GNU bug report logs - #63652
[PATCH] services: screen-locker-service-type: Configurable PAM and setuid.
Reported by: muradm <mail <at> muradm.net>
Date: Mon, 22 May 2023 19:08:01 UTC
Severity: normal
Tags: patch
Done: Josselin Poiret <dev <at> jpoiret.xyz>
Message #13 received at 63652-done <at> debbugs.gnu.org:
Hi muradm,
muradm <mail <at> muradm.net> writes:
> screen-locker-service-type by default both defines a PAM entry
> and makes the program a setuid binary. Normally both methods are
> mutually exclusive: if the binary has setuid set it does not really
> need PAM, and the other way around similarly, if PAM is enabled the
> binary should not rely on setuid.
>
> The recent swaylock package is now compiled with PAM support. When PAM
> support is compiled in, swaylock refuses to execute if the binary is
> also a setuid program.
>
> This change turns screen-locker-configuration from strict
> PAM AND setuid to the more flexible PAM AND/OR setuid, allowing
> swaylock to be configured properly while supporting other
> screen locker preferences.
>
> * gnu/services/xorg.scm (screen-locker-configuration): Switch from
> define-record-type to define-configuration.
> [using-pam?]: New field to control PAM entry existence.
> [using-setuid?]: New field to control setuid binary existence.
> (screen-locker-pam-services): Should not make unix-pam-service if
> using-pam? is set to #f.
> (screen-locker-setuid-programs): Should not make the program a setuid
> program if using-setuid? is set to #f.
> (screen-locker-generate-doc): Internal function to generate
> configuration documentation.
> (screen-locker-service): Adapt to new screen-locker-configuration.
> * gnu/services/desktop.scm (desktop-services-for-system): Adapt to
> new screen-locker-configuration.
> * doc/guix.texi: Reflect new changes to screen-locker-configuration.
Thanks! Tested and pushed as f4f5ee6ad6e2432f52e37c549211df8f1cdbb571
with the following changes:
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index b1ffa72c0e..b9f5f6b6a9 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -2147,7 +2147,10 @@ Xorg
can be achieved by adding the following service to your @file{config.scm}:
@lisp
-(screen-locker-service slock)
+(service screen-locker-services-type
+ (screen-locker-configuration
+ (name "slock")
+ (program (file-append slock "/bin/slock"))))
@end lisp
If you manually lock your screen, e.g. by directly calling slock when you want to lock
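Review bot: the cookbook replacement at `+(service screen-locker-services-type` names a variable that does not exist; every other site in this patch spells it `screen-locker-service-type` (the `@defvar` examples in `guix.texi` and both services in `desktop.scm`), so a user copying the cookbook snippet into `config.scm` gets an unbound-variable error at reconfigure time. Suggest `(service screen-locker-service-type`.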
diff --git a/doc/guix.texi b/doc/guix.texi
index 704bbd39d2..db37676e12 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -97,7 +97,7 @@
Copyright @copyright{} 2021 pukkamustard@*
Copyright @copyright{} 2021 Alice Brenon@*
Copyright @copyright{} 2021, 2022 Josselin Poiret@*
-Copyright @copyright{} 2021 muradm@*
+Copyright @copyright{} 2021, 2023 muradm@*
Copyright @copyright{} 2021, 2022 Andrew Tropin@*
Copyright @copyright{} 2021 Sarah Morgensen@*
Copyright @copyright{} 2022 Remco van 't Veer@*
@@ -22533,28 +22533,32 @@ X Window
saver to the set of setuid programs and/or add a PAM entry for it. The
value for this service is a @code{<screen-locker-configuration>} object.
-While default behavior is to setup both setuid program and PAM entry,
-they are effectively mutually exclusive. Screen locker programs may
-prevent executing when PAM is configured, and @code{setuid} is set on
-executable. Then @code{using-setuid?} can be set to @code{#f}.
+While the default behavior is to setup both a setuid program and PAM
+entry, these two methods are redundant. Screen locker programs may not
+execute when PAM is configured and @code{setuid} is set on their
+executable. In this case, @code{using-setuid?} can be set to @code{#f}.
For example, to make XlockMore usable:
@lisp
(service screen-locker-service-type
(screen-locker-configuration
- "xlock" (file-append xlockmore "/bin/xlock") #f))
+ (name "xlock")
+ (program (file-append xlockmore "/bin/xlock"))))
@end lisp
makes the good ol' XlockMore usable.
For example, swaylock fails to execute when compiled with PAM support
-and setuid enabled, then one can disable setuid:
+and setuid enabled. One can thus disable setuid:
@lisp
(service screen-locker-service-type
(screen-locker-configuration
- "swaylock" (file-append xlockmore "/bin/xlock") #f #t #f))
+ (name "swaylock")
+ (program (file-append xlockmore "/bin/xlock"))
+ (using-pam? #t)
+ (using-setuid? #f)))
@end lisp
@end defvar
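Review bot: the swaylock example still points at the xlockmore package: `+ (program (file-append xlockmore "/bin/xlock"))` directly under `(name "swaylock")`, which pairs a PAM entry named swaylock with the xlock binary and so does not demonstrate the `using-setuid? #f` case the preceding paragraph describes; it should reference the swaylock package and its own binary. Two smaller points in the same hunk: "to setup both" should read "to set up both", and the line "makes the good ol' XlockMore usable." after the first `@end lisp` duplicates the "For example, to make XlockMore usable:" lead-in and can be dropped.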
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index 639e99ff79..a63748b652 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -1840,13 +1840,11 @@ (define* (desktop-services-for-system #:optional
(service screen-locker-service-type
(screen-locker-configuration
(name "slock")
- (program (file-append slock "/bin/slock"))
- (allow-empty-password? #f)))
+ (program (file-append slock "/bin/slock"))))
(service screen-locker-service-type
(screen-locker-configuration
(name "xlock")
- (program (file-append xlock "/bin/xlock"))
- (allow-empty-password? #f)))
+ (program (file-append xlockmore "/bin/xlock"))))
;; Add udev rules for MTP devices so that non-root users can access
;; them.
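Review bot: dropping `(allow-empty-password? #f)` from both services means the lock's behaviour now depends on that field's default in the new `define-configuration` form, which is not visible in this patch; confirm the default is `#f`, since a locker that silently accepts an empty password would be a security regression rather than a cosmetic cleanup. The `xlock` to `xlockmore` change in the second service is consistent with the `@defvar` example in `guix.texi`, which also uses the `xlockmore` package variable.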
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index b6c1636660..f8cf9f25b6 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -723,14 +723,6 @@ (define-configuration/no-serialization screen-locker-configuration
(boolean #t)
"Whether to setup program as setuid binary."))
-(define-deprecated/public-alias
- screen-locker
- screen-locker-configuration)
-
-(define-deprecated/public-alias
- screen-locker?
- screen-locker-configuration?)
-
(define (screen-locker-pam-services config)
(match-record config <screen-locker-configuration>
(name allow-empty-password? using-pam?)
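Review bot: the deleted `define-deprecated/public-alias` forms for `screen-locker` and `screen-locker?` remove the compatibility path for existing configurations that still construct the old record, and that removal is not recorded in the ChangeLog entry above; either keep the aliases so such configurations get a deprecation warning instead of an unbound-variable error, or state the break explicitly in the commit message.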
--
Josselin Poiret
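As an added example that is not part of this bug report or of Guix itself, the following POSIX shell check classifies a deployed locker by the two mechanisms the patch makes configurable (a setuid wrapper or a PAM service file), so an administrator can spot the "both" state that a PAM-built swaylock refuses to run under. It assumes Guix's setuid wrapper directory `/run/setuid-programs` and PAM service files under `/etc/pam.d`; the ROOT argument and the sample tree built by `make_sample` are constructed here for offline use.

```shell
#!/bin/sh
# Added example (not from the bug report or Guix). Assumed locations:
# setuid wrappers in $ROOT/run/setuid-programs, PAM services in $ROOT/etc/pam.d.

# locker_mode NAME [ROOT] -> prints one of: none, setuid, pam, both
locker_mode() {
    name=$1
    root=${2:-}
    wrapper="$root/run/setuid-programs/$name"
    pamfile="$root/etc/pam.d/$name"
    has_setuid=0
    has_pam=0
    # test -u is true when the set-user-ID bit is set on the wrapper
    [ -u "$wrapper" ] && has_setuid=1
    [ -f "$pamfile" ] && has_pam=1
    case "$has_setuid$has_pam" in
        00) echo none ;;
        10) echo setuid ;;
        01) echo pam ;;
        11) echo both ;;
    esac
}

# locker_ok NAME [ROOT] -> exit 0 when the installation is usable:
# "none" means the locker cannot authenticate anyone, and swaylock built
# with PAM refuses to start when it is also setuid, so "both" fails for it.
locker_ok() {
    mode=$(locker_mode "$1" "$2")
    case "$1:$mode" in
        *:none)         return 1 ;;
        swaylock:both)  return 1 ;;
        *)              return 0 ;;
    esac
}

# Constructed sample tree: xlock installed both ways (the service default),
# swaylock PAM-only, slock setuid-only, "otherlock" not installed at all.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/run/setuid-programs" "$root/etc/pam.d"
    : > "$root/run/setuid-programs/xlock"; chmod u+s "$root/run/setuid-programs/xlock"
    : > "$root/etc/pam.d/xlock"
    : > "$root/etc/pam.d/swaylock"
    : > "$root/run/setuid-programs/slock"; chmod u+s "$root/run/setuid-programs/slock"
    echo "$root"
}
```

Run it against the live system with `locker_mode swaylock` (no ROOT) after `guix system reconfigure` to confirm the result matches the `using-pam?` / `using-setuid?` settings in the configuration.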