Package: guix-patches;
Reported by: Felix Lechner <felix.lechner <at> lease-up.com>
Date: Tue, 9 May 2023 00:57:01 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Message #29 received at 63383 <at> debbugs.gnu.org (full text, mbox):
From: Felix Lechner <felix.lechner <at> lease-up.com> To: 63383 <at> debbugs.gnu.org Cc: Felix Lechner <felix.lechner <at> lease-up.com> Subject: [PATCH v2 3/4] Refer to the built-in Linux-PAM modules by their absolute paths. Date: Fri, 12 May 2023 11:52:49 -0700
In the complex world that is Guix, this commit allows the processing of PAM
stacks by means other than the official libpam.so.
An assumption was voiced that absolute paths here might be unfavorable for
upgrades [1] but the author of this commit is not sure about that.
[1] https://issues.guix.gnu.org/61744#6
This commit was tested and is already being deployed in production.
* gnu/services/base.scm
* gnu/services/lightdm.scm
* gnu/services/sddm.scm
* gnu/services/xorg.scm
* gnu/system/pam.scm: Refer to the built-in PAM modules, which are shipped
with Linux-PAM, by their absolute paths in the store.
---
gnu/services/base.scm | 6 ++--
gnu/services/lightdm.scm | 60 +++++++++++++++++++++++++++++-----------
gnu/services/sddm.scm | 33 +++++++++++-----------
gnu/services/xorg.scm | 5 ++--
gnu/system/pam.scm | 20 +++++++-------
5 files changed, 77 insertions(+), 47 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4bef781977..5d0542b39d 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -58,8 +58,8 @@ (define-module (gnu services base)
#:use-module (gnu packages admin)
#:use-module ((gnu packages linux)
#:select (alsa-utils btrfs-progs crda eudev
- e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools
- util-linux xfsprogs))
+ e2fsprogs f2fs-tools fuse gpm kbd linux-pam lvm2
+ rng-tools util-linux xfsprogs))
#:use-module (gnu packages bash)
#:use-module ((gnu packages base)
#:select (coreutils glibc glibc-utf8-locales tar
@@ -1609,7 +1609,7 @@ (define pam-limits-service-type
(lambda (pam)
(let ((pam-limits (pam-entry
(control "required")
- (module "pam_limits.so")
+ (module (file-append linux-pam "/lib/security/pam_limits.so"))
(arguments
(list #~(string-append "conf=" #$limits-file))))))
(if (member (pam-service-name pam)
diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm
index b966f402d6..9927e8769b 100644
--- a/gnu/services/lightdm.scm
+++ b/gnu/services/lightdm.scm
@@ -24,6 +24,7 @@ (define-module (gnu services lightdm)
#:use-module (gnu packages display-managers)
#:use-module (gnu packages freedesktop)
#:use-module (gnu packages gnome)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages vnc)
#:use-module (gnu packages xorg)
#:use-module (gnu services configuration)
@@ -546,34 +547,61 @@ (define (lightdm-greeter-pam-service)
(name "lightdm-greeter")
(auth (list
;; Load environment from /etc/environment and ~/.pam_environment.
- (pam-entry (control "required") (module "pam_env.so"))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
;; Always let the greeter start without authentication.
- (pam-entry (control "required") (module "pam_permit.so"))))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; No action required for account management
- (account (list (pam-entry (control "required") (module "pam_permit.so"))))
+ (account (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; Prohibit changing password.
- (password (list (pam-entry (control "required") (module "pam_deny.so"))))
+ (password (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
;; Setup session.
- (session (list (pam-entry (control "required") (module "pam_unix.so"))))))
+ (session (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (lightdm-autologin-pam-service)
"Return a PAM service for @command{lightdm-autologin}}."
(pam-service
(name "lightdm-autologin")
- (auth
- (list
- ;; Block login if user is globally disabled.
- (pam-entry (control "required") (module "pam_nologin.so"))
- (pam-entry (control "required") (module "pam_succeed_if.so")
- (arguments (list "uid >= 1000")))
- ;; Allow access without authentication.
- (pam-entry (control "required") (module "pam_permit.so"))))
+ (auth (list
+ ;; Block login if user is globally disabled.
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
+ (arguments (list "uid >= 1000")))
+ ;; Allow access without authentication.
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; Stop autologin if account requires action.
- (account (list (pam-entry (control "required") (module "pam_unix.so"))))
+ (account (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
;; Prohibit changing password.
- (password (list (pam-entry (control "required") (module "pam_deny.so"))))
+ (password (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
;; Setup session.
- (session (list (pam-entry (control "required") (module "pam_unix.so"))))))
+ (session (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (lightdm-pam-services config)
(list (lightdm-pam-service config)
diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm
index c9a7ba96f4..9cd4d23bdb 100644
--- a/gnu/services/sddm.scm
+++ b/gnu/services/sddm.scm
@@ -23,6 +23,7 @@ (define-module (gnu services sddm)
#:use-module (gnu packages admin)
#:use-module (gnu packages display-managers)
#:use-module (gnu packages freedesktop)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages xorg)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
@@ -185,32 +186,32 @@ (define (sddm-pam-service config)
(list
(pam-entry
(control "requisite")
- (module "pam_nologin.so"))
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
(pam-entry
(control "required")
- (module "pam_env.so"))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
(pam-entry
(control "required")
- (module "pam_succeed_if.so")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
(arguments (list (string-append "uid >= "
(number->string (sddm-configuration-minimum-uid config)))
"quiet")))
;; should be factored out into system-auth
(pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(account
(list
;; should be factored out into system-account
(pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(password
(list
;; should be factored out into system-password
(pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
(arguments (list "sha512" "shadow" "try_first_pass")))))
(session
(list
@@ -218,7 +219,7 @@ (module "pam_unix.so")
;; should be factored out into system-session
(pam-entry
(control "required")
- (module "pam_unix.so"))))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (sddm-greeter-pam-service)
"Return a PAM service for @command{sddm-greeter}."
@@ -229,29 +230,29 @@ (define (sddm-greeter-pam-service)
;; Load environment from /etc/environment and ~/.pam_environment
(pam-entry
(control "required")
- (module "pam_env.so"))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
;; Always let the greeter start without authentication
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(account
(list
;; No action required for account management
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(password
(list
;; Can't change password
(pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(session
(list
;; Setup session
(pam-entry
(control "required")
- (module "pam_unix.so"))))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (sddm-autologin-pam-service config)
"Return a PAM service for @command{sddm-autologin}"
@@ -261,16 +262,16 @@ (define (sddm-autologin-pam-service config)
(list
(pam-entry
(control "requisite")
- (module "pam_nologin.so"))
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
(pam-entry
(control "required")
- (module "pam_succeed_if.so")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
(arguments (list (string-append "uid >= "
(number->string (sddm-configuration-minimum-uid config)))
"quiet")))
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(account
(list
(pam-entry
@@ -280,7 +281,7 @@ (module "sddm"))))
(list
(pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(session
(list
(pam-entry
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 8b6080fd26..97fbde3511 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -50,6 +50,7 @@ (define-module (gnu services xorg)
#:use-module (gnu packages freedesktop)
#:use-module (gnu packages gnustep)
#:use-module (gnu packages gnome)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages admin)
#:use-module (gnu packages bash)
#:use-module (gnu system shadow)
@@ -1101,12 +1102,12 @@ (module (file-append (gdm-configuration-gdm config)
"/lib/security/pam_gdm.so")))
(pam-entry
(control "sufficient")
- (module "pam_permit.so")))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so"))))))
(pam-service
(inherit (unix-pam-service "gdm-launch-environment"))
(auth (list (pam-entry
(control "required")
- (module "pam_permit.so")))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so"))))))
(unix-pam-service "gdm-password"
#:login-uid? #t
#:allow-empty-passwords?
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index adc40c975f..e3711e2b1e 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -202,7 +202,7 @@ (define %pam-other-services
;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.)
(let ((deny (pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(pam-service
(name "other")
(account (list deny))
@@ -213,10 +213,10 @@ (module "pam_deny.so"))))
(define unix-pam-service
(let ((unix (pam-entry
(control "required")
- (module "pam_unix.so")))
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))))
(env (pam-entry ; to honor /etc/environment.
(control "required")
- (module "pam_env.so"))))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))))
(lambda* (name #:key allow-empty-passwords? allow-root? motd
login-uid? gnupg?)
"Return a standard Unix-style PAM service for NAME. When
@@ -234,12 +234,12 @@ (module "pam_env.so"))))
(auth (append (if allow-root?
(list (pam-entry
(control "sufficient")
- (module "pam_rootok.so")))
+ (module (file-append linux-pam "/lib/security/pam_rootok.so"))))
'())
(list (if allow-empty-passwords?
(pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
(arguments '("nullok")))
unix))
(if gnupg?
@@ -249,20 +249,20 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
'())))
(password (list (pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
;; Store SHA-512 encrypted passwords in /etc/shadow.
(arguments '("sha512" "shadow")))))
(session `(,@(if motd
(list (pam-entry
(control "optional")
- (module "pam_motd.so")
+ (module (file-append linux-pam "/lib/security/pam_motd.so"))
(arguments
(list #~(string-append "motd=" #$motd)))))
'())
,@(if login-uid?
(list (pam-entry ;to fill in /proc/self/loginuid
(control "required")
- (module "pam_loginuid.so")))
+ (module (file-append linux-pam "/lib/security/pam_loginuid.so"))))
'())
,@(if gnupg?
(list (pam-entry
@@ -276,13 +276,13 @@ (define (rootok-pam-service command)
authenticate to run COMMAND."
(let ((unix (pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(pam-service
(name command)
(account (list unix))
(auth (list (pam-entry
(control "sufficient")
- (module "pam_rootok.so"))))
+ (module (file-append linux-pam "/lib/security/pam_rootok.so")))))
(password (list unix))
(session (list unix)))))
--
2.40.1
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.