Package: guix-patches;
Reported by: Felix Lechner <felix.lechner <at> lease-up.com>
Date: Fri, 26 Jul 2024 22:03:02 UTC
Severity: normal
Tags: patch
To reply to this bug, email your comments to 72316 AT debbugs.gnu.org.
Message #5 received at submit <at> debbugs.gnu.org (Fri, 26 Jul 2024 22:03:02 GMT):
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: guix-patches <at> gnu.org
Cc: Felix Lechner <felix.lechner <at> lease-up.com>
Subject: [PATCH 0/3] Switch to Guile-PAM.
Date: Fri, 26 Jul 2024 15:01:08 -0700

Guile-PAM reimplements the PAM stack in GNU Guile and allows system administrators to write modules in GNU Guile. This patch series switches Guix System to Guile-PAM. It relies on the shared objects from Linux-PAM until Guile implementations are available.

In Guix, Guile-PAM could start Shepherd's user services or keep track of login sessions similar to pam_systemd.so.

The guile-pam package ships with a detailed Texinfo manual.

The software is in alpha stage. For example, the interaction with sddm was not well-tested.

Please let me know how it goes---private email is okay!

Kind regards
Felix

Felix Lechner (3):
  Add guile-pam.
  Switch to Guile-PAM.
  Add a guile-pam-module service.

 doc/guix.texi                   |  89 ++++++++++
 gnu/local.mk                    |   1 +
 gnu/packages/linux.scm          |  56 ++++++
 gnu/services/authentication.scm |   9 +-
 gnu/services/base.scm           |  16 +-
 gnu/services/desktop.scm        |  14 +-
 gnu/services/kerberos.scm       |  12 +-
 gnu/services/lightdm.scm        |  69 ++++++--
 gnu/services/pam-mount.scm      |   5 +-
 gnu/services/pam.scm            | 105 +++++++++++
 gnu/services/sddm.scm           |  91 +++++++---
 gnu/services/xorg.scm           |  17 +-
 gnu/system/pam.scm              | 296 ++++++++++++++++++++++++++------
 13 files changed, 671 insertions(+), 109 deletions(-)
 create mode 100644 gnu/services/pam.scm

base-commit: 862a9b5b25966845f71d218ad8c0c5655ffc479a
-- 
2.45.2
Message #8 received at 72316 <at> debbugs.gnu.org (Fri, 26 Jul 2024 22:40:01 GMT):
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: 72316 <at> debbugs.gnu.org
Cc: Felix Lechner <felix.lechner <at> lease-up.com>
Subject: [PATCH 1/3] Add guile-pam.
Date: Fri, 26 Jul 2024 15:39:11 -0700
Change-Id: I991ca32c8696de0e6751b0f4225bf24151ba22f2 --- gnu/packages/linux.scm | 56 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index f36d0fc9ee..7b5f549584 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -112,6 +112,7 @@ (define-module (gnu packages linux) #:use-module (gnu packages bash) #:use-module (gnu packages bison) #:use-module (gnu packages boost) + #:use-module (gnu packages build-tools) #:use-module (gnu packages calendar) #:use-module (gnu packages check) #:use-module (gnu packages cpio) @@ -145,6 +146,7 @@ (define-module (gnu packages linux) #:use-module (gnu packages graphviz) #:use-module (gnu packages gstreamer) #:use-module (gnu packages gtk) + #:use-module (gnu packages guile) #:use-module (gnu packages haskell-apps) #:use-module (gnu packages haskell-xyz) #:use-module (gnu packages image) @@ -157,6 +159,7 @@ (define-module (gnu packages linux) #:use-module (gnu packages m4) #:use-module (gnu packages man) #:use-module (gnu packages maths) + #:use-module (gnu packages mes) #:use-module (gnu packages multiprecision) #:use-module (gnu packages ncurses) #:use-module (gnu packages netpbm) 
@@ -1917,6 +1920,59 @@ (define-public vendor-reset-linux-module ;;; Pluggable authentication modules (PAM). ;;; +(define-public guile-pam + (let ((commit "7eba489fbc56b72de5e4bd77d7c99816434b5178") + (revision "0")) + (package + (name "guile-pam") + (version (git-version "0.0" revision commit)) + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://codeberg.org/lechner/guile-pam") + (commit commit))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "149cmgif05wcp4zgkkr2gp93djr44qiv71ih2b2d633vnj1mbayb")))) + (native-inputs (list + autoconf + automake + gnulib + guile-3.0 + libtool + linux-pam + nyacc + pkg-config + texinfo)) + (inputs (list + guile-3.0 + linux-pam)) + (propagated-inputs (list + nyacc)) + (build-system gnu-build-system) + (arguments + (list + #:phases + #~(modify-phases %standard-phases + (add-after 'unpack 'install-gnulib + ;; per https://lists.gnu.org/archive/html/guile-devel/2012-08/msg00042.html + (lambda* (#:key inputs #:allow-other-keys) + (let ((build-aux (dirname (search-input-file inputs "/src/gnulib/build-aux/config.rpath")))) + (mkdir-p "build-aux") + (copy-recursively build-aux "build-aux")) + (let ((m4 (dirname (search-input-file inputs "/src/gnulib/m4/lib-link.m4")))) + (mkdir-p "m4") + (copy-recursively m4 "m4"))))))) + (home-page "https://codeberg.org/lechner/guile-pam") + (synopsis "Write your Linux-PAM authentication logic in Guile Scheme") + (description + "Guile-PAM provides a way to rewrite your authentication logic in the +Linux PAM (pluggable authentication modules) in Guile Scheme. It should make +those modules more transparent to the administrator and more intuitive to +use.") + (license license:gpl3+)))) + (define-public linux-pam (package (name "linux-pam") -- 2.45.2
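Review bot: in the guile-pam package hunk, linux-pam is listed under both native-inputs and inputs; the package only links against it, so inputs alone suffices (when cross-compiling, the native-inputs copy would be built for the build machine and never used). The install-gnulib phase locates the gnulib checkout with `search-input-file inputs "/src/gnulib/build-aux/config.rpath"` and `"/src/gnulib/m4/lib-link.m4"` and then copies the whole build-aux and m4 directories; a comment naming which gnulib macros the configure script actually needs would make that easier to maintain than the bare mailing-list link, and would let a later revision copy only those files.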
Message #11 received at 72316 <at> debbugs.gnu.org (Fri, 26 Jul 2024 22:40:02 GMT):
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: 72316 <at> debbugs.gnu.org
Cc: Felix Lechner <felix.lechner <at> lease-up.com>
Subject: [PATCH 2/3] Switch to Guile-PAM.
Date: Fri, 26 Jul 2024 15:39:12 -0700
Change-Id: Ib691b41cdb152f508a4a8d1b12b2a20da8706fed --- gnu/services/authentication.scm | 9 +- gnu/services/base.scm | 16 +- gnu/services/desktop.scm | 14 +- gnu/services/kerberos.scm | 12 +- gnu/services/lightdm.scm | 69 ++++++-- gnu/services/pam-mount.scm | 5 +- gnu/services/sddm.scm | 91 +++++++--- gnu/services/xorg.scm | 17 +- gnu/system/pam.scm | 296 ++++++++++++++++++++++++++------ 9 files changed, 420 insertions(+), 109 deletions(-) diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm index fbfef2d3d0..88ccba6ada 100644 --- a/gnu/services/authentication.scm +++ b/gnu/services/authentication.scm @@ -503,9 +503,6 @@ (define (nslcd-shepherd-service config) (define (pam-ldap-pam-service config) "Return a PAM service for LDAP authentication." - (define pam-ldap-module - (file-append (nslcd-configuration-nss-pam-ldapd config) - "/lib/security/pam_ldap.so")) (pam-extension (transformer (lambda (pam) @@ -514,7 +511,11 @@ (define (pam-ldap-pam-service config) (let ((sufficient (pam-entry (control "sufficient") - (module pam-ldap-module)))) + (module "pam_ldap.so") + (foreign-library-path + (list + (file-append (nslcd-configuration-nss-pam-ldapd config) + "/lib/security")))))) (pam-service (inherit pam) (auth (cons sufficient (pam-service-auth pam))) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 4b5b103cc3..0d99c649c2 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -58,8 +58,8 @@ (define-module (gnu services base) #:use-module (gnu packages admin) #:use-module ((gnu packages linux) #:select (alsa-utils btrfs-progs crda eudev - e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools - util-linux xfsprogs)) + e2fsprogs f2fs-tools fuse gpm kbd linux-pam + lvm2 rng-tools util-linux xfsprogs)) #:use-module (gnu packages bash) #:use-module ((gnu packages base) #:select (coreutils glibc glibc/hurd 
@@ -1652,7 +1652,10 @@ (define pam-limits-service-type (control "required") (module "pam_limits.so") (arguments - (list #~(string-append "conf=" #$limits-file)))))) + (list #~(string-append "conf=" #$limits-file))) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (if (member (pam-service-name pam) '("login" "greetd" "su" "slim" "gdm-password" "sddm" "lightdm" "sudo" "sshd")) @@ -3540,8 +3543,11 @@ (define (greetd-pam-service config) (define optional-pam-mount (pam-entry (control "optional") - (module (file-append greetd-pam-mount "/lib/security/pam_mount.so")) - (arguments '("disable_interactive")))) + (module "pam_mount.so") + (arguments '("disable_interactive")) + (foreign-library-path + (list + (file-append greetd-pam-mount "/lib/security"))))) (list (unix-pam-service "greetd" diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 63e2011ce3..762b933519 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -1233,8 +1233,10 @@ (define (pam-extension-procedure config) (define pam-elogind (pam-entry (control "required") - (module (file-append (elogind-package config) - "/lib/security/pam_elogind.so")))) + (module "pam_elogind.so") + (foreign-library-path + (list + (file-append (elogind-package config) "/lib/security"))))) (list (pam-extension (transformer @@ -1886,9 +1888,11 @@ (define (pam-gnome-keyring config) (define (%pam-keyring-entry . arguments) (pam-entry (control "optional") - (module (file-append (gnome-keyring-package config) - "/lib/security/pam_gnome_keyring.so")) - (arguments arguments))) + (module "pam_gnome_keyring.so") + (arguments arguments) + (foreign-library-path + (list + (file-append (gnome-keyring-package config) "/lib/security"))))) (list (pam-extension diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm index a6f540a9b6..d2d8988a83 100644 --- a/gnu/services/kerberos.scm +++ b/gnu/services/kerberos.scm 
@@ -431,18 +431,18 @@ (define (pam-krb5-pam-service config) (pam-extension (transformer (lambda (pam) - (define pam-krb5-module - (file-append (pam-krb5-configuration-pam-krb5 config) - "/lib/security/pam_krb5.so")) - (let ((pam-krb5-sufficient (pam-entry (control "sufficient") - (module pam-krb5-module) + (module "pam_krb5.so") (arguments (list (format #f "minimum_uid=~a" - (pam-krb5-configuration-minimum-uid config))))))) + (pam-krb5-configuration-minimum-uid config)))) + (foreign-library-path + (list + (file-append (pam-krb5-configuration-pam-krb5 config) + "/lib/security")))))) (pam-service (inherit pam) (auth (cons* pam-krb5-sufficient diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm index 18beaa44de..dcdae51c68 100644 --- a/gnu/services/lightdm.scm +++ b/gnu/services/lightdm.scm @@ -24,6 +24,7 @@ (define-module (gnu services lightdm) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnome) + #:use-module ((gnu packages linux) #:select (linux-pam)) #:use-module (gnu packages vnc) #:use-module (gnu packages xorg) #:use-module (gnu services configuration) 
@@ -546,15 +547,35 @@ (define (lightdm-greeter-pam-service) (name "lightdm-greeter") (auth (list ;; Load environment from /etc/environment and ~/.pam_environment. - (pam-entry (control "required") (module "pam_env.so")) + (pam-entry (control "required") + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; Always let the greeter start without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (pam-entry (control "required") + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; No action required for account management - (account (list (pam-entry (control "required") (module "pam_permit.so")))) + (account (list (pam-entry (control "required") + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list (pam-entry (control "required") + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list (pam-entry (control "required") + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (lightdm-autologin-pam-service) "Return a PAM service for @command{lightdm-autologin}}." 
@@ -563,17 +584,41 @@ (define (lightdm-autologin-pam-service) (auth (list ;; Block login if user is globally disabled. - (pam-entry (control "required") (module "pam_nologin.so")) - (pam-entry (control "required") (module "pam_succeed_if.so") - (arguments (list "uid >= 1000"))) + (pam-entry (control "required") + (module "pam_nologin.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) + (pam-entry (control "required") + (module "pam_succeed_if.so") + (arguments (list "uid >= 1000")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; Allow access without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (pam-entry (control "required") + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Stop autologin if account requires action. - (account (list (pam-entry (control "required") (module "pam_unix.so")))) + (account (list (pam-entry (control "required") + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list (pam-entry (control "required") + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list (pam-entry (control "required") + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (lightdm-pam-services config) (list (lightdm-pam-service config) diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm index b3a02e82e9..1eb5b44e31 100644 --- a/gnu/services/pam-mount.scm +++ b/gnu/services/pam-mount.scm 
@@ -94,7 +94,10 @@ (define (pam-mount-pam-service config) (define optional-pam-mount (pam-entry (control "optional") - (module (file-append pam-mount "/lib/security/pam_mount.so")))) + (module "pam_mount.so") + (foreign-library-path + (list + (file-append pam-mount "/lib/security"))))) (list (pam-extension (transformer diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm index 92d64cc599..cb2c5a9276 100644 --- a/gnu/services/sddm.scm +++ b/gnu/services/sddm.scm @@ -24,6 +24,7 @@ (define-module (gnu services sddm) #:use-module (gnu packages admin) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) + #:use-module ((gnu packages linux) #:select (linux-pam)) #:use-module (gnu packages xorg) #:use-module (gnu services) #:use-module (gnu services shepherd) 
@@ -206,40 +207,61 @@ (define (sddm-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module "pam_nologin.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") - (module "pam_env.so")) + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") (module "pam_succeed_if.so") (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) - "quiet"))) + "quiet")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; should be factored out into system-auth (pam-entry (control "required") - (module "pam_unix.so")))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (account (list ;; should be factored out into system-account (pam-entry (control "required") - (module "pam_unix.so")))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (password (list ;; should be factored out into system-password (pam-entry (control "required") (module "pam_unix.so") - (arguments (list "sha512" "shadow" "try_first_pass"))))) + (arguments (list "sha512" "shadow" "try_first_pass")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session (list ;; lfs has a required pam_limits.so ;; should be factored out into system-session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (sddm-greeter-pam-service) "Return a PAM service for @command{sddm-greeter}." 
@@ -250,29 +272,44 @@ (define (sddm-greeter-pam-service) ;; Load environment from /etc/environment and ~/.pam_environment (pam-entry (control "required") - (module "pam_env.so")) + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; Always let the greeter start without authentication (pam-entry (control "required") - (module "pam_permit.so")))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (account (list ;; No action required for account management (pam-entry (control "required") - (module "pam_permit.so")))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (password (list ;; Can't change password (pam-entry (control "required") - (module "pam_deny.so")))) + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session (list ;; Setup session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (sddm-autologin-pam-service config) "Return a PAM service for @command{sddm-autologin}" 
@@ -282,31 +319,37 @@ (define (sddm-autologin-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module "pam_nologin.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") (module "pam_succeed_if.so") (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) - "quiet"))) + "quiet")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") - (module "pam_permit.so")))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (account - (list - (pam-entry - (control "include") - (module "sddm")))) + (pam-service-account (sddm-pam-service config))) (password (list (pam-entry (control "required") - (module "pam_deny.so")))) + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session - (list - (pam-entry - (control "include") - (module "sddm")))))) + (pam-service-session (sddm-pam-service config))))) (define (sddm-pam-services config) (list (sddm-pam-service config) diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index e7d8922d76..b1df08662f 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm 
@@ -1236,16 +1236,25 @@ (define (gdm-pam-service config) #:login-uid? #t)) (auth (list (pam-entry (control "optional") - (module (file-append (gdm-configuration-gdm config) - "/lib/security/pam_gdm.so"))) + (module "pam_gdm.so") + (foreign-library-path + (list + (file-append (gdm-configuration-gdm config) + "/lib/security/")))) (pam-entry (control "sufficient") - (module "pam_permit.so"))))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))))) (pam-service (inherit (unix-pam-service "gdm-launch-environment")) (auth (list (pam-entry (control "required") - (module "pam_permit.so"))))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))))) (unix-pam-service "gdm-password" #:login-uid? #t #:allow-empty-passwords? diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index a035a92e25..232256d59a 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -32,7 +32,9 @@ (define-module (gnu system pam) #:use-module (srfi srfi-11) #:use-module (srfi srfi-26) #:use-module ((guix utils) #:select (%current-system)) + #:use-module (gnu packages guile) #:use-module (gnu packages linux) + #:use-module (gnu packages mes) #:export (pam-service pam-service-name pam-service-account @@ -44,6 +46,8 @@ (define-module (gnu system pam) pam-entry-control pam-entry-module pam-entry-arguments + pam-entry-guile-inputs + pam-entry-foreign-library-path pam-limits-entry pam-limits-entry-domain 
@@ -92,10 +96,16 @@ (define-record-type* <pam-service> pam-service (define-record-type* <pam-entry> pam-entry make-pam-entry pam-entry? - (control pam-entry-control) ; string + (control pam-entry-control) ; string, symbol or g-expression (module pam-entry-module) ; file name (arguments pam-entry-arguments ; list of string-valued g-expressions - (default '()))) + (default '())) + (guile-inputs pam-entry-guile-inputs ; list of package variables + (default '())) + (foreign-library-path pam-entry-foreign-library-path ; list of file-like folders + ;; courtesy for historical usage + (default (list + (file-append linux-pam "/lib/security"))))) ;; PAM limits entries are used by the pam_limits PAM module to set or override ;; limits on system resources for user sessions. The format is specified 
@@ -150,35 +160,79 @@ (define (pam-limits-entry->string entry) (number->string value)))) " ")))) -(define (pam-service->configuration service) +(define (pam-service->configuration service shared-object environment-file pamda-file) "Return the derivation building the configuration file for SERVICE, to be dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE." - (define (entry->gexp type entry) - (match entry - (($ <pam-entry> control module (arguments ...)) - #~(format #t "~a ~a ~a ~a~%" - #$type #$control #$module - (string-join (list #$@arguments)))))) - - (match service - (($ <pam-service> name account auth password session) - (define builder - #~(begin - (with-output-to-file #$output - (lambda () - #$@(append (map (cut entry->gexp "account" <>) account) - (map (cut entry->gexp "auth" <>) auth) - (map (cut entry->gexp "password" <>) password) - (map (cut entry->gexp "session" <>) session)) - #t)))) - - (computed-file name builder)))) - -(define (pam-services->directory services) + (mixed-text-file (pam-service-name service) + "account required " shared-object " " environment-file " " pamda-file "\n" + "auth required " shared-object " " environment-file " " pamda-file "\n" + "password required " shared-object " " environment-file " " pamda-file "\n" + "session required " shared-object " " environment-file " " pamda-file "\n")) + +(define (intersperse a xs) + (if (null? xs) + '() + [cons (car xs) + (if (null? (cdr xs)) + (cdr xs) + (cons a (intersperse a (cdr xs))))])) + +(define* (make-environment-file guile-inputs + foreign-library-path + #:key + (auto-compile? #f) + (guix-locale-path '("/run/current-system/locale")) + (install-locale? #f) + (jit-log-level 0) + (jit-pause-when-stopping? 
#f) + (jit-stop-after -1) + (jit-threshold 1000) + (locale "C.utf8") + (warn-deprecated "yes")) + (let* ((load-path (map (lambda (package) + (file-append package "/share/guile/site/3.0")) + guile-inputs)) + (load-compiled-path (map (lambda (package) + (file-append package "/lib/guile/3.0/site-ccache")) + guile-inputs)) + (lines `(("LANG=" ,locale) + ;; note on LOCPATH from the Glibc manual: + ;; The value of ‘LOCPATH’ is ignored by privileged programs for security + ;; reasons, and only the default directory is used. + ("GUIX_LOCPATH=" ,@(intersperse ":" guix-locale-path)) + ("GUILE_AUTO_COMPILE=" ,(if auto-compile? "1" "0")) + ("GUILE_INSTALL_LOCALE=" ,(if install-locale? "1" "0")) + ("GUILE_LOAD_PATH=" ,@(intersperse ":" load-path)) + ("GUILE_LOAD_COMPILED_PATH=" ,@(intersperse ":" load-compiled-path)) + ("GUILE_EXTENSIONS_PATH=" ,@(intersperse ":" foreign-library-path)) + ("GUILE_WARN_DEPRECATED=" ,warn-deprecated) + ("GUILE_JIT_LOG=" ,(number->string jit-log-level)) + ("GUILE_JIT_PAUSE_WHEN_STOPPING=" ,(if jit-pause-when-stopping? "1" "0")) + ("GUILE_JIT_STOP_AFTER=" ,(number->string jit-stop-after)) + ("GUILE_JIT_THRESHOLD=" ,(number->string jit-threshold)))) + (terminated (map (lambda (line) + (append line '("\0"))) + lines)) + (flattened (fold (lambda (right left) + (append left right)) + '() + terminated))) + (apply mixed-text-file "guile-pam-environment" flattened))) + +(define (pam-services->directory shared-object + guile-inputs + foreign-library-path + folder + services) "Return the derivation to build the configuration directory to be used as /etc/pam.d for SERVICES." 
- (let ((names (map pam-service-name services)) - (files (map pam-service->configuration services))) + (let* ((names (map pam-service-name services)) + (environment-file (make-environment-file guile-inputs + foreign-library-path)) + (pamda-file (make-pam-stack folder services)) + (files (map (cut pam-service->configuration <> + shared-object environment-file pamda-file) + services))) (define builder #~(begin (use-modules (ice-9 match) @@ -195,14 +249,17 @@ (define (pam-services->directory services) ;; instead. See <http://bugs.gnu.org/20037>. (delete-duplicates '#$(zip names files))))) - (computed-file "pam.d" builder))) + (computed-file folder builder))) (define %pam-other-services ;; The "other" PAM configuration, which denies everything (see ;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.) (let ((deny (pam-entry (control "required") - (module "pam_deny.so")))) + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (pam-service (name "other") (account (list deny)) @@ -213,12 +270,18 @@ (define %pam-other-services (define unix-pam-service (let ((unix (pam-entry (control "required") - (module "pam_unix.so"))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) (env (pam-entry ; to honor /etc/environment. (control "required") - (module "pam_env.so")))) + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (lambda* (name #:key allow-empty-passwords? allow-root? motd - login-uid? gnupg?) + login-uid? gnupg?) "Return a standard Unix-style PAM service for NAME. When ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is true, allow root to run the command without authentication. When MOTD is 
@@ -234,40 +297,61 @@ (define unix-pam-service (auth (append (if allow-root? (list (pam-entry (control "sufficient") - (module "pam_rootok.so"))) + (module "pam_rootok.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) '()) (list (if allow-empty-passwords? (pam-entry (control "required") (module "pam_unix.so") - (arguments '("nullok"))) + (arguments '("nullok")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) unix)) (if gnupg? (list (pam-entry (control "required") - (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) + (module "pam_gnupg.so") + (foreign-library-path + (list + (file-append pam-gnupg "/lib/security"))))) '()))) (password (list (pam-entry (control "required") (module "pam_unix.so") ;; Store SHA-512 encrypted passwords in /etc/shadow. - (arguments '("sha512" "shadow"))))) + (arguments '("sha512" "shadow")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session `(,@(if motd (list (pam-entry (control "optional") (module "pam_motd.so") (arguments - (list #~(string-append "motd=" #$motd))))) + (list #~(string-append "motd=" #$motd))) + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) '()) ,@(if login-uid? (list (pam-entry ;to fill in /proc/self/loginuid (control "required") - (module "pam_loginuid.so"))) + (module "pam_loginuid.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) '()) ,@(if gnupg? (list (pam-entry (control "required") - (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) + (module "pam_gnupg.so") + (foreign-library-path + (list + (file-append pam-gnupg "/lib/security"))))) '()) ,env ,unix)))))) 
@@ -276,13 +360,19 @@ (define (rootok-pam-service command) authenticate to run COMMAND." (let ((unix (pam-entry (control "required") - (module "pam_unix.so")))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (pam-service (name command) (account (list unix)) (auth (list (pam-entry (control "sufficient") - (module "pam_rootok.so")))) + (module "pam_rootok.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (password (list unix)) (session (list unix))))) 
@@ -374,21 +464,114 @@ (define-record-type* <pam-configuration> (services pam-configuration-services) ;list of procedures <pam-entry> -> <pam-entry> (transformers pam-configuration-transformers) + ;; file-like shared module + (shared-object pam-configuration-shared-object) + ;; list of package variables + (guile-inputs pam-configuration-guile-inputs) + ;; list of file-like folders + (foreign-library-path pam-configuration-foreign-library-path) ;list of symbols (shepherd-requirements pam-configuration-shepherd-requirements)) +(define (make-pam-stack folder services) + (define* (entry->gate entry + #:key + only-actions + only-services) + (match entry + (($ <pam-entry> control module (options ...)) + ;; adapted from (pam legacy configuration) + (cond + ((string=? "include" control) + (error "PAM include not implemented; send list of <pam-entry> instead" + control module options entry)) + ((string=? "substack" control) + ;; this probably differs a little bit from Linux-PAM + #~(gate required (stack-pamda + (configuration-file->gates #$folder #$module + #:only-actions '#$only-actions + #:only-services '#$only-services)) + #:only-actions '#$only-actions + #:only-services '#$only-services)) + (else + #~(gate (legacy-plan->modern-plan #$control) + (legacy-or-modern-pamda #$module) + #:options (list #$@options) + #:only-actions '#$only-actions + #:only-services '#$only-services)))))) + + (define (service->gates service) + (match service + (($ <pam-service> name account auth password session) + (append (map (cut entry->gate <> + #:only-actions '(pam_sm_acct_mgmt) + #:only-services (list name)) + account) + (map (cut entry->gate <> + #:only-actions '(pam_sm_authenticate + pam_sm_setcred) + #:only-services (list name)) + auth) + (map (cut entry->gate <> + #:only-actions '(pam_sm_chauthtok) + #:only-services (list name)) + password) + (map (cut entry->gate <> + #:only-actions '(pam_sm_open_session + pam_sm_close_session) + #:only-services (list name)) + session))))) + + (let* 
((gates (append-map service->gates services))) + (scheme-file + "guile-pam-stack.scm" + #~(begin + (use-modules (pam stack) + (pam legacy configuration) + (pam legacy module) + (pam legacy stack)) + (stack-pamda (list #$@gates)))))) + (define (/etc-entry config) "Return the /etc/pam.d entry corresponding to CONFIG." + (define (service->pam-entries service) + (match service + (($ <pam-service> name account auth password session) + (append account auth password session)))) (match config - (($ <pam-configuration> services transformers shepherd-requirements) - (let ((services (map (apply compose identity transformers) - services))) - `(("pam.d" ,(pam-services->directory services))))))) + (($ <pam-configuration> services + transformers + shared-object + guile-inputs + foreign-library-path + shepherd-requirements) + (let* ((services (map (apply compose identity transformers) + services)) + (all-entries (append-map service->pam-entries + services)) + (combined-inputs (delete-duplicates + (append guile-inputs + (append-map pam-entry-guile-inputs + all-entries)))) + (combined-library-path (delete-duplicates + (append foreign-library-path + (append-map pam-entry-foreign-library-path + all-entries))))) + `(("pam.d" ,(pam-services->directory shared-object + combined-inputs + combined-library-path + "pam.d" + services))))))) (define (pam-shepherd-service config) "Return the PAM synchronization shepherd service corresponding to CONFIG." (match config - (($ <pam-configuration> services transformers shepherd-requirements) + (($ <pam-configuration> services + transformers + shared-object + guile-inputs + foreign-library-path + shepherd-requirements) (list (shepherd-service (documentation "Synchronization point for services that need to be started for PAM to work.") 
@@ -417,6 +600,9 @@ (define (extend-configuration initial extensions) services)) (transformers (append (pam-configuration-transformers initial) (map pam-extension-transformer pam-extensions))) + (shared-object (pam-configuration-shared-object initial)) + (guile-inputs (pam-configuration-guile-inputs initial)) + (foreign-library-path (pam-configuration-foreign-library-path initial)) (shepherd-requirements (append (pam-configuration-shepherd-requirements initial) (append-map pam-extension-shepherd-requirements pam-extensions)))))) @@ -442,8 +628,19 @@ (define pam-root-service-type such as @command{login} or @command{sshd}, and specifies for instance how the program may authenticate users or what it should do when opening a new session."))) - -(define* (pam-root-service base #:key (transformers '()) (shepherd-requirements '())) +(define* (pam-root-service base + #:key + (transformers '()) + (shared-object + (file-append guile-pam "/lib/security/pam_guile.so")) + (guile-inputs + (list guile-3.0 + guile-bytestructures ;for (bytestructures guile) + guile-pam ;for (pam) and (ffi pam) + nyacc)) ;for (system ffi-helper-rt) + (foreign-library-path + (list (file-append linux-pam "/lib"))) ;for libpam.so + (shepherd-requirements '())) "The \"root\" PAM service, which collects <pam-service> instance and turns them into a /etc/pam.d directory, including the <pam-service> listed in BASE. TRANSFORM is a procedure that takes a <pam-service> and returns a @@ -452,6 +649,9 @@ (define* (pam-root-service base #:key (transformers '()) (shepherd-requirements (service pam-root-service-type (pam-configuration (services base) (transformers transformers) + (shared-object shared-object) + (guile-inputs guile-inputs) + (foreign-library-path foreign-library-path) (shepherd-requirements shepherd-requirements)))) -- 2.45.2
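Review bot: the `substack` branch of `entry->gate` is annotated "this probably differs a little bit from Linux-PAM" without saying how; please state, in that comment or in a docstring for `make-pam-stack` (it has none yet), what `(gate required (stack-pamda (configuration-file->gates ...)))` does when the inner stack fails, since in Linux-PAM `substack` is exactly the form whose `die`/`done` actions stay confined to the sub-stack. The `include` branch raises "PAM include not implemented; send list of <pam-entry> instead" at build time; that restriction should also be recorded in the `<pam-entry>` documentation so that users of `(control "include")` learn about it before they hit the error.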
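Review bot: `/etc-entry` and `pam-shepherd-service` both destructure the record positionally with `($ <pam-configuration> services transformers shared-object guile-inputs foreign-library-path shepherd-requirements)`, and `pam-shepherd-service` binds all six fields to use only `shepherd-requirements`; inserting three fields in the middle of the record is precisely what makes positional patterns fragile, so consider `match-record` or the accessors (`pam-configuration-shepherd-requirements` and friends) at both sites. In `/etc-entry` the string "pam.d" is now passed twice, once as the alist key and once as an argument to `pam-services->directory`; bind it once so the two cannot drift apart.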
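Review bot: `extend-configuration` copies `shared-object`, `guile-inputs` and `foreign-library-path` from `initial` only, so a `pam-extension` cannot contribute Guile inputs or library directories at the configuration level, whereas `/etc-entry` in the same patch collects `pam-entry-guile-inputs` and `pam-entry-foreign-library-path` from every entry. If that split is intended (extensions supply them per entry, the root service supplies the globals), say so in a comment next to these three lines; otherwise the lists should be appended the way `transformers` and `shepherd-requirements` already are.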
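Review bot: the docstring of `pam-root-service` still documents only BASE and TRANSFORM (the parameter has been `transformers` for a while) and says nothing about the new keyword arguments `shared-object`, `guile-inputs` and `foreign-library-path`, nor about what loads the default `(file-append guile-pam "/lib/security/pam_guile.so")` or why `(file-append linux-pam "/lib")` is needed "for libpam.so". Since these defaults become what every Guix System uses once the series is applied, the docstring should spell out the contract: which argument Linux-PAM loads as the module, which packages the Guile side needs on its load path, and which directories are searched for module names handed to `legacy-or-modern-pamda`.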
(Fri, 26 Jul 2024 22:40:02 GMT) Message #14 received at 72316 <at> debbugs.gnu.org:
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: 72316 <at> debbugs.gnu.org
Cc: Felix Lechner <felix.lechner <at> lease-up.com>
Subject: [PATCH 3/3] Add a guile-pam-module service.
Date: Fri, 26 Jul 2024 15:39:13 -0700
Change-Id: I1da0fe25f542cf9d8c22d26a7434f952585119e6 --- doc/guix.texi | 89 ++++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/pam.scm | 105 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 195 insertions(+) create mode 100644 gnu/services/pam.scm diff --git a/doc/guix.texi b/doc/guix.texi index 41814042f5..a9bf00f0bb 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -403,6 +403,7 @@ Top * Telephony Services:: Telephony services. * File-Sharing Services:: File-sharing services. * Monitoring Services:: Monitoring services. +* Guile-PAM Services:: Guile-PAM services. * Kerberos Services:: Kerberos services. * LDAP Services:: LDAP services. * Web Services:: Web servers. @@ -18991,6 +18992,7 @@ Services * Telephony Services:: Telephony services. * File-Sharing Services:: File-sharing services. * Monitoring Services:: Monitoring services. +* Guile-PAM Services:: Guile-PAM services. * Kerberos Services:: Kerberos services. * LDAP Services:: LDAP services. * Web Services:: Web servers. 
@@ -30932,6 +30934,93 @@ Monitoring Services @end deftp +@c %end of fragment + +@node Guile-PAM Services +@subsection Guile-PAM Services +@cindex Guile-PAM + +The @code{(gnu services pam)} module provides services related to the +authentication mechanism @dfn{Guile-PAM}. + +Guile-PAM is a reimplementation in GNU Guile of the venerable Linux-PAM +authentication system. For details, please have a look at the Texinfo +manual in the @code{guile-pam} package. + +@defvar guile-pam-module-service-type +A service type for Guile-PAM modules. +@end defvar + +@noindent +Here is an example of its use: +@lisp +(define welcome-pamda-file + (scheme-file + "welcome-pamda-file" + #~(begin + (use-modules (ice-9 format)) + + (lambda (action handle flags options) + (case action + ;; authentication management + ((pam_sm_authenticate) + (format #t "In a working module, we would now identify you.~%")) + ((pam_sm_setcred) + (format #t "In a working module, we would now help you manage additional credentials.~%")) + ;; account management + ((pam_sm_acct_mgmt) + (format #t "In a working module, we would now confirm your access rights.~%")) + ;; password management + ((pam_sm_chauthtok) + (format #t "In a working module, we would now change your password.~%")) + ;; session management + ((pam_sm_open_session) + (format #t "In a working module, we would now open a session for you.~%")) + ((pam_sm_close_session) + (format #t "In a working module, we would now close your session.~%")) + (else + (format #t "In a working module, we would not know what to do about action '~s'.~%" + action))) + 'PAM_SUCCESS)))) + +(service guile-pam-module-service-type + (guile-pam-module-configuration + (rules "optional") + (module welcome-pamda-file) + (services '("login" + "greetd" + "su" + "slim" + "gdm-password" + "sddm")))) +@end lisp + +@c %start of fragment + +@deftp {Data Type} guile-pam-module-configuration +Available @code{guile-pam-module-configuration} fields are: + +@table @asis +@item @code{rules} 
(type: maybe-string) +Determines how the module's return value is evaluated. + +@item @code{module} (type: maybe-file-like) +A Guile-PAM pamda file or a classical PAM module. + +@item @code{services} (type: maybe-list-of-strings) +List of PAM service names for which to install the module. + +@item @code{guile-inputs} (type: maybe-list-of-packages) +Guile inputs available in the PAM module + +@item @code{foreign-library-path} (type: maybe-list-of-packages) +Search path for shared objects and libraries. + +@end table + +@end deftp + + @c %end of fragment @node Kerberos Services diff --git a/gnu/local.mk b/gnu/local.mk index fac7b5973b..30551971ac 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -733,6 +733,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/networking.scm \ %D%/services/nix.scm \ %D%/services/nfs.scm \ + %D%/services/pam.scm \ %D%/services/pam-mount.scm \ %D%/services/science.scm \ %D%/services/security.scm \ diff --git a/gnu/services/pam.scm b/gnu/services/pam.scm new file mode 100644 index 0000000000..a242067e38 --- /dev/null +++ b/gnu/services/pam.scm 
@@ -0,0 +1,105 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Felix Lechner <felix.lechner <at> lease-up.com> +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. + +(define-module (gnu services pam) + #:use-module (gnu packages guile) + #:use-module (gnu packages guile-xyz) + #:use-module (gnu packages linux) + #:use-module (gnu packages mes) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (gnu system pam) + #:use-module (guix gexp) + #:use-module (guix packages) + #:use-module (guix records) + #:use-module (guix utils) + #:use-module (srfi srfi-1) + #:export (guile-pam-module-configuration)) + +(define-maybe string) +(define-maybe list-of-strings) +(define-maybe file-like) + +(define-maybe string-or-file-like) +(define (string-or-file-like? val) + (or (string? val) (file-like? val))) + +(define-maybe list-of-packages) +(define (list-of-packages? val) + (and (list? val) (map package? 
val))) + +(define-configuration/no-serialization guile-pam-module-configuration + (rules + maybe-string + "Determines how the module's return value is evaluated.") + (module + maybe-file-like + "A Guile-PAM pamda file or a classical PAM module.") + (services + maybe-list-of-strings + "List of PAM service names for which to install the module.") + (guile-inputs + maybe-list-of-packages + "Guile inputs available in the PAM module") + (foreign-library-path + maybe-list-of-packages + "Search path for shared objects and libraries.") ) + +(define (guile-pam-module-service config) + "Return a list of <shepherd-service> for guile-pam-module for CONFIG." + (match-record + config <guile-pam-module-configuration> (foreign-library-path + guile-inputs + module + rules + services) + (list + (pam-extension + (transformer + (lambda (pam) + (if (member (pam-service-name pam) services) + (let* ((new-entry + (pam-entry + (control rules) + (module module) + (guile-inputs (if (eq? %unset-value guile-inputs) + '() + guile-inputs)) + (foreign-library-path (if (eq? %unset-value foreign-library-path) + '() + foreign-library-path))))) + (pam-service + (inherit pam) + (auth (append (pam-service-auth pam) + (list new-entry))) + (account (append (pam-service-account pam) + (list new-entry))) + (session (append (pam-service-session pam) + (list new-entry))) + (password (append (pam-service-password pam) + (list new-entry))))) + pam))))))) + +(define-public guile-pam-module-service-type + (service-type + (name 'guile-pam-module) + (extensions (list (service-extension pam-root-service-type + guile-pam-module-service))) + (compose concatenate) + (default-value (guile-pam-module-configuration)) + (description "Load Guile code as part of Linux-PAM."))) -- 2.45.2
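Review bot: the `rules` item in doc/guix.texi says only "Determines how the module's return value is evaluated."; since `guile-pam-module-service` hands that string straight to the `control` field of `pam-entry`, the documentation should name the accepted control words (the example uses "optional") or point at the `pam-entry` documentation. The text should also state that the module is appended to all four management groups (auth, account, session and password) of every service listed in `services`, because a reader cannot tell that from the `services` field description, and the `guile-inputs` item is missing its final period.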
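Review bot: `list-of-packages?` returns `(map package? val)`, and a list, even `(#f #f)`, is true in Scheme, so any list satisfies the predicate; use `(every package? val)` from SRFI-1, which the module already imports. Two type mismatches follow from the field declarations: `module` is `maybe-file-like` although its docstring says "a Guile-PAM pamda file or a classical PAM module", and `string-or-file-like?` with its `maybe-string-or-file-like` type is defined right above but never used, so a plain module name such as a `.so` file name is rejected; and `foreign-library-path` is `maybe-list-of-packages` while a search-path entry is normally a directory inside a package (a `file-append`), which is a file-like and not a package. The `default-value` `(guile-pam-module-configuration)` leaves every field unset, but `guile-pam-module-service` calls `(member (pam-service-name pam) services)` on `%unset-value` and passes `rules` and `module` straight into `pam-entry`, so the service cannot be instantiated with its default; either default `services` to `'()` (the transformer then becomes a no-op) or drop `default-value`. Smaller points: the docstring "Return a list of <shepherd-service> for guile-pam-module for CONFIG." describes a list of `pam-extension` values, and `"Search path for shared objects and libraries.") )` carries a stray closing paren on its own.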
(Mon, 29 Jul 2024 10:23:02 GMT) Message #17 received at 72316 <at> debbugs.gnu.org:
From: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: 72316 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: Re: [bug#72316] [PATCH 3/3] Add a guile-pam-module service.
Date: Mon, 29 Jul 2024 12:22:27 +0200

Hi Felix.

I don’t know linux-pam much but had been wary of its design, but now that I started reading your guile-pam info manual, it is less of a riddle. By the way, guile-pam docs reference guile-wtut, which presumably should be guile-tut without w.

About this doc/guix.texi addition, it is okay in my opinion, but it would be better to give one or two functional examples rather than only calling the (format) procedure. This would showcase to the uninitiated what PAM can do and how it looks in Guile.

> + (foreign-library-path
> + maybe-list-of-packages
> + "Search path for shared objects and libraries.") )
> […]
> + (foreign-library-path (if (eq? %unset-value foreign-library-path)
> + '()
> + foreign-library-path)))))

It is repetitive that foreign-library-path must be set now everywhere for non-guile pam modules. Even though a foreign-library-path is not always needed, would it be better to always set it as default even when unneeded, then patch 2/3 “Switch to Guile-PAM.” could be dropped?

Disclaimer: I do not know PAM. I may well be wrong.

Regards,
Florian
(Tue, 30 Jul 2024 17:02:02 GMT) Message #20 received at 72316 <at> debbugs.gnu.org:
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>
Cc: 72316 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: Re: [bug#72316] [PATCH 3/3] Add a guile-pam-module service.
Date: Tue, 30 Jul 2024 10:00:43 -0700

Hi Florian,

On Mon, Jul 29 2024, pelzflorian (Florian Pelz) wrote:

> guile-pam docs reference guile-wtut, which presumably should be
> guile-tut without w.

Thank you for your review! A baby has been typing extra letters. The typo was fixed. You were credited in the commit message. [1]

> About this doc/guix.texi addition [...] it would be better giving one
> or two functional examples rather than only calling the (format)
> procedure. This would showcase to the uninitiated what PAM can do and
> how it looks in Guile.

I personally think that it would turn off new readers. Guix System configures PAM already. Only people hoping to accomplish something non-standard will look into Guile-PAM. Unfortunately, those readers have little in common. That's why I illustrated the way Guile-PAM works with a simple example.

You are now saying we should instead solve a specialist case, but I believe that's likely to distract the diverse group of readers by drawing too much attention to what the module does, as opposed to how Guile-PAM works. The example was supposed to draw readers to Guile-PAM's Texinfo manual, which I mentioned nearby. Should we strike the example instead?

> It is repetitive that foreign-library-path must be set now everywhere
> for non-guile pam modules.

The foreign-library-path only looks repetitive. It is the absolute path to each module. The modules just happen to be in the same place.

Guix traditionally relied on a special feature in Linux-PAM: one can use absolute paths but, as many long-time Guixers know, that is likely to cause stability issues. Guile-PAM solves that issue for Guix by separating the load path so a running process won't reload a newer version of the same shared object. Since the change has a logic to it, I have trouble relating to your observation that the load paths look repetitive.

Please note that the foreign-library-path isn't actually needed for modules that ship with Linux-PAM. The Linux-PAM load path is added by default near the comment regarding "courtesy for historical usage" in the patch. It is being offered only for user customizations of the operating-system record, however, and may go away. The right thing is to always list the load path for a module. That is what the patch does.

> Even though a foreign-library-path is not always needed, would it be
> better to always set it as default even when unneeded

As I hoped to explain above, the load path is always needed. In my estimation, it is not better to offer a default, even though I did so for the time being in the interest of a smooth transition.

Ultimately, the matter rests with the Guix maintainers. They will (or will not) decide if, when, and how to offer Guile-PAM to their users. Because Guile-PAM is a new and lightly tested package that strives to become an integral part of every Guix system, the decision will likely involve a lot more questions than the ones you and I are discussing in this thread here. At the same time, Guile-PAM is only 541 lines of code (in Scheme, not counting the examples) so maybe someone will get around to taking a look.

> then patch 2/3 “Switch to Guile-PAM.” could be dropped?

No, the patch does other things. It switches all PAM configurations from Linux-PAM to Guile-PAM. The configured system will use Guile-PAM's stack implementation.

Guile-PAM should be attractive to Guix for several reasons. One is that it may simplify Guix's existing PAM machinery, which is complex, because the same things can be accomplished better with quoted S-expressions (or G-expressions, depending on the context). There are also philosophical considerations which I hope will encourage Guix to adopt Guile-PAM. The code is short, written in Scheme, and licensed under the GPL.

> Disclaimer: I do not know PAM. I may well be wrong.

No worries, please, and thanks again for your review. Linux-PAM is arcane and complicated. I wrote Guile-PAM for you!

Kind regards
Felix

[1] https://codeberg.org/lechner/guile-pam/commit/2f0f20a0a44f7672bfd93470c0562d19eb8ec511
(Tue, 29 Apr 2025 15:09:05 GMT) Message #23 received at 72316 <at> debbugs.gnu.org:
From: Z572 <zhengjunjie <at> iscas.ac.cn>
To: Felix Lechner via Guix-patches via <guix-patches <at> gnu.org>
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Ludovic Courtès <ludo <at> gnu.org>, Florian Pelz <pelzflorian <at> pelzflorian.de>, 72316 <at> debbugs.gnu.org, Felix Lechner <felix.lechner <at> lease-up.com>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: Re: [bug#72316] [PATCH 0/3] Switch to Guile-PAM.
Date: Tue, 29 Apr 2025 23:08:14 +0800

Felix Lechner via Guix-patches via <guix-patches <at> gnu.org> writes:

> Guile-PAM reimplements the PAM stack in GNU Guile and allows system
> administrators to write modules in GNU Guile.
>
> This patch series switches Guix System to Guile-PAM. It relies on the shared
> objects from Linux-PAM until Guile implementations are available.
>
> In Guix, Guile-PAM could start Shepherd's user services or keep track of login
> sessions similar to pam_systemd.so.
>
> The guile-pam package ships with a detailed Texinfo manual.
>
> The software is in alpha stage. For example, the interaction with sddm was
> not well-tested. Please let me know how it goes---private email is okay!

I think this is a cool approach, but switching directly to guile-pam might be too radical and probably shouldn't be enabled by default, but I think simply merging the guile-pam package definitions should be fine. What do you think?

> Kind regards
> Felix
>
> Felix Lechner (3):
> Add guile-pam.
> Switch to Guile-PAM.
> Add a guile-pam-module service.
>
> doc/guix.texi | 89 ++++++++++
> gnu/local.mk | 1 +
> gnu/packages/linux.scm | 56 ++++++
> gnu/services/authentication.scm | 9 +-
> gnu/services/base.scm | 16 +-
> gnu/services/desktop.scm | 14 +-
> gnu/services/kerberos.scm | 12 +-
> gnu/services/lightdm.scm | 69 ++++++--
> gnu/services/pam-mount.scm | 5 +-
> gnu/services/pam.scm | 105 +++++++++++
> gnu/services/sddm.scm | 91 +++++++--
> gnu/services/xorg.scm | 17 +-
> gnu/system/pam.scm | 296 ++++++++++++++++++++++++++------
> 13 files changed, 671 insertions(+), 109 deletions(-)
> create mode 100644 gnu/services/pam.scm
>
> base-commit: 862a9b5b25966845f71d218ad8c0c5655ffc479a
(Thu, 01 May 2025 13:43:02 GMT) Message #26 received at 72316 <at> debbugs.gnu.org:
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: 72316 <at> debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Felix Lechner <felix.lechner <at> lease-up.com>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: [PATCH v2 0/3] Switch to Guile-PAM
Date: Thu, 1 May 2025 06:42:34 -0700

Hi Z572,

Yes, you are right. More testing is needed before Guile-PAM can manage other modules.

Will you push the package definition and the service, i.e. the first two commits? With the service, folks can write their own modules. Then they can do all the things they always wanted, like set kernel limits in one line [1] or mount FUSE-based drives upon login. [2] I worked on this thing for ten years and believe it could be a game changer.

Switching to Guile-PAM is not that radical: the third commit merely runs the stack in Guile but still uses the modules from Linux-PAM. At about five hundred lines of code, the Guile stack is much easier to read (or audit) than the stack in Linux-PAM, but I agree we should wait.

Please feel free to push the first two commits. I will show folks how to use them. Thanks!

Kind regards
Felix

[1] https://codeberg.org/lechner/system-config/src/commit/0ca80a773408d5934285288ca8da03b9675e9f75/host/lechner-desktop/operating-system.scm#L75
[2] https://codeberg.org/lechner/away/src/commit/2aba38327c1ada959656c58c2f515072c864d983/pam.scm#L76-L80

Felix Lechner (3):
  Add guile-pam.
  Add a guile-pam-module service.
  Switch to Guile-PAM.

 doc/guix.texi | 89 ++++++++++
 gnu/local.mk | 1 +
 gnu/packages/linux.scm | 71 ++++++++
 gnu/services/authentication.scm | 9 +-
 gnu/services/base.scm | 16 +-
 gnu/services/desktop.scm | 14 +-
 gnu/services/kerberos.scm | 12 +-
 gnu/services/lightdm.scm | 69 ++++++--
 gnu/services/pam-mount.scm | 5 +-
 gnu/services/pam.scm | 105 +++++++++++
 gnu/services/sddm.scm | 91 +++++++---
 gnu/services/xorg.scm | 17 +-
 gnu/system/pam.scm | 296 ++++++++++++++++++++++++++------
 13 files changed, 686 insertions(+), 109 deletions(-)
 create mode 100644 gnu/services/pam.scm

base-commit: 304f8bebbb3bc77b27be7ead82f2d79a10fe1843
--
2.49.0
(Thu, 01 May 2025 13:43:02 GMT) Message #29 received at 72316 <at> debbugs.gnu.org:
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: 72316 <at> debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Felix Lechner <felix.lechner <at> lease-up.com>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: [PATCH v2 1/3] Add guile-pam.
Date: Thu, 1 May 2025 06:42:35 -0700
Change-Id: I991ca32c8696de0e6751b0f4225bf24151ba22f2 --- gnu/packages/linux.scm | 71 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index b4adf0c2b43..35ae4558043 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -113,6 +113,7 @@ (define-module (gnu packages linux) #:use-module (gnu packages bash) #:use-module (gnu packages bison) #:use-module (gnu packages boost) + #:use-module (gnu packages build-tools) #:use-module (gnu packages calendar) #:use-module (gnu packages check) #:use-module (gnu packages cpio) @@ -145,6 +146,7 @@ (define-module (gnu packages linux) #:use-module (gnu packages graphviz) #:use-module (gnu packages gstreamer) #:use-module (gnu packages gtk) + #:use-module (gnu packages guile) #:use-module (gnu packages haskell-apps) #:use-module (gnu packages haskell-xyz) #:use-module (gnu packages image) @@ -158,6 +160,7 @@ (define-module (gnu packages linux) #:use-module (gnu packages m4) #:use-module (gnu packages man) #:use-module (gnu packages maths) + #:use-module (gnu packages mes) #:use-module (gnu packages multiprecision) #:use-module (gnu packages ncurses) #:use-module (gnu packages netpbm) 
@@ -2412,6 +2415,74 @@ (define-public vendor-reset-linux-module ;;; Pluggable authentication modules (PAM). ;;; +(define-public guile-pam + (let ((commit "5ea70a5d88e7ade27ba9f231acab7d363b6400fb") + (revision "0")) + (package + (name "guile-pam") + (version (git-version "0.0" revision commit)) + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://codeberg.org/lechner/guile-pam") + (commit commit))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "1i034f42wnmnsz76pcniif2ikpbamh0cki3ib2zwmbnvif4656av")))) + (native-inputs (list + autoconf + automake + gnulib + guile-3.0 + libtool + linux-pam + nyacc-2.01 + pkg-config + texinfo)) + (inputs (list + guile-3.0 + linux-pam)) + (propagated-inputs (list + nyacc-2.01)) + (build-system gnu-build-system) + (arguments + (list + #:make-flags + #~(list (string-append "ENTRY_POINT_DIR=" #$output "/share/entry-points")) + #:phases + #~(modify-phases %standard-phases + (add-after 'unpack 'install-gnulib + ;; per https://lists.gnu.org/archive/html/guile-devel/2012-08/msg00042.html + (lambda* (#:key inputs #:allow-other-keys) + (let ((gnulib-build-aux (dirname + (search-input-file inputs + "/src/gnulib/build-aux/config.rpath")))) + (mkdir-p "build-aux") + (copy-recursively gnulib-build-aux "build-aux")) + (let ((gnulib-m4 (dirname (search-input-file inputs + "/src/gnulib/m4/lib-link.m4")))) + (mkdir-p "m4") + (copy-recursively gnulib-m4 "m4")))) + (add-after 'patch-source-shebangs 'fix-paths + (lambda* (#:key inputs #:allow-other-keys) + (for-each (lambda (file) + (substitute* file + (("/usr/bin/env -S guile ") + (string-append (search-input-file inputs "/bin/guile") " \\\n")))) + '("test/legacy-control-strings")) + (substitute* "scm/pam.scm" + (("[.]/wrap/c/[.]libs/conversation.so") + (string-append #$output "/lib/guile-pam/wrapper/conversation.so")))))))) + (home-page "https://codeberg.org/lechner/guile-pam") + (synopsis "Write your Linux-PAM authentication logic in Guile Scheme") + 
(description + "Guile-PAM provides a way to rewrite your authentication logic in the +Linux PAM (pluggable authentication modules) in Guile Scheme. It should make +those modules more transparent to the administrator and more intuitive to +use.") + (license license:gpl3+)))) + (define-public linux-pam (package (name "linux-pam") -- 2.49.0
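Review bot: `guile-3.0` and `linux-pam` are listed in both `native-inputs` and `inputs`, and `nyacc-2.01` in both `native-inputs` and `propagated-inputs`; unless the build runs these on the build machine separately from linking against them (which matters only for cross-compilation), the `inputs`/`propagated-inputs` entries alone suffice, and if the duplicates are deliberate a one-line comment should say why. The `fix-paths` phase hard-codes `#$output "/lib/guile-pam/wrapper/conversation.so"` as the installed location of `wrap/c/.libs/conversation.so`; a comment pointing at where the build system installs that file would let a future updater check that the substitution still matches, and the `ENTRY_POINT_DIR` make flag deserves the same short explanation.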
(Thu, 01 May 2025 13:44:02 GMT) Message #32 received at 72316 <at> debbugs.gnu.org:
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: 72316 <at> debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Felix Lechner <felix.lechner <at> lease-up.com>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: [PATCH v2 2/3] Add a guile-pam-module service.
Date: Thu, 1 May 2025 06:42:36 -0700
Change-Id: I1da0fe25f542cf9d8c22d26a7434f952585119e6 --- doc/guix.texi | 89 ++++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/pam.scm | 105 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 195 insertions(+) create mode 100644 gnu/services/pam.scm diff --git a/doc/guix.texi b/doc/guix.texi index 90d90b2e1eb..11480cb0ae5 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -412,6 +412,7 @@ Top * Telephony Services:: Telephony services. * File-Sharing Services:: File-sharing services. * Monitoring Services:: Monitoring services. +* Guile-PAM Services:: Guile-PAM services. * Kerberos Services:: Kerberos services. * LDAP Services:: LDAP services. * Web Services:: Web servers. @@ -19437,6 +19438,7 @@ Services * Telephony Services:: Telephony services. * File-Sharing Services:: File-sharing services. * Monitoring Services:: Monitoring services. +* Guile-PAM Services:: Guile-PAM services. * Kerberos Services:: Kerberos services. * LDAP Services:: LDAP services. * Web Services:: Web servers. 
@@ -33149,6 +33151,93 @@ Monitoring Services @end deftp +@c %end of fragment + +@node Guile-PAM Services +@subsection Guile-PAM Services +@cindex Guile-PAM + +The @code{(gnu services pam)} module provides services related to the +authentication mechanism @dfn{Guile-PAM}. + +Guile-PAM is a reimplementation in GNU Guile of the venerable Linux-PAM +authentication system. For details, please have a look at the Texinfo +manual in the @code{guile-pam} package. + +@defvar guile-pam-module-service-type +A service type for Guile-PAM modules. +@end defvar + +@noindent +Here is an example of its use: +@lisp +(define welcome-pamda-file + (scheme-file + "welcome-pamda-file" + #~(begin + (use-modules (ice-9 format)) + + (lambda (action handle flags options) + (case action + ;; authentication management + ((pam_sm_authenticate) + (format #t "In a working module, we would now identify you.~%")) + ((pam_sm_setcred) + (format #t "In a working module, we would now help you manage additional credentials.~%")) + ;; account management + ((pam_sm_acct_mgmt) + (format #t "In a working module, we would now confirm your access rights.~%")) + ;; password management + ((pam_sm_chauthtok) + (format #t "In a working module, we would now change your password.~%")) + ;; session management + ((pam_sm_open_session) + (format #t "In a working module, we would now open a session for you.~%")) + ((pam_sm_close_session) + (format #t "In a working module, we would now close your session.~%")) + (else + (format #t "In a working module, we would not know what to do about action '~s'.~%" + action))) + 'PAM_SUCCESS)))) + +(service guile-pam-module-service-type + (guile-pam-module-configuration + (rules "optional") + (module welcome-pamda-file) + (services '("login" + "greetd" + "su" + "slim" + "gdm-password" + "sddm")))) +@end lisp + +@c %start of fragment + +@deftp {Data Type} guile-pam-module-configuration +Available @code{guile-pam-module-configuration} fields are: + +@table @asis +@item @code{rules} 
(type: maybe-string) +Determines how the module's return value is evaluated. + +@item @code{module} (type: maybe-file-like) +A Guile-PAM pamda file or a classical PAM module. + +@item @code{services} (type: maybe-list-of-strings) +List of PAM service names for which to install the module. + +@item @code{guile-inputs} (type: maybe-list-of-packages) +Guile inputs available in the PAM module + +@item @code{foreign-library-path} (type: maybe-list-of-packages) +Search path for shared objects and libraries. + +@end table + +@end deftp + + @c %end of fragment @node Kerberos Services diff --git a/gnu/local.mk b/gnu/local.mk index f6f95bbf10b..3d3da58d659 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -764,6 +764,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/networking.scm \ %D%/services/nix.scm \ %D%/services/nfs.scm \ + %D%/services/pam.scm \ %D%/services/pam-mount.scm \ %D%/services/power.scm \ %D%/services/science.scm \ diff --git a/gnu/services/pam.scm b/gnu/services/pam.scm new file mode 100644 index 00000000000..a242067e380 --- /dev/null +++ b/gnu/services/pam.scm 
@@ -0,0 +1,105 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Felix Lechner <felix.lechner <at> lease-up.com> +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. + +(define-module (gnu services pam) + #:use-module (gnu packages guile) + #:use-module (gnu packages guile-xyz) + #:use-module (gnu packages linux) + #:use-module (gnu packages mes) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (gnu system pam) + #:use-module (guix gexp) + #:use-module (guix packages) + #:use-module (guix records) + #:use-module (guix utils) + #:use-module (srfi srfi-1) + #:export (guile-pam-module-configuration)) + +(define-maybe string) +(define-maybe list-of-strings) +(define-maybe file-like) + +(define-maybe string-or-file-like) +(define (string-or-file-like? val) + (or (string? val) (file-like? val))) + +(define-maybe list-of-packages) +(define (list-of-packages? val) + (and (list? val) (map package? 
val))) + +(define-configuration/no-serialization guile-pam-module-configuration + (rules + maybe-string + "Determines how the module's return value is evaluated.") + (module + maybe-file-like + "A Guile-PAM pamda file or a classical PAM module.") + (services + maybe-list-of-strings + "List of PAM service names for which to install the module.") + (guile-inputs + maybe-list-of-packages + "Guile inputs available in the PAM module") + (foreign-library-path + maybe-list-of-packages + "Search path for shared objects and libraries.") ) + +(define (guile-pam-module-service config) + "Return a list of <shepherd-service> for guile-pam-module for CONFIG." + (match-record + config <guile-pam-module-configuration> (foreign-library-path + guile-inputs + module + rules + services) + (list + (pam-extension + (transformer + (lambda (pam) + (if (member (pam-service-name pam) services) + (let* ((new-entry + (pam-entry + (control rules) + (module module) + (guile-inputs (if (eq? %unset-value guile-inputs) + '() + guile-inputs)) + (foreign-library-path (if (eq? %unset-value foreign-library-path) + '() + foreign-library-path))))) + (pam-service + (inherit pam) + (auth (append (pam-service-auth pam) + (list new-entry))) + (account (append (pam-service-account pam) + (list new-entry))) + (session (append (pam-service-session pam) + (list new-entry))) + (password (append (pam-service-password pam) + (list new-entry))))) + pam))))))) + +(define-public guile-pam-module-service-type + (service-type + (name 'guile-pam-module) + (extensions (list (service-extension pam-root-service-type + guile-pam-module-service))) + (compose concatenate) + (default-value (guile-pam-module-configuration)) + (description "Load Guile code as part of Linux-PAM."))) -- 2.49.0
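Review bot: the doc/guix.texi hunk describes `rules` only as "Determines how the module's return value is evaluated."; since the service passes that string unchanged to the `control` field of `pam-entry`, name the accepted control words (the example uses "optional") or refer to the `pam-entry` documentation, and say that the module is added to all four management groups (auth, account, session and password) of every service in `services`. The `guile-inputs` item also lacks its final period.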
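Review bot: in gnu/services/pam.scm `list-of-packages?` returns `(map package? val)`, which is a list and therefore always true, so the check accepts any list; `(every package? val)` from the already imported SRFI-1 is what is meant. The `module` field is typed `maybe-file-like` while its docstring promises "a Guile-PAM pamda file or a classical PAM module" and the `maybe-string-or-file-like` type defined just above is never used; `foreign-library-path` is typed `maybe-list-of-packages` although the value the rest of the series passes for it is a `file-append` of a package's `lib/security` directory, which is a file-like rather than a package. With `(default-value (guile-pam-module-configuration))` all fields are unset, yet the transformer calls `(member (pam-service-name pam) services)` unconditionally and feeds `rules` and `module` into `pam-entry`, so the default value cannot be instantiated; default `services` to `'()` or drop `default-value`. The docstring "Return a list of <shepherd-service> ..." should read `pam-extension`, and `"Search path for shared objects and libraries.") )` has a stray paren.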
[bug#72316, package guix-patches; liliana.prikler <at> gmail.com, maxim.cournoyer <at> gmail.com, noelopez <at> free.fr, vivien <at> planete-kraus.eu, guix-patches <at> gnu.org]
Message #35 received at 72316 <at> debbugs.gnu.org (Thu, 01 May 2025 13:44:02 GMT)
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: 72316 <at> debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Felix Lechner <felix.lechner <at> lease-up.com>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: [PATCH v2 3/3] Switch to Guile-PAM.
Date: Thu, 1 May 2025 06:42:37 -0700
Change-Id: Ib691b41cdb152f508a4a8d1b12b2a20da8706fed --- gnu/services/authentication.scm | 9 +- gnu/services/base.scm | 16 +- gnu/services/desktop.scm | 14 +- gnu/services/kerberos.scm | 12 +- gnu/services/lightdm.scm | 69 ++++++-- gnu/services/pam-mount.scm | 5 +- gnu/services/sddm.scm | 91 +++++++--- gnu/services/xorg.scm | 17 +- gnu/system/pam.scm | 296 ++++++++++++++++++++++++++------ 9 files changed, 420 insertions(+), 109 deletions(-) diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm index fbfef2d3d0a..88ccba6ada4 100644 --- a/gnu/services/authentication.scm +++ b/gnu/services/authentication.scm @@ -503,9 +503,6 @@ (define (nslcd-shepherd-service config) (define (pam-ldap-pam-service config) "Return a PAM service for LDAP authentication." - (define pam-ldap-module - (file-append (nslcd-configuration-nss-pam-ldapd config) - "/lib/security/pam_ldap.so")) (pam-extension (transformer (lambda (pam) @@ -514,7 +511,11 @@ (define (pam-ldap-pam-service config) (let ((sufficient (pam-entry (control "sufficient") - (module pam-ldap-module)))) + (module "pam_ldap.so") + (foreign-library-path + (list + (file-append (nslcd-configuration-nss-pam-ldapd config) + "/lib/security")))))) (pam-service (inherit pam) (auth (cons sufficient (pam-service-auth pam))) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 650121be8f1..6fb84ce01e1 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -61,8 +61,8 @@ (define-module (gnu services base) #:use-module (gnu packages admin) #:use-module ((gnu packages linux) #:select (alsa-utils btrfs-progs crda eudev - e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools - util-linux xfsprogs)) + e2fsprogs f2fs-tools fuse gpm kbd linux-pam + lvm2 rng-tools util-linux xfsprogs)) #:use-module (gnu packages bash) #:use-module ((gnu packages base) #:select (coreutils glibc glibc/hurd 
@@ -1731,7 +1731,10 @@ (define pam-limits-service-type (control "required") (module "pam_limits.so") (arguments - (list #~(string-append "conf=" #$limits-file)))))) + (list #~(string-append "conf=" #$limits-file))) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (if (member (pam-service-name pam) '("login" "greetd" "su" "slim" "gdm-password" "sddm" "lightdm" "sudo" "sshd")) @@ -4032,8 +4035,11 @@ (define (greetd-pam-service config) (define optional-pam-mount (pam-entry (control "optional") - (module (file-append greetd-pam-mount "/lib/security/pam_mount.so")) - (arguments '("disable_interactive")))) + (module "pam_mount.so") + (arguments '("disable_interactive")) + (foreign-library-path + (list + (file-append greetd-pam-mount "/lib/security"))))) (list (unix-pam-service "greetd" diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index a586746cc59..ca1078f9df6 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -1494,8 +1494,10 @@ (define (pam-extension-procedure config) (define pam-elogind (pam-entry (control "required") - (module (file-append (elogind-configuration-elogind config) - "/lib/security/pam_elogind.so")))) + (module "pam_elogind.so") + (foreign-library-path + (list + (file-append (elogind-configuration-elogind config) "/lib/security"))))) (list (pam-extension (transformer @@ -1712,9 +1714,11 @@ (define (pam-gnome-keyring config) (define (%pam-keyring-entry . arguments) (pam-entry (control "optional") - (module (file-append (gnome-keyring-package config) - "/lib/security/pam_gnome_keyring.so")) - (arguments arguments))) + (module ("pam_gnome_keyring.so")) + (arguments arguments) + (foreign-library-path + (list + (file-append (gnome-keyring-package config) "/lib/security"))))) (list (pam-extension diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm index a6f540a9b6a..d2d8988a837 100644 --- a/gnu/services/kerberos.scm +++ b/gnu/services/kerberos.scm 
@@ -431,18 +431,18 @@ (define (pam-krb5-pam-service config) (pam-extension (transformer (lambda (pam) - (define pam-krb5-module - (file-append (pam-krb5-configuration-pam-krb5 config) - "/lib/security/pam_krb5.so")) - (let ((pam-krb5-sufficient (pam-entry (control "sufficient") - (module pam-krb5-module) + (module "pam_krb5.so") (arguments (list (format #f "minimum_uid=~a" - (pam-krb5-configuration-minimum-uid config))))))) + (pam-krb5-configuration-minimum-uid config)))) + (foreign-library-path + (list + (file-append (pam-krb5-configuration-pam-krb5 config) + "/lib/security")))))) (pam-service (inherit pam) (auth (cons* pam-krb5-sufficient diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm index b69cc21322a..6cca06b827a 100644 --- a/gnu/services/lightdm.scm +++ b/gnu/services/lightdm.scm @@ -24,6 +24,7 @@ (define-module (gnu services lightdm) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnome) + #:use-module ((gnu packages linux) #:select (linux-pam)) #:use-module (gnu packages vnc) #:use-module (gnu packages xorg) #:use-module (gnu services configuration) 
@@ -546,15 +547,35 @@ (define (lightdm-greeter-pam-service) (name "lightdm-greeter") (auth (list ;; Load environment from /etc/environment and ~/.pam_environment. - (pam-entry (control "required") (module "pam_env.so")) + (pam-entry (control "required") + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; Always let the greeter start without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (pam-entry (control "required") + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; No action required for account management - (account (list (pam-entry (control "required") (module "pam_permit.so")))) + (account (list (pam-entry (control "required") + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list (pam-entry (control "required") + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list (pam-entry (control "required") + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (lightdm-autologin-pam-service) "Return a PAM service for @command{lightdm-autologin}}." 
@@ -563,17 +584,41 @@ (define (lightdm-autologin-pam-service) (auth (list ;; Block login if user is globally disabled. - (pam-entry (control "required") (module "pam_nologin.so")) - (pam-entry (control "required") (module "pam_succeed_if.so") - (arguments (list "uid >= 1000"))) + (pam-entry (control "required") + (module "pam_nologin.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) + (pam-entry (control "required") + (module "pam_succeed_if.so") + (arguments (list "uid >= 1000")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; Allow access without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (pam-entry (control "required") + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Stop autologin if account requires action. - (account (list (pam-entry (control "required") (module "pam_unix.so")))) + (account (list (pam-entry (control "required") + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list (pam-entry (control "required") + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list (pam-entry (control "required") + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (lightdm-pam-services config) (list (lightdm-pam-service config) diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm index b3a02e82e92..1eb5b44e315 100644 --- a/gnu/services/pam-mount.scm +++ b/gnu/services/pam-mount.scm 
@@ -94,7 +94,10 @@ (define (pam-mount-pam-service config) (define optional-pam-mount (pam-entry (control "optional") - (module (file-append pam-mount "/lib/security/pam_mount.so")))) + (module "pam_mount.so") + (foreign-library-path + (list + (file-append pam-mount "/lib/security"))))) (list (pam-extension (transformer diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm index 92d64cc5993..cb2c5a9276d 100644 --- a/gnu/services/sddm.scm +++ b/gnu/services/sddm.scm @@ -24,6 +24,7 @@ (define-module (gnu services sddm) #:use-module (gnu packages admin) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) + #:use-module ((gnu packages linux) #:select (linux-pam)) #:use-module (gnu packages xorg) #:use-module (gnu services) #:use-module (gnu services shepherd) 
@@ -206,40 +207,61 @@ (define (sddm-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module "pam_nologin.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") - (module "pam_env.so")) + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") (module "pam_succeed_if.so") (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) - "quiet"))) + "quiet")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; should be factored out into system-auth (pam-entry (control "required") - (module "pam_unix.so")))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (account (list ;; should be factored out into system-account (pam-entry (control "required") - (module "pam_unix.so")))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (password (list ;; should be factored out into system-password (pam-entry (control "required") (module "pam_unix.so") - (arguments (list "sha512" "shadow" "try_first_pass"))))) + (arguments (list "sha512" "shadow" "try_first_pass")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session (list ;; lfs has a required pam_limits.so ;; should be factored out into system-session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (sddm-greeter-pam-service) "Return a PAM service for @command{sddm-greeter}." 
@@ -250,29 +272,44 @@ (define (sddm-greeter-pam-service) ;; Load environment from /etc/environment and ~/.pam_environment (pam-entry (control "required") - (module "pam_env.so")) + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; Always let the greeter start without authentication (pam-entry (control "required") - (module "pam_permit.so")))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (account (list ;; No action required for account management (pam-entry (control "required") - (module "pam_permit.so")))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (password (list ;; Can't change password (pam-entry (control "required") - (module "pam_deny.so")))) + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session (list ;; Setup session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (sddm-autologin-pam-service config) "Return a PAM service for @command{sddm-autologin}" 
@@ -282,31 +319,37 @@ (define (sddm-autologin-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module "pam_nologin.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") (module "pam_succeed_if.so") (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) - "quiet"))) + "quiet")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") - (module "pam_permit.so")))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (account - (list - (pam-entry - (control "include") - (module "sddm")))) + (pam-service-account (sddm-pam-service config))) (password (list (pam-entry (control "required") - (module "pam_deny.so")))) + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session - (list - (pam-entry - (control "include") - (module "sddm")))))) + (pam-service-session (sddm-pam-service config))))) (define (sddm-pam-services config) (list (sddm-pam-service config) diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index bef05b9bb9b..21f9924d166 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm 
@@ -1236,16 +1236,25 @@ (define (gdm-pam-service config) #:login-uid? #t)) (auth (list (pam-entry (control "optional") - (module (file-append (gdm-configuration-gdm config) - "/lib/security/pam_gdm.so"))) + (module "pam_gdm.so") + (foreign-library-path + (list + (file-append (gdm-configuration-gdm config) + "/lib/security/")))) (pam-entry (control "sufficient") - (module "pam_permit.so"))))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))))) (pam-service (inherit (unix-pam-service "gdm-launch-environment")) (auth (list (pam-entry (control "required") - (module "pam_permit.so"))))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))))) (unix-pam-service "gdm-password" #:login-uid? #t #:allow-empty-passwords? diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index 07b84b04efe..08dc4693297 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -32,7 +32,9 @@ (define-module (gnu system pam) #:use-module (srfi srfi-11) #:use-module (srfi srfi-26) #:use-module ((guix utils) #:select (%current-system)) + #:use-module (gnu packages guile) #:use-module (gnu packages linux) + #:use-module (gnu packages mes) #:export (pam-service pam-service? pam-service-name @@ -46,6 +48,8 @@ (define-module (gnu system pam) pam-entry-control pam-entry-module pam-entry-arguments + pam-entry-guile-inputs + pam-entry-foreign-library-path pam-limits-entry pam-limits-entry? 
@@ -95,10 +99,16 @@ (define-record-type* <pam-service> pam-service (define-record-type* <pam-entry> pam-entry make-pam-entry pam-entry? - (control pam-entry-control) ; string + (control pam-entry-control) ; string, symbol or g-expression (module pam-entry-module) ; file name (arguments pam-entry-arguments ; list of string-valued g-expressions - (default '()))) + (default '())) + (guile-inputs pam-entry-guile-inputs ; list of package variables + (default '())) + (foreign-library-path pam-entry-foreign-library-path ; list of file-like folders + ;; courtesy for historical usage + (default (list + (file-append linux-pam "/lib/security"))))) ;; PAM limits entries are used by the pam_limits PAM module to set or override ;; limits on system resources for user sessions. The format is specified 
@@ -153,35 +163,80 @@ (define (pam-limits-entry->string entry) (number->string value)))) " ")))) -(define (pam-service->configuration service) +(define (pam-service->configuration service shared-object environment-file pamda-file) "Return the derivation building the configuration file for SERVICE, to be dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE." - (define (entry->gexp type entry) - (match entry - (($ <pam-entry> control module (arguments ...)) - #~(format #t "~a ~a ~a ~a~%" - #$type #$control #$module - (string-join (list #$@arguments)))))) - - (match service - (($ <pam-service> name account auth password session) - (define builder - #~(begin - (with-output-to-file #$output - (lambda () - #$@(append (map (cut entry->gexp "account" <>) account) - (map (cut entry->gexp "auth" <>) auth) - (map (cut entry->gexp "password" <>) password) - (map (cut entry->gexp "session" <>) session)) - #t)))) - - (computed-file name builder)))) - -(define (pam-services->directory services) + (mixed-text-file (pam-service-name service) + "account required " shared-object " " environment-file " " pamda-file "\n" + "auth required " shared-object " " environment-file " " pamda-file "\n" + "password required " shared-object " " environment-file " " pamda-file "\n" + "session required " shared-object " " environment-file " " pamda-file "\n")) + +(define (intersperse a xs) + (if (null? xs) + '() + [cons (car xs) + (if (null? (cdr xs)) + (cdr xs) + (cons a (intersperse a (cdr xs))))])) + +;; should include locale, but keeping effects of pam_env.so +(define* (make-environment-file #:key + (guile-auto-compile? #f) + (guile-extensions-path '()) + (guile-install-locale? #f) + (guile-jit-log-level 0) + (guile-jit-pause-when-stopping? 
#f) + (guile-jit-stop-after -1) + (guile-jit-threshold 1000) + (guile-load-compiled-path '()) + (guile-load-path '()) + (guile-warn-deprecated "yes") + (ld-library-path '()) + (ltdl-library-path '())) + (let* ((lines `(("GUILE_AUTO_COMPILE=" ,(if guile-auto-compile? "1" "0")) + ("GUILE_EXTENSIONS_PATH=" ,@(intersperse ":" guile-extensions-path)) + ("GUILE_INSTALL_LOCALE=" ,(if guile-install-locale? "1" "0")) + ("GUILE_JIT_LOG=" ,(number->string guile-jit-log-level)) + ("GUILE_JIT_PAUSE_WHEN_STOPPING=" ,(if guile-jit-pause-when-stopping? "1" "0")) + ("GUILE_JIT_STOP_AFTER=" ,(number->string guile-jit-stop-after)) + ("GUILE_JIT_THRESHOLD=" ,(number->string guile-jit-threshold)) + ("GUILE_LOAD_COMPILED_PATH=" ,@(intersperse ":" guile-load-compiled-path)) + ("GUILE_LOAD_PATH=" ,@(intersperse ":" guile-load-path)) + ("GUILE_WARN_DEPRECATED=" ,guile-warn-deprecated) + ("LD_LIBRARY_PATH=" ,@(intersperse ":" ld-library-path)) + ("LTDL_LIBRARY_PATH=" ,@(intersperse ":" ltdl-library-path)))) + (terminated (map (lambda (line) + (append line '("\0"))) + lines)) + (flattened (fold (lambda (right left) + (append left right)) + '() + terminated))) + (apply mixed-text-file "guile-pam-environment" flattened))) + +(define (pam-services->directory shared-object + guile-inputs + foreign-library-path + folder + services) "Return the derivation to build the configuration directory to be used as /etc/pam.d for SERVICES." 
- (let ((names (map pam-service-name services)) - (files (map pam-service->configuration services))) + (let* ((names (map pam-service-name services)) + (load-path (map (lambda (package) + (file-append package "/share/guile/site/3.0")) + guile-inputs)) + (load-compiled-path (map (lambda (package) + (file-append package "/lib/guile/3.0/site-ccache")) + guile-inputs)) + (environment-file (make-environment-file #:guile-extensions-path foreign-library-path + #:ld-library-path foreign-library-path + #:guile-load-path load-path + #:guile-load-compiled-path load-compiled-path)) + (pamda-file (make-pam-stack folder services)) + (files (map (cut pam-service->configuration <> + shared-object environment-file pamda-file) + services))) (define builder #~(begin (use-modules (ice-9 match) @@ -198,14 +253,17 @@ (define (pam-services->directory services) ;; instead. See <http://bugs.gnu.org/20037>. (delete-duplicates '#$(zip names files))))) - (computed-file "pam.d" builder))) + (computed-file folder builder))) (define %pam-other-services ;; The "other" PAM configuration, which denies everything (see ;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.) (let ((deny (pam-entry (control "required") - (module "pam_deny.so")))) + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (pam-service (name "other") (account (list deny)) 
@@ -216,12 +274,18 @@ (define %pam-other-services (define unix-pam-service (let ((unix (pam-entry (control "required") - (module "pam_unix.so"))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) (env (pam-entry ; to honor /etc/environment. (control "required") - (module "pam_env.so")))) + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (lambda* (name #:key allow-empty-passwords? allow-root? motd - login-uid? gnupg?) + login-uid? gnupg?) "Return a standard Unix-style PAM service for NAME. When ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is true, allow root to run the command without authentication. When MOTD is 
@@ -237,40 +301,61 @@ (define unix-pam-service (auth (append (if allow-root? (list (pam-entry (control "sufficient") - (module "pam_rootok.so"))) + (module "pam_rootok.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) '()) (list (if allow-empty-passwords? (pam-entry (control "required") (module "pam_unix.so") - (arguments '("nullok"))) + (arguments '("nullok")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) unix)) (if gnupg? (list (pam-entry (control "required") - (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) + (module "pam_gnupg.so") + (foreign-library-path + (list + (file-append pam-gnupg "/lib/security"))))) '()))) (password (list (pam-entry (control "required") (module "pam_unix.so") ;; Store SHA-512 encrypted passwords in /etc/shadow. - (arguments '("sha512" "shadow"))))) + (arguments '("sha512" "shadow")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session `(,@(if motd (list (pam-entry (control "optional") (module "pam_motd.so") (arguments - (list #~(string-append "motd=" #$motd))))) + (list #~(string-append "motd=" #$motd))) + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) '()) ,@(if login-uid? (list (pam-entry ;to fill in /proc/self/loginuid (control "required") - (module "pam_loginuid.so"))) + (module "pam_loginuid.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) '()) ,@(if gnupg? (list (pam-entry (control "required") - (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) + (module "pam_gnupg.so") + (foreign-library-path + (list + (file-append pam-gnupg "/lib/security"))))) '()) ,env ,unix)))))) 
@@ -279,13 +364,19 @@ (define (rootok-pam-service command) authenticate to run COMMAND." (let ((unix (pam-entry (control "required") - (module "pam_unix.so")))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (pam-service (name command) (account (list unix)) (auth (list (pam-entry (control "sufficient") - (module "pam_rootok.so")))) + (module "pam_rootok.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (password (list unix)) (session (list unix))))) 
@@ -377,21 +468,114 @@ (define-record-type* <pam-configuration> (services pam-configuration-services) ;list of procedures <pam-entry> -> <pam-entry> (transformers pam-configuration-transformers) + ;; file-like shared module + (shared-object pam-configuration-shared-object) + ;; list of package variables + (guile-inputs pam-configuration-guile-inputs) + ;; list of file-like folders + (foreign-library-path pam-configuration-foreign-library-path) ;list of symbols (shepherd-requirements pam-configuration-shepherd-requirements)) +(define (make-pam-stack folder services) + (define* (entry->gate entry + #:key + only-actions + only-services) + (match entry + (($ <pam-entry> control module (options ...)) + ;; adapted from (pam legacy configuration) + (cond + ((string=? "include" control) + (error "PAM include not implemented; send list of <pam-entry> instead" + control module options entry)) + ((string=? "substack" control) + ;; this probably differs a little bit from Linux-PAM + #~(gate required (stack-pamda + (configuration-file->gates #$folder #$module + #:only-actions '#$only-actions + #:only-services '#$only-services)) + #:only-actions '#$only-actions + #:only-services '#$only-services)) + (else + #~(gate (control-string->plan #$control) + (shared-object-or-pamda #$module) + #:options (list #$@options) + #:only-actions '#$only-actions + #:only-services '#$only-services)))))) + + (define (service->gates service) + (match service + (($ <pam-service> name account auth password session) + (append (map (cut entry->gate <> + #:only-actions '(pam_sm_acct_mgmt) + #:only-services (list name)) + account) + (map (cut entry->gate <> + #:only-actions '(pam_sm_authenticate + pam_sm_setcred) + #:only-services (list name)) + auth) + (map (cut entry->gate <> + #:only-actions '(pam_sm_chauthtok) + #:only-services (list name)) + password) + (map (cut entry->gate <> + #:only-actions '(pam_sm_open_session + pam_sm_close_session) + #:only-services (list name)) + session))))) + + (let* 
((gates (append-map service->gates services))) + (scheme-file + "guile-pam-stack.scm" + #~(begin + (use-modules (pam stack) + (pam legacy configuration) + (pam legacy module) + (pam legacy stack)) + (stack-pamda (list #$@gates)))))) + (define (/etc-entry config) "Return the /etc/pam.d entry corresponding to CONFIG." + (define (service->pam-entries service) + (match service + (($ <pam-service> name account auth password session) + (append account auth password session)))) (match config - (($ <pam-configuration> services transformers shepherd-requirements) - (let ((services (map (apply compose identity transformers) - services))) - `(("pam.d" ,(pam-services->directory services))))))) + (($ <pam-configuration> services + transformers + shared-object + guile-inputs + foreign-library-path + shepherd-requirements) + (let* ((services (map (apply compose identity transformers) + services)) + (all-entries (append-map service->pam-entries + services)) + (combined-inputs (delete-duplicates + (append guile-inputs + (append-map pam-entry-guile-inputs + all-entries)))) + (combined-library-path (delete-duplicates + (append foreign-library-path + (append-map pam-entry-foreign-library-path + all-entries))))) + `(("pam.d" ,(pam-services->directory shared-object + combined-inputs + combined-library-path + "pam.d" + services))))))) (define (pam-shepherd-service config) "Return the PAM synchronization shepherd service corresponding to CONFIG." (match config - (($ <pam-configuration> services transformers shepherd-requirements) + (($ <pam-configuration> services + transformers + shared-object + guile-inputs + foreign-library-path + shepherd-requirements) (list (shepherd-service (documentation "Synchronization point for services that need to be started for PAM to work.") 
@@ -420,6 +604,9 @@ (define (extend-configuration initial extensions) services)) (transformers (append (pam-configuration-transformers initial) (map pam-extension-transformer pam-extensions))) + (shared-object (pam-configuration-shared-object initial)) + (guile-inputs (pam-configuration-guile-inputs initial)) + (foreign-library-path (pam-configuration-foreign-library-path initial)) (shepherd-requirements (append (pam-configuration-shepherd-requirements initial) (append-map pam-extension-shepherd-requirements pam-extensions)))))) @@ -445,8 +632,18 @@ (define pam-root-service-type such as @command{login} or @command{sshd}, and specifies for instance how the program may authenticate users or what it should do when opening a new session."))) - -(define* (pam-root-service base #:key (transformers '()) (shepherd-requirements '())) +(define* (pam-root-service base + #:key + (transformers '()) + (shared-object + (file-append guile-pam "/lib/security/pam_guile.so")) + (guile-inputs + (list guile-3.0 + guile-pam ;for (pam) and (ffi pam) + nyacc-2.01)) ;for (nyacc foreign cdata) + (foreign-library-path + (list (file-append linux-pam "/lib"))) ;for libpam.so + (shepherd-requirements '())) "The \"root\" PAM service, which collects <pam-service> instance and turns them into a /etc/pam.d directory, including the <pam-service> listed in BASE. TRANSFORM is a procedure that takes a <pam-service> and returns a @@ -455,6 +652,9 @@ (define* (pam-root-service base #:key (transformers '()) (shepherd-requirements (service pam-root-service-type (pam-configuration (services base) (transformers transformers) + (shared-object shared-object) + (guile-inputs guile-inputs) + (foreign-library-path foreign-library-path) (shepherd-requirements shepherd-requirements)))) -- 2.49.0
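Review bot: in the desktop.scm `pam-gnome-keyring` hunk, `(module ("pam_gnome_keyring.so"))` wraps the string in an extra pair of parentheses, so Guile evaluates it as a call to the string `"pam_gnome_keyring.so"` and raises a wrong-type-to-apply error as soon as `%pam-keyring-entry` runs; it should read `(module "pam_gnome_keyring.so")` like the other entries in the series.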
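Review bot: the xorg.scm `gdm-pam-service` hunk references `linux-pam` but, unlike the lightdm.scm and sddm.scm hunks, adds no `#:use-module ((gnu packages linux) #:select (linux-pam))`; check that xorg.scm already imports it, otherwise the module fails to compile with an unbound variable. The same hunk writes `"/lib/security/"` with a trailing slash for pam_gdm.so while every other entry in the series uses `"/lib/security"`.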
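Review bot: the `<pam-entry>` hunk in gnu/system/pam.scm gives `foreign-library-path` a default of `(list (file-append linux-pam "/lib/security"))`, which is exactly the value the lightdm.scm, sddm.scm, base.scm, xorg.scm and pam.scm hunks then set explicitly on every stock Linux-PAM entry (pam_unix.so, pam_env.so, pam_permit.so, pam_deny.so, pam_nologin.so, pam_succeed_if.so, pam_rootok.so, pam_motd.so, pam_loginuid.so, pam_limits.so). Those explicit settings are no-ops that account for most of the diff; either keep the default and drop them, or remove the default (the comment itself calls it a "courtesy for historical usage") and keep the explicit paths, but not both.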
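Review bot: in the `make-pam-stack` hunk, `entry->gate` tests `(string=? "include" control)` and `(string=? "substack" control)`, which raise a wrong-type error for any `control` that is a symbol or g-expression, even though the `<pam-entry>` hunk now documents the field as "string, symbol or g-expression"; either restrict the field to strings again or check `string?` before comparing. Turning `include` into an `error` also means that any third-party service still carrying `(control "include")` now fails at system build time, which is why `sddm-autologin-pam-service` was rewritten to splice in `(pam-service-account (sddm-pam-service config))` and `(pam-service-session (sddm-pam-service config))`; the commit message should state that behaviour change. In `pam-shepherd-service` the four newly destructured fields (`transformers`, `shared-object`, `guile-inputs`, `foreign-library-path`) are unused and can be `_`.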
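Review bot: the `pam-service->configuration` / `make-environment-file` hunk writes `foreign-library-path` into both `GUILE_EXTENSIONS_PATH=` and `LD_LIBRARY_PATH=` of the environment file that every /etc/pam.d service, `login`, `sshd` and `sudo` included, passes to pam_guile.so, and `/etc-entry` merges the paths of all entries into one `combined-library-path`, so each service's search path contains every other service's module directory (elogind's, gdm's, pam-mount's, ...). A comment should state how pam_guile.so applies that file and that `LD_LIBRARY_PATH` stays confined to loading the PAM modules rather than reaching the environment of the session the calling program spawns. Smaller points: `intersperse` uses square brackets, which the rest of Guix does not; the `fold` that builds `flattened` is `(concatenate terminated)` from SRFI-1; and the `pam-service->configuration` docstring still describes a per-service configuration file although every file now consists of the same four `required` lines and the per-service logic lives in the shared pamda file behind `#:only-services`.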
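Review bot: the `pam-root-service` hunk adds the `shared-object`, `guile-inputs` and `foreign-library-path` keyword arguments but leaves the docstring describing only BASE and TRANSFORM, so the new defaults (pam_guile.so from `guile-pam`; `guile-3.0`, `guile-pam` and `nyacc-2.01`; `linux-pam`'s `/lib` for libpam.so) and the meaning of each keyword are undocumented; please describe them in the docstring. The same hunk also drops the blank line that separated `pam-root-service-type` from `pam-root-service`.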
[bug#72316, package guix-patches; guix-patches <at> gnu.org]
Message #38 received at 72316 <at> debbugs.gnu.org (Thu, 01 May 2025 14:05:02 GMT)
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: 72316 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: Re: [PATCH v2 1/3] Add guile-pam.
Date: Thu, 01 May 2025 23:04:01 +0900
Hi Felix, Felix Lechner <felix.lechner <at> lease-up.com> writes: [...] > +(define-public guile-pam > + (let ((commit "5ea70a5d88e7ade27ba9f231acab7d363b6400fb") > + (revision "0")) > + (package > + (name "guile-pam") > + (version (git-version "0.0" revision commit)) > + (source (origin > + (method git-fetch) > + (uri (git-reference > + (url "https://codeberg.org/lechner/guile-pam") > + (commit commit))) > + (file-name (git-file-name name version)) > + (sha256 > + (base32 > + "1i034f42wnmnsz76pcniif2ikpbamh0cki3ib2zwmbnvif4656av")))) > + (native-inputs (list > + autoconf > + automake > + gnulib > + guile-3.0 > + libtool > + linux-pam > + nyacc-2.01 > + pkg-config > + texinfo)) > + (inputs (list > + guile-3.0 > + linux-pam)) > + (propagated-inputs (list > + nyacc-2.01)) > + (build-system gnu-build-system) > + (arguments > + (list > + #:make-flags > + #~(list (string-append "ENTRY_POINT_DIR=" #$output "/share/entry-points")) > + #:phases > + #~(modify-phases %standard-phases > + (add-after 'unpack 'install-gnulib > + ;; per https://lists.gnu.org/archive/html/guile-devel/2012-08/msg00042.html > + (lambda* (#:key inputs #:allow-other-keys) > + (let ((gnulib-build-aux (dirname > + (search-input-file inputs > + "/src/gnulib/build-aux/config.rpath")))) It seems more conventional to avoid the leading '/' on the file name using `search-input-file'. 
> + (mkdir-p "build-aux") > + (copy-recursively gnulib-build-aux "build-aux")) > + (let ((gnulib-m4 (dirname (search-input-file inputs > + "/src/gnulib/m4/lib-link.m4")))) > + (mkdir-p "m4") > + (copy-recursively gnulib-m4 "m4")))) > + (add-after 'patch-source-shebangs 'fix-paths > + (lambda* (#:key inputs #:allow-other-keys) > + (for-each (lambda (file) > + (substitute* file > + (("/usr/bin/env -S guile ") > + (string-append (search-input-file inputs "/bin/guile") " \\\n")))) > + '("test/legacy-control-strings")) Perhaps not prominently mentioned enough, but our coding conventions (info "(guix) Formatting Code") suggests to keep the maximum line width <= 80 characters (it's in the linked style.txt document, and also in .editorconfig, and our .dir-locals.el sets the fill-column to 78, as some extra hints) > + (substitute* "scm/pam.scm" > + (("[.]/wrap/c/[.]libs/conversation.so") > + (string-append #$output "/lib/guile-pam/wrapper/conversation.so")))))))) > + (home-page "https://codeberg.org/lechner/guile-pam") > + (synopsis "Write your Linux-PAM authentication logic in Guile Scheme") > + (description > + "Guile-PAM provides a way to rewrite your authentication logic in the > +Linux PAM (pluggable authentication modules) in Guile Scheme. It should make > +those modules more transparent to the administrator and more intuitive to > +use.") Sentences should be separated by two spaces in every doc/text of the source, as another convention. Other than these nitpicks, LGTM! Could you please send a v3 with my small suggestions? -- Thanks, Maxim
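Review bot: in the quoted `guile-pam` definition the `build-system` field comes after the three input fields; the conventional order in gnu/packages is `name`, `version`, `source`, `build-system`, `arguments`, then the inputs, which keeps the package readable next to its neighbours in linux.scm. `guile-3.0`, `linux-pam` and `nyacc-2.01` each appear in two input fields (`native-inputs` plus `inputs` or `propagated-inputs`); a short comment saying why each duplicate is needed (cross-compilation, running the tests) would help the next reader.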
Message #41 received at 72316 <at> debbugs.gnu.org (Thu, 01 May 2025 14:31:01 GMT):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: 72316 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: Re: [PATCH v2 1/3] Add guile-pam.
Date: Thu, 01 May 2025 23:30:04 +0900
Hi,

Felix Lechner <felix.lechner <at> lease-up.com> writes:

> Change-Id: I991ca32c8696de0e6751b0f4225bf24151ba22f2

I forgot, you need a GNU ChangeLog message for your commit message (that holds for any commit to be merged into Guix).  You can use Magit 'C' on the git diffs while editing a commit message to automate some of it.

--
Thanks,
Maxim
Message #44 received at 72316 <at> debbugs.gnu.org (Thu, 01 May 2025 14:34:02 GMT):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: 72316 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: Re: [PATCH v2 2/3] Add a guile-pam-module service.
Date: Thu, 01 May 2025 23:33:30 +0900
Hi! Felix Lechner <felix.lechner <at> lease-up.com> writes: > Change-Id: I1da0fe25f542cf9d8c22d26a7434f952585119e6 Missing GNU ChangeLog message. A system test to ensure it keeps working in the future would be great. We already have a (gnu tests pam) module. > --- > doc/guix.texi | 89 ++++++++++++++++++++++++++++++++++++ > gnu/local.mk | 1 + > gnu/services/pam.scm | 105 +++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 195 insertions(+) > create mode 100644 gnu/services/pam.scm > > diff --git a/doc/guix.texi b/doc/guix.texi > index 90d90b2e1eb..11480cb0ae5 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi > @@ -412,6 +412,7 @@ Top > * Telephony Services:: Telephony services. > * File-Sharing Services:: File-sharing services. > * Monitoring Services:: Monitoring services. > +* Guile-PAM Services:: Guile-PAM services. > * Kerberos Services:: Kerberos services. > * LDAP Services:: LDAP services. > * Web Services:: Web servers. > @@ -19437,6 +19438,7 @@ Services > * Telephony Services:: Telephony services. > * File-Sharing Services:: File-sharing services. > * Monitoring Services:: Monitoring services. > +* Guile-PAM Services:: Guile-PAM services. > * Kerberos Services:: Kerberos services. > * LDAP Services:: LDAP services. > * Web Services:: Web servers. 
> @@ -33149,6 +33151,93 @@ Monitoring Services > @end deftp > > > +@c %end of fragment Why do we get the %end before any %start? :-) > + > +@node Guile-PAM Services > +@subsection Guile-PAM Services > +@cindex Guile-PAM The contextual index could have extra context, like: --8<---------------cut here---------------start------------->8--- @cindex Guile-PAM, configuring PAM using Guile @cindex PAM configuration using Guile, Guile-PAM --8<---------------cut here---------------end--------------->8--- > + > +The @code{(gnu services pam)} module provides services related to the > +authentication mechanism @dfn{Guile-PAM}. > + > +Guile-PAM is a reimplementation in GNU Guile of the venerable Linux-PAM > +authentication system. For details, please have a look at the Texinfo > +manual in the @code{guile-pam} package. You can make a proper Texinfo cross-reference to your guile-pam Manual here, for extra convenience, see (info "(texinfo) Referring to a Manual as a Whole"). > +@defvar guile-pam-module-service-type > +A service type for Guile-PAM modules. > +@end defvar > + > +@noindent > +Here is an example of its use: > +@lisp > +(define welcome-pamda-file > + (scheme-file > + "welcome-pamda-file" > + #~(begin > + (use-modules (ice-9 format)) > + > + (lambda (action handle flags options) > + (case action > + ;; authentication management For all standalone comments, use complete sentences, or near complete sentences, like ;; Authentication management. for margin comment it's fine to use incomplete ones, e.g. 
;authentication management > + ((pam_sm_authenticate) > + (format #t "In a working module, we would now identify you.~%")) > + ((pam_sm_setcred) > + (format #t "In a working module, we would now help you manage additional credentials.~%")) > + ;; account management > + ((pam_sm_acct_mgmt) > + (format #t "In a working module, we would now confirm your access rights.~%")) > + ;; password management > + ((pam_sm_chauthtok) > + (format #t "In a working module, we would now change your password.~%")) > + ;; session management > + ((pam_sm_open_session) > + (format #t "In a working module, we would now open a session for you.~%")) > + ((pam_sm_close_session) > + (format #t "In a working module, we would now close your session.~%")) > + (else > + (format #t "In a working module, we would not know what to do about action '~s'.~%" > + action))) > + 'PAM_SUCCESS)))) Please mind the maximum 80 chars width. > +(service guile-pam-module-service-type > + (guile-pam-module-configuration > + (rules "optional") > + (module welcome-pamda-file) > + (services '("login" > + "greetd" > + "su" > + "slim" > + "gdm-password" > + "sddm")))) > +@end lisp > + > +@c %start of fragment > + > +@deftp {Data Type} guile-pam-module-configuration > +Available @code{guile-pam-module-configuration} fields are: > + > +@table @asis > +@item @code{rules} (type: maybe-string) > +Determines how the module's return value is evaluated. > + > +@item @code{module} (type: maybe-file-like) > +A Guile-PAM pamda file or a classical PAM module. > + > +@item @code{services} (type: maybe-list-of-strings) > +List of PAM service names for which to install the module. > + > +@item @code{guile-inputs} (type: maybe-list-of-packages) > +Guile inputs available in the PAM module Missing ending period. ^ [...] > +++ b/gnu/services/pam.scm 
> @@ -0,0 +1,105 @@ > +;;; GNU Guix --- Functional package management for GNU > +;;; Copyright © 2024 Felix Lechner <felix.lechner <at> lease-up.com> > +;;; > +;;; This file is part of GNU Guix. > +;;; > +;;; GNU Guix is free software; you can redistribute it and/or modify it > +;;; under the terms of the GNU General Public License as published by > +;;; the Free Software Foundation; either version 3 of the License, or (at > +;;; your option) any later version. > +;;; > +;;; GNU Guix is distributed in the hope that it will be useful, but > +;;; WITHOUT ANY WARRANTY; without even the implied warranty of > +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +;;; GNU General Public License for more details. > +;;; > +;;; You should have received a copy of the GNU General Public License > +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. > + > +(define-module (gnu services pam) > + #:use-module (gnu packages guile) > + #:use-module (gnu packages guile-xyz) > + #:use-module (gnu packages linux) > + #:use-module (gnu packages mes) > + #:use-module (gnu services) > + #:use-module (gnu services configuration) > + #:use-module (gnu system pam) > + #:use-module (guix gexp) > + #:use-module (guix packages) > + #:use-module (guix records) > + #:use-module (guix utils) > + #:use-module (srfi srfi-1) > + #:export (guile-pam-module-configuration)) > + > +(define-maybe string) > +(define-maybe list-of-strings) > +(define-maybe file-like) > + > +(define-maybe string-or-file-like) > +(define (string-or-file-like? val) > + (or (string? val) (file-like? val))) > + > +(define-maybe list-of-packages) > +(define (list-of-packages? val) > + (and (list? val) (map package? 
val))) > + > +(define-configuration/no-serialization guile-pam-module-configuration > + (rules > + maybe-string > + "Determines how the module's return value is evaluated.") > + (module > + maybe-file-like > + "A Guile-PAM pamda file or a classical PAM module.") > + (services > + maybe-list-of-strings > + "List of PAM service names for which to install the module.") > + (guile-inputs > + maybe-list-of-packages > + "Guile inputs available in the PAM module") The trailing period, as mentioned earlier. > + (foreign-library-path > + maybe-list-of-packages > + "Search path for shared objects and libraries.") ) > + > +(define (guile-pam-module-service config) > + "Return a list of <shepherd-service> for guile-pam-module for CONFIG." > + (match-record > + config <guile-pam-module-configuration> (foreign-library-path > + guile-inputs > + module > + rules > + services) The field names are more conventionally formatted on a line after the record type. You can use the ( one two three four five) Emacs trick (leading space inside the opening parenthesis) to have them indented as data rather than as a procedure call. > + (list > + (pam-extension > + (transformer > + (lambda (pam) > + (if (member (pam-service-name pam) services) > + (let* ((new-entry > + (pam-entry > + (control rules) > + (module module) > + (guile-inputs (if (eq? %unset-value guile-inputs) Better use (maybe-value-set? guile-inputs) here. > + '() > + guile-inputs)) > + (foreign-library-path (if (eq? %unset-value foreign-library-path) Likewise + 80 chars limit. 
> + '() > + foreign-library-path))))) > + (pam-service > + (inherit pam) > + (auth (append (pam-service-auth pam) > + (list new-entry))) > + (account (append (pam-service-account pam) > + (list new-entry))) > + (session (append (pam-service-session pam) > + (list new-entry))) > + (password (append (pam-service-password pam) > + (list new-entry))))) > + pam))))))) > + > +(define-public guile-pam-module-service-type > + (service-type > + (name 'guile-pam-module) > + (extensions (list (service-extension pam-root-service-type > + guile-pam-module-service))) > + (compose concatenate) > + (default-value (guile-pam-module-configuration)) > + (description "Load Guile code as part of Linux-PAM."))) Interesting. Other than my above comments, it LGTM. -- Thanks, Maxim
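Review bot: `guile-pam-module-service` builds the `pam-entry` from `rules` and `module` and calls `(member (pam-service-name pam) services)` without checking that any of those three fields is set, while `guile-pam-module-service-type` declares `(default-value (guile-pam-module-configuration))`, whose fields are all unset; a user who writes `(service guile-pam-module-service-type)` therefore gets a type error from `member`, or an entry with no module, at system build time instead of a configuration error naming the field. Either make `rules`, `module` and `services` plain (non-`maybe-`) fields and drop the default value, or guard the transformer the way the `guile-inputs` and `foreign-library-path` branches do (with `maybe-value-set?` rather than `eq? %unset-value`). Three smaller points in the same hunk: the docstring says the procedure returns a list of `<shepherd-service>`, but it returns a list holding one `pam-extension`, which is what `pam-root-service-type` consumes; `define-maybe string-or-file-like` and `string-or-file-like?` are defined but used by no field; and `guile-pam-module-service-type` is exported through `define-public` while the module's `#:export` list names only the configuration record, so pick one place for the exports.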
Message #47 received at 72316 <at> debbugs.gnu.org (Thu, 01 May 2025 14:39:02 GMT):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: 72316 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: Re: [PATCH v2 3/3] Switch to Guile-PAM.
Date: Thu, 01 May 2025 23:38:48 +0900
Hi Felix,

Felix Lechner <felix.lechner <at> lease-up.com> writes:

> Change-Id: Ib691b41cdb152f508a4a8d1b12b2a20da8706fed

Missing GNU changelog.

It seems there's already an agreement to postpone this "big" change until the service and documentation have had some time to sink in, shake out bugs (if any), and gather user feedback?  That would be wise, I think.  In the meantime, at least the patch would need reworking so the code fits our 80 columns maximum width convention.

I'd defer this one until a later time, and present it with a GCD when the moment is ripe?

--
Thanks,
Maxim
Message #50 received at submit <at> debbugs.gnu.org (Thu, 01 May 2025 15:15:02 GMT):
From: Z572 <z572 <at> z572.online>
To: Felix Lechner via Guix-patches via <guix-patches <at> gnu.org>
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Wilko Meyer <w <at> wmeyer.eu>, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Leo Famulari <leo <at> famulari.name>, 72316 <at> debbugs.gnu.org, Felix Lechner <felix.lechner <at> lease-up.com>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: Re: [bug#72316] [PATCH v2 1/3] Add guile-pam.
Date: Thu, 01 May 2025 23:14:03 +0800
Felix Lechner via Guix-patches via <guix-patches <at> gnu.org> writes: > Change-Id: I991ca32c8696de0e6751b0f4225bf24151ba22f2 > --- > gnu/packages/linux.scm | 71 ++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 71 insertions(+) > > diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index b4adf0c2b43..35ae4558043 100644 > --- a/gnu/packages/linux.scm > +++ b/gnu/packages/linux.scm > @@ -113,6 +113,7 @@ (define-module (gnu packages linux) > #:use-module (gnu packages bash) > #:use-module (gnu packages bison) > #:use-module (gnu packages boost) > + #:use-module (gnu packages build-tools) > #:use-module (gnu packages calendar) > #:use-module (gnu packages check) > #:use-module (gnu packages cpio) > @@ -145,6 +146,7 @@ (define-module (gnu packages linux) > #:use-module (gnu packages graphviz) > #:use-module (gnu packages gstreamer) > #:use-module (gnu packages gtk) > + #:use-module (gnu packages guile) > #:use-module (gnu packages haskell-apps) > #:use-module (gnu packages haskell-xyz) > #:use-module (gnu packages image) > @@ -158,6 +160,7 @@ (define-module (gnu packages linux) > #:use-module (gnu packages m4) > #:use-module (gnu packages man) > #:use-module (gnu packages maths) > + #:use-module (gnu packages mes) > #:use-module (gnu packages multiprecision) > #:use-module (gnu packages ncurses) > #:use-module (gnu packages netpbm) 
> @@ -2412,6 +2415,74 @@ (define-public vendor-reset-linux-module > ;;; Pluggable authentication modules (PAM). > ;;; > > +(define-public guile-pam > + (let ((commit "5ea70a5d88e7ade27ba9f231acab7d363b6400fb") > + (revision "0")) > + (package > + (name "guile-pam") > + (version (git-version "0.0" revision commit)) I think it should be (git-version "0.0.1" revision commit), because this commit is after v0.0.1. > + (source (origin > + (method git-fetch) > + (uri (git-reference > + (url "https://codeberg.org/lechner/guile-pam") > + (commit commit))) > + (file-name (git-file-name name version)) > + (sha256 > + (base32 > + "1i034f42wnmnsz76pcniif2ikpbamh0cki3ib2zwmbnvif4656av")))) > + (native-inputs (list > + autoconf > + automake > + gnulib > + guile-3.0 > + libtool > + linux-pam Why is linux-pam in both native-inputs and inputs? Is it required when cross-compiling? > + nyacc-2.01 Please add a comment explaining why we can't just use nyacc. > + pkg-config > + texinfo)) > + (inputs (list > + guile-3.0 > + linux-pam)) > + (propagated-inputs (list > + nyacc-2.01)) > + (build-system gnu-build-system) > + (arguments > + (list > + #:make-flags > + #~(list (string-append "ENTRY_POINT_DIR=" #$output "/share/entry-points")) > + #:phases > + #~(modify-phases %standard-phases > + (add-after 'unpack 'install-gnulib > + ;; per https://lists.gnu.org/archive/html/guile-devel/2012-08/msg00042.html > + (lambda* (#:key inputs #:allow-other-keys) > + (let ((gnulib-build-aux (dirname > + (search-input-file inputs > + "/src/gnulib/build-aux/config.rpath")))) > + (mkdir-p "build-aux") > + (copy-recursively gnulib-build-aux "build-aux")) > + (let ((gnulib-m4 (dirname (search-input-file inputs > + "/src/gnulib/m4/lib-link.m4")))) > + (mkdir-p "m4") > + (copy-recursively gnulib-m4 "m4")))) > + (add-after 'patch-source-shebangs 'fix-paths > + (lambda* (#:key inputs #:allow-other-keys) > + (for-each (lambda (file) > + (substitute* file > + (("/usr/bin/env -S guile ") > + (string-append (search-input-file inputs 
"/bin/guile") " \\\n")))) > + '("test/legacy-control-strings")) > + (substitute* "scm/pam.scm" > + (("[.]/wrap/c/[.]libs/conversation.so") > + (string-append #$output "/lib/guile-pam/wrapper/conversation.so")))))))) > + (home-page "https://codeberg.org/lechner/guile-pam") > + (synopsis "Write your Linux-PAM authentication logic in Guile Scheme") > + (description > + "Guile-PAM provides a way to rewrite your authentication logic in the > +Linux PAM (pluggable authentication modules) in Guile Scheme. It should make > +those modules more transparent to the administrator and more intuitive to > +use.") > + (license license:gpl3+)))) > + > (define-public linux-pam > (package > (name "linux-pam")
Message #56 received at submit <at> debbugs.gnu.org (Thu, 01 May 2025 15:28:01 GMT):
From: Z572 <z572 <at> z572.online>
To: Felix Lechner via Guix-patches via <guix-patches <at> gnu.org>
Cc: Vivien Kraus <vivien <at> planete-kraus.eu>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Liliana Marie Prikler <liliana.prikler <at> gmail.com>, 72316 <at> debbugs.gnu.org, Felix Lechner <felix.lechner <at> lease-up.com>, Noé Lopez <noelopez <at> free.fr>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: Re: [bug#72316] [PATCH v2 0/3] Switch to Guile-PAM
Date: Thu, 01 May 2025 23:26:46 +0800
Felix Lechner via Guix-patches via <guix-patches <at> gnu.org> writes:

> Hi Z572,
>
> Yes, you are right.  More testing is needed before Guile-PAM can manage other
> modules.  Will you push the package definition and the service, i.e. the first
> two commits?

I think it's just a guile-pam package definition, like any other package; anyone can push it as long as it's ok.  I'm not familiar with the service and can't make any guarantees.

> With the service, folks can write their own modules.  Then they can do all the
> things they always wanted, like set kernel limits in one line [1] or mount
> FUSE-based drives upon login. [2]
>
> I worked on this thing for ten years and believe it could be a game changer.
>
> Switching to Guile-PAM is not that radical: the third commit merely runs the
> stack in Guile but still uses the modules from Linux-PAM.  At about five
> hundred lines of code, the Guile stack is much easier to read (or audit) than
> the stack in Linux-PAM, but I agree we should wait.

I think you can propose a GCD later and see what people think.

> Please feel free to push the first two commits.  I will show folks how to use
> them.  Thanks!
>
> Kind regards
> Felix
>
> [1] https://codeberg.org/lechner/system-config/src/commit/0ca80a773408d5934285288ca8da03b9675e9f75/host/lechner-desktop/operating-system.scm#L75
> [2] https://codeberg.org/lechner/away/src/commit/2aba38327c1ada959656c58c2f515072c864d983/pam.scm#L76-L80
>
> Felix Lechner (3):
>   Add guile-pam.
>   Add a guile-pam-module service.
>   Switch to Guile-PAM.
>
>  doc/guix.texi                   |  89 ++++++++++
>  gnu/local.mk                    |   1 +
>  gnu/packages/linux.scm          |  71 ++++++++
>  gnu/services/authentication.scm |   9 +-
>  gnu/services/base.scm           |  16 +-
>  gnu/services/desktop.scm        |  14 +-
>  gnu/services/kerberos.scm       |  12 +-
>  gnu/services/lightdm.scm        |  69 ++++++--
>  gnu/services/pam-mount.scm      |   5 +-
>  gnu/services/pam.scm            | 105 +++++++++++
>  gnu/services/sddm.scm           |  91 +++++++---
>  gnu/services/xorg.scm           |  17 +-
>  gnu/system/pam.scm              | 296 ++++++++++++++++++++++++++------
>  13 files changed, 686 insertions(+), 109 deletions(-)
>  create mode 100644 gnu/services/pam.scm
>
>
> base-commit: 304f8bebbb3bc77b27be7ead82f2d79a10fe1843
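Felix's reply quoted above mentions using a Guile-PAM module to set kernel limits on login. The following is an added example written for this page; it is not code from the patch series, from Guile-PAM, or from the linked repositories. It follows only what the manual excerpt in this thread shows: a pamda file evaluates to a procedure of four arguments (action handle flags options) that returns a PAM status symbol. Everything else is an assumption and marked as such in the code: that Guile-PAM accepts 'PAM_IGNORE as "no opinion" (the manual has a section on skipping actions on PAM_IGNORE) and 'PAM_SESSION_ERR, the Linux-PAM code for a failed session setup; the limit values are made up. The point it adds to the welcome example is the safe default: a module that only handles session setup must not answer 'PAM_SUCCESS to pam_sm_authenticate, or it becomes an authentication bypass the moment somebody installs it with a control other than "optional".

```scheme
;; Added example, not code from Guile-PAM or the patch series.
;; Convention taken from the manual example in this thread: the file's
;; last expression is a procedure (action handle flags options) returning
;; a PAM status symbol.  ASSUMED: 'PAM_IGNORE is accepted as "no opinion"
;; and 'PAM_SESSION_ERR as the Linux-PAM status for failed session setup.
(use-modules (ice-9 match)
             (srfi srfi-1))

;; Constructed policy: (resource soft . hard).  The limits are applied to
;; the login process, so the shell it spawns inherits them, which is the
;; same mechanism pam_limits.so relies on.  #f would mean "unlimited" to
;; Guile's setrlimit.
(define %session-limits
  '((nofile 4096 . 8192)          ; open file descriptors
    (core 0 . 0)))                ; no core dumps from login sessions

(define (apply-session-limits limits)
  "Apply LIMITS with setrlimit.  Return the list of resources that could
not be set, for example because the caller lacks CAP_SYS_RESOURCE to raise
a hard limit."
  (filter-map
   (lambda (entry)
     (match entry
       ((resource soft . hard)
        (catch 'system-error
          (lambda () (setrlimit resource soft hard) #f)
          (lambda args resource)))))
   limits))

;; The module proper.  Only session setup is handled.  Every other action
;; answers 'PAM_IGNORE so that this module can never be the reason an
;; authentication or account check passes; answering 'PAM_SUCCESS there, as
;; the manual's welcome example does, is safe only under "optional".
(lambda (action handle flags options)
  (case action
    ((pam_sm_open_session)
     (let ((failed (apply-session-limits %session-limits)))
       (if (null? failed)
           'PAM_SUCCESS
           (begin
             (format (current-error-port)
                     "guile-pam: could not set limits for ~s~%" failed)
             'PAM_SESSION_ERR))))
    ((pam_sm_close_session)
     'PAM_SUCCESS)
    (else
     'PAM_IGNORE)))
```

To deploy it the way the manual's example does, the forms above go inside the `#~(begin ...)` of a `scheme-file` handed to `guile-pam-module-configuration` with `(rules "required")` or `(rules "optional")` and the session-opening services listed in `services`; with the module refusing to vote on auth and account actions, the choice of control only decides whether a failure to set limits aborts the session.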
Message #62 received at submit <at> debbugs.gnu.org (Thu, 01 May 2025 17:06:01 GMT):
From: Z572 <z572 <at> z572.online>
To: Felix Lechner via Guix-patches via <guix-patches <at> gnu.org>
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Ludovic Courtès <ludo <at> gnu.org>, Gabriel Wicki <gabriel <at> erlikon.ch>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, 72316 <at> debbugs.gnu.org, Felix Lechner <felix.lechner <at> lease-up.com>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
Date: Fri, 02 May 2025 01:04:58 +0800
Felix Lechner via Guix-patches via <guix-patches <at> gnu.org> writes: > Change-Id: I1da0fe25f542cf9d8c22d26a7434f952585119e6 > --- > doc/guix.texi | 89 ++++++++++++++++++++++++++++++++++++ > gnu/local.mk | 1 + > gnu/services/pam.scm | 105 +++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 195 insertions(+) > create mode 100644 gnu/services/pam.scm > > diff --git a/doc/guix.texi b/doc/guix.texi > index 90d90b2e1eb..11480cb0ae5 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi > @@ -412,6 +412,7 @@ Top > * Telephony Services:: Telephony services. > * File-Sharing Services:: File-sharing services. > * Monitoring Services:: Monitoring services. > +* Guile-PAM Services:: Guile-PAM services. > * Kerberos Services:: Kerberos services. > * LDAP Services:: LDAP services. > * Web Services:: Web servers. > @@ -19437,6 +19438,7 @@ Services > * Telephony Services:: Telephony services. > * File-Sharing Services:: File-sharing services. > * Monitoring Services:: Monitoring services. > +* Guile-PAM Services:: Guile-PAM services. > * Kerberos Services:: Kerberos services. > * LDAP Services:: LDAP services. > * Web Services:: Web servers. 
> @@ -33149,6 +33151,93 @@ Monitoring Services > @end deftp > > > +@c %end of fragment > + > +@node Guile-PAM Services > +@subsection Guile-PAM Services > +@cindex Guile-PAM > + > +The @code{(gnu services pam)} module provides services related to the > +authentication mechanism @dfn{Guile-PAM}. > + > +Guile-PAM is a reimplementation in GNU Guile of the venerable Linux-PAM > +authentication system. For details, please have a look at the Texinfo > +manual in the @code{guile-pam} package. > + > +@defvar guile-pam-module-service-type > +A service type for Guile-PAM modules. > +@end defvar > + > +@noindent > +Here is an example of its use: > +@lisp > +(define welcome-pamda-file > + (scheme-file > + "welcome-pamda-file" > + #~(begin > + (use-modules (ice-9 format)) > + > + (lambda (action handle flags options) > + (case action > + ;; authentication management > + ((pam_sm_authenticate) > + (format #t "In a working module, we would now identify you.~%")) > + ((pam_sm_setcred) > + (format #t "In a working module, we would now help you manage additional credentials.~%")) > + ;; account management > + ((pam_sm_acct_mgmt) > + (format #t "In a working module, we would now confirm your access rights.~%")) > + ;; password management > + ((pam_sm_chauthtok) > + (format #t "In a working module, we would now change your password.~%")) > + ;; session management > + ((pam_sm_open_session) > + (format #t "In a working module, we would now open a session for you.~%")) > + ((pam_sm_close_session) > + (format #t "In a working module, we would now close your session.~%")) > + (else > + (format #t "In a working module, we would not know what to do about action '~s'.~%" > + action))) > + 'PAM_SUCCESS)))) > + > +(service guile-pam-module-service-type > + (guile-pam-module-configuration > + (rules "optional") > + (module welcome-pamda-file) > + (services '("login" > + "greetd" > + "su" > + "slim" > + "gdm-password" > + "sddm")))) > +@end lisp > + > +@c %start of fragment > + > +@deftp {Data 
Type} guile-pam-module-configuration > +Available @code{guile-pam-module-configuration} fields are: > + > +@table @asis > +@item @code{rules} (type: maybe-string) > +Determines how the module's return value is evaluated. > + > +@item @code{module} (type: maybe-file-like) > +A Guile-PAM pamda file or a classical PAM module. > + > +@item @code{services} (type: maybe-list-of-strings) > +List of PAM service names for which to install the module. > + > +@item @code{guile-inputs} (type: maybe-list-of-packages) > +Guile inputs available in the PAM module > + > +@item @code{foreign-library-path} (type: maybe-list-of-packages) > +Search path for shared objects and libraries. > + > +@end table > + > +@end deftp > + > + > @c %end of fragment > > @node Kerberos Services > diff --git a/gnu/local.mk b/gnu/local.mk > index f6f95bbf10b..3d3da58d659 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -764,6 +764,7 @@ GNU_SYSTEM_MODULES = \ > %D%/services/networking.scm \ > %D%/services/nix.scm \ > %D%/services/nfs.scm \ > + %D%/services/pam.scm \ > %D%/services/pam-mount.scm \ > %D%/services/power.scm \ > %D%/services/science.scm \ > diff --git a/gnu/services/pam.scm b/gnu/services/pam.scm > new file mode 100644 > index 00000000000..a242067e380 > --- /dev/null > +++ b/gnu/services/pam.scm 
> @@ -0,0 +1,105 @@ > +;;; GNU Guix --- Functional package management for GNU > +;;; Copyright © 2024 Felix Lechner <felix.lechner <at> lease-up.com> > +;;; > +;;; This file is part of GNU Guix. > +;;; > +;;; GNU Guix is free software; you can redistribute it and/or modify it > +;;; under the terms of the GNU General Public License as published by > +;;; the Free Software Foundation; either version 3 of the License, or (at > +;;; your option) any later version. > +;;; > +;;; GNU Guix is distributed in the hope that it will be useful, but > +;;; WITHOUT ANY WARRANTY; without even the implied warranty of > +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +;;; GNU General Public License for more details. > +;;; > +;;; You should have received a copy of the GNU General Public License > +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. > + > +(define-module (gnu services pam) > + #:use-module (gnu packages guile) > + #:use-module (gnu packages guile-xyz) > + #:use-module (gnu packages linux) > + #:use-module (gnu packages mes) > + #:use-module (gnu services) > + #:use-module (gnu services configuration) > + #:use-module (gnu system pam) > + #:use-module (guix gexp) > + #:use-module (guix packages) > + #:use-module (guix records) > + #:use-module (guix utils) > + #:use-module (srfi srfi-1) > + #:export (guile-pam-module-configuration)) > + > +(define-maybe string) > +(define-maybe list-of-strings) > +(define-maybe file-like) > + > +(define-maybe string-or-file-like) > +(define (string-or-file-like? val) > + (or (string? val) (file-like? val))) > + > +(define-maybe list-of-packages) > +(define (list-of-packages? val) > + (and (list? val) (map package? val))) I think it should use (@ (srfi srfi-1) every), not map; otherwise this is always #t. And it should use `file-like?', which is friendly to inferior packages. 
> + > +(define-configuration/no-serialization guile-pam-module-configuration > + (rules > + maybe-string > + "Determines how the module's return value is evaluated.") > + (module > + maybe-file-like > + "A Guile-PAM pamda file or a classical PAM module.") > + (services > + maybe-list-of-strings > + "List of PAM service names for which to install the module.") > + (guile-inputs > + maybe-list-of-packages > + "Guile inputs available in the PAM module") If I understand correctly, all guile-pam-modules share the same pam_guile and dependencies; can we restrict this so that each different pam-module is its own separate dependency? (If possible, in the future I would even like to compile each of them to wasm separately, limiting the capabilities even more.) > + (foreign-library-path > + maybe-list-of-packages > + "Search path for shared objects and libraries.") ) > + > +(define (guile-pam-module-service config) > + "Return a list of <shepherd-service> for guile-pam-module for CONFIG." > + (match-record > + config <guile-pam-module-configuration> (foreign-library-path > + guile-inputs > + module > + rules > + services) > + (list > + (pam-extension > + (transformer > + (lambda (pam) > + (if (member (pam-service-name pam) services) > + (let* ((new-entry > + (pam-entry > + (control rules) > + (module module) > + (guile-inputs (if (eq? %unset-value guile-inputs) > + '() > + guile-inputs)) It looks like this patch depends on https://issues.guix.gnu.org/72316#10? I think it may not be possible to merge it directly. > + (foreign-library-path (if (eq? 
%unset-value foreign-library-path) > + '() > + foreign-library-path))))) > + (pam-service > + (inherit pam) > + (auth (append (pam-service-auth pam) > + (list new-entry))) > + (account (append (pam-service-account pam) > + (list new-entry))) > + (session (append (pam-service-session pam) > + (list new-entry))) > + (password (append (pam-service-password pam) > + (list new-entry))))) > + pam))))))) > + > +(define-public guile-pam-module-service-type > + (service-type > + (name 'guile-pam-module) > + (extensions (list (service-extension pam-root-service-type > + guile-pam-module-service))) > + (compose concatenate) > + (default-value (guile-pam-module-configuration)) > + (description "Load Guile code as part of Linux-PAM.")))
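Review bot: the `welcome-pamda-file` example in the new `Guile-PAM Services` node answers `'PAM_SUCCESS` to `pam_sm_authenticate` and `pam_sm_acct_mgmt` without checking anything, and the accompanying `service` form installs it for `login`, `su`, `gdm-password` and `sddm`, where the transformer appends the entry to the `auth`, `account`, `session` and `password` stacks alike. That is harmless only because `rules` is `"optional"`; a reader who changes it to `"sufficient"` makes every listed service accept any user with no credential at all, and `"required"` makes the welcome module a no-op vote in favour. The manual should state this next to the example, and the example's `else` branch should return the non-affirmative status Guile-PAM documents for skipped actions (PAM_IGNORE, per the manual section Felix cites later in this thread) rather than `'PAM_SUCCESS`, so that a module handling only some actions cannot be the reason a stack passes.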
Message #68 received at 72316 <at> debbugs.gnu.org (Sun, 11 May 2025 17:17:01 GMT):
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 72316 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: Re: [PATCH v2 1/3] Add guile-pam.
Date: Sun, 11 May 2025 10:16:41 -0700
Hi Maxim,

On Thu, May 01 2025, Maxim Cournoyer wrote:

> you need a GNU ChangeLog message

A ChangeLog message that's acceptable to you, together with the other adjustments you suggested, falls in my book within the responsibilities of the GNU Guix maintainers.

Z572's comments have merit; I will address them in short order.

Please just allow me to state that the package definition is useful on its own.  Patch one provides the shared object pam_guile.so that allows users to deploy PAM modules written in GNU Guile.  People have tried for decades to bring interpreted languages to PAM.  Since GNU Guile is also the configuration language for Guix System, I believe there is potentially a benefit for your users.

For details, please have a look at the upstream documentation. [1]  I am Guile-PAM's upstream maintainer and hope to provide comprehensive and timely assistance over there.

Kind regards
Felix

[1] https://juix.org/guile-pam/#From-PAM-to-Guile
Message #71 received at submit <at> debbugs.gnu.org (Sun, 11 May 2025 17:37:02 GMT):
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: Z572 <z572 <at> z572.online>
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Wilko Meyer <w <at> wmeyer.eu>, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Leo Famulari <leo <at> famulari.name>, 72316 <at> debbugs.gnu.org, Matthew Trzcinski <matt <at> excalamus.com>, Felix Lechner via Guix-patches via <guix-patches <at> gnu.org>
Subject: Re: [bug#72316] [PATCH v2 1/3] Add guile-pam.
Date: Sun, 11 May 2025 10:36:18 -0700
Hi Z572,

On Thu, May 01 2025, Z572 wrote:

> Felix Lechner via Guix-patches via <guix-patches <at> gnu.org> writes:
>
> this commit is after v0.0.1.

Nice catch, thank you!  I created the tag v0.0.3 as an alias for commit 5ea70a5d.  Feel free to use either.

> why linux-pam both in native-inputs and inputs, is it required when
> cross compiling?

I cannot remember, and do not understand the function of native-inputs.

> Please add a comment why we can't just use nyacc.

Matt Wesche made changes and bug fixes on my behalf.  Most notable is the new Cdata interface [1] which replaced Guile-Bytestructures. [2]

[1] https://www.nongnu.org/nyacc/cdata.html
[2] https://www.nongnu.org/nyacc/nyacc-fh-ug.html

Kind regards
Felix
Message #77 received at 72316 <at> debbugs.gnu.org:
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: Z572 <z572 <at> z572.online>
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Ludovic Courtès <ludo <at> gnu.org>, Gabriel Wicki <gabriel <at> erlikon.ch>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, 72316 <at> debbugs.gnu.org, Matthew Trzcinski <matt <at> excalamus.com>, Felix Lechner via Guix-patches via <guix-patches <at> gnu.org>
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
Date: Sun, 11 May 2025 11:03:47 -0700

Hi Z572,

On Fri, May 02 2025, Z572 wrote:

> i think should use (@ (srfi srfi-1) every), not map, otherwise this has
> always been #t. And should use `file-like?', friendly to inferior packages.

You are probably right. Please feel free to adjust the validator.

I personally do not use the configuration-record's type checking features anymore. I will present my configuration system, which also disentangles the painful splicing of values into the command line, soon.

> If I understand correctly, all guile-pam-modules share the same
> pam_guile and dependencies, can we restrict this so that each different
> pam-module is its own separate dependency

I do not understand your sentence (and am not sure it's true). The Guile prerequisites are for the modules your users write.

> (If possible in the future, I would even like to compile each of them to
> wasm separately, limiting the capabilities even more.)

I am a fan of WASM. What does it have to do with Guile-PAM, please?

> looks like this patch depends on https://issues.guix.gnu.org/72316#10 ?.

Yeah, that happened because I wrote the service to integrate Guile-PAM into the existing Guix stack. It quickly proved superior, however, to use Guile-PAM's stack, which is nearly identical. [1][2]

An easy solution would be to merge patches two and three into a single patch.

Kind regards
Felix

[1] https://juix.org/guile-pam/#Skipping-of-actions-on-PAM_005fIGNORE_002e
[2] https://juix.org/guile-pam/#Legacy-instruction-sets
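The `map`-versus-`every` problem Z572 raises in the quoted review comment above, as an added illustration that is not code from the patch series or from Guile-PAM: in Scheme a list is a true value, so a validator built on `map` accepts every input and a malformed module list is never rejected. The `file-like?` stand-in, the validator names and the sample paths are assumptions made for this example.

```scheme
;; Added example, not code from the patch series or from Guile-PAM.
;; Shows why a list validator must use SRFI-1 `every', not `map'.
(use-modules (srfi srfi-1))

;; Stand-in for Guix's `file-like?' so this runs in plain Guile: here a
;; file-like value is simply a string path.  This is an assumption made
;; for the example, not Guix's real definition.
(define (file-like? obj)
  (string? obj))

;; Broken validator as described in the review: `map' returns a list,
;; and every list, even (#f #f), counts as true in Scheme.  The `and'
;; therefore yields a true value for any list at all.
(define (list-of-file-likes?/broken value)
  (and (list? value)
       (map file-like? value)))

;; Fixed validator: `every' returns #f as soon as the predicate fails
;; for one element, so a bad element makes the whole value invalid.
(define (list-of-file-likes? value)
  (and (list? value)
       (every file-like? value)))

;; Constructed sample configurations.  The second list contains a number
;; where a file-like value is required.
(define good-modules '("/example/pam_guile.so" "/example/my-module.scm"))
(define bad-modules  '("/example/pam_guile.so" 42))

;; Report how each validator treats an input, mirroring what a field
;; sanitizer in a service configuration would do with the result.
(define (report name validator value)
  (format #t "~a validator on ~s: ~a~%"
          name value (if (validator value) "accepted" "rejected")))

(report "broken" list-of-file-likes?/broken bad-modules)
(report "fixed"  list-of-file-likes?        bad-modules)
(report "fixed"  list-of-file-likes?        good-modules)
```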
Message #83 received at 72316 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: 72316 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: Re: [PATCH v2 1/3] Add guile-pam.
Date: Mon, 12 May 2025 16:38:31 +0900

Hi Felix,

Felix Lechner <felix.lechner <at> lease-up.com> writes:

> Hi Maxim,
>
> On Thu, May 01 2025, Maxim Cournoyer wrote:
>
>> you need a GNU ChangeLog message
>
> A ChangeLog message that's acceptable to you, together with the other
> adjustments you suggested, falls in my book within the responsibilities
> of the GNU Guix maintainers.

I think you meant s/GNU Guix maintainers/committers/.

I'd just say that it's more efficient if everybody does their part and strives to meet the standards rather than expect someone to fix it up. By leaving things like the GNU ChangeLog for someone else to write, you lower the chances that the change gets merged quickly, since it becomes more bothersome for someone else to fill the gaps themselves before pushing.

-- 
Thanks,
Maxim
Message #86 received at 72316 <at> debbugs.gnu.org:
From: Z572 <zhengjunjie <at> iscas.ac.cn>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Ludovic Courtès <ludo <at> gnu.org>, Gabriel Wicki <gabriel <at> erlikon.ch>, Florian Pelz <pelzflorian <at> pelzflorian.de>, 72316 <at> debbugs.gnu.org, Z572 <z572 <at> z572.online>, Matthew Trzcinski <matt <at> excalamus.com>, Felix Lechner via Guix-patches via <guix-patches <at> gnu.org>
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
Date: Tue, 13 May 2025 08:50:51 +0800
Felix Lechner <felix.lechner <at> lease-up.com> writes:

> Hi Z572,
>
> On Fri, May 02 2025, Z572 wrote:
>
>> i think should use (@ (srfi srfi-1) every), not map, otherwise this has
>> always been #t. And should use `file-like?', friendly to inferior packages.
>
> You are probably right. Please feel free to adjust the validator.
>
> I personally do not use the configuration-record's type checking
> features anymore. I will present my configuration system, which also
> disentangles the painful splicing of values into the command line, soon.
>
>> If I understand correctly, all guile-pam-modules share the same
>> pam_guile and dependencies, can we restrict this so that each different
>> pam-module is its own separate dependency
>
> I do not understand your sentence (and am not sure it's true). The
> Guile prerequisites are for the modules your users write.

If my module a needs guile-json-1, module b needs guile-json-4, they cannot be used by the same guile. Also, if a pam module is broken, I don't want all pam modules to be broken.

>
>> (If possible in the future, I would even like to compile each of them to
>> wasm separately, limiting the capabilities even more.)
>
> I am a fan of WASM. What does it have to do with Guile-PAM, please?

For example, I use hoot to compile the code to wasm, and load and interpret the wasm in pam-guile. If I don't need to access the file, I don't need the ability to read the file.

>
>> looks like this patch depends on https://issues.guix.gnu.org/72316#10 ?.
>
> Yeah, that happened because I wrote the service to integrate Guile-PAM
> into the existing Guix stack. It quickly proved superior, however, to
> use Guile-PAM's stack, which is nearly identical. [1][2]

I think it is possible to use gexp's with-extensions, with-imported-modules, etc., instead of adding a guile-inputs option.

>
> An easy solution would be to merge patches two and three into a single
> patch.
>
> Kind regards
> Felix
>
> [1]
> https://juix.org/guile-pam/#Skipping-of-actions-on-PAM_005fIGNORE_002e
> [2] https://juix.org/guile-pam/#Legacy-instruction-sets
Message #89 received at 72316 <at> debbugs.gnu.org:
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 72316 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, Matthew Trzcinski <matt <at> excalamus.com>
Subject: Re: [PATCH v2 1/3] Add guile-pam.
Date: Mon, 12 May 2025 19:50:57 -0700

Hi Maxim,

On Mon, May 12 2025, Maxim Cournoyer wrote:

> I think you meant s/GNU Guix maintainers/committers/.

Well, I meant maintainers in the common sense. [1]

[1] https://en.wikipedia.org/wiki/Software_maintainer

> it's more efficient if everybody does their part

It may be more efficient for you, but it's not more efficient for me.

As an aside, I maintained a project with many contributors (Debian's Lintian) and didn't nitpick. I adjusted commits to my liking, credited authorship, and accepted contributions because they were beneficial to my project. That's also how I will treat you when you come to Guile-PAM.

> By leaving things like the GNU ChangeLog for someone else to write,
> you lower the chances that the change gets merged quickly

Could I see your analysis, please? From my experience, a proper commit message does nothing to make acceptance in GNU Guix any faster.

> it becomes more bothersome for someone else to fill the gaps
> themselves before pushing.

Okay, so you find tasks bothersome that I think are part of a maintainer's role.

I think it would have been more productive than this exchange if you had simply added the missing space yourself and made other needed changes that your trained eyes, which know Guix much better than I, saw in seconds. How long does it take to type a space and write a one-line commit message you like?

Kind regards,
Felix
Message #92 received at submit <at> debbugs.gnu.org:
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: Z572 <zhengjunjie <at> iscas.ac.cn>
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Ludovic Courtès <ludo <at> gnu.org>, Gabriel Wicki <gabriel <at> erlikon.ch>, Florian Pelz <pelzflorian <at> pelzflorian.de>, 72316 <at> debbugs.gnu.org, Z572 <z572 <at> z572.online>, Matthew Trzcinski <matt <at> excalamus.com>, Felix Lechner via Guix-patches via <guix-patches <at> gnu.org>
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
Date: Mon, 12 May 2025 19:57:12 -0700

Hi Z572,

On Tue, May 13 2025, Z572 wrote:

> If my module a needs guile-json-1,
> module b needs guile-json-4, they cannot be used by the same guile.
> Also, if a pam module is broken, I don't want all pam modules to be broken.

> For example, I use hoot to compile the code to wasm, and load and
> interpret the wasm in pam-guile. If I don't need to access the file, I
> don't need the ability to read the file.
>
> I think it is possible to use gexp's with-extensions,
> with-imported-modules, etc., instead of adding a guile-inputs option.

Feel free to adjust the patches. Otherwise, your ideas and demands are vaporware. The patches I sent have been working in production for a year.

For any changes needed at Guile-PAM, I am happy to look at your contributions over there as long as you agree to release your code under the GPLv3+ license.

Kind regards,
Felix
Message #98 received at 72316 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: Ludovic Courtès <ludo <at> gnu.org>, Gabriel Wicki <gabriel <at> erlikon.ch>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, 72316 <at> debbugs.gnu.org, Z572 <z572 <at> z572.online>, Matthew Trzcinski <matt <at> excalamus.com>, Felix Lechner via Guix-patches via <guix-patches <at> gnu.org>
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
Date: Wed, 14 May 2025 23:26:45 +0900

Hi Felix,

Felix Lechner <felix.lechner <at> lease-up.com> writes:

> Hi Z572,
>
> On Tue, May 13 2025, Z572 wrote:
>
>> If my module a needs guile-json-1,
>> module b needs guile-json-4, they cannot be used by the same guile.
>> Also, if a pam module is broken, I don't want all pam modules to be broken.
>
>> For example, I use hoot to compile the code to wasm, and load and
>> interpret the wasm in pam-guile. If I don't need to access the file, I
>> don't need the ability to read the file.
>>
>> I think it is possible to use gexp's with-extensions,
>> with-imported-modules, etc., instead of adding a guile-inputs option.
>
> Feel free to adjust the patches. Otherwise, your ideas and demands are
> vaporware. The patches I sent have been working in production for a
> year.

That's not a constructive way to approach code reviews. I'd like to remind you that we strive for welcoming and positive interactions in the Guix project, as enshrined in our Code of Conduct. People have graciously taken their own time to look at your changes and suggest improvements or ideas. The least you can do in return is to show some gratitude for it, not dismiss their feedback as something you can't be bothered with.

-- 
Thanks,
Maxim
Message #104 received at 72316 <at> debbugs.gnu.org:
From: Felix Lechner <felix.lechner <at> lease-up.com>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: Ludovic Courtès <ludo <at> gnu.org>, Gabriel Wicki <gabriel <at> erlikon.ch>, Z572 <zhengjunjie <at> iscas.ac.cn>, Florian Pelz <pelzflorian <at> pelzflorian.de>, 72316 <at> debbugs.gnu.org, Z572 <z572 <at> z572.online>, Matthew Trzcinski <matt <at> excalamus.com>, Felix Lechner via Guix-patches via <guix-patches <at> gnu.org>
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
Date: Wed, 14 May 2025 08:28:02 -0700

Hi Maxim,

On Wed, May 14 2025, Maxim Cournoyer wrote:

> That's not a constructive way to approach code reviews.

Nitpicking people for missing spaces or other form errors is not productive. As for the commit messages, I do not get their point: They duplicate facts from the diff and offer no forensic improvements over 'git blame.' Furthermore, their use as ChangeLog entries is an anachronism for a project with a rolling release model.

> I'd like to remind you that we strive for welcoming and positive
> interactions in the Guix project, as enshrined in our Code of Conduct.

Please focus on the merits of Guile-PAM! This is the second time you attacked my person and threatened me with condescending and moralizing messages. The other time was unsolicited and in private on March 9, for which you apologized. The code of conduct allows for these incidents to be reported.

What do you think about my patches, please? Do you see any benefits or drawbacks in using Guile-PAM in Guix? Where do you want to take authentication in Guix System? Could Guile-PAM help your users to configure their authentication methods with greater flexibility and individuality, or do you prefer the trusted but precompiled modules of Linux-PAM? In short, wouldn't Guile-PAM be a cool addition to GNU Guix?

> People have graciously taken their own time to look at your changes and
> suggest improvements or ideas. The least you can do in return is to
> show some gratitude for it, not dismiss their feedback as something you
> can't be bothered with.

As a maintainer, it is your duty to review contributions. If that bothers you, you might want to think about stepping aside. Also, please stop using your elevated position to domineer people who try to contribute in good faith. It's not good stewardship.

Thank you for GNU Guix! It's the coolest software project I ever saw. Let's make it better together!

Kind regards
Felix
Message #110 received at 72316 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Felix Lechner <felix.lechner <at> lease-up.com>
Cc: ludo <at> gnu.org, gabriel <at> erlikon.ch, zhengjunjie <at> iscas.ac.cn, pelzflorian <at> pelzflorian.de, 72316 <at> debbugs.gnu.org, z572 <at> z572.online, matt <at> excalamus.com
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
Date: Thu, 15 May 2025 09:25:37 +0900

Hi Felix,

My previous email was about your way to interact with others in this thread, which I think is below the expectations set in this community, namely, being dismissive of others' feedback. Guix is a social project before being a technical one, therefore being able to work together is more valuable than technical merits alone.

I'm disappointed that instead of taking pause and adjusting, you appear to have chosen to deflect with passive-aggressive assertions and other not-so-kind suggestions. Please stop, and consider yourself warned.

-- 
Thanks,
Maxim
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.