -261,16 +262,16 @@ (define (sddm-autologin-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) (pam-entry (control "required") - (module "pam_succeed_if.so") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) "quiet"))) (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (account (list (pam-entry @@ -280,7 +281,7 @@ (module "sddm")))) (list (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (session (list (pam-entry diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 7295a45b59..878a336d0d 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm 
@@ -50,6 +50,7 @@ (define-module (gnu services xorg) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnustep) #:use-module (gnu packages gnome) + #:use-module (gnu packages linux) #:use-module (gnu packages admin) #:use-module (gnu packages bash) #:use-module (gnu system shadow) @@ -1101,12 +1102,12 @@ (module (file-append (gdm-configuration-gdm config) "/lib/security/pam_gdm.so"))) (pam-entry (control "sufficient") - (module "pam_permit.so"))))) + (module (file-append linux-pam "/lib/security/pam_permit.so")))))) (pam-service (inherit (unix-pam-service "gdm-launch-environment")) (auth (list (pam-entry (control "required") - (module "pam_permit.so"))))) + (module (file-append linux-pam "/lib/security/pam_permit.so")))))) (unix-pam-service "gdm-password" #:login-uid? #t #:allow-empty-passwords? diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index b635681642..5e6a209caf 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -194,7 +194,7 @@ (define %pam-other-services ;; .) (let ((deny (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (pam-service (name "other") (account (list deny)) @@ -205,10 +205,10 @@ (module "pam_deny.so")))) (define unix-pam-service (let ((unix (pam-entry (control "required") - (module "pam_unix.so"))) + (module (file-append linux-pam "/lib/security/pam_unix.so")))) (env (pam-entry ; to honor /etc/environment. (control "required") - (module "pam_env.so")))) + (module (file-append linux-pam "/lib/security/pam_env.so"))))) (lambda* (name #:key allow-empty-passwords? allow-root? motd login-uid? gnupg?) "Return a standard Unix-style PAM service for NAME. When 
@@ -226,12 +226,12 @@ (module "pam_env.so")))) (auth (append (if allow-root? (list (pam-entry (control "sufficient") - (module "pam_rootok.so"))) + (module (file-append linux-pam "/lib/security/pam_rootok.so")))) '()) (list (if allow-empty-passwords? (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) (arguments '("nullok"))) unix)) (if gnupg? @@ -241,20 +241,20 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) '()))) (password (list (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) ;; Store SHA-512 encrypted passwords in /etc/shadow. (arguments '("sha512" "shadow"))))) (session `(,@(if motd (list (pam-entry (control "optional") - (module "pam_motd.so") + (module (file-append linux-pam "/lib/security/pam_motd.so")) (arguments (list #~(string-append "motd=" #$motd))))) '()) ,@(if login-uid? (list (pam-entry ;to fill in /proc/self/loginuid (control "required") - (module "pam_loginuid.so"))) + (module (file-append linux-pam "/lib/security/pam_loginuid.so")))) '()) ,@(if gnupg? (list (pam-entry 
@@ -268,13 +268,13 @@ (define (rootok-pam-service command) authenticate to run COMMAND." (let ((unix (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (pam-service (name command) (account (list unix)) (auth (list (pam-entry (control "sufficient") - (module "pam_rootok.so")))) + (module (file-append linux-pam "/lib/security/pam_rootok.so"))))) (password (list unix)) (session (list unix)))))
-- 
2.39.2

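Review bot: the `gnu/system/pam.scm` hunks (`@@ -194,7 +194,7 @@` onward) reference `linux-pam`, but unlike the lightdm, sddm and xorg hunks none of them adds a `#:use-module (gnu packages linux)` to the module; unless `(gnu system pam)` already imports that binding, this fails with an unbound variable at build time. If an import is needed, use the narrow form the base.scm hunk uses, `#:select (linux-pam)`, since `(gnu system pam)` is loaded by many modules and pulling in all of `(gnu packages linux)` there is costly.

Review bot: on the upgrade concern the commit message leaves open, the `file-append` paths make `linux-pam` a reference of the generated `/etc/pam.d` files and therefore of the system generation, so the store item cannot be garbage-collected while that generation exists; what does change is that a `linux-pam` update now rewrites every PAM stack instead of being picked up through libpam's default module directory. Stating that in the commit message would settle the question from [1] instead of leaving "not sure about that" in the history.

Review bot: style, across the lightdm and sddm hunks: `(file-append linux-pam "/lib/security/pam_X.so")` is repeated dozens of times, and reflowing one-line `pam-entry` forms into three lines makes the diff much larger than the change. A small helper in `(gnu system pam)`, for instance `(define (linux-pam-module name) (file-append linux-pam "/lib/security/" name))`, keeps each entry on one line and gives one place to change if the module directory ever moves.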
From: Felix Lechner
To: 63383@debbugs.gnu.org
Cc: Felix Lechner
Subject: [PATCH 4/4] Use more file-append.
Date: Mon, 8 May 2023 17:58:09 -0700

Based on the author's review of the code base as well as past commits, similar invocations are in the process of being changed over from string-append to file-append.

* gnu/services/authentication.scm
* gnu/services/base.scm
* gnu/services/kerberos.scm
* gnu/services/pam-mount.scm: Use more file-append instead of string-append.
---
 gnu/services/authentication.scm | 2 +-
 gnu/services/base.scm           | 2 +-
 gnu/services/kerberos.scm       | 2 +-
 gnu/services/pam-mount.scm      | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm
index f7becdfafb..7c8900a280 100644
--- a/gnu/services/authentication.scm
+++ b/gnu/services/authentication.scm
@@ -504,7 +504,7 @@ (define (nslcd-shepherd-service config) (define (pam-ldap-pam-service config) "Return a PAM service for LDAP authentication." (define pam-ldap-module - #~(string-append #$(nslcd-configuration-nss-pam-ldapd config) + (file-append (nslcd-configuration-nss-pam-ldapd config) "/lib/security/pam_ldap.so")) (lambda (pam) (if (member (pam-service-name pam)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 9f1671e142..9555dc3a46 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -3256,7 +3256,7 @@ (define (greetd-pam-service config) (define optional-pam-mount (pam-entry (control "optional") - (module #~(string-append #$greetd-pam-mount "/lib/security/pam_mount.so")) + (module (file-append greetd-pam-mount "/lib/security/pam_mount.so")) (arguments '("disable_interactive")))) (list diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm index c3c7872734..38e78a8014 100644 --- a/gnu/services/kerberos.scm +++ b/gnu/services/kerberos.scm @@ -430,7 +430,7 @@ (define (pam-krb5-pam-service config) "Return a PAM service for Kerberos authentication." (lambda (pam) (define pam-krb5-module - #~(string-append #$(pam-krb5-configuration-pam-krb5 config) + (file-append (pam-krb5-configuration-pam-krb5 config) "/lib/security/pam_krb5.so")) (let ((pam-krb5-sufficient diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm index e60781d05b..1be209dff5 100644 --- a/gnu/services/pam-mount.scm +++ b/gnu/services/pam-mount.scm 
@@ -87,7 +87,7 @@ (define (pam-mount-pam-service config) (define optional-pam-mount (pam-entry (control "optional") - (module #~(string-append #$pam-mount "/lib/security/pam_mount.so")))) + (module (file-append pam-mount "/lib/security/pam_mount.so")))) (list (lambda (pam) (if (member (pam-service-name pam) '("login" "greetd" "su" "slim" "gdm-password" "sddm")) -- 2.39.2 From debbugs-submit-bounces@debbugs.gnu.org Fri May 12 14:52:03 2023 Received: (at 63383) by debbugs.gnu.org; 12 May 2023 18:52:03 +0000 Received: from localhost ([127.0.0.1]:32965 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pxXs2-0003Xu-TX for submit@debbugs.gnu.org; Fri, 12 May 2023 14:52:03 -0400 Received: from sail-ipv4.us-core.com ([208.82.101.137]:58338) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pxXs0-0003XV-Ri for 63383@debbugs.gnu.org; Fri, 12 May 2023 14:52:01 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=m2E1KoTWVET6Z7d i/ey0+AAWk7V/PxjJdh1eEM3U+Q4=; h=date:subject:cc:to:from; d=lease-up.com; b=VfCB1qdQb5O2sqXdeJ26Z/DDh7+PQ1YLHJZtnRy6rl20/9gz5Ed0 thIw8eJOqNJ9Eh/DiPKW39O1z+9Y96AupcZ10gbTDnEo7tb5mZ6N335T/paCwbjjdxDGDZ lPRdF9Mm3S9+iPf2enEZv1WMDEW7k6P5lf2vPQkgBqUiu9IQk= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 2528dba7 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO) for <63383@debbugs.gnu.org>; Fri, 12 May 2023 18:52:00 +0000 (UTC) 
From: Felix Lechner To: 63383@debbugs.gnu.org Subject: rebased Date: Fri, 12 May 2023 11:51:59 -0700 Message-ID: <87a5y9v0vk.fsf@lease-up.com> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 63383 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) This patch series was rebased due to changes on the 'master' branch. From debbugs-submit-bounces@debbugs.gnu.org Fri May 12 14:52:56 2023 Received: (at 63383) by debbugs.gnu.org; 12 May 2023 18:52:56 +0000 Received: from localhost ([127.0.0.1]:32977 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pxXst-0003Zc-Rb for submit@debbugs.gnu.org; Fri, 12 May 2023 14:52:56 -0400 Received: from sail-ipv4.us-core.com ([208.82.101.137]:38686) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pxXsr-0003ZR-Rk for 63383@debbugs.gnu.org; Fri, 12 May 2023 14:52:54 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=pBMlwsVShVtr65+ oqHkbzPSxaE9LhVN378V64plIAlc=; h=date:subject:cc:to:from; d=lease-up.com; b=epVbXEuTeSmsR/L8+MmNH3pKZi3VsoGNoRrYB93YsljAH4AmLV9b AW88YLNB6UEmwzESqN2AVCPewvOKwjGgikfzuKNEan2ONkEmRqVxKuyNbi8qPb8BJryZ3j HNdUeF22L7umMM4bZ4ftGORoC4ydNF7UsJy33wOYleEg7raU0= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 305f4144 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); Fri, 12 May 2023 18:52:52 +0000 (UTC) Received: from localhost (localhost [local]) by localhost (OpenSMTPD) with ESMTPA id 5533b954; Fri, 12 May 2023 18:52:52 +0000 (UTC) 
From: Felix Lechner To: 63383@debbugs.gnu.org Subject: [PATCH v2 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files. Date: Fri, 12 May 2023 11:52:47 -0700 Message-Id: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com> X-Mailer: git-send-email 2.40.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.2 (/) X-Debbugs-Envelope-To: 63383 Cc: Felix Lechner X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) This revised system test is superior to the one accepted when Bug#61744 was closed because it confirms whether the configured limits are actually being enforced upon login. The previous test merely validated the serialization of one particular config in the config file. * gnu/tests/pam.scm (pam-limits-service): Revise test to confirm limits on login. --- gnu/tests/pam.scm | 70 +++++++++++++++++++++++++---------------------- 1 file changed, 38 insertions(+), 32 deletions(-) diff --git a/gnu/tests/pam.scm b/gnu/tests/pam.scm index 1654396e42..fa480e69ff 100644 --- a/gnu/tests/pam.scm +++ b/gnu/tests/pam.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2023 Bruno Victal +;;; Copyright © 2023 Felix Lechner ;;; ;;; This file is part of GNU Guix. ;;; @@ -25,8 +26,7 @@ (define-module (gnu tests pam) #:use-module (gnu system vm) #:use-module (guix gexp) #:use-module (ice-9 format) - #:export (%test-pam-limits - %test-pam-limits-deprecated)) + #:export (%test-pam-limits)) ;;; 
@@ -35,26 +35,29 @@ (define-module (gnu tests pam) (define pam-limit-entries (list - (pam-limits-entry "@realtime" 'both 'rtprio 99) - (pam-limits-entry "@realtime" 'both 'memlock 'unlimited))) + ;; make sure the limits apply to root (uid 0) + (pam-limits-entry ":0" 'both 'rtprio 99) ;default is 0 + (pam-limits-entry ":0" 'both 'memlock 'unlimited))) ;default is 8192 kbytes (define (run-test-pam-limits config) "Run tests in a os with pam-limits-service-type configured." (define os (marionette-operating-system (simple-operating-system - (service pam-limits-service-type config)))) + (service pam-limits-service-type config)) + #:imported-modules '((gnu services herd)))) (define vm (virtual-machine os)) - (define name (format #f "pam-limit-service~:[~;-deprecated~]" - (file-like? config))) + (define name "pam-limits-service") (define test - (with-imported-modules '((gnu build marionette)) + (with-imported-modules '((gnu build marionette) + (guix build syscalls)) #~(begin (use-modules (gnu build marionette) + (guix build syscalls) (srfi srfi-64)) (let ((marionette (make-marionette (list #$vm)))) 
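Review bot: (guix build syscalls) is added to both with-imported-modules and use-modules in this hunk, but nothing in the revised test body calls into it (the body uses only the marionette procedures, string-tokenize and (rnrs io ports)); drop the import or say what it is needed for. The comment on the new entries would also help a reader more if it spelled out the ":0" syntax, which is a uid range with the lower bound omitted and therefore matches uid 0 exactly, and the ";default is 8192 kbytes" remark on memlock describes a kernel default that varies between kernel versions rather than anything pam_limits guarantees, so it is safer to say only that the test values differ from the defaults than to pin a number.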
@@ -63,18 +66,32 @@ (define test (test-begin #$name) - (test-assert "/etc/security/limits.conf ready" - (wait-for-file "/etc/security/limits.conf" marionette)) + (test-equal "log in on tty1 and read limits" + '(("99") ;real-time priority + ("unlimited")) ;max locked memory - (test-equal "/etc/security/limits.conf content matches" - #$(string-join (map pam-limits-entry->string pam-limit-entries) - "\n" 'suffix) - (marionette-eval - '(begin - (use-modules (rnrs io ports)) - (call-with-input-file "/etc/security/limits.conf" - get-string-all)) - marionette)) + (begin + ;; Wait for tty1. + (marionette-eval '(begin + (use-modules (gnu services herd)) + (start-service 'term-tty1)) + marionette) + + (marionette-control "sendkey ctrl-alt-f1" marionette) + + ;; Now we can type. + (marionette-type "root\n" marionette) + (marionette-type "ulimit -r > real-time-priority\n" marionette) + (marionette-type "ulimit -l > max-locked-memory\n" marionette) + + ;; Read the two files. + (marionette-eval '(use-modules (rnrs io ports)) marionette) + (let ((guest-file (lambda (file) + (string-tokenize + (wait-for-file file marionette + #:read 'get-string-all))))) + (list (guest-file "/root/real-time-priority") + (guest-file "/root/max-locked-memory"))))) (test-end))))) 
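Review bot: the three marionette-type calls in this hunk are issued back to back with no wait for the login to complete, so the test relies on the tty input queue holding the "ulimit ..." keystrokes until the root shell is up; if the login sequence flushes pending input, the two files are never written and the failure only surfaces as a wait-for-file timeout with no hint of the cause. Consider typing the ulimit commands only after something observable confirms the shell is ready (for example a marker file written by a first typed command and awaited with wait-for-file), and pass an explicit #:timeout so that a slow VM does not turn into a spurious failure. Note also that this exercises only the "login" service out of the eight that pam-limits-service-type patches, which is fine for a smoke test but worth stating in the test name or description.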
@@ -83,17 +100,6 @@ (define test (define %test-pam-limits (system-test (name "pam-limits-service") - (description "Test that pam-limits-service can serialize its config -(as a list) to @file{limits.conf}.") + (description "Test that pam-limits-service actually sets the limits as +configured.") (value (run-test-pam-limits pam-limit-entries)))) - -(define %test-pam-limits-deprecated - (system-test - (name "pam-limits-service-deprecated") - (description "Test that pam-limits-service can serialize its config -(as a file-like object) to @file{limits.conf}.") - (value (run-test-pam-limits - (plain-file "limits.conf" - (string-join (map pam-limits-entry->string - pam-limit-entries) - "\n" 'suffix)))))) -- 2.40.1 From debbugs-submit-bounces@debbugs.gnu.org Fri May 12 14:52:57 2023 Received: (at 63383) by debbugs.gnu.org; 12 May 2023 18:52:58 +0000 Received: from localhost ([127.0.0.1]:32981 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pxXsv-0003Zq-Hu for submit@debbugs.gnu.org; Fri, 12 May 2023 14:52:57 -0400 Received: from sail-ipv4.us-core.com ([208.82.101.137]:38686) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pxXst-0003ZR-MD for 63383@debbugs.gnu.org; Fri, 12 May 2023 14:52:56 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=dP9G5Ny4UxL1dix 5Pe+7Rp79X6H7e9XQQXcZJdrlIrg=; h=references:in-reply-to:date:subject: cc:to:from; d=lease-up.com; b=bNhENMZeiYjFFABkUYVqrQwykCThZ8YXJovdF0sy kaXXGXLJEfTNQkS36//31xPrLwCn3nxATdgc68Phw4ULZcApMk3kbEPtR5xVsoAVhTnpXg VqiAsEuk80uOP9I3ABcZwRFpy+5O4pZMiWi76+QuKO/XWOktxwsaqy8BmHt1w= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 7d17977e (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); Fri, 12 May 2023 18:52:55 +0000 (UTC) Received: from localhost (localhost [local]) by localhost (OpenSMTPD) with ESMTPA id 5edbc1d3; Fri, 12 May 2023 18:52:54 +0000 (UTC) 
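Review bot: deleting %test-pam-limits-deprecated removes the only coverage of the file-like input to pam-limits-service-type, while 2/4 in this series keeps accepting that input (with a deprecation warning). Either keep a variant of this test that passes a plain-file through run-test-pam-limits, or drop the deprecated branch in the same series so that code and tests stay in step; as it stands, the deprecated path could regress silently.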
From: Felix Lechner To: 63383@debbugs.gnu.org Subject: [PATCH v2 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type. Date: Fri, 12 May 2023 11:52:48 -0700 Message-Id: <664a326ae17afabd71301893f1c56ff4e9d01c68.1683917556.git.felix.lechner@lease-up.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com> References: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.2 (/) X-Debbugs-Envelope-To: 63383 Cc: Felix Lechner X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) This commit was tested and is already deployed in production. * gnu/services/base.scm: Drop config file limits.conf from /etc; use absolute path in store instead. --- gnu/services/base.scm | 63 +++++++++++++++++++++---------------------- 1 file changed, 30 insertions(+), 33 deletions(-) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index fdc2c8c764..4bef781977 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -1603,38 +1603,36 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration))) (define pam-limits-service-type (let ((pam-extension - (pam-extension - (transformer - (lambda (pam) - (let ((pam-limits (pam-entry - (control "required") - (module "pam_limits.so") - (arguments - '("conf=/etc/security/limits.conf"))))) - (if (member (pam-service-name pam) - '("login" "greetd" "su" "slim" "gdm-password" - "sddm" "sudo" "sshd")) - (pam-service - (inherit pam) - (session (cons pam-limits - (pam-service-session pam)))) - pam)))))) - - ;; XXX: Using file-like objects is deprecated, use lists instead. - ;; This is to be reduced into the list? case when the deprecated - ;; code gets removed. - ;; Create /etc/security containing the provided "limits.conf" file. - (security-limits + (lambda (limits-file) + (pam-extension + (transformer + (lambda (pam) + (let ((pam-limits (pam-entry + (control "required") + (module "pam_limits.so") + (arguments + (list #~(string-append "conf=" #$limits-file)))))) + (if (member (pam-service-name pam) + '("login" "greetd" "su" "slim" "gdm-password" "sddm" + "sudo" "sshd")) + (pam-service + (inherit pam) + (session (cons pam-limits + (pam-service-session pam)))) + pam))))))) + (make-limits-file (match-lambda + ;; XXX: Using file-like objects is deprecated, use lists instead. + ;; This is to be reduced into the list? case when the deprecated + ;; code gets removed. ((? file-like? obj) (warning (G_ "Using file-like value for \ 'pam-limits-service-type' is deprecated~%")) - `(("security/limits.conf" ,obj))) + obj) ((? list? lst) - `(("security/limits.conf" - ,(plain-file "limits.conf" - (string-join (map pam-limits-entry->string lst) - "\n" 'suffix))))) + (plain-file "limits.conf" + (string-join (map pam-limits-entry->string lst) + "\n" 'suffix))) (_ (raise (formatted-message (G_ "invalid input for 'pam-limits-service-type'~%"))))))) 
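Review bot: the let binding named pam-extension in this hunk is a lambda whose body calls the pam-extension record constructor from (gnu system pam); this works only because let init forms are evaluated in the outer scope, and a reader of the later (list (pam-extension (make-limits-file config))) cannot tell which of the two is meant. Rename the local, for instance to limits-pam-extension, so the constructor is not shadowed by a procedure that wraps it. The "conf=" argument is now a store path, which is the right outcome of the change, but the module is still the bare "pam_limits.so" here and only becomes absolute in 3/4; if the series is reordered or partially applied, that is the line to keep an eye on.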
@@ -1642,13 +1640,12 @@ (module "pam_limits.so") (service-type (name 'limits) (extensions - (list (service-extension etc-service-type security-limits) - (service-extension pam-root-service-type - (lambda _ (list pam-extension))))) + (list (service-extension pam-root-service-type + (lambda (config) + (list (pam-extension (make-limits-file config))))))) (description - "Install the specified resource usage limits by populating -@file{/etc/security/limits.conf} and using the @code{pam_limits} -authentication module.") + "Use the @code{pam_limits} authentication module to set the specified +resource usage limits.") (default-value '())))) (define-deprecated (pam-limits-service #:optional (limits '())) -- 2.40.1 From debbugs-submit-bounces@debbugs.gnu.org Fri May 12 14:53:03 2023 Received: (at 63383) by debbugs.gnu.org; 12 May 2023 18:53:03 +0000 Received: from localhost ([127.0.0.1]:32984 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pxXsz-0003aK-TF for submit@debbugs.gnu.org; Fri, 12 May 2023 14:53:03 -0400 Received: from sail-ipv4.us-core.com ([208.82.101.137]:38686) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pxXsu-0003ZR-VH for 63383@debbugs.gnu.org; Fri, 12 May 2023 14:53:00 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=0WTw1l4kXkjVOxY X+wAXnubS1bIk3/lWcQ5m7mjE/M4=; h=references:in-reply-to:date:subject: cc:to:from; d=lease-up.com; b=gNOlpSbL4jrBHD6yuvxDZ3zw10JpZ7VtbNX/aHAA 4ZPJS9psfzxeTV4YvvZqlu3kaueEfsltl6g0s1GPxn6OoncCC9HxmP1XNVmyE4dbh9bwox zzJgnFPl8VmrjKF2P3EuwnlIz1YdjcMD+dIOCwXKPDnQKavz2huXUn0pIO7H0= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 7339be32 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); Fri, 12 May 2023 18:52:55 +0000 (UTC) Received: from localhost (localhost [local]) by localhost (OpenSMTPD) with ESMTPA id 74e49375; Fri, 12 May 2023 18:52:54 +0000 (UTC) 
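Review bot: with the etc-service-type extension dropped, /etc/security/limits.conf no longer exists on the system, and the new description no longer names any file at all, so an administrator looking for the effective limits has nothing to go on; the description (and the corresponding Texinfo entry for pam-limits-service-type, which the old wording suggests also advertises @file{/etc/security/limits.conf}) should say that the limits file lives in the store and is passed to pam_limits via its conf= argument. The commit message should also name the changed binding in ChangeLog style, i.e. "* gnu/services/base.scm (pam-limits-service-type): ...", rather than only the file.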
From: Felix Lechner To: 63383@debbugs.gnu.org Subject: [PATCH v2 3/4] Refer to the built-in Linux-PAM modules by their absolute paths. Date: Fri, 12 May 2023 11:52:49 -0700 Message-Id: X-Mailer: git-send-email 2.40.1 In-Reply-To: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com> References: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.2 (/) X-Debbugs-Envelope-To: 63383 Cc: Felix Lechner X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) In the complex world that is Guix, this commit allows the processing of PAM stacks by means other than the official libpam.so. An assumption was voiced that absolute paths here might be unfavorable for upgrades [1] but the author of this commit is not sure about that. [1] https://issues.guix.gnu.org/61744#6 This commit was tested and is already being deployed in production. * gnu/services/base.scm * gnu/services/lightdm.scm * gnu/services/sddm.scm * gnu/services/xorg.scm * gnu/system/pam.scm: Refer to the built-in PAM modules, which are shipped with Linux-PAM, by their absolute paths in the store. --- gnu/services/base.scm | 6 ++-- gnu/services/lightdm.scm | 60 +++++++++++++++++++++++++++++----------- gnu/services/sddm.scm | 33 +++++++++++----------- gnu/services/xorg.scm | 5 ++-- gnu/system/pam.scm | 20 +++++++------- 5 files changed, 77 insertions(+), 47 deletions(-) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 4bef781977..5d0542b39d 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -58,8 +58,8 @@ (define-module (gnu services base) #:use-module (gnu packages admin) #:use-module ((gnu packages linux) #:select (alsa-utils btrfs-progs crda eudev - e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools - util-linux xfsprogs)) + e2fsprogs f2fs-tools fuse gpm kbd linux-pam lvm2 + rng-tools util-linux xfsprogs)) #:use-module (gnu packages bash) #:use-module ((gnu packages base) #:select (coreutils glibc glibc-utf8-locales tar @@ -1609,7 +1609,7 @@ (define pam-limits-service-type (lambda (pam) (let ((pam-limits (pam-entry (control "required") - (module "pam_limits.so") + (module (file-append linux-pam "/lib/security/pam_limits.so")) (arguments (list #~(string-append "conf=" #$limits-file)))))) (if (member (pam-service-name pam) diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm index b966f402d6..9927e8769b 100644 --- a/gnu/services/lightdm.scm +++ b/gnu/services/lightdm.scm @@ -24,6 +24,7 @@ (define-module (gnu services lightdm) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnome) + #:use-module (gnu packages linux) #:use-module (gnu packages vnc) #:use-module (gnu packages xorg) #:use-module (gnu services configuration) 
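Review bot: base.scm extends its existing #:select list with linux-pam, but lightdm.scm (and sddm.scm and xorg.scm further down in this patch) import all of (gnu packages linux) unqualified. Prefer #:use-module ((gnu packages linux) #:select (linux-pam)) in those three files as well: it documents the one binding actually used and avoids future name clashes with the many package names that module exports.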
@@ -546,34 +547,61 @@ (define (lightdm-greeter-pam-service) (name "lightdm-greeter") (auth (list ;; Load environment from /etc/environment and ~/.pam_environment. - (pam-entry (control "required") (module "pam_env.so")) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_env.so"))) ;; Always let the greeter start without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; No action required for account management - (account (list (pam-entry (control "required") (module "pam_permit.so")))) + (account (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (lightdm-autologin-pam-service) "Return a PAM service for @command{lightdm-autologin}}." (pam-service (name "lightdm-autologin") - (auth - (list - ;; Block login if user is globally disabled. - (pam-entry (control "required") (module "pam_nologin.so")) - (pam-entry (control "required") (module "pam_succeed_if.so") - (arguments (list "uid >= 1000"))) - ;; Allow access without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (auth (list + ;; Block login if user is globally disabled. 
+ (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) + (arguments (list "uid >= 1000"))) + ;; Allow access without authentication. + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; Stop autologin if account requires action. - (account (list (pam-entry (control "required") (module "pam_unix.so")))) + (account (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (lightdm-pam-services config) (list (lightdm-pam-service config) diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm index c9a7ba96f4..9cd4d23bdb 100644 --- a/gnu/services/sddm.scm +++ b/gnu/services/sddm.scm @@ -23,6 +23,7 @@ (define-module (gnu services sddm) #:use-module (gnu packages admin) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) + #:use-module (gnu packages linux) #:use-module (gnu packages xorg) #:use-module (gnu services) #:use-module (gnu services shepherd) 
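Review bot: (file-append linux-pam "/lib/security/pam_...so") is now spelled out at every entry of the lightdm-greeter and lightdm-autologin stacks, and the same expression recurs through sddm.scm, xorg.scm and pam.scm below, which is also why each former one-line pam-entry has grown to three lines. A small helper exported from (gnu system pam), for example (define (linux-pam-module name) (file-append linux-pam "/lib/security/" name)), would keep the original one-line layout, make the diff mostly mechanical, and give a single place to change if the module directory of linux-pam ever moves.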
@@ -185,32 +186,32 @@ (define (sddm-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) (pam-entry (control "required") - (module "pam_env.so")) + (module (file-append linux-pam "/lib/security/pam_env.so"))) (pam-entry (control "required") - (module "pam_succeed_if.so") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) "quiet"))) ;; should be factored out into system-auth (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (account (list ;; should be factored out into system-account (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (password (list ;; should be factored out into system-password (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) (arguments (list "sha512" "shadow" "try_first_pass"))))) (session (list @@ -218,7 +219,7 @@ (module "pam_unix.so") ;; should be factored out into system-session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (sddm-greeter-pam-service) "Return a PAM service for @command{sddm-greeter}." 
@@ -229,29 +230,29 @@ (define (sddm-greeter-pam-service) ;; Load environment from /etc/environment and ~/.pam_environment (pam-entry (control "required") - (module "pam_env.so")) + (module (file-append linux-pam "/lib/security/pam_env.so"))) ;; Always let the greeter start without authentication (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (account (list ;; No action required for account management (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (password (list ;; Can't change password (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (session (list ;; Setup session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (sddm-autologin-pam-service config) "Return a PAM service for @command{sddm-autologin}" @@ -261,16 +262,16 @@ (define (sddm-autologin-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) (pam-entry (control "required") - (module "pam_succeed_if.so") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) "quiet"))) (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (account (list (pam-entry @@ -280,7 +281,7 @@ (module "sddm")))) (list (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (session (list (pam-entry diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 8b6080fd26..97fbde3511 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm 
@@ -50,6 +50,7 @@ (define-module (gnu services xorg) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnustep) #:use-module (gnu packages gnome) + #:use-module (gnu packages linux) #:use-module (gnu packages admin) #:use-module (gnu packages bash) #:use-module (gnu system shadow) @@ -1101,12 +1102,12 @@ (module (file-append (gdm-configuration-gdm config) "/lib/security/pam_gdm.so"))) (pam-entry (control "sufficient") - (module "pam_permit.so"))))) + (module (file-append linux-pam "/lib/security/pam_permit.so")))))) (pam-service (inherit (unix-pam-service "gdm-launch-environment")) (auth (list (pam-entry (control "required") - (module "pam_permit.so"))))) + (module (file-append linux-pam "/lib/security/pam_permit.so")))))) (unix-pam-service "gdm-password" #:login-uid? #t #:allow-empty-passwords? diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index adc40c975f..e3711e2b1e 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -202,7 +202,7 @@ (define %pam-other-services ;; .) (let ((deny (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (pam-service (name "other") (account (list deny)) @@ -213,10 +213,10 @@ (module "pam_deny.so")))) (define unix-pam-service (let ((unix (pam-entry (control "required") - (module "pam_unix.so"))) + (module (file-append linux-pam "/lib/security/pam_unix.so")))) (env (pam-entry ; to honor /etc/environment. (control "required") - (module "pam_env.so")))) + (module (file-append linux-pam "/lib/security/pam_env.so"))))) (lambda* (name #:key allow-empty-passwords? allow-root? motd login-uid? gnupg?) "Return a standard Unix-style PAM service for NAME. When 
@@ -234,12 +234,12 @@ (module "pam_env.so")))) (auth (append (if allow-root? (list (pam-entry (control "sufficient") - (module "pam_rootok.so"))) + (module (file-append linux-pam "/lib/security/pam_rootok.so")))) '()) (list (if allow-empty-passwords? (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) (arguments '("nullok"))) unix)) (if gnupg? @@ -249,20 +249,20 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) '()))) (password (list (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) ;; Store SHA-512 encrypted passwords in /etc/shadow. (arguments '("sha512" "shadow"))))) (session `(,@(if motd (list (pam-entry (control "optional") - (module "pam_motd.so") + (module (file-append linux-pam "/lib/security/pam_motd.so")) (arguments (list #~(string-append "motd=" #$motd))))) '()) ,@(if login-uid? (list (pam-entry ;to fill in /proc/self/loginuid (control "required") - (module "pam_loginuid.so"))) + (module (file-append linux-pam "/lib/security/pam_loginuid.so")))) '()) ,@(if gnupg? (list (pam-entry 
@@ -276,13 +276,13 @@ (define (rootok-pam-service command) authenticate to run COMMAND." (let ((unix (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (pam-service (name command) (account (list unix)) (auth (list (pam-entry (control "sufficient") - (module "pam_rootok.so")))) + (module (file-append linux-pam "/lib/security/pam_rootok.so"))))) (password (list unix)) (session (list unix))))) -- 2.40.1 From debbugs-submit-bounces@debbugs.gnu.org Fri May 12 14:53:04 2023 Received: (at 63383) by debbugs.gnu.org; 12 May 2023 18:53:04 +0000 Received: from localhost ([127.0.0.1]:32992 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pxXt2-0003b6-82 for submit@debbugs.gnu.org; Fri, 12 May 2023 14:53:04 -0400 Received: from sail-ipv4.us-core.com ([208.82.101.137]:38686) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pxXsy-0003ZR-Pu for 63383@debbugs.gnu.org; Fri, 12 May 2023 14:53:01 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=PzZT4yNHmmaUw5W jYUsLhh1NuD3gUlVl/gqDgsJ5cpc=; h=references:in-reply-to:date:subject: cc:to:from; d=lease-up.com; b=cGrvxHKzGJJ9rxqzBaN4Vaeb+CbvgoXiYVEd1i/+ t2pi9DE5WzKaVmCcfK4zqPmX6yimrRSD4cTjlCZ7hSK9NiVjgiMvg5PeT5Wlf5JHLQnwJM E3Unbs8uam6z0MZLcjVi1dixx0Lq6RJwCfc0c5IpQvggIK4M/VHJ3FCRIyr0Q= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id b22520eb (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); Fri, 12 May 2023 18:52:56 +0000 (UTC) Received: from localhost (localhost [local]) by localhost (OpenSMTPD) with ESMTPA id eda3230f; Fri, 12 May 2023 18:52:55 +0000 (UTC) 
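Review bot: the switch from bare names to absolute store paths in unix-pam-service and rootok-pam-service changes what happens across a reconfigure, and the commit message should say so rather than only reference the doubt in [1]. A bare "pam_unix.so" is resolved by libpam against the module directory compiled into that libpam, so a long-running process such as sshd (one of the services pam-limits-service-type targets) kept loading modules from the same linux-pam build as the libpam it had already mapped. With absolute paths, the same still-running process starts dlopen'ing modules from the new linux-pam while continuing to run the old libpam, and the pairing only holds as long as the ABI between the two builds is unchanged. The old files stay in the store as long as the previous generation exists, so nothing breaks outright, but that version mix is the concrete upgrade concern and deserves either a sentence in the commit message or a reconfigure test.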
From: Felix Lechner To: 63383@debbugs.gnu.org Subject: [PATCH v2 4/4] Use more file-append. Date: Fri, 12 May 2023 11:52:50 -0700 Message-Id: X-Mailer: git-send-email 2.40.1 In-Reply-To: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com> References: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.2 (/) X-Debbugs-Envelope-To: 63383 Cc: Felix Lechner X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) Based on the author's review of the code base as well as past commits, similar invocations are in the process of being changed over from string-append to file-append. * gnu/services/authentication.scm * gnu/services/base.scm * gnu/services/kerberos.scm * gnu/services/pam-mount.scm: Use more file-append instead of string-append. --- gnu/services/authentication.scm | 2 +- gnu/services/base.scm | 2 +- gnu/services/kerberos.scm | 4 ++-- gnu/services/pam-mount.scm | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm index f1ad1b1afe..fbfef2d3d0 100644 --- a/gnu/services/authentication.scm +++ b/gnu/services/authentication.scm @@ -504,7 +504,7 @@ (define (nslcd-shepherd-service config) (define (pam-ldap-pam-service config) "Return a PAM service for LDAP authentication." (define pam-ldap-module - #~(string-append #$(nslcd-configuration-nss-pam-ldapd config) + (file-append (nslcd-configuration-nss-pam-ldapd config) "/lib/security/pam_ldap.so")) (pam-extension (transformer diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 5d0542b39d..a6c501e2c2 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -3253,7 +3253,7 @@ (define (greetd-pam-service config) (define optional-pam-mount (pam-entry (control "optional") - (module #~(string-append #$greetd-pam-mount "/lib/security/pam_mount.so")) + (module (file-append greetd-pam-mount "/lib/security/pam_mount.so")) (arguments '("disable_interactive")))) (list diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm index 1a1b37f890..a6f540a9b6 100644 --- a/gnu/services/kerberos.scm +++ b/gnu/services/kerberos.scm @@ -432,8 +432,8 @@ (define (pam-krb5-pam-service config) (transformer (lambda (pam) (define pam-krb5-module - #~(string-append #$(pam-krb5-configuration-pam-krb5 config) - "/lib/security/pam_krb5.so")) + (file-append (pam-krb5-configuration-pam-krb5 config) + "/lib/security/pam_krb5.so")) (let ((pam-krb5-sufficient (pam-entry diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm index 21c34ddd61..afaa2704cd 100644 --- a/gnu/services/pam-mount.scm +++ b/gnu/services/pam-mount.scm 
@@ -87,7 +87,7 @@ (define (pam-mount-pam-service config) (define optional-pam-mount (pam-entry (control "optional") - (module #~(string-append #$pam-mount "/lib/security/pam_mount.so")))) + (module (file-append pam-mount "/lib/security/pam_mount.so")))) (list (pam-extension (transformer -- 2.40.1
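Review bot: in the `gnu/services/authentication.scm` hunk, `pam-ldap-module` changes from a gexp (`#~(string-append #$… "/lib/security/pam_ldap.so")`) to a `file-append` object, but the commit message justifies this only with "similar invocations are in the process of being changed over". State the rationale in the message so a reviewer can verify the convention: `file-append` keeps the dependency on the `nss-pam-ldapd` package as a file-like object that lowers to the absolute store path of `pam_ldap.so` wherever it is consumed, without wrapping it in a nested `#~`/`#$`, and a pointer to the earlier commit that made the same switch would help.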
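Review bot: the `gnu/services/base.scm` hunk leaves the `optional-pam-mount` inside `greetd-pam-service` as a near-verbatim copy of the `optional-pam-mount` in the `gnu/services/pam-mount.scm` hunk: both are `(pam-entry (control "optional") (module (file-append … "/lib/security/pam_mount.so")) …)`, differing only in the `(arguments '("disable_interactive"))` the greetd one adds. Now that both are plain `file-append` expressions, consider exporting a single definition (parameterised on the package and the optional argument list) from `pam-mount.scm` so the two entries cannot drift apart.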
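Review bot: in the `gnu/services/pam-mount.scm` hunk, `pam-mount-pam-service` receives a `config` but builds the module path from the bare `pam-mount` package variable, whereas the LDAP and Kerberos hunks take the package from the service configuration (`nslcd-configuration-nss-pam-ldapd`, `pam-krb5-configuration-pam-krb5`). If the pam-mount service configuration has, or should get, a package field, this is the line to use it, so an operator can pin or patch the module whose absolute store path ends up in the generated PAM service.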
From: Felix Lechner
Date: Wed, 28 Jun 2023 11:44:21 -0700
Subject: Fwd: PAM may cause issues on system updates
To: 63383@debbugs.gnu.org
Cc: Ludovic Courtès, Maxim Cournoyer

[an earlier version was sent to the wrong bug]

Hi,

There is another bug that was probably a reason why some folks hesitated to accept this patch:

https://issues.guix.gnu.org/32182

In that bug, Ludo' proposed to refer from Shepherd services to PAM services by absolute paths. I believe it is a viable and worthy solution.

(By contrast, this bug makes PAM services refer to PAM modules by absolute paths.)

Another solution could be to make all PAM modules and services Guile scripts. While admittedly a more comprehensive effort, I believe such an upgrade might be popular in the broader community, which is generally tired of PAM. The only prerequisite to execute those scripts would be a working copy of GNU Guile (i.e. no libpam or libc).
Kind regards
Felix
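Felix's message above weighs referring to PAM modules by absolute paths. As an added example that is not part of the thread or of Guix, the following Python audit parses PAM service files and classifies each module reference as relative (resolved through libpam's default module directory), absolute, or absolute but dangling (the path no longer exists), which is the two-sided check an operator wants after a system update. The sample service file is constructed, its store hashes are placeholders, and `exists` is injectable so the audit runs offline.

```python
# Added example for this thread (not Guix or patch code): audit how PAM
# service files reference modules.  file-append pins an absolute store path
# that libpam loads directly; the converse risk is a path that no longer exists.
import os

PAM_TYPES = {"auth", "account", "password", "session"}

def parse_pam_line(line):
    """(type, control, module, args), or None for blank/comment/@include lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("@include"):
        return None
    fields = line.split(None, 1) + ["", ""]
    ptype, rest = fields[0].lstrip("-"), fields[1]   # '-' only silences logging
    if rest.startswith("["):             # [success=1 default=ignore] has spaces
        end = rest.index("]") + 1
        control, rest = rest[:end], rest[end:]
    else:
        control, rest = (rest.split(None, 1) + ["", ""])[:2]
    parts = rest.split()
    if ptype not in PAM_TYPES or not parts:
        raise ValueError(f"malformed PAM line: {line!r}")
    return ptype, control, parts[0], parts[1:]

def classify(module, exists=os.path.exists):
    """relative: found via libpam's module directory; absolute: pinned to one
    build; dangling: absolute path whose file is gone."""
    if not module.startswith("/"):
        return "relative"
    return "absolute" if exists(module) else "dangling"

def audit(text, exists=os.path.exists):
    """Return (line number, type, module, classification) per module entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_pam_line(raw)
        if entry is not None:
            findings.append((lineno, entry[0], entry[2],
                             classify(entry[2], exists)))
    return findings

# Constructed sample; EXAMPLEHASH and GONEHASH stand in for real store hashes.
SAMPLE = """\
# constructed in the style of a Guix-generated /etc/pam.d/login
auth    optional /gnu/store/EXAMPLEHASH-pam-mount/lib/security/pam_mount.so disable_interactive
auth    [success=1 default=ignore] pam_unix.so nullok
session optional /gnu/store/GONEHASH-pam-krb5/lib/security/pam_krb5.so
@include common-account
"""
```

Run `audit(SAMPLE, exists=lambda p: "EXAMPLEHASH" in p)` to see the pam_mount entry reported as absolute, pam_unix as relative and the pam_krb5 entry as dangling; on a real host call `audit(open(path).read())` for each file under `/etc/pam.d`.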
From: Ludovic Courtès
To: Felix Lechner
Subject: Re: bug#63383: [PATCH 0/4] Various PAM improvements
Date: Tue, 15 Aug 2023 22:19:34 +0200
In-Reply-To: (Felix Lechner's message of "Wed, 28 Jun 2023 11:44:21 -0700")
Message-ID: <87cyzo83e1.fsf_-_@gnu.org>
Cc: 63383-done@debbugs.gnu.org, Maxim Cournoyer

Hi,

Sorry for the long delay!

Felix Lechner wrote:

> There is another bug that was probably a reason why some folks
> hesitated to accept this patch:
>
> https://issues.guix.gnu.org/32182
>
> In that bug, Ludo' proposed to refer from Shepherd services to PAM
> services by absolute paths. I believe it is a viable and worthy
> solution.
>
> (By contrast, this bug makes PAM services refer to PAM modules by
> absolute paths.)

Right. For this reason, I’m dropping the patch that adds more absolute file names for all modules shipped with ‘linux-pam’ but keeping the rest.

> Another solution could be to make all PAM modules and services Guile
> scripts. While admittedly a more comprehensive effort, I believe such
> an upgrade might be popular in the broader community, which is
> generally tired of PAM. The only prerequisite to execute those scripts
> would be a working copy of GNU Guile (i.e. no libpam or libc).

Hmm are you suggesting a PAM rewrite in Guile?

Thanks,
Ludo’.
From: Felix Lechner
Date: Wed, 16 Aug 2023 11:21:52 -0700
Subject: Re: bug#63383: [PATCH 0/4] Various PAM improvements
To: Ludovic Courtès
Cc: 63383-done@debbugs.gnu.org, Maxim Cournoyer
In-Reply-To: <87cyzo83e1.fsf_-_@gnu.org>

Hi Ludo'

On Tue, Aug 15, 2023 at 1:19 PM Ludovic Courtès wrote:
>
> I’m dropping the patch that adds more absolute
> file names for all modules shipped with ‘linux-pam’ but keeping the rest.

Thanks for doing that. It was the right thing to do.

> Hmm are you suggesting a PAM rewrite in Guile?

Thanks for asking! I rewrote PAM in Guile some time ago [1] but it still uses a shared library to start Guile via the good old "tortoise" interface. [2]

Upon reflection, I am not sure it would shelter us from all potential compatibility issues on upgrades, including upgrades of Guile.

Perhaps it would be best for Guix to adopt a fully script-driven approach similar to OpenBSD. [3] Maxim may have alluded to it in a correspondence on this topic elsewhere.

Kind regards
Felix

[1] https://codeberg.org/lechner/guile-pam
[2] https://www.gnu.org/software/guile/docs/guile-tut/tutorial.html#Tortoise
[3] https://blog.lambda.cx/posts/how-bsd-authentication-works/
From: Debbugs Internal Request
Subject: Internal Control
Date: Thu, 14 Sep 2023 11:24:14 +0000

bug archived.