From: Felix Lechner
To: guix-patches@gnu.org
Subject: [PATCH 0/3] Switch to Guile-PAM.
Date: Fri, 26 Jul 2024 15:01:08 -0700
X-Debbugs-Cc: Florian Pelz, Ludovic Courtès, Matthew Trzcinski, Maxim Cournoyer

Guile-PAM reimplements the PAM stack in GNU Guile and allows system administrators to write modules in GNU Guile.

This patch series switches Guix System to Guile-PAM. It relies on the shared objects from Linux-PAM until Guile implementations are available.

In Guix, Guile-PAM could start Shepherd's user services or keep track of login sessions, similar to pam_systemd.so.

The guile-pam package ships with a detailed Texinfo manual.

The software is in alpha stage. For example, the interaction with sddm was not well-tested. Please let me know how it goes---private email is okay!

Kind regards
Felix

Felix Lechner (3):
  Add guile-pam.
  Switch to Guile-PAM.
  Add a guile-pam-module service.
 doc/guix.texi                   |  89 ++++++++++
 gnu/local.mk                    |   1 +
 gnu/packages/linux.scm          |  56 ++++++
 gnu/services/authentication.scm |   9 +-
 gnu/services/base.scm           |  16 +-
 gnu/services/desktop.scm        |  14 +-
 gnu/services/kerberos.scm       |  12 +-
 gnu/services/lightdm.scm        |  69 ++++++-
 gnu/services/pam-mount.scm      |   5 +-
 gnu/services/pam.scm            | 105 +++++++++++
 gnu/services/sddm.scm           |  91 +++++++--
 gnu/services/xorg.scm           |  17 +-
 gnu/system/pam.scm              | 296 ++++++++++++++++++++++++++------
 13 files changed, 671 insertions(+), 109 deletions(-)
 create mode 100644 gnu/services/pam.scm

base-commit: 862a9b5b25966845f71d218ad8c0c5655ffc479a
-- 
2.45.2
From: Felix Lechner To: 72316@debbugs.gnu.org Subject: [PATCH 1/3] Add guile-pam. Date: Fri, 26 Jul 2024 15:39:11 -0700 Message-ID: <65131a4e1fc7760ce1e31975ec7c5ba06bd920b6.1722032727.git.felix.lechner@lease-up.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: References: MIME-Version: 1.0 X-Debbugs-Cc: Leo Famulari , Wilko Meyer Content-Transfer-Encoding: 8bit X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 72316 Cc: Felix Lechner X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Change-Id: I991ca32c8696de0e6751b0f4225bf24151ba22f2 --- gnu/packages/linux.scm | 56 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index f36d0fc9ee..7b5f549584 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -112,6 +112,7 @@ (define-module (gnu packages linux) #:use-module (gnu packages bash) #:use-module (gnu packages bison) #:use-module (gnu packages boost) + #:use-module (gnu packages build-tools) #:use-module (gnu packages calendar) #:use-module (gnu packages check) #:use-module (gnu packages cpio) @@ -145,6 +146,7 @@ (define-module (gnu packages linux) #:use-module (gnu packages graphviz) #:use-module (gnu packages gstreamer) #:use-module (gnu packages gtk) + #:use-module (gnu packages guile) #:use-module (gnu packages haskell-apps) #:use-module (gnu packages haskell-xyz) #:use-module (gnu packages image) @@ -157,6 +159,7 @@ (define-module (gnu packages linux) #:use-module (gnu packages m4) #:use-module (gnu packages man) #:use-module (gnu packages maths) + #:use-module (gnu packages mes) #:use-module (gnu packages multiprecision) #:use-module (gnu packages ncurses) #:use-module (gnu packages netpbm) 
@@ -1917,6 +1920,59 @@ (define-public vendor-reset-linux-module ;;; Pluggable authentication modules (PAM). ;;; +(define-public guile-pam + (let ((commit "7eba489fbc56b72de5e4bd77d7c99816434b5178") + (revision "0")) + (package + (name "guile-pam") + (version (git-version "0.0" revision commit)) + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://codeberg.org/lechner/guile-pam") + (commit commit))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "149cmgif05wcp4zgkkr2gp93djr44qiv71ih2b2d633vnj1mbayb")))) + (native-inputs (list + autoconf + automake + gnulib + guile-3.0 + libtool + linux-pam + nyacc + pkg-config + texinfo)) + (inputs (list + guile-3.0 + linux-pam)) + (propagated-inputs (list + nyacc)) + (build-system gnu-build-system) + (arguments + (list + #:phases + #~(modify-phases %standard-phases + (add-after 'unpack 'install-gnulib + ;; per https://lists.gnu.org/archive/html/guile-devel/2012-08/msg00042.html + (lambda* (#:key inputs #:allow-other-keys) + (let ((build-aux (dirname (search-input-file inputs "/src/gnulib/build-aux/config.rpath")))) + (mkdir-p "build-aux") + (copy-recursively build-aux "build-aux")) + (let ((m4 (dirname (search-input-file inputs "/src/gnulib/m4/lib-link.m4")))) + (mkdir-p "m4") + (copy-recursively m4 "m4"))))))) + (home-page "https://codeberg.org/lechner/guile-pam") + (synopsis "Write your Linux-PAM authentication logic in Guile Scheme") + (description + "Guile-PAM provides a way to rewrite your authentication logic in the +Linux PAM (pluggable authentication modules) in Guile Scheme. 
It should make +those modules more transparent to the administrator and more intuitive to +use.") + (license license:gpl3+)))) + (define-public linux-pam (package (name "linux-pam") -- 2.45.2 From debbugs-submit-bounces@debbugs.gnu.org Fri Jul 26 18:39:49 2024 Received: (at 72316) by debbugs.gnu.org; 26 Jul 2024 22:39:49 +0000 Received: from localhost ([127.0.0.1]:40239 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sXTbH-0002vm-4U for submit@debbugs.gnu.org; Fri, 26 Jul 2024 18:39:48 -0400 Received: from sail-ipv4.us-core.com ([208.82.101.137]:53130) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sXTbC-0002vE-J0 for 72316@debbugs.gnu.org; Fri, 26 Jul 2024 18:39:44 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=CWel/sTFVUJqb+F iGMQKU75ZDornNS/3liGjcF+zBrY=; h=references:in-reply-to:date:subject: cc:to:from; d=lease-up.com; b=PoqWFjRT3AzL849/0ouUOfVq46kmvd+M2R4109Rc tfWQ0dXpJhpjgS95GUjpUrnQ/xVSqGn0WpndrTEoSK1Dn8mhbG6q84/FIXf/8aNM+HLYvC MSgkg0uDwiha7fyf84kr2YE5FT0d1tVUlh/Tl6BhdtIn7bxbnV3/feCFPg1LE= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id a42c417d (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); Fri, 26 Jul 2024 22:39:32 +0000 (UTC) Received: from localhost (localhost [local]) by localhost (OpenSMTPD) with ESMTPA id b02fa678; Fri, 26 Jul 2024 22:39:32 +0000 (UTC) 
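Review bot: in the guile-pam package, `linux-pam` and `nyacc` are each listed twice; `linux-pam` is a C library the build links against and belongs in `inputs` only, and `nyacc`, being in `propagated-inputs`, is already available at build time, so its `native-inputs` entry is redundant. The synopsis and description are written in the second person ("Write your Linux-PAM authentication logic ...", "rewrite your authentication logic"), which reads like a pitch rather than a statement of what the package is; a neutral phrasing such as "Linux-PAM authentication logic written in Guile Scheme" fits the rest of linux.scm better. Finally, `(version (git-version "0.0" revision commit))` pins an unreleased commit of a project the cover letter calls alpha; since this becomes the authentication stack of every Guix System, a comment explaining why no tagged release is used would help later reviewers and updaters.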
From: Felix Lechner To: 72316@debbugs.gnu.org Subject: [PATCH 2/3] Switch to Guile-PAM. Date: Fri, 26 Jul 2024 15:39:12 -0700 Message-ID: X-Mailer: git-send-email 2.45.2 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 72316 Cc: Felix Lechner X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Change-Id: Ib691b41cdb152f508a4a8d1b12b2a20da8706fed --- gnu/services/authentication.scm | 9 +- gnu/services/base.scm | 16 +- gnu/services/desktop.scm | 14 +- gnu/services/kerberos.scm | 12 +- gnu/services/lightdm.scm | 69 ++++++-- gnu/services/pam-mount.scm | 5 +- gnu/services/sddm.scm | 91 +++++++--- gnu/services/xorg.scm | 17 +- gnu/system/pam.scm | 296 ++++++++++++++++++++++++++------ 9 files changed, 420 insertions(+), 109 deletions(-) diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm index fbfef2d3d0..88ccba6ada 100644 --- a/gnu/services/authentication.scm +++ b/gnu/services/authentication.scm @@ -503,9 +503,6 @@ (define (nslcd-shepherd-service config) (define (pam-ldap-pam-service config) "Return a PAM service for LDAP authentication." - (define pam-ldap-module - (file-append (nslcd-configuration-nss-pam-ldapd config) - "/lib/security/pam_ldap.so")) (pam-extension (transformer (lambda (pam) @@ -514,7 +511,11 @@ (define (pam-ldap-pam-service config) (let ((sufficient (pam-entry (control "sufficient") - (module pam-ldap-module)))) + (module "pam_ldap.so") + (foreign-library-path + (list + (file-append (nslcd-configuration-nss-pam-ldapd config) + "/lib/security")))))) (pam-service (inherit pam) (auth (cons sufficient (pam-service-auth pam))) 
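Review bot: replacing the absolute store path `(file-append ... "/lib/security/pam_ldap.so")` with the bare name `"pam_ldap.so"` plus a `foreign-library-path` turns a fixed-path load into a search-path lookup, and the same pattern is applied to every entry in this patch. Whether the per-entry directory actually constrains the lookup is not visible here: in the `gnu/system/pam.scm` hunks later in this patch, `entry->gate` in `make-pam-stack` destructures only `control`, `module` and `options`, while `make-environment-file` builds a single `GUILE_EXTENSIONS_PATH` from the configuration-wide `foreign-library-path`. Please document on `pam-entry` where the per-entry directories are collected into that global list, and what the ordering means when two entries name the same file from different packages, which this very series does with `pam_mount.so` from `greetd-pam-mount` (base.scm) and from `pam-mount` (pam-mount.scm).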
diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 4b5b103cc3..0d99c649c2 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -58,8 +58,8 @@ (define-module (gnu services base) #:use-module (gnu packages admin) #:use-module ((gnu packages linux) #:select (alsa-utils btrfs-progs crda eudev - e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools - util-linux xfsprogs)) + e2fsprogs f2fs-tools fuse gpm kbd linux-pam + lvm2 rng-tools util-linux xfsprogs)) #:use-module (gnu packages bash) #:use-module ((gnu packages base) #:select (coreutils glibc glibc/hurd @@ -1652,7 +1652,10 @@ (define pam-limits-service-type (control "required") (module "pam_limits.so") (arguments - (list #~(string-append "conf=" #$limits-file)))))) + (list #~(string-append "conf=" #$limits-file))) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (if (member (pam-service-name pam) '("login" "greetd" "su" "slim" "gdm-password" "sddm" "lightdm" "sudo" "sshd")) @@ -3540,8 +3543,11 @@ (define (greetd-pam-service config) (define optional-pam-mount (pam-entry (control "optional") - (module (file-append greetd-pam-mount "/lib/security/pam_mount.so")) - (arguments '("disable_interactive")))) + (module "pam_mount.so") + (arguments '("disable_interactive")) + (foreign-library-path + (list + (file-append greetd-pam-mount "/lib/security"))))) (list (unix-pam-service "greetd" diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 63e2011ce3..762b933519 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -1233,8 +1233,10 @@ (define (pam-extension-procedure config) (define pam-elogind (pam-entry (control "required") - (module (file-append (elogind-package config) - "/lib/security/pam_elogind.so")))) + (module "pam_elogind.so") + (foreign-library-path + (list + (file-append (elogind-package config) "/lib/security"))))) (list (pam-extension (transformer 
@@ -1886,9 +1888,11 @@ (define (pam-gnome-keyring config) (define (%pam-keyring-entry . arguments) (pam-entry (control "optional") - (module (file-append (gnome-keyring-package config) - "/lib/security/pam_gnome_keyring.so")) - (arguments arguments))) + (module "pam_gnome_keyring.so") + (arguments arguments) + (foreign-library-path + (list + (file-append (gnome-keyring-package config) "/lib/security"))))) (list (pam-extension diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm index a6f540a9b6..d2d8988a83 100644 --- a/gnu/services/kerberos.scm +++ b/gnu/services/kerberos.scm @@ -431,18 +431,18 @@ (define (pam-krb5-pam-service config) (pam-extension (transformer (lambda (pam) - (define pam-krb5-module - (file-append (pam-krb5-configuration-pam-krb5 config) - "/lib/security/pam_krb5.so")) - (let ((pam-krb5-sufficient (pam-entry (control "sufficient") - (module pam-krb5-module) + (module "pam_krb5.so") (arguments (list (format #f "minimum_uid=~a" - (pam-krb5-configuration-minimum-uid config))))))) + (pam-krb5-configuration-minimum-uid config)))) + (foreign-library-path + (list + (file-append (pam-krb5-configuration-pam-krb5 config) + "/lib/security")))))) (pam-service (inherit pam) (auth (cons* pam-krb5-sufficient diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm index 18beaa44de..dcdae51c68 100644 --- a/gnu/services/lightdm.scm +++ b/gnu/services/lightdm.scm @@ -24,6 +24,7 @@ (define-module (gnu services lightdm) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnome) + #:use-module ((gnu packages linux) #:select (linux-pam)) #:use-module (gnu packages vnc) #:use-module (gnu packages xorg) #:use-module (gnu services configuration) 
@@ -546,15 +547,35 @@ (define (lightdm-greeter-pam-service) (name "lightdm-greeter") (auth (list ;; Load environment from /etc/environment and ~/.pam_environment. - (pam-entry (control "required") (module "pam_env.so")) + (pam-entry (control "required") + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; Always let the greeter start without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (pam-entry (control "required") + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; No action required for account management - (account (list (pam-entry (control "required") (module "pam_permit.so")))) + (account (list (pam-entry (control "required") + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list (pam-entry (control "required") + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list (pam-entry (control "required") + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (lightdm-autologin-pam-service) "Return a PAM service for @command{lightdm-autologin}}." 
@@ -563,17 +584,41 @@ (define (lightdm-autologin-pam-service) (auth (list ;; Block login if user is globally disabled. - (pam-entry (control "required") (module "pam_nologin.so")) - (pam-entry (control "required") (module "pam_succeed_if.so") - (arguments (list "uid >= 1000"))) + (pam-entry (control "required") + (module "pam_nologin.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) + (pam-entry (control "required") + (module "pam_succeed_if.so") + (arguments (list "uid >= 1000")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; Allow access without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (pam-entry (control "required") + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Stop autologin if account requires action. - (account (list (pam-entry (control "required") (module "pam_unix.so")))) + (account (list (pam-entry (control "required") + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list (pam-entry (control "required") + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list (pam-entry (control "required") + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (lightdm-pam-services config) (list (lightdm-pam-service config) diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm index b3a02e82e9..1eb5b44e31 100644 --- a/gnu/services/pam-mount.scm +++ b/gnu/services/pam-mount.scm 
@@ -94,7 +94,10 @@ (define (pam-mount-pam-service config) (define optional-pam-mount (pam-entry (control "optional") - (module (file-append pam-mount "/lib/security/pam_mount.so")))) + (module "pam_mount.so") + (foreign-library-path + (list + (file-append pam-mount "/lib/security"))))) (list (pam-extension (transformer diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm index 92d64cc599..cb2c5a9276 100644 --- a/gnu/services/sddm.scm +++ b/gnu/services/sddm.scm @@ -24,6 +24,7 @@ (define-module (gnu services sddm) #:use-module (gnu packages admin) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) + #:use-module ((gnu packages linux) #:select (linux-pam)) #:use-module (gnu packages xorg) #:use-module (gnu services) #:use-module (gnu services shepherd) 
@@ -206,40 +207,61 @@ (define (sddm-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module "pam_nologin.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") - (module "pam_env.so")) + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") (module "pam_succeed_if.so") (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) - "quiet"))) + "quiet")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; should be factored out into system-auth (pam-entry (control "required") - (module "pam_unix.so")))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (account (list ;; should be factored out into system-account (pam-entry (control "required") - (module "pam_unix.so")))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (password (list ;; should be factored out into system-password (pam-entry (control "required") (module "pam_unix.so") - (arguments (list "sha512" "shadow" "try_first_pass"))))) + (arguments (list "sha512" "shadow" "try_first_pass")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session (list ;; lfs has a required pam_limits.so ;; should be factored out into system-session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (sddm-greeter-pam-service) "Return a PAM service for @command{sddm-greeter}." 
@@ -250,29 +272,44 @@ (define (sddm-greeter-pam-service) ;; Load environment from /etc/environment and ~/.pam_environment (pam-entry (control "required") - (module "pam_env.so")) + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; Always let the greeter start without authentication (pam-entry (control "required") - (module "pam_permit.so")))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (account (list ;; No action required for account management (pam-entry (control "required") - (module "pam_permit.so")))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (password (list ;; Can't change password (pam-entry (control "required") - (module "pam_deny.so")))) + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session (list ;; Setup session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (sddm-autologin-pam-service config) "Return a PAM service for @command{sddm-autologin}" 
@@ -282,31 +319,37 @@ (define (sddm-autologin-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module "pam_nologin.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") (module "pam_succeed_if.so") (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) - "quiet"))) + "quiet")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") - (module "pam_permit.so")))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (account - (list - (pam-entry - (control "include") - (module "sddm")))) + (pam-service-account (sddm-pam-service config))) (password (list (pam-entry (control "required") - (module "pam_deny.so")))) + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session - (list - (pam-entry - (control "include") - (module "sddm")))))) + (pam-service-session (sddm-pam-service config))))) (define (sddm-pam-services config) (list (sddm-pam-service config) diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index e7d8922d76..b1df08662f 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm 
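Review bot: in the sddm-autologin hunk, replacing the two `(control "include") (module "sddm")` entries with `(pam-service-account (sddm-pam-service config))` and `(pam-service-session (sddm-pam-service config))` is needed because `make-pam-stack` rejects `include`, but that reason should be stated in a comment at the call site, and `(sddm-pam-service config)` is evaluated twice; bind it once in a `let` and take both fields from it.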
@@ -1236,16 +1236,25 @@ (define (gdm-pam-service config) #:login-uid? #t)) (auth (list (pam-entry (control "optional") - (module (file-append (gdm-configuration-gdm config) - "/lib/security/pam_gdm.so"))) + (module "pam_gdm.so") + (foreign-library-path + (list + (file-append (gdm-configuration-gdm config) + "/lib/security/")))) (pam-entry (control "sufficient") - (module "pam_permit.so"))))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))))) (pam-service (inherit (unix-pam-service "gdm-launch-environment")) (auth (list (pam-entry (control "required") - (module "pam_permit.so"))))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))))) (unix-pam-service "gdm-password" #:login-uid? #t #:allow-empty-passwords? diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index a035a92e25..232256d59a 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -32,7 +32,9 @@ (define-module (gnu system pam) #:use-module (srfi srfi-11) #:use-module (srfi srfi-26) #:use-module ((guix utils) #:select (%current-system)) + #:use-module (gnu packages guile) #:use-module (gnu packages linux) + #:use-module (gnu packages mes) #:export (pam-service pam-service-name pam-service-account @@ -44,6 +46,8 @@ (define-module (gnu system pam) pam-entry-control pam-entry-module pam-entry-arguments + pam-entry-guile-inputs + pam-entry-foreign-library-path pam-limits-entry pam-limits-entry-domain 
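Review bot: in the gdm-pam-service hunk, `(file-append (gdm-configuration-gdm config) "/lib/security/")` carries a trailing slash unlike every other `foreign-library-path` in the series; drop it for consistency. Unlike lightdm.scm and sddm.scm, no hunk adds `#:use-module ((gnu packages linux) #:select (linux-pam))` to xorg.scm even though the hunk now references `linux-pam` directly; confirm it is already in scope there.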
@@ -92,10 +96,16 @@ (define-record-type* pam-service (define-record-type* pam-entry make-pam-entry pam-entry? - (control pam-entry-control) ; string + (control pam-entry-control) ; string, symbol or g-expression (module pam-entry-module) ; file name (arguments pam-entry-arguments ; list of string-valued g-expressions - (default '()))) + (default '())) + (guile-inputs pam-entry-guile-inputs ; list of package variables + (default '())) + (foreign-library-path pam-entry-foreign-library-path ; list of file-like folders + ;; courtesy for historical usage + (default (list + (file-append linux-pam "/lib/security"))))) ;; PAM limits entries are used by the pam_limits PAM module to set or override ;; limits on system resources for user sessions. The format is specified 
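Review bot: `foreign-library-path` gets the default `(list (file-append linux-pam "/lib/security"))`, yet nearly every pam-entry touched in this patch (pam_limits in base.scm, the lightdm, sddm and gdm stacks, `%pam-other-services`, `unix-pam-service`, `rootok-pam-service`) spells out exactly that value; either drop the default and keep the explicit paths, or keep the default and drop the redundant additions, which would shrink the diff considerably. Also, the comment on `control` now says "string, symbol or g-expression", but `entry->gate` in `make-pam-stack` compares it with `(string=? "include" control)`, which raises an error for a symbol or a g-expression; either restrict `control` to strings or compare with `equal?` and handle the other types.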
@@ -150,35 +160,79 @@ (define (pam-limits-entry->string entry) (number->string value)))) " ")))) -(define (pam-service->configuration service) +(define (pam-service->configuration service shared-object environment-file pamda-file) "Return the derivation building the configuration file for SERVICE, to be dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE." - (define (entry->gexp type entry) - (match entry - (($ control module (arguments ...)) - #~(format #t "~a ~a ~a ~a~%" - #$type #$control #$module - (string-join (list #$@arguments)))))) - - (match service - (($ name account auth password session) - (define builder - #~(begin - (with-output-to-file #$output - (lambda () - #$@(append (map (cut entry->gexp "account" <>) account) - (map (cut entry->gexp "auth" <>) auth) - (map (cut entry->gexp "password" <>) password) - (map (cut entry->gexp "session" <>) session)) - #t)))) - - (computed-file name builder)))) - -(define (pam-services->directory services) + (mixed-text-file (pam-service-name service) + "account required " shared-object " " environment-file " " pamda-file "\n" + "auth required " shared-object " " environment-file " " pamda-file "\n" + "password required " shared-object " " environment-file " " pamda-file "\n" + "session required " shared-object " " environment-file " " pamda-file "\n")) + +(define (intersperse a xs) + (if (null? xs) + '() + [cons (car xs) + (if (null? (cdr xs)) + (cdr xs) + (cons a (intersperse a (cdr xs))))])) + +(define* (make-environment-file guile-inputs + foreign-library-path + #:key + (auto-compile? #f) + (guix-locale-path '("/run/current-system/locale")) + (install-locale? #f) + (jit-log-level 0) + (jit-pause-when-stopping? 
#f) + (jit-stop-after -1) + (jit-threshold 1000) + (locale "C.utf8") + (warn-deprecated "yes")) + (let* ((load-path (map (lambda (package) + (file-append package "/share/guile/site/3.0")) + guile-inputs)) + (load-compiled-path (map (lambda (package) + (file-append package "/lib/guile/3.0/site-ccache")) + guile-inputs)) + (lines `(("LANG=" ,locale) + ;; note on LOCPATH from the Glibc manual: + ;; The value of ‘LOCPATH’ is ignored by privileged programs for security + ;; reasons, and only the default directory is used. + ("GUIX_LOCPATH=" ,@(intersperse ":" guix-locale-path)) + ("GUILE_AUTO_COMPILE=" ,(if auto-compile? "1" "0")) + ("GUILE_INSTALL_LOCALE=" ,(if install-locale? "1" "0")) + ("GUILE_LOAD_PATH=" ,@(intersperse ":" load-path)) + ("GUILE_LOAD_COMPILED_PATH=" ,@(intersperse ":" load-compiled-path)) + ("GUILE_EXTENSIONS_PATH=" ,@(intersperse ":" foreign-library-path)) + ("GUILE_WARN_DEPRECATED=" ,warn-deprecated) + ("GUILE_JIT_LOG=" ,(number->string jit-log-level)) + ("GUILE_JIT_PAUSE_WHEN_STOPPING=" ,(if jit-pause-when-stopping? "1" "0")) + ("GUILE_JIT_STOP_AFTER=" ,(number->string jit-stop-after)) + ("GUILE_JIT_THRESHOLD=" ,(number->string jit-threshold)))) + (terminated (map (lambda (line) + (append line '("\0"))) + lines)) + (flattened (fold (lambda (right left) + (append left right)) + '() + terminated))) + (apply mixed-text-file "guile-pam-environment" flattened))) + +(define (pam-services->directory shared-object + guile-inputs + foreign-library-path + folder + services) "Return the derivation to build the configuration directory to be used as /etc/pam.d for SERVICES." 
- (let ((names (map pam-service-name services)) - (files (map pam-service->configuration services))) + (let* ((names (map pam-service-name services)) + (environment-file (make-environment-file guile-inputs + foreign-library-path)) + (pamda-file (make-pam-stack folder services)) + (files (map (cut pam-service->configuration <> + shared-object environment-file pamda-file) + services))) (define builder #~(begin (use-modules (ice-9 match) @@ -195,14 +249,17 @@ (define (pam-services->directory services) ;; instead. See . (delete-duplicates '#$(zip names files))))) - (computed-file "pam.d" builder))) + (computed-file folder builder))) (define %pam-other-services ;; The "other" PAM configuration, which denies everything (see ;; .) (let ((deny (pam-entry (control "required") - (module "pam_deny.so")))) + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (pam-service (name "other") (account (list deny)) @@ -213,12 +270,18 @@ (define %pam-other-services (define unix-pam-service (let ((unix (pam-entry (control "required") - (module "pam_unix.so"))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) (env (pam-entry ; to honor /etc/environment. (control "required") - (module "pam_env.so")))) + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (lambda* (name #:key allow-empty-passwords? allow-root? motd - login-uid? gnupg?) + login-uid? gnupg?) "Return a standard Unix-style PAM service for NAME. When ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is true, allow root to run the command without authentication. When MOTD is 
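Review bot: `pam-service->configuration` now writes four identical "required" lines that all point at the same shared object, environment file and pamda file, so every /etc/pam.d/NAME differs only in its name and the actual stack lives in the pamda file; the docstring should say so, because administrators reading /etc/pam.d will no longer see which modules are involved. `intersperse` uses square brackets, which Guix code does not; write it with parentheses, and a docstring would not hurt. In `pam-services->directory`, `folder` is used both as the name passed to `computed-file` and (via `make-pam-stack`) as the directory handed to `configuration-file->gates` in the substack case; document what callers are expected to pass.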
@@ -234,40 +297,61 @@ (define unix-pam-service (auth (append (if allow-root? (list (pam-entry (control "sufficient") - (module "pam_rootok.so"))) + (module "pam_rootok.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) '()) (list (if allow-empty-passwords? (pam-entry (control "required") (module "pam_unix.so") - (arguments '("nullok"))) + (arguments '("nullok")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) unix)) (if gnupg? (list (pam-entry (control "required") - (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) + (module "pam_gnupg.so") + (foreign-library-path + (list + (file-append pam-gnupg "/lib/security"))))) '()))) (password (list (pam-entry (control "required") (module "pam_unix.so") ;; Store SHA-512 encrypted passwords in /etc/shadow. - (arguments '("sha512" "shadow"))))) + (arguments '("sha512" "shadow")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session `(,@(if motd (list (pam-entry (control "optional") (module "pam_motd.so") (arguments - (list #~(string-append "motd=" #$motd))))) + (list #~(string-append "motd=" #$motd))) + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) '()) ,@(if login-uid? (list (pam-entry ;to fill in /proc/self/loginuid (control "required") - (module "pam_loginuid.so"))) + (module "pam_loginuid.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) '()) ,@(if gnupg? (list (pam-entry (control "required") - (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) + (module "pam_gnupg.so") + (foreign-library-path + (list + (file-append pam-gnupg "/lib/security"))))) '()) ,env ,unix)))))) 
@@ -276,13 +360,19 @@ (define (rootok-pam-service command) authenticate to run COMMAND." (let ((unix (pam-entry (control "required") - (module "pam_unix.so")))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (pam-service (name command) (account (list unix)) (auth (list (pam-entry (control "sufficient") - (module "pam_rootok.so")))) + (module "pam_rootok.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (password (list unix)) (session (list unix))))) 
@@ -374,21 +464,114 @@ (define-record-type* (services pam-configuration-services) ;list of procedures -> (transformers pam-configuration-transformers) + ;; file-like shared module + (shared-object pam-configuration-shared-object) + ;; list of package variables + (guile-inputs pam-configuration-guile-inputs) + ;; list of file-like folders + (foreign-library-path pam-configuration-foreign-library-path) ;list of symbols (shepherd-requirements pam-configuration-shepherd-requirements)) +(define (make-pam-stack folder services) + (define* (entry->gate entry + #:key + only-actions + only-services) + (match entry + (($ control module (options ...)) + ;; adapted from (pam legacy configuration) + (cond + ((string=? "include" control) + (error "PAM include not implemented; send list of instead" + control module options entry)) + ((string=? "substack" control) + ;; this probably differs a little bit from Linux-PAM + #~(gate required (stack-pamda + (configuration-file->gates #$folder #$module + #:only-actions '#$only-actions + #:only-services '#$only-services)) + #:only-actions '#$only-actions + #:only-services '#$only-services)) + (else + #~(gate (legacy-plan->modern-plan #$control) + (legacy-or-modern-pamda #$module) + #:options (list #$@options) + #:only-actions '#$only-actions + #:only-services '#$only-services)))))) + + (define (service->gates service) + (match service + (($ name account auth password session) + (append (map (cut entry->gate <> + #:only-actions '(pam_sm_acct_mgmt) + #:only-services (list name)) + account) + (map (cut entry->gate <> + #:only-actions '(pam_sm_authenticate + pam_sm_setcred) + #:only-services (list name)) + auth) + (map (cut entry->gate <> + #:only-actions '(pam_sm_chauthtok) + #:only-services (list name)) + password) + (map (cut entry->gate <> + #:only-actions '(pam_sm_open_session + pam_sm_close_session) + #:only-services (list name)) + session))))) + + (let* ((gates (append-map service->gates services))) + (scheme-file + 
"guile-pam-stack.scm" + #~(begin + (use-modules (pam stack) + (pam legacy configuration) + (pam legacy module) + (pam legacy stack)) + (stack-pamda (list #$@gates)))))) + (define (/etc-entry config) "Return the /etc/pam.d entry corresponding to CONFIG." + (define (service->pam-entries service) + (match service + (($ name account auth password session) + (append account auth password session)))) (match config - (($ services transformers shepherd-requirements) - (let ((services (map (apply compose identity transformers) - services))) - `(("pam.d" ,(pam-services->directory services))))))) + (($ services + transformers + shared-object + guile-inputs + foreign-library-path + shepherd-requirements) + (let* ((services (map (apply compose identity transformers) + services)) + (all-entries (append-map service->pam-entries + services)) + (combined-inputs (delete-duplicates + (append guile-inputs + (append-map pam-entry-guile-inputs + all-entries)))) + (combined-library-path (delete-duplicates + (append foreign-library-path + (append-map pam-entry-foreign-library-path + all-entries))))) + `(("pam.d" ,(pam-services->directory shared-object + combined-inputs + combined-library-path + "pam.d" + services))))))) (define (pam-shepherd-service config) "Return the PAM synchronization shepherd service corresponding to CONFIG." (match config - (($ services transformers shepherd-requirements) + (($ services + transformers + shared-object + guile-inputs + foreign-library-path + shepherd-requirements) (list (shepherd-service (documentation "Synchronization point for services that need to be started for PAM to work.") 
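Review bot: the `substack` branch of `entry->gate` says only that it "probably differs a little bit from Linux-PAM"; in Linux-PAM the difference between `substack` and `include` is precisely whether a `die`/`done` action inside the sub-stack terminates the enclosing stack, which decides whether a failing module can be skipped, so the comment should state the actual behaviour of the `stack-pamda` wrapper and a test should pin it. Failing the build on `include` with `error` is the right fail-closed choice, but the message "send list of instead" has lost its noun. Also, `service->gates` here and `service->pam-entries` in `/etc-entry` both destructure a `<pam-service>` into `(name account auth password session)`; one `pam-service-entries` helper would keep the two from diverging when a field is added.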
@@ -417,6 +600,9 @@ (define (extend-configuration initial extensions) services)) (transformers (append (pam-configuration-transformers initial) (map pam-extension-transformer pam-extensions))) + (shared-object (pam-configuration-shared-object initial)) + (guile-inputs (pam-configuration-guile-inputs initial)) + (foreign-library-path (pam-configuration-foreign-library-path initial)) (shepherd-requirements (append (pam-configuration-shepherd-requirements initial) (append-map pam-extension-shepherd-requirements pam-extensions)))))) @@ -442,8 +628,19 @@ (define pam-root-service-type such as @command{login} or @command{sshd}, and specifies for instance how the program may authenticate users or what it should do when opening a new session."))) - -(define* (pam-root-service base #:key (transformers '()) (shepherd-requirements '())) +(define* (pam-root-service base + #:key + (transformers '()) + (shared-object + (file-append guile-pam "/lib/security/pam_guile.so")) + (guile-inputs + (list guile-3.0 + guile-bytestructures ;for (bytestructures guile) + guile-pam ;for (pam) and (ffi pam) + nyacc)) ;for (system ffi-helper-rt) + (foreign-library-path + (list (file-append linux-pam "/lib"))) ;for libpam.so + (shepherd-requirements '())) "The \"root\" PAM service, which collects instance and turns them into a /etc/pam.d directory, including the listed in BASE. TRANSFORM is a procedure that takes a and returns a 
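Review bot: the docstring of `pam-root-service` still documents only BASE and TRANSFORM; the three new keyword arguments `shared-object`, `guile-inputs` and `foreign-library-path` need a sentence each, in particular that `foreign-library-path` at this level is the search path for `libpam.so` (as the inline comment says) and not for PAM modules, which carry theirs per `pam-entry`. In `extend-configuration` the three fields are copied from `initial` only, so a `pam-extension` cannot contribute to them; if that is intentional because entries carry their own `guile-inputs` and `foreign-library-path`, a comment next to those three lines should say so.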
@@ -452,6 +649,9 @@ (define* (pam-root-service base #:key (transformers '()) (shepherd-requirements (service pam-root-service-type (pam-configuration (services base) (transformers transformers) + (shared-object shared-object) + (guile-inputs guile-inputs) + (foreign-library-path foreign-library-path) (shepherd-requirements shepherd-requirements)))) -- 2.45.2 From debbugs-submit-bounces@debbugs.gnu.org Fri Jul 26 18:39:49 2024 Received: (at 72316) by debbugs.gnu.org; 26 Jul 2024 22:39:49 +0000 Received: from localhost ([127.0.0.1]:40241 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sXTbJ-0002vr-2M for submit@debbugs.gnu.org; Fri, 26 Jul 2024 18:39:49 -0400 Received: from sail-ipv4.us-core.com ([208.82.101.137]:53130) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sXTbG-0002vE-0W for 72316@debbugs.gnu.org; Fri, 26 Jul 2024 18:39:46 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=P914VhzHZge/Ys2 gSMkQvQFm7g/qfla3XtteUdQ0szs=; h=references:in-reply-to:date:subject: cc:to:from; d=lease-up.com; b=WX/KfPa3em81GVHtY5pPPqQ8nKNiI/n9AFM5Syer W6bHbgwOSYSt3hmwH5jHP+Nta9MEyEiMLgyQbhSrwf+lLtF6rAzee8fQcw+Vrx4QlhH7bx aN5NWkNT6y09EESoCzEHM275MCxxXxSqMSYWZDdJucygCrhG+ud8Y2CZ8jVgE= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 386c1e8c (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); Fri, 26 Jul 2024 22:39:35 +0000 (UTC) Received: from localhost (localhost [local]) by localhost (OpenSMTPD) with ESMTPA id 52ef2285; Fri, 26 Jul 2024 22:39:35 +0000 (UTC) 
From: Felix Lechner To: 72316@debbugs.gnu.org Subject: [PATCH 3/3] Add a guile-pam-module service. Date: Fri, 26 Jul 2024 15:39:13 -0700 Message-ID: X-Mailer: git-send-email 2.45.2 In-Reply-To: References: MIME-Version: 1.0 X-Debbugs-Cc: Florian Pelz , Ludovic Courtès , Matthew Trzcinski , Maxim Cournoyer Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 72316 Cc: Felix Lechner X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Change-Id: I1da0fe25f542cf9d8c22d26a7434f952585119e6 --- doc/guix.texi | 89 ++++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/pam.scm | 105 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 195 insertions(+) create mode 100644 gnu/services/pam.scm diff --git a/doc/guix.texi b/doc/guix.texi index 41814042f5..a9bf00f0bb 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -403,6 +403,7 @@ Top * Telephony Services:: Telephony services. * File-Sharing Services:: File-sharing services. * Monitoring Services:: Monitoring services. +* Guile-PAM Services:: Guile-PAM services. * Kerberos Services:: Kerberos services. * LDAP Services:: LDAP services. * Web Services:: Web servers. @@ -18991,6 +18992,7 @@ Services * Telephony Services:: Telephony services. * File-Sharing Services:: File-sharing services. * Monitoring Services:: Monitoring services. +* Guile-PAM Services:: Guile-PAM services. * Kerberos Services:: Kerberos services. * LDAP Services:: LDAP services. * Web Services:: Web servers. 
@@ -30932,6 +30934,93 @@ Monitoring Services @end deftp +@c %end of fragment + +@node Guile-PAM Services +@subsection Guile-PAM Services +@cindex Guile-PAM + +The @code{(gnu services pam)} module provides services related to the +authentication mechanism @dfn{Guile-PAM}. + +Guile-PAM is a reimplementation in GNU Guile of the venerable Linux-PAM +authentication system. For details, please have a look at the Texinfo +manual in the @code{guile-pam} package. + +@defvar guile-pam-module-service-type +A service type for Guile-PAM modules. +@end defvar + +@noindent +Here is an example of its use: +@lisp +(define welcome-pamda-file + (scheme-file + "welcome-pamda-file" + #~(begin + (use-modules (ice-9 format)) + + (lambda (action handle flags options) + (case action + ;; authentication management + ((pam_sm_authenticate) + (format #t "In a working module, we would now identify you.~%")) + ((pam_sm_setcred) + (format #t "In a working module, we would now help you manage additional credentials.~%")) + ;; account management + ((pam_sm_acct_mgmt) + (format #t "In a working module, we would now confirm your access rights.~%")) + ;; password management + ((pam_sm_chauthtok) + (format #t "In a working module, we would now change your password.~%")) + ;; session management + ((pam_sm_open_session) + (format #t "In a working module, we would now open a session for you.~%")) + ((pam_sm_close_session) + (format #t "In a working module, we would now close your session.~%")) + (else + (format #t "In a working module, we would not know what to do about action '~s'.~%" + action))) + 'PAM_SUCCESS)))) + +(service guile-pam-module-service-type + (guile-pam-module-configuration + (rules "optional") + (module welcome-pamda-file) + (services '("login" + "greetd" + "su" + "slim" + "gdm-password" + "sddm")))) +@end lisp + +@c %start of fragment + +@deftp {Data Type} guile-pam-module-configuration +Available @code{guile-pam-module-configuration} fields are: + +@table @asis +@item @code{rules} 
(type: maybe-string) +Determines how the module's return value is evaluated. + +@item @code{module} (type: maybe-file-like) +A Guile-PAM pamda file or a classical PAM module. + +@item @code{services} (type: maybe-list-of-strings) +List of PAM service names for which to install the module. + +@item @code{guile-inputs} (type: maybe-list-of-packages) +Guile inputs available in the PAM module + +@item @code{foreign-library-path} (type: maybe-list-of-packages) +Search path for shared objects and libraries. + +@end table + +@end deftp + + @c %end of fragment @node Kerberos Services diff --git a/gnu/local.mk b/gnu/local.mk index fac7b5973b..30551971ac 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -733,6 +733,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/networking.scm \ %D%/services/nix.scm \ %D%/services/nfs.scm \ + %D%/services/pam.scm \ %D%/services/pam-mount.scm \ %D%/services/science.scm \ %D%/services/security.scm \ diff --git a/gnu/services/pam.scm b/gnu/services/pam.scm new file mode 100644 index 0000000000..a242067e38 --- /dev/null +++ b/gnu/services/pam.scm 
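Review bot: in the `guile-pam-module-configuration` table, `rules` should say that it is the Linux-PAM control word (`required`, `optional`, ...) that becomes the `control` field of the generated `pam-entry`, since the example passes "optional" without explanation, and "Guile inputs available in the PAM module" is missing its terminating period. Because the service adds the module to the auth, account, password and session stacks of every listed service (`login`, `su` and the display managers in the example), the section should also warn that a module declared `required` that errors or returns a failure locks those services out, and recommend `optional` for a first deployment, as the example does. The `gnu/local.mk` hunk is fine.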
@@ -0,0 +1,105 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Felix Lechner +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services pam) + #:use-module (gnu packages guile) + #:use-module (gnu packages guile-xyz) + #:use-module (gnu packages linux) + #:use-module (gnu packages mes) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (gnu system pam) + #:use-module (guix gexp) + #:use-module (guix packages) + #:use-module (guix records) + #:use-module (guix utils) + #:use-module (srfi srfi-1) + #:export (guile-pam-module-configuration)) + +(define-maybe string) +(define-maybe list-of-strings) +(define-maybe file-like) + +(define-maybe string-or-file-like) +(define (string-or-file-like? val) + (or (string? val) (file-like? val))) + +(define-maybe list-of-packages) +(define (list-of-packages? val) + (and (list? val) (map package? 
val))) + +(define-configuration/no-serialization guile-pam-module-configuration + (rules + maybe-string + "Determines how the module's return value is evaluated.") + (module + maybe-file-like + "A Guile-PAM pamda file or a classical PAM module.") + (services + maybe-list-of-strings + "List of PAM service names for which to install the module.") + (guile-inputs + maybe-list-of-packages + "Guile inputs available in the PAM module") + (foreign-library-path + maybe-list-of-packages + "Search path for shared objects and libraries.") ) + +(define (guile-pam-module-service config) + "Return a list of for guile-pam-module for CONFIG." + (match-record + config (foreign-library-path + guile-inputs + module + rules + services) + (list + (pam-extension + (transformer + (lambda (pam) + (if (member (pam-service-name pam) services) + (let* ((new-entry + (pam-entry + (control rules) + (module module) + (guile-inputs (if (eq? %unset-value guile-inputs) + '() + guile-inputs)) + (foreign-library-path (if (eq? 
%unset-value foreign-library-path) + '() + foreign-library-path))))) + (pam-service + (inherit pam) + (auth (append (pam-service-auth pam) + (list new-entry))) + (account (append (pam-service-account pam) + (list new-entry))) + (session (append (pam-service-session pam) + (list new-entry))) + (password (append (pam-service-password pam) + (list new-entry))))) + pam))))))) + +(define-public guile-pam-module-service-type + (service-type + (name 'guile-pam-module) + (extensions (list (service-extension pam-root-service-type + guile-pam-module-service))) + (compose concatenate) + (default-value (guile-pam-module-configuration)) + (description "Load Guile code as part of Linux-PAM."))) -- 2.45.2 From debbugs-submit-bounces@debbugs.gnu.org Mon Jul 29 06:22:57 2024 Received: (at 72316) by debbugs.gnu.org; 29 Jul 2024 10:22:57 +0000 Received: from localhost ([127.0.0.1]:44921 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sYNWr-0007gy-3W for submit@debbugs.gnu.org; Mon, 29 Jul 2024 06:22:57 -0400 Received: from relay.yourmailgateway.de ([188.68.61.103]:38605) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sYNWn-0007go-8E for 72316@debbugs.gnu.org; Mon, 29 Jul 2024 06:22:55 -0400 Received: from mors-relay-8403.netcup.net (localhost [127.0.0.1]) by mors-relay-8403.netcup.net (Postfix) with ESMTPS id 4WXZDb1sS6z82XG; Mon, 29 Jul 2024 12:22:39 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=pelzflorian.de; s=key2; t=1722248559; bh=L9+2Xqj8bRsWzdC7SUUfsTZp+yrN8U0u6TDKVsQEFo8=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=VtnIGu3SJ6ilOKMqoHcN4UXLOBDl2GI77lu7u/DTJCHzmgTYFstDJ/tIMcHz4Gq13 OrPeydWRZWUFnxcJNRX2w/D2MwPIsPU3Mu8KE5C4kT5n4JmQ8R+/Y3YfVvJcTo172N oMxRW52yMxBEPO2I7QHkhMkd/MvCVHG6lAYSxEL50OABp7RBDTa3/ivrQeZTBP55UM +UUB9W4zfiMwm/KHqXCcTFMce5dLHv+xbQLvRcyEcx8jhHlRCsWlHpcgS3MuH8L4+k 1T5OEz5ujJe5VsiE3GADZajGj2H8lDJIigtVTA49+l4aOreYEh26H02R9xgFM2MakD 3DmOlhOoKudUw== Received: from 
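Review bot: `list-of-packages?` is wrong: `(and (list? val) (map package? val))` returns the list of results, which is always true, so any list passes, including a list of strings; use `(every package? val)` from srfi-1, which this module already imports. `(default-value (guile-pam-module-configuration))` is unusable as shipped: with every field unset the transformer calls `(member (pam-service-name pam) services)` on a non-list and builds a `pam-entry` with `(module %unset-value)`; either drop the default value or have the transformer return `pam` unchanged when `services` or `module` is unset. `(compose concatenate)` without an `extend` field has no effect, so add `extend` or remove `compose`. `new-entry` is appended to all four management groups regardless of which `pam_sm_*` actions the module implements; consider a field selecting the groups, or at least a docstring sentence saying the module must accept every action. Finally, `#:export` lists only the configuration constructor while the service type uses `define-public`; pick one convention.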
policy02-mors.netcup.net (unknown [46.38.225.35]) by mors-relay-8403.netcup.net (Postfix) with ESMTPS id 4WXZDb1Td9z82XD; Mon, 29 Jul 2024 12:22:39 +0200 (CEST) Received: from mxe217.netcup.net (unknown [10.243.12.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by policy02-mors.netcup.net (Postfix) with ESMTPS id 4WXZDY5mQHz8sZV; Mon, 29 Jul 2024 12:22:37 +0200 (CEST) Received: from florianhp (ipb2186896.dynamic.kabel-deutschland.de [178.24.104.150]) by mxe217.netcup.net (Postfix) with ESMTPSA id 20049835C0; Mon, 29 Jul 2024 12:22:28 +0200 (CEST) 
From: "pelzflorian (Florian Pelz)" To: Felix Lechner Subject: Re: [bug#72316] [PATCH 3/3] Add a guile-pam-module service. In-Reply-To: (Felix Lechner's message of "Fri, 26 Jul 2024 15:39:13 -0700") References: Date: Mon, 29 Jul 2024 12:22:27 +0200 Message-ID: <8734nsv6os.fsf@pelzflorian.de> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 20049835C0 X-Rspamd-Server: rspamd-worker-8404 X-NC-CID: IjWTGaFCMb7r82SqEuf4q9I5wPO+nnSSSU8lpsY/Edx0bqajjuxNM77a X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 72316 Cc: 72316@debbugs.gnu.org, Ludovic Courtès , Maxim Cournoyer , Matthew Trzcinski X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-)

Hi Felix.

I don’t know linux-pam much but had been wary of its design, but now that I started reading your guile-pam info manual, it is less of a riddle.

By the way, guile-pam docs reference guile-wtut, which presumably should be guile-tut without w.

About this doc/guix.texi addition, it is okay in my opinion, but it would be better giving one or two functional examples rather than only calling the (format) procedure. This would showcase to the uninitiated what PAM can do and how it looks in Guile.

> +  (foreign-library-path
> +   maybe-list-of-packages
> +   "Search path for shared objects and libraries.") )
> […]
> +                      (foreign-library-path (if (eq? %unset-value foreign-library-path)
> +                                                '()
> +                                                foreign-library-path)))))

It is repetitive that foreign-library-path must be set now everywhere for non-guile pam modules.
Even though a foreign-library-path is not always needed, would it be better to always set it as default even when unneeded, then patch 2/3 “Switch to Guile-PAM.” could be dropped?

Disclaimer; I do not know PAM. I may well be wrong.

Regards,
Florian

From debbugs-submit-bounces@debbugs.gnu.org Tue Jul 30 13:01:03 2024 Received: (at 72316) by debbugs.gnu.org; 30 Jul 2024 17:01:03 +0000 Received: from localhost ([127.0.0.1]:48340 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sYqDe-0002Cd-SV for submit@debbugs.gnu.org; Tue, 30 Jul 2024 13:01:03 -0400 Received: from sail-ipv4.us-core.com ([208.82.101.137]:48366) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sYqDc-0002C5-0r for 72316@debbugs.gnu.org; Tue, 30 Jul 2024 13:01:01 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=Kpllv5LUCdMi6Ys n6LvgKukU5lvtdEkaGw3kNKRrmFo=; h=date:references:in-reply-to:subject: cc:to:from; d=lease-up.com; b=oKwFPDXBUKD1tVPEaQep72OD+xIDbNMfPP2WQz6P ycTDFO27Eov04CndFVH7KohGpgtnrqbLYt/6txgneCk9CbvLCU9Hf8+AaZC77GKfOkudw0 feKoRh74MmGnb4cbV76vwZzLBP9kco0yMJ57ru72xvWts2X40YhJzS4SnUhls= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id 2507a0c3 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); Tue, 30 Jul 2024 17:00:43 +0000 (UTC)
From: Felix Lechner To: "pelzflorian (Florian Pelz)" Subject: Re: [bug#72316] [PATCH 3/3] Add a guile-pam-module service. In-Reply-To: <8734nsv6os.fsf@pelzflorian.de> References: <8734nsv6os.fsf@pelzflorian.de> Date: Tue, 30 Jul 2024 10:00:43 -0700 Message-ID: <87wml27r2c.fsf@lease-up.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 72316 Cc: 72316@debbugs.gnu.org, Ludovic Courtès , Maxim Cournoyer , Matthew Trzcinski X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-)

Hi Florian,

On Mon, Jul 29 2024, pelzflorian (Florian Pelz) wrote:

> guile-pam docs reference guile-wtut, which presumably should be
> guile-tut without w.

Thank you for your review! A baby has been typing extra letters. The typo was fixed. You were credited in the commit message. [1]

> About this doc/guix.texi addition [...] it would be better giving one
> or two functional examples rather than only calling the (format)
> procedure. This would showcase to the uninitiated what PAM can do and
> how it looks in Guile.

I personally think that it would turn off new readers. Guix System configures PAM already. Only people hoping to accomplish something non-standard will look into Guile-PAM. Unfortunately, those readers have little in common. That's why I illustrated the way Guile-PAM works with a simple example. You are now saying we should instead solve a specialist case, but I believe that's likely to distract the diverse group of readers by drawing too much attention to what the module does, as opposed to how Guile-PAM works. The example was supposed to draw readers to Guile-PAM's Texinfo manual, which I mentioned nearby. Should we strike the example instead?
> It is repetitive that foreign-library-path must be set now everywhere
> for non-guile pam modules.

The foreign-library-path only looks repetitive. It is the absolute path to each module. The modules just happen to be in the same place. Guix traditionally relied on a special feature in Linux-PAM: One can use absolute paths but, as many long-timer Guixers know, that is likely to cause stability issues. Guile-PAM solves that issue for Guix by separating the load path so a running process won't reload a newer version of the same shared object. Since the change has a logic to it, I have trouble relating to your observation that the load paths look repetitive.

Please note that the foreign-library-path isn't actually needed for modules that ship with Linux-PAM. The Linux-PAM load path is added by default near the comment regarding "courtesy for historical usage" in the patch. It is being offered only for user customizations of the operating-system record, however, and may go away. The right thing is always to list the load path for a module. That is what the patch does.

> Even though a foreign-library-path is not always needed, would it be
> better to always set it as default even when unneeded

As I hoped to explain above, the load path is always needed. In my estimation, it is not better to offer a default even though I did so for the time being in the interest of a smooth transition.

Ultimately, the matter rests with the Guix maintainers. They will (or will not) decide if, when, and how to offer Guile-PAM to their users. Because Guile-PAM is a new and lightly tested package that strives to become an integral part of every Guix system, the decision will likely involve a lot more questions than the ones you and I are discussing in this thread here. At the same time, Guile-PAM is only 541 lines of code (in Scheme, not counting the examples) so maybe someone will get around to taking a look.

> then patch 2/3 “Switch to Guile-PAM.” could be dropped?
No, the patch does other things. It switches all PAM configurations from Linux-PAM to Guile-PAM. The configured system will use Guile-PAM's stack implementation.

Guile-PAM should be attractive to Guix for several reasons. One is that it may simplify Guix's existing PAM machinery, which is complex, because the same things can be accomplished better with quoted S-expressions (or G-expressions, depending on the context). There are also philosophical considerations which I hope will encourage Guix to adopt Guile-PAM. The code is short, written in Scheme, and licensed under the GPL.

> Disclaimer; I do not know PAM. I may well be wrong.

No worries, please, and thanks again for your review. Linux-PAM is arcane and complicated. I wrote Guile-PAM for you!

Kind regards
Felix

[1] https://codeberg.org/lechner/guile-pam/commit/2f0f20a0a44f7672bfd93470c0562d19eb8ec511

From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 29 11:08:33 2025 Received: (at 72316) by debbugs.gnu.org; 29 Apr 2025 15:08:33 +0000 Received: from localhost ([127.0.0.1]:57722 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1u9mZV-0003I8-22 for submit@debbugs.gnu.org; Tue, 29 Apr 2025 11:08:33 -0400 Received: from mail.z572.online ([88.99.160.180]:47858) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1u9mZQ-0003Hp-IR for 72316@debbugs.gnu.org; Tue, 29 Apr 2025 11:08:30 -0400 Received: from m ( [115.198.129.146]) by mail.z572.online (OpenSMTPD) with ESMTPSA id f256276b (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Tue, 29 Apr 2025 15:15:09 +0000 (UTC)
From: Z572 To: Felix Lechner via Guix-patches via Subject: Re: [bug#72316] [PATCH 0/3] Switch to Guile-PAM. In-Reply-To: (Felix Lechner via Guix-patches via's message of "Fri, 26 Jul 2024 15:01:08 -0700") References: User-Agent: mu4e 1.12.9; emacs 30.0.92 Date: Tue, 29 Apr 2025 23:08:14 +0800 Message-ID: <878qnj80pt.fsf@iscas.ac.cn> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: 0.9 (/) X-Debbugs-Envelope-To: 72316 Cc: Maxim Cournoyer , Ludovic Courtès , Florian Pelz , 72316@debbugs.gnu.org, Felix Lechner , Matthew Trzcinski X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.1 (/)

Felix Lechner via Guix-patches via writes:

> Guile-PAM reimplements the PAM stack in GNU Guile and allows system
> administrators to write modules in GNU Guile.
>
> This patch series switches Guix System to Guile-PAM. It relies on the shared
> objects from Linux-PAM until Guile implementations are available.
>
> In Guix, Guile-PAM could start Shepherd's user services or keep track of login
> sessions similar to pam_systemd.so.
>
> The guile-pam package ships with a detailed Texinfo manual.
>
> The software is in alpha stage. For example, the interaction with sddm was
> not well-tested. Please let me know how it goes---private email is okay!

I think this is a cool approach, but switching directly to guile-pam might be too radical and probably shouldn't be enabled by default, but I think simply merging the guile-pam package definitions should be fine. What do you think?

>
> Kind regards
> Felix
>
>
> Felix Lechner (3):
> Add guile-pam.
> Switch to Guile-PAM.
> Add a guile-pam-module service.
>
> doc/guix.texi | 89 ++++++++++
> gnu/local.mk | 1 +
> gnu/packages/linux.scm | 56 ++++++
> gnu/services/authentication.scm | 9 +-
> gnu/services/base.scm | 16 +-
> gnu/services/desktop.scm | 14 +-
> gnu/services/kerberos.scm | 12 +-
> gnu/services/lightdm.scm | 69 ++++++--
> gnu/services/pam-mount.scm | 5 +-
> gnu/services/pam.scm | 105 +++++++++++
> gnu/services/sddm.scm | 91 +++++++---
> gnu/services/xorg.scm | 17 +-
> gnu/system/pam.scm | 296 ++++++++++++++++++++++++++------
> 13 files changed, 671 insertions(+), 109 deletions(-)
> create mode 100644 gnu/services/pam.scm
>
>
> base-commit: 862a9b5b25966845f71d218ad8c0c5655ffc479a

From debbugs-submit-bounces@debbugs.gnu.org Thu May 01 09:42:58 2025 Received: (at 72316) by debbugs.gnu.org; 1 May 2025 13:42:58 +0000 Received: from localhost ([127.0.0.1]:49838 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1uAUBk-0001IR-D8 for submit@debbugs.gnu.org; Thu, 01 May 2025 09:42:58 -0400 Received: from sail-ipv4.us-core.com ([208.82.101.137]:33450) by debbugs.gnu.org with esmtps
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1uAUBf-0001I8-Ma for 72316@debbugs.gnu.org; Thu, 01 May 2025 09:42:53 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=EuxncZz/DJfZ0sQ t4sDe2L+/fnRqR+2UX83mbtcMJ94=; h=references:in-reply-to:date:subject: cc:to:from; d=lease-up.com; b=kCcTVZg3uLpDTERDCiYFoZL1xfQPkiww9i04Rn1L sv1pCwzySOVNrCrrrtqT5OSkAmeU7jklpSrTkH5pjrq61GwWkVsWhJPYjVmlCaxoFzm31l ctL0DI//XGJ+/wkIPWSf3G9Vw+3J7d8KNY04G1mLkWXs9DDQPk5JQNIXMYuBs= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id f54253e1 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Thu, 1 May 2025 13:42:48 +0000 (UTC) Received: from localhost (localhost [local]) by localhost (OpenSMTPD) with ESMTPA id 7f331031; Thu, 1 May 2025 13:42:48 +0000 (UTC) 
From: Felix Lechner To: 72316@debbugs.gnu.org Subject: [PATCH v2 0/3] Switch to Guile-PAM Date: Thu, 1 May 2025 06:42:34 -0700 Message-ID: X-Mailer: git-send-email 2.49.0 In-Reply-To: <878qnj80pt.fsf@iscas.ac.cn> References: <878qnj80pt.fsf@iscas.ac.cn> MIME-Version: 1.0 X-Debbugs-Cc: Liliana Marie Prikler , Maxim Cournoyer , Noé Lopez , Vivien Kraus Content-Transfer-Encoding: 8bit X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 72316 Cc: Maxim Cournoyer , Ludovic Courtès , Z572 , Florian Pelz , Felix Lechner , Matthew Trzcinski X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-)

Hi Z572,

Yes, you are right. More testing is needed before Guile-PAM can manage other modules.

Will you push the package definition and the service, i.e. the first two commits? With the service, folks can write their own modules. Then they can do all the things they always wanted, like set kernel limits in one line [1] or mount FUSE-based drives upon login. [2] I worked on this thing for ten years and believe it could be a game changer.

Switching to Guile-PAM is not that radical: The third commit merely runs the stack in Guile but still uses the modules from Linux-PAM. At about five hundred lines of code, the Guile stack is much easier to read (or audit) than the stack in Linux-PAM, but I agree we should wait.

Please feel free to push the first two commits. I will show folks how to use them. Thanks!

Kind regards
Felix

[1] https://codeberg.org/lechner/system-config/src/commit/0ca80a773408d5934285288ca8da03b9675e9f75/host/lechner-desktop/operating-system.scm#L75
[2] https://codeberg.org/lechner/away/src/commit/2aba38327c1ada959656c58c2f515072c864d983/pam.scm#L76-L80

Felix Lechner (3):
Add guile-pam.
Add a guile-pam-module service.
Switch to Guile-PAM.
 doc/guix.texi                   |  89 ++++++++++
 gnu/local.mk                    |   1 +
 gnu/packages/linux.scm          |  71 ++++++++
 gnu/services/authentication.scm |   9 +-
 gnu/services/base.scm           |  16 +-
 gnu/services/desktop.scm        |  14 +-
 gnu/services/kerberos.scm       |  12 +-
 gnu/services/lightdm.scm        |  69 ++++++--
 gnu/services/pam-mount.scm      |   5 +-
 gnu/services/pam.scm            | 105 +++++++++++
 gnu/services/sddm.scm           |  91 +++++++--
 gnu/services/xorg.scm           |  17 +-
 gnu/system/pam.scm              | 296 ++++++++++++++++++++++++++------
 13 files changed, 686 insertions(+), 109 deletions(-)
 create mode 100644 gnu/services/pam.scm

base-commit: 304f8bebbb3bc77b27be7ead82f2d79a10fe1843
-- 
2.49.0
From: Felix Lechner To: 72316@debbugs.gnu.org Subject: [PATCH v2 1/3] Add guile-pam. Date: Thu, 1 May 2025 06:42:35 -0700 Message-ID: X-Mailer: git-send-email 2.49.0 In-Reply-To: <878qnj80pt.fsf@iscas.ac.cn> References: <878qnj80pt.fsf@iscas.ac.cn> MIME-Version: 1.0 X-Debbugs-Cc: Leo Famulari , Wilko Meyer Content-Transfer-Encoding: 8bit X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 72316 Cc: Maxim Cournoyer , =?UTF-8?q?Ludovic=20Court=C3=A8s?= , Z572 , Florian Pelz , Felix Lechner , Matthew Trzcinski X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) Change-Id: I991ca32c8696de0e6751b0f4225bf24151ba22f2 --- gnu/packages/linux.scm | 71 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index b4adf0c2b43..35ae4558043 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -113,6 +113,7 @@ (define-module (gnu packages linux) #:use-module (gnu packages bash) #:use-module (gnu packages bison) #:use-module (gnu packages boost) + #:use-module (gnu packages build-tools) #:use-module (gnu packages calendar) #:use-module (gnu packages check) #:use-module (gnu packages cpio) @@ -145,6 +146,7 @@ (define-module (gnu packages linux) #:use-module (gnu packages graphviz) #:use-module (gnu packages gstreamer) #:use-module (gnu packages gtk) + #:use-module (gnu packages guile) #:use-module (gnu packages haskell-apps) #:use-module (gnu packages haskell-xyz) #:use-module (gnu packages image) 
@@ -158,6 +160,7 @@ (define-module (gnu packages linux) #:use-module (gnu packages m4) #:use-module (gnu packages man) #:use-module (gnu packages maths) + #:use-module (gnu packages mes) #:use-module (gnu packages multiprecision) #:use-module (gnu packages ncurses) #:use-module (gnu packages netpbm) 
@@ -2412,6 +2415,74 @@ (define-public vendor-reset-linux-module ;;; Pluggable authentication modules (PAM). ;;; +(define-public guile-pam + (let ((commit "5ea70a5d88e7ade27ba9f231acab7d363b6400fb") + (revision "0")) + (package + (name "guile-pam") + (version (git-version "0.0" revision commit)) + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://codeberg.org/lechner/guile-pam") + (commit commit))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "1i034f42wnmnsz76pcniif2ikpbamh0cki3ib2zwmbnvif4656av")))) + (native-inputs (list + autoconf + automake + gnulib + guile-3.0 + libtool + linux-pam + nyacc-2.01 + pkg-config + texinfo)) + (inputs (list + guile-3.0 + linux-pam)) + (propagated-inputs (list + nyacc-2.01)) + (build-system gnu-build-system) + (arguments + (list + #:make-flags + #~(list (string-append "ENTRY_POINT_DIR=" #$output "/share/entry-points")) + #:phases + #~(modify-phases %standard-phases + (add-after 'unpack 'install-gnulib + ;; per https://lists.gnu.org/archive/html/guile-devel/2012-08/msg00042.html + (lambda* (#:key inputs #:allow-other-keys) + (let ((gnulib-build-aux (dirname + (search-input-file inputs + "/src/gnulib/build-aux/config.rpath")))) + (mkdir-p "build-aux") + (copy-recursively gnulib-build-aux "build-aux")) + (let ((gnulib-m4 (dirname (search-input-file inputs + "/src/gnulib/m4/lib-link.m4")))) + (mkdir-p "m4") + (copy-recursively gnulib-m4 "m4")))) + (add-after 'patch-source-shebangs 'fix-paths + (lambda* (#:key inputs #:allow-other-keys) + (for-each (lambda (file) + (substitute* file + (("/usr/bin/env -S guile ") + (string-append (search-input-file inputs "/bin/guile") " \\\n")))) + '("test/legacy-control-strings")) + (substitute* "scm/pam.scm" + (("[.]/wrap/c/[.]libs/conversation.so") + (string-append #$output "/lib/guile-pam/wrapper/conversation.so")))))))) + (home-page "https://codeberg.org/lechner/guile-pam") + (synopsis "Write your Linux-PAM authentication logic in Guile Scheme") + 
(description + "Guile-PAM provides a way to rewrite your authentication logic in the +Linux PAM (pluggable authentication modules) in Guile Scheme. It should make +those modules more transparent to the administrator and more intuitive to +use.") + (license license:gpl3+)))) + (define-public linux-pam (package (name "linux-pam") -- 2.49.0
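Review bot: in the guile-pam package hunk (`@@ -2412,6 +2415,74 @@`), the `fix-paths` phase rewrites `scm/pam.scm` to load `#$output/lib/guile-pam/wrapper/conversation.so`, but nothing in the definition ensures the build installs the helper at that path: `#:make-flags` only sets `ENTRY_POINT_DIR`. Since `conversation.so` is the piece that relays prompts and password input, a path mismatch would only surface at login time, so please verify the install location (or derive it from the same variable the Makefile uses) and add a `check` or post-install phase that asserts the file exists. Separately, `guix lint` will flag the synopsis "Write your Linux-PAM authentication logic in Guile Scheme" (phrased as a command) and the description "rewrite your authentication logic in the Linux PAM (pluggable authentication modules) in Guile Scheme" (awkward); something like "Guile Scheme implementation of the Linux-PAM module stack" reads better.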
From: Felix Lechner To: 72316@debbugs.gnu.org Subject: [PATCH v2 2/3] Add a guile-pam-module service. Date: Thu, 1 May 2025 06:42:36 -0700 Message-ID: X-Mailer: git-send-email 2.49.0 In-Reply-To: <878qnj80pt.fsf@iscas.ac.cn> References: <878qnj80pt.fsf@iscas.ac.cn> MIME-Version: 1.0 X-Debbugs-Cc: Gabriel Wicki , Ludovic Courtès , Maxim Cournoyer Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 72316 Cc: Maxim Cournoyer , =?UTF-8?q?Ludovic=20Court=C3=A8s?= , Z572 , Florian Pelz , Felix Lechner , Matthew Trzcinski X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) Change-Id: I1da0fe25f542cf9d8c22d26a7434f952585119e6 --- doc/guix.texi | 89 ++++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/pam.scm | 105 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 195 insertions(+) create mode 100644 gnu/services/pam.scm diff --git a/doc/guix.texi b/doc/guix.texi index 90d90b2e1eb..11480cb0ae5 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -412,6 +412,7 @@ Top * Telephony Services:: Telephony services. * File-Sharing Services:: File-sharing services. * Monitoring Services:: Monitoring services. +* Guile-PAM Services:: Guile-PAM services. * Kerberos Services:: Kerberos services. * LDAP Services:: LDAP services. * Web Services:: Web servers. @@ -19437,6 +19438,7 @@ Services * Telephony Services:: Telephony services. * File-Sharing Services:: File-sharing services. * Monitoring Services:: Monitoring services. +* Guile-PAM Services:: Guile-PAM services. * Kerberos Services:: Kerberos services. * LDAP Services:: LDAP services. * Web Services:: Web servers. 
@@ -33149,6 +33151,93 @@ Monitoring Services @end deftp +@c %end of fragment + +@node Guile-PAM Services +@subsection Guile-PAM Services +@cindex Guile-PAM + +The @code{(gnu services pam)} module provides services related to the +authentication mechanism @dfn{Guile-PAM}. + +Guile-PAM is a reimplementation in GNU Guile of the venerable Linux-PAM +authentication system. For details, please have a look at the Texinfo +manual in the @code{guile-pam} package. + +@defvar guile-pam-module-service-type +A service type for Guile-PAM modules. +@end defvar + +@noindent +Here is an example of its use: +@lisp +(define welcome-pamda-file + (scheme-file + "welcome-pamda-file" + #~(begin + (use-modules (ice-9 format)) + + (lambda (action handle flags options) + (case action + ;; authentication management + ((pam_sm_authenticate) + (format #t "In a working module, we would now identify you.~%")) + ((pam_sm_setcred) + (format #t "In a working module, we would now help you manage additional credentials.~%")) + ;; account management + ((pam_sm_acct_mgmt) + (format #t "In a working module, we would now confirm your access rights.~%")) + ;; password management + ((pam_sm_chauthtok) + (format #t "In a working module, we would now change your password.~%")) + ;; session management + ((pam_sm_open_session) + (format #t "In a working module, we would now open a session for you.~%")) + ((pam_sm_close_session) + (format #t "In a working module, we would now close your session.~%")) + (else + (format #t "In a working module, we would not know what to do about action '~s'.~%" + action))) + 'PAM_SUCCESS)))) + +(service guile-pam-module-service-type + (guile-pam-module-configuration + (rules "optional") + (module welcome-pamda-file) + (services '("login" + "greetd" + "su" + "slim" + "gdm-password" + "sddm")))) +@end lisp + +@c %start of fragment + +@deftp {Data Type} guile-pam-module-configuration +Available @code{guile-pam-module-configuration} fields are: + +@table @asis +@item @code{rules} 
(type: maybe-string) +Determines how the module's return value is evaluated. + +@item @code{module} (type: maybe-file-like) +A Guile-PAM pamda file or a classical PAM module. + +@item @code{services} (type: maybe-list-of-strings) +List of PAM service names for which to install the module. + +@item @code{guile-inputs} (type: maybe-list-of-packages) +Guile inputs available in the PAM module + +@item @code{foreign-library-path} (type: maybe-list-of-packages) +Search path for shared objects and libraries. + +@end table + +@end deftp + + @c %end of fragment @node Kerberos Services diff --git a/gnu/local.mk b/gnu/local.mk index f6f95bbf10b..3d3da58d659 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -764,6 +764,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/networking.scm \ %D%/services/nix.scm \ %D%/services/nfs.scm \ + %D%/services/pam.scm \ %D%/services/pam-mount.scm \ %D%/services/power.scm \ %D%/services/science.scm \ diff --git a/gnu/services/pam.scm b/gnu/services/pam.scm new file mode 100644 index 00000000000..a242067e380 --- /dev/null +++ b/gnu/services/pam.scm 
@@ -0,0 +1,105 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Felix Lechner +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services pam) + #:use-module (gnu packages guile) + #:use-module (gnu packages guile-xyz) + #:use-module (gnu packages linux) + #:use-module (gnu packages mes) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (gnu system pam) + #:use-module (guix gexp) + #:use-module (guix packages) + #:use-module (guix records) + #:use-module (guix utils) + #:use-module (srfi srfi-1) + #:export (guile-pam-module-configuration)) + +(define-maybe string) +(define-maybe list-of-strings) +(define-maybe file-like) + +(define-maybe string-or-file-like) +(define (string-or-file-like? val) + (or (string? val) (file-like? val))) + +(define-maybe list-of-packages) +(define (list-of-packages? val) + (and (list? val) (map package? 
val))) + +(define-configuration/no-serialization guile-pam-module-configuration + (rules + maybe-string + "Determines how the module's return value is evaluated.") + (module + maybe-file-like + "A Guile-PAM pamda file or a classical PAM module.") + (services + maybe-list-of-strings + "List of PAM service names for which to install the module.") + (guile-inputs + maybe-list-of-packages + "Guile inputs available in the PAM module") + (foreign-library-path + maybe-list-of-packages + "Search path for shared objects and libraries.") ) + +(define (guile-pam-module-service config) + "Return a list of for guile-pam-module for CONFIG." + (match-record + config (foreign-library-path + guile-inputs + module + rules + services) + (list + (pam-extension + (transformer + (lambda (pam) + (if (member (pam-service-name pam) services) + (let* ((new-entry + (pam-entry + (control rules) + (module module) + (guile-inputs (if (eq? %unset-value guile-inputs) + '() + guile-inputs)) + (foreign-library-path (if (eq? 
%unset-value foreign-library-path) + '() + foreign-library-path))))) + (pam-service + (inherit pam) + (auth (append (pam-service-auth pam) + (list new-entry))) + (account (append (pam-service-account pam) + (list new-entry))) + (session (append (pam-service-session pam) + (list new-entry))) + (password (append (pam-service-password pam) + (list new-entry))))) + pam))))))) + +(define-public guile-pam-module-service-type + (service-type + (name 'guile-pam-module) + (extensions (list (service-extension pam-root-service-type + guile-pam-module-service))) + (compose concatenate) + (default-value (guile-pam-module-configuration)) + (description "Load Guile code as part of Linux-PAM."))) -- 2.49.0
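Review bot: in the doc/guix.texi hunk for the new "Guile-PAM Services" node (`@@ -33149,6 +33151,93 @@`), the sample module answers `'PAM_SUCCESS` to every action, including `pam_sm_authenticate`, while `guile-pam-module-service` installs the entry in the auth, account, session and password groups of `login`, `su`, `sddm` and the other listed services. That is only safe because the example uses `(rules "optional")`; readers will copy this template with other control values, so the example should return `'PAM_IGNORE` for the actions it does not implement (standard practice for a module that wants no say in the verdict), and the `rules` field text "Determines how the module's return value is evaluated." should state that the value is the Linux-PAM control word (`required`, `requisite`, `sufficient`, `optional`) that ends up in `pam-entry`'s `control` field; naming the field `control` would match the rest of `(gnu system pam)`. Minor: the `guile-inputs` item "Guile inputs available in the PAM module" lacks its period.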
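Review bot: in the gnu/services/pam.scm hunk (`@@ -0,0 +1,105 @@`), `list-of-packages?` is always true for any list, because `(and (list? val) (map package? val))` returns the list produced by `map`, never `#f`; use `(every package? val)` from `(srfi srfi-1)`, which is already imported, so that `guile-inputs` and `foreign-library-path` are actually type-checked. In the same file, `(default-value (guile-pam-module-configuration))` leaves `services` and `rules` unset, so a bare `(service guile-pam-module-service-type)` calls `(member (pam-service-name pam) services)` on the unset marker and passes that marker to `(control rules)`; either give `services` a default of `'()` and `rules` a default such as `"optional"`, as the `(if (eq? %unset-value guile-inputs) '() guile-inputs)` branches already do for the other fields, or drop `default-value` and make the configuration mandatory. Finally, `string-or-file-like?` and `maybe-string-or-file-like` are defined but unused: `module` is typed `maybe-file-like`, which rejects a plain string such as `"pam_ldap.so"` even though the field is documented as accepting "a classical PAM module" and a `foreign-library-path` field exists for exactly that case.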
From: Felix Lechner To: 72316@debbugs.gnu.org Subject: [PATCH v2 3/3] Switch to Guile-PAM. Date: Thu, 1 May 2025 06:42:37 -0700 Message-ID: <3ce2c97a2c23ba3eb0a9ff4544e686048fc46174.1746104902.git.felix.lechner@lease-up.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <878qnj80pt.fsf@iscas.ac.cn> References: <878qnj80pt.fsf@iscas.ac.cn> MIME-Version: 1.0 X-Debbugs-Cc: Liliana Marie Prikler , Maxim Cournoyer , Noé Lopez , Vivien Kraus Content-Transfer-Encoding: 8bit X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 72316 Cc: Maxim Cournoyer , =?UTF-8?q?Ludovic=20Court=C3=A8s?= , Z572 , Florian Pelz , Felix Lechner , Matthew Trzcinski X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Change-Id: Ib691b41cdb152f508a4a8d1b12b2a20da8706fed --- gnu/services/authentication.scm | 9 +- gnu/services/base.scm | 16 +- gnu/services/desktop.scm | 14 +- gnu/services/kerberos.scm | 12 +- gnu/services/lightdm.scm | 69 ++++++-- gnu/services/pam-mount.scm | 5 +- gnu/services/sddm.scm | 91 +++++++--- gnu/services/xorg.scm | 17 +- gnu/system/pam.scm | 296 ++++++++++++++++++++++++++------ 9 files changed, 420 insertions(+), 109 deletions(-) diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm index fbfef2d3d0a..88ccba6ada4 100644 --- a/gnu/services/authentication.scm +++ b/gnu/services/authentication.scm @@ -503,9 +503,6 @@ (define (nslcd-shepherd-service config) (define (pam-ldap-pam-service config) "Return a PAM service for LDAP authentication." - (define pam-ldap-module - (file-append (nslcd-configuration-nss-pam-ldapd config) - "/lib/security/pam_ldap.so")) (pam-extension (transformer (lambda (pam) 
@@ -514,7 +511,11 @@ (define (pam-ldap-pam-service config) (let ((sufficient (pam-entry (control "sufficient") - (module pam-ldap-module)))) + (module "pam_ldap.so") + (foreign-library-path + (list + (file-append (nslcd-configuration-nss-pam-ldapd config) + "/lib/security")))))) (pam-service (inherit pam) (auth (cons sufficient (pam-service-auth pam))) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 650121be8f1..6fb84ce01e1 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -61,8 +61,8 @@ (define-module (gnu services base) #:use-module (gnu packages admin) #:use-module ((gnu packages linux) #:select (alsa-utils btrfs-progs crda eudev - e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools - util-linux xfsprogs)) + e2fsprogs f2fs-tools fuse gpm kbd linux-pam + lvm2 rng-tools util-linux xfsprogs)) #:use-module (gnu packages bash) #:use-module ((gnu packages base) #:select (coreutils glibc glibc/hurd @@ -1731,7 +1731,10 @@ (define pam-limits-service-type (control "required") (module "pam_limits.so") (arguments - (list #~(string-append "conf=" #$limits-file)))))) + (list #~(string-append "conf=" #$limits-file))) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (if (member (pam-service-name pam) '("login" "greetd" "su" "slim" "gdm-password" "sddm" "lightdm" "sudo" "sshd")) @@ -4032,8 +4035,11 @@ (define (greetd-pam-service config) (define optional-pam-mount (pam-entry (control "optional") - (module (file-append greetd-pam-mount "/lib/security/pam_mount.so")) - (arguments '("disable_interactive")))) + (module "pam_mount.so") + (arguments '("disable_interactive")) + (foreign-library-path + (list + (file-append greetd-pam-mount "/lib/security"))))) (list (unix-pam-service "greetd" diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index a586746cc59..ca1078f9df6 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm 
@@ -1494,8 +1494,10 @@ (define (pam-extension-procedure config) (define pam-elogind (pam-entry (control "required") - (module (file-append (elogind-configuration-elogind config) - "/lib/security/pam_elogind.so")))) + (module "pam_elogind.so") + (foreign-library-path + (list + (file-append (elogind-configuration-elogind config) "/lib/security"))))) (list (pam-extension (transformer @@ -1712,9 +1714,11 @@ (define (pam-gnome-keyring config) (define (%pam-keyring-entry . arguments) (pam-entry (control "optional") - (module (file-append (gnome-keyring-package config) - "/lib/security/pam_gnome_keyring.so")) - (arguments arguments))) + (module ("pam_gnome_keyring.so")) + (arguments arguments) + (foreign-library-path + (list + (file-append (gnome-keyring-package config) "/lib/security"))))) (list (pam-extension diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm index a6f540a9b6a..d2d8988a837 100644 --- a/gnu/services/kerberos.scm +++ b/gnu/services/kerberos.scm @@ -431,18 +431,18 @@ (define (pam-krb5-pam-service config) (pam-extension (transformer (lambda (pam) - (define pam-krb5-module - (file-append (pam-krb5-configuration-pam-krb5 config) - "/lib/security/pam_krb5.so")) - (let ((pam-krb5-sufficient (pam-entry (control "sufficient") - (module pam-krb5-module) + (module "pam_krb5.so") (arguments (list (format #f "minimum_uid=~a" - (pam-krb5-configuration-minimum-uid config))))))) + (pam-krb5-configuration-minimum-uid config)))) + (foreign-library-path + (list + (file-append (pam-krb5-configuration-pam-krb5 config) + "/lib/security")))))) (pam-service (inherit pam) (auth (cons* pam-krb5-sufficient diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm index b69cc21322a..6cca06b827a 100644 --- a/gnu/services/lightdm.scm +++ b/gnu/services/lightdm.scm 
@@ -24,6 +24,7 @@ (define-module (gnu services lightdm) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnome) + #:use-module ((gnu packages linux) #:select (linux-pam)) #:use-module (gnu packages vnc) #:use-module (gnu packages xorg) #:use-module (gnu services configuration) @@ -546,15 +547,35 @@ (define (lightdm-greeter-pam-service) (name "lightdm-greeter") (auth (list ;; Load environment from /etc/environment and ~/.pam_environment. - (pam-entry (control "required") (module "pam_env.so")) + (pam-entry (control "required") + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; Always let the greeter start without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (pam-entry (control "required") + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; No action required for account management - (account (list (pam-entry (control "required") (module "pam_permit.so")))) + (account (list (pam-entry (control "required") + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list (pam-entry (control "required") + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list (pam-entry (control "required") + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (lightdm-autologin-pam-service) "Return a PAM service for @command{lightdm-autologin}}." 
@@ -563,17 +584,41 @@ (define (lightdm-autologin-pam-service) (auth (list ;; Block login if user is globally disabled. - (pam-entry (control "required") (module "pam_nologin.so")) - (pam-entry (control "required") (module "pam_succeed_if.so") - (arguments (list "uid >= 1000"))) + (pam-entry (control "required") + (module "pam_nologin.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) + (pam-entry (control "required") + (module "pam_succeed_if.so") + (arguments (list "uid >= 1000")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; Allow access without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (pam-entry (control "required") + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Stop autologin if account requires action. - (account (list (pam-entry (control "required") (module "pam_unix.so")))) + (account (list (pam-entry (control "required") + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list (pam-entry (control "required") + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list (pam-entry (control "required") + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (lightdm-pam-services config) (list (lightdm-pam-service config) diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm index b3a02e82e92..1eb5b44e315 100644 --- a/gnu/services/pam-mount.scm +++ b/gnu/services/pam-mount.scm 
@@ -94,7 +94,10 @@ (define (pam-mount-pam-service config) (define optional-pam-mount (pam-entry (control "optional") - (module (file-append pam-mount "/lib/security/pam_mount.so")))) + (module "pam_mount.so") + (foreign-library-path + (list + (file-append pam-mount "/lib/security"))))) (list (pam-extension (transformer diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm index 92d64cc5993..cb2c5a9276d 100644 --- a/gnu/services/sddm.scm +++ b/gnu/services/sddm.scm @@ -24,6 +24,7 @@ (define-module (gnu services sddm) #:use-module (gnu packages admin) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) + #:use-module ((gnu packages linux) #:select (linux-pam)) #:use-module (gnu packages xorg) #:use-module (gnu services) #:use-module (gnu services shepherd) 
@@ -206,40 +207,61 @@ (define (sddm-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module "pam_nologin.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") - (module "pam_env.so")) + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") (module "pam_succeed_if.so") (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) - "quiet"))) + "quiet")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; should be factored out into system-auth (pam-entry (control "required") - (module "pam_unix.so")))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (account (list ;; should be factored out into system-account (pam-entry (control "required") - (module "pam_unix.so")))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (password (list ;; should be factored out into system-password (pam-entry (control "required") (module "pam_unix.so") - (arguments (list "sha512" "shadow" "try_first_pass"))))) + (arguments (list "sha512" "shadow" "try_first_pass")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session (list ;; lfs has a required pam_limits.so ;; should be factored out into system-session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (sddm-greeter-pam-service) "Return a PAM service for @command{sddm-greeter}." 
@@ -250,29 +272,44 @@ (define (sddm-greeter-pam-service) ;; Load environment from /etc/environment and ~/.pam_environment (pam-entry (control "required") - (module "pam_env.so")) + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) ;; Always let the greeter start without authentication (pam-entry (control "required") - (module "pam_permit.so")))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (account (list ;; No action required for account management (pam-entry (control "required") - (module "pam_permit.so")))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (password (list ;; Can't change password (pam-entry (control "required") - (module "pam_deny.so")))) + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session (list ;; Setup session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))))) (define (sddm-autologin-pam-service config) "Return a PAM service for @command{sddm-autologin}" 
@@ -282,31 +319,37 @@ (define (sddm-autologin-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module "pam_nologin.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") (module "pam_succeed_if.so") (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) - "quiet"))) + "quiet")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) (pam-entry (control "required") - (module "pam_permit.so")))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (account - (list - (pam-entry - (control "include") - (module "sddm")))) + (pam-service-account (sddm-pam-service config))) (password (list (pam-entry (control "required") - (module "pam_deny.so")))) + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session - (list - (pam-entry - (control "include") - (module "sddm")))))) + (pam-service-session (sddm-pam-service config))))) (define (sddm-pam-services config) (list (sddm-pam-service config) diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index bef05b9bb9b..21f9924d166 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm 
@@ -1236,16 +1236,25 @@ (define (gdm-pam-service config) #:login-uid? #t)) (auth (list (pam-entry (control "optional") - (module (file-append (gdm-configuration-gdm config) - "/lib/security/pam_gdm.so"))) + (module "pam_gdm.so") + (foreign-library-path + (list + (file-append (gdm-configuration-gdm config) + "/lib/security/")))) (pam-entry (control "sufficient") - (module "pam_permit.so"))))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))))) (pam-service (inherit (unix-pam-service "gdm-launch-environment")) (auth (list (pam-entry (control "required") - (module "pam_permit.so"))))) + (module "pam_permit.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))))) (unix-pam-service "gdm-password" #:login-uid? #t #:allow-empty-passwords? diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index 07b84b04efe..08dc4693297 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -32,7 +32,9 @@ (define-module (gnu system pam) #:use-module (srfi srfi-11) #:use-module (srfi srfi-26) #:use-module ((guix utils) #:select (%current-system)) + #:use-module (gnu packages guile) #:use-module (gnu packages linux) + #:use-module (gnu packages mes) #:export (pam-service pam-service? pam-service-name @@ -46,6 +48,8 @@ (define-module (gnu system pam) pam-entry-control pam-entry-module pam-entry-arguments + pam-entry-guile-inputs + pam-entry-foreign-library-path pam-limits-entry pam-limits-entry? 
@@ -95,10 +99,16 @@ (define-record-type* pam-service (define-record-type* pam-entry make-pam-entry pam-entry? - (control pam-entry-control) ; string + (control pam-entry-control) ; string, symbol or g-expression (module pam-entry-module) ; file name (arguments pam-entry-arguments ; list of string-valued g-expressions - (default '()))) + (default '())) + (guile-inputs pam-entry-guile-inputs ; list of package variables + (default '())) + (foreign-library-path pam-entry-foreign-library-path ; list of file-like folders + ;; courtesy for historical usage + (default (list + (file-append linux-pam "/lib/security"))))) ;; PAM limits entries are used by the pam_limits PAM module to set or override ;; limits on system resources for user sessions. The format is specified 
@@ -153,35 +163,80 @@ (define (pam-limits-entry->string entry) (number->string value)))) " ")))) -(define (pam-service->configuration service) +(define (pam-service->configuration service shared-object environment-file pamda-file) "Return the derivation building the configuration file for SERVICE, to be dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE." - (define (entry->gexp type entry) - (match entry - (($ control module (arguments ...)) - #~(format #t "~a ~a ~a ~a~%" - #$type #$control #$module - (string-join (list #$@arguments)))))) - - (match service - (($ name account auth password session) - (define builder - #~(begin - (with-output-to-file #$output - (lambda () - #$@(append (map (cut entry->gexp "account" <>) account) - (map (cut entry->gexp "auth" <>) auth) - (map (cut entry->gexp "password" <>) password) - (map (cut entry->gexp "session" <>) session)) - #t)))) - - (computed-file name builder)))) - -(define (pam-services->directory services) + (mixed-text-file (pam-service-name service) + "account required " shared-object " " environment-file " " pamda-file "\n" + "auth required " shared-object " " environment-file " " pamda-file "\n" + "password required " shared-object " " environment-file " " pamda-file "\n" + "session required " shared-object " " environment-file " " pamda-file "\n")) + +(define (intersperse a xs) + (if (null? xs) + '() + [cons (car xs) + (if (null? (cdr xs)) + (cdr xs) + (cons a (intersperse a (cdr xs))))])) + +;; should include locale, but keeping effects of pam_env.so +(define* (make-environment-file #:key + (guile-auto-compile? #f) + (guile-extensions-path '()) + (guile-install-locale? #f) + (guile-jit-log-level 0) + (guile-jit-pause-when-stopping? #f) + (guile-jit-stop-after -1) + (guile-jit-threshold 1000) + (guile-load-compiled-path '()) + (guile-load-path '()) + (guile-warn-deprecated "yes") + (ld-library-path '()) + (ltdl-library-path '())) + (let* ((lines `(("GUILE_AUTO_COMPILE=" ,(if guile-auto-compile? 
"1" "0")) + ("GUILE_EXTENSIONS_PATH=" ,@(intersperse ":" guile-extensions-path)) + ("GUILE_INSTALL_LOCALE=" ,(if guile-install-locale? "1" "0")) + ("GUILE_JIT_LOG=" ,(number->string guile-jit-log-level)) + ("GUILE_JIT_PAUSE_WHEN_STOPPING=" ,(if guile-jit-pause-when-stopping? "1" "0")) + ("GUILE_JIT_STOP_AFTER=" ,(number->string guile-jit-stop-after)) + ("GUILE_JIT_THRESHOLD=" ,(number->string guile-jit-threshold)) + ("GUILE_LOAD_COMPILED_PATH=" ,@(intersperse ":" guile-load-compiled-path)) + ("GUILE_LOAD_PATH=" ,@(intersperse ":" guile-load-path)) + ("GUILE_WARN_DEPRECATED=" ,guile-warn-deprecated) + ("LD_LIBRARY_PATH=" ,@(intersperse ":" ld-library-path)) + ("LTDL_LIBRARY_PATH=" ,@(intersperse ":" ltdl-library-path)))) + (terminated (map (lambda (line) + (append line '("\0"))) + lines)) + (flattened (fold (lambda (right left) + (append left right)) + '() + terminated))) + (apply mixed-text-file "guile-pam-environment" flattened))) + +(define (pam-services->directory shared-object + guile-inputs + foreign-library-path + folder + services) "Return the derivation to build the configuration directory to be used as /etc/pam.d for SERVICES." - (let ((names (map pam-service-name services)) - (files (map pam-service->configuration services))) + (let* ((names (map pam-service-name services)) + (load-path (map (lambda (package) + (file-append package "/share/guile/site/3.0")) + guile-inputs)) + (load-compiled-path (map (lambda (package) + (file-append package "/lib/guile/3.0/site-ccache")) + guile-inputs)) + (environment-file (make-environment-file #:guile-extensions-path foreign-library-path + #:ld-library-path foreign-library-path + #:guile-load-path load-path + #:guile-load-compiled-path load-compiled-path)) + (pamda-file (make-pam-stack folder services)) + (files (map (cut pam-service->configuration <> + shared-object environment-file pamda-file) + services))) (define builder #~(begin (use-modules (ice-9 match) 
@@ -198,14 +253,17 @@ (define (pam-services->directory services) ;; instead. See . (delete-duplicates '#$(zip names files))))) - (computed-file "pam.d" builder))) + (computed-file folder builder))) (define %pam-other-services ;; The "other" PAM configuration, which denies everything (see ;; .) (let ((deny (pam-entry (control "required") - (module "pam_deny.so")))) + (module "pam_deny.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (pam-service (name "other") (account (list deny)) @@ -216,12 +274,18 @@ (define %pam-other-services (define unix-pam-service (let ((unix (pam-entry (control "required") - (module "pam_unix.so"))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) (env (pam-entry ; to honor /etc/environment. (control "required") - (module "pam_env.so")))) + (module "pam_env.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (lambda* (name #:key allow-empty-passwords? allow-root? motd - login-uid? gnupg?) + login-uid? gnupg?) "Return a standard Unix-style PAM service for NAME. When ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is true, allow root to run the command without authentication. When MOTD is 
@@ -237,40 +301,61 @@ (define unix-pam-service (auth (append (if allow-root? (list (pam-entry (control "sufficient") - (module "pam_rootok.so"))) + (module "pam_rootok.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) '()) (list (if allow-empty-passwords? (pam-entry (control "required") (module "pam_unix.so") - (arguments '("nullok"))) + (arguments '("nullok")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))) unix)) (if gnupg? (list (pam-entry (control "required") - (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) + (module "pam_gnupg.so") + (foreign-library-path + (list + (file-append pam-gnupg "/lib/security"))))) '()))) (password (list (pam-entry (control "required") (module "pam_unix.so") ;; Store SHA-512 encrypted passwords in /etc/shadow. - (arguments '("sha512" "shadow"))))) + (arguments '("sha512" "shadow")) + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (session `(,@(if motd (list (pam-entry (control "optional") (module "pam_motd.so") (arguments - (list #~(string-append "motd=" #$motd))))) + (list #~(string-append "motd=" #$motd))) + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) '()) ,@(if login-uid? (list (pam-entry ;to fill in /proc/self/loginuid (control "required") - (module "pam_loginuid.so"))) + (module "pam_loginuid.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security"))))) '()) ,@(if gnupg? (list (pam-entry (control "required") - (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) + (module "pam_gnupg.so") + (foreign-library-path + (list + (file-append pam-gnupg "/lib/security"))))) '()) ,env ,unix)))))) 
@@ -279,13 +364,19 @@ (define (rootok-pam-service command) authenticate to run COMMAND." (let ((unix (pam-entry (control "required") - (module "pam_unix.so")))) + (module "pam_unix.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (pam-service (name command) (account (list unix)) (auth (list (pam-entry (control "sufficient") - (module "pam_rootok.so")))) + (module "pam_rootok.so") + (foreign-library-path + (list + (file-append linux-pam "/lib/security")))))) (password (list unix)) (session (list unix))))) 
@@ -377,21 +468,114 @@ (define-record-type* (services pam-configuration-services) ;list of procedures -> (transformers pam-configuration-transformers) + ;; file-like shared module + (shared-object pam-configuration-shared-object) + ;; list of package variables + (guile-inputs pam-configuration-guile-inputs) + ;; list of file-like folders + (foreign-library-path pam-configuration-foreign-library-path) ;list of symbols (shepherd-requirements pam-configuration-shepherd-requirements)) +(define (make-pam-stack folder services) + (define* (entry->gate entry + #:key + only-actions + only-services) + (match entry + (($ control module (options ...)) + ;; adapted from (pam legacy configuration) + (cond + ((string=? "include" control) + (error "PAM include not implemented; send list of instead" + control module options entry)) + ((string=? "substack" control) + ;; this probably differs a little bit from Linux-PAM + #~(gate required (stack-pamda + (configuration-file->gates #$folder #$module + #:only-actions '#$only-actions + #:only-services '#$only-services)) + #:only-actions '#$only-actions + #:only-services '#$only-services)) + (else + #~(gate (control-string->plan #$control) + (shared-object-or-pamda #$module) + #:options (list #$@options) + #:only-actions '#$only-actions + #:only-services '#$only-services)))))) + + (define (service->gates service) + (match service + (($ name account auth password session) + (append (map (cut entry->gate <> + #:only-actions '(pam_sm_acct_mgmt) + #:only-services (list name)) + account) + (map (cut entry->gate <> + #:only-actions '(pam_sm_authenticate + pam_sm_setcred) + #:only-services (list name)) + auth) + (map (cut entry->gate <> + #:only-actions '(pam_sm_chauthtok) + #:only-services (list name)) + password) + (map (cut entry->gate <> + #:only-actions '(pam_sm_open_session + pam_sm_close_session) + #:only-services (list name)) + session))))) + + (let* ((gates (append-map service->gates services))) + (scheme-file + "guile-pam-stack.scm" + 
#~(begin + (use-modules (pam stack) + (pam legacy configuration) + (pam legacy module) + (pam legacy stack)) + (stack-pamda (list #$@gates)))))) + (define (/etc-entry config) "Return the /etc/pam.d entry corresponding to CONFIG." + (define (service->pam-entries service) + (match service + (($ name account auth password session) + (append account auth password session)))) (match config - (($ services transformers shepherd-requirements) - (let ((services (map (apply compose identity transformers) - services))) - `(("pam.d" ,(pam-services->directory services))))))) + (($ services + transformers + shared-object + guile-inputs + foreign-library-path + shepherd-requirements) + (let* ((services (map (apply compose identity transformers) + services)) + (all-entries (append-map service->pam-entries + services)) + (combined-inputs (delete-duplicates + (append guile-inputs + (append-map pam-entry-guile-inputs + all-entries)))) + (combined-library-path (delete-duplicates + (append foreign-library-path + (append-map pam-entry-foreign-library-path + all-entries))))) + `(("pam.d" ,(pam-services->directory shared-object + combined-inputs + combined-library-path + "pam.d" + services))))))) (define (pam-shepherd-service config) "Return the PAM synchronization shepherd service corresponding to CONFIG." (match config - (($ services transformers shepherd-requirements) + (($ services + transformers + shared-object + guile-inputs + foreign-library-path + shepherd-requirements) (list (shepherd-service (documentation "Synchronization point for services that need to be started for PAM to work.") 
@@ -420,6 +604,9 @@ (define (extend-configuration initial extensions) services)) (transformers (append (pam-configuration-transformers initial) (map pam-extension-transformer pam-extensions))) + (shared-object (pam-configuration-shared-object initial)) + (guile-inputs (pam-configuration-guile-inputs initial)) + (foreign-library-path (pam-configuration-foreign-library-path initial)) (shepherd-requirements (append (pam-configuration-shepherd-requirements initial) (append-map pam-extension-shepherd-requirements pam-extensions)))))) @@ -445,8 +632,18 @@ (define pam-root-service-type such as @command{login} or @command{sshd}, and specifies for instance how the program may authenticate users or what it should do when opening a new session."))) - -(define* (pam-root-service base #:key (transformers '()) (shepherd-requirements '())) +(define* (pam-root-service base + #:key + (transformers '()) + (shared-object + (file-append guile-pam "/lib/security/pam_guile.so")) + (guile-inputs + (list guile-3.0 + guile-pam ;for (pam) and (ffi pam) + nyacc-2.01)) ;for (nyacc foreign cdata) + (foreign-library-path + (list (file-append linux-pam "/lib"))) ;for libpam.so + (shepherd-requirements '())) "The \"root\" PAM service, which collects instance and turns them into a /etc/pam.d directory, including the listed in BASE. TRANSFORM is a procedure that takes a and returns a 
@@ -455,6 +652,9 @@ (define* (pam-root-service base #:key (transformers '()) (shepherd-requirements (service pam-root-service-type (pam-configuration (services base) (transformers transformers) + (shared-object shared-object) + (guile-inputs guile-inputs) + (foreign-library-path foreign-library-path) (shepherd-requirements shepherd-requirements)))) -- 2.49.0
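Review bot: in the `sddm-autologin-pam-service` hunk of gnu/services/xorg.scm (and likewise in the gdm, `%pam-other-services`, `unix-pam-service` and `rootok-pam-service` hunks) every entry gains an explicit `(foreign-library-path (list (file-append linux-pam "/lib/security")))`, which is exactly the new field default added to `<pam-entry>` in gnu/system/pam.scm (`;; courtesy for historical usage`). Either drop the repetition and rely on the default, or, if the explicit form is meant to survive a later removal of the default, say so in the record comment; as submitted the two disagree about which one is authoritative, and the only entries that genuinely need an explicit path are `pam_gdm.so` and `pam_gnupg.so`, whose directories are not the default.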
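Review bot: the `gdm-pam-service` hunk replaces an absolute module file name, `(file-append (gdm-configuration-gdm config) "/lib/security/pam_gdm.so")`, with the bare name `"pam_gdm.so"` plus a search directory, and `/etc-entry` later merges every entry's `foreign-library-path` into one `combined-library-path` that `make-environment-file` hands out as both `LD_LIBRARY_PATH` and `GUILE_EXTENSIONS_PATH`. A bare name such as `pam_unix.so` or `pam_gdm.so` is therefore looked up across the directories contributed by all services, and which file is loaded depends on directory order rather than on the entry that named it. Keeping the full store path (the `file-append` form, or joining the entry's own `foreign-library-path` with the module name in `entry->gate`) keeps that mapping explicit and build-time checked. Also, this hunk writes `"/lib/security/"` with a trailing slash where every other hunk uses `"/lib/security"`.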
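Review bot: in the `pam-services->directory` hunk of gnu/system/pam.scm the docstring still describes only SERVICES although the procedure now also takes `shared-object`, `guile-inputs`, `foreign-library-path` and `folder`; document them. Two style points in the same hunk: `intersperse` is written with square brackets (`[cons (car xs) ...]`), which Guix code does not use, and the `fold`/`append` in `make-environment-file` is just `(concatenate terminated)` from srfi-1. One behavioural question: every generated /etc/pam.d/NAME is now the same four `required` lines naming `shared-object`, and per-service selection happens only through `#:only-services (list name)` inside the pamda. Linux-PAM routes a service name with no configuration file to /etc/pam.d/other, yet the gates generated from `%pam-other-services` match only the literal service name "other"; please state (and cover in (gnu tests pam)) what `stack-pamda` returns when no gate matches a request, since the comment on `%pam-other-services` says the intent is to deny everything.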
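Review bot: `entry->gate` in the `make-pam-stack` hunk dispatches with `(string=? "include" control)` and `(string=? "substack" control)`, but the `<pam-entry>` hunk in the same file widens the `control` field comment to "string, symbol or g-expression"; a symbol or gexp control reaches `string=?` and raises a wrong-type-arg error while building the system instead of being passed through to `control-string->plan`. Either keep the field string-only or guard both comparisons with `(and (string? control) ...)` so the `else` branch handles the other types. In the substack branch, `#$folder` is the relative name given to `computed-file` ("pam.d"), so `configuration-file->gates` receives "pam.d" rather than a directory path; if it resolves files relative to the running system that should be the absolute /etc/pam.d location.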
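Review bot: the `pam-root-service` hunk adds `#:shared-object`, `#:guile-inputs` and `#:foreign-library-path` keywords with defaults, but the docstring that follows still documents only BASE, TRANSFORM and SHEPHERD-REQUIREMENTS; describe the three new keywords and what the defaults (pam_guile.so from `guile-pam`; guile-3.0, guile-pam and nyacc-2.01 on the load path; `linux-pam`'s /lib for libpam.so) are for. The `shared-object` default references `guile-pam`, while the module-header hunk only adds `(gnu packages guile)` and `(gnu packages mes)` to `(gnu system pam)`; gnu/services/pam.scm in patch 2/3 imports `(gnu packages guile-xyz)` as well, so check which module defines `guile-pam` and that it is actually visible here.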
From: Maxim Cournoyer
To: Felix Lechner
Subject: Re: [PATCH v2 1/3] Add guile-pam.
In-Reply-To: (Felix Lechner's message of "Thu, 1 May 2025 06:42:35 -0700")
Date: Thu, 01 May 2025 23:04:01 +0900
Message-ID: <87bjsc8m26.fsf@gmail.com>
Cc: 72316@debbugs.gnu.org, Ludovic Courtès, Z572, Florian Pelz, Matthew Trzcinski

Hi Felix, Felix Lechner writes: [...] > +(define-public guile-pam > + (let ((commit "5ea70a5d88e7ade27ba9f231acab7d363b6400fb") > + (revision "0")) > + (package > + (name "guile-pam") > + (version (git-version "0.0" revision commit)) > + (source (origin > + (method git-fetch) > + (uri (git-reference > + (url "https://codeberg.org/lechner/guile-pam") > + (commit commit))) > + (file-name (git-file-name name version)) > + (sha256 > + (base32 > + "1i034f42wnmnsz76pcniif2ikpbamh0cki3ib2zwmbnvif4656av")))) > + (native-inputs (list > + autoconf > + automake > + gnulib > + guile-3.0 > + libtool > + linux-pam > + nyacc-2.01 > + pkg-config > + texinfo)) > + (inputs (list > + guile-3.0 > + linux-pam)) > + (propagated-inputs (list > + nyacc-2.01)) > + (build-system gnu-build-system) > + (arguments > + (list > + #:make-flags > + #~(list (string-append "ENTRY_POINT_DIR=" #$output "/share/entry-points")) > + #:phases > + #~(modify-phases %standard-phases > + (add-after 'unpack 'install-gnulib > + ;; per https://lists.gnu.org/archive/html/guile-devel/2012-08/msg00042.html > + (lambda* (#:key inputs #:allow-other-keys) > + (let ((gnulib-build-aux (dirname > + (search-input-file inputs > + 
"/src/gnulib/build-aux/config.rpath")))) It seems more conventional to avoid the leading '/' on the file name using `search-input-file'. > + (mkdir-p "build-aux") > + (copy-recursively gnulib-build-aux "build-aux")) > + (let ((gnulib-m4 (dirname (search-input-file inputs > + "/src/gnulib/m4/lib-link.m4")))) > + (mkdir-p "m4") > + (copy-recursively gnulib-m4 "m4")))) > + (add-after 'patch-source-shebangs 'fix-paths > + (lambda* (#:key inputs #:allow-other-keys) > + (for-each (lambda (file) > + (substitute* file > + (("/usr/bin/env -S guile ") > + (string-append (search-input-file inputs "/bin/guile") " \\\n")))) > + '("test/legacy-control-strings")) Perhaps not prominently mentioned enough, but our coding conventions (info "(guix) Formatting Code") suggest keeping the maximum line width <= 80 characters (it's in the linked style.txt document, and also in .editorconfig, and our .dir-locals.el sets the fill-column to 78, as some extra hints). > + (substitute* "scm/pam.scm" > + (("[.]/wrap/c/[.]libs/conversation.so") > + (string-append #$output "/lib/guile-pam/wrapper/conversation.so")))))))) > + (home-page "https://codeberg.org/lechner/guile-pam") > + (synopsis "Write your Linux-PAM authentication logic in Guile Scheme") > + (description > + "Guile-PAM provides a way to rewrite your authentication logic in the > +Linux PAM (pluggable authentication modules) in Guile Scheme. It should make > +those modules more transparent to the administrator and more intuitive to > +use.") Sentences should be separated by two spaces in every doc/text of the source, as another convention. Other than these nitpicks, LGTM! Could you please send a v3 with my small suggestions?
--
Thanks,
Maxim
From: Maxim Cournoyer
To: Felix Lechner
Subject: Re: [PATCH v2 1/3] Add guile-pam.
In-Reply-To: (Felix Lechner's message of "Thu, 1 May 2025 06:42:35 -0700")
Date: Thu, 01 May 2025 23:30:04 +0900
Message-ID: <87y0vg76ab.fsf@gmail.com>
Cc: 72316@debbugs.gnu.org, Ludovic Courtès, Z572, Florian Pelz, Matthew Trzcinski

Hi, Felix Lechner writes: > Change-Id: I991ca32c8696de0e6751b0f4225bf24151ba22f2 I forgot, you need a GNU ChangeLog message for your commit message (that holds for any commit to be merged into Guix). You can use Magit 'C' on the git diffs while editing a commit message to automate some of it.
--
Thanks,
Maxim
From: Maxim Cournoyer
To: Felix Lechner
Subject: Re: [PATCH v2 2/3] Add a guile-pam-module service.
In-Reply-To: (Felix Lechner's message of "Thu, 1 May 2025 06:42:36 -0700")
Date: Thu, 01 May 2025 23:33:30 +0900
Message-ID: <87tt64764l.fsf@gmail.com>
Cc: 72316@debbugs.gnu.org, Ludovic Courtès, Z572, Florian Pelz, Matthew Trzcinski

Hi! Felix Lechner writes: > Change-Id: I1da0fe25f542cf9d8c22d26a7434f952585119e6 Missing GNU ChangeLog message. A system test to ensure it keeps working in the future would be great. We already have a (gnu tests pam) module. > --- > doc/guix.texi | 89 ++++++++++++++++++++++++++++++++++++ > gnu/local.mk | 1 + > gnu/services/pam.scm | 105 +++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 195 insertions(+) > create mode 100644 gnu/services/pam.scm > > diff --git a/doc/guix.texi b/doc/guix.texi > index 90d90b2e1eb..11480cb0ae5 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi > @@ -412,6 +412,7 @@ Top > * Telephony Services:: Telephony services. > * File-Sharing Services:: File-sharing services. > * Monitoring Services:: Monitoring services. > +* Guile-PAM Services:: Guile-PAM services. > * Kerberos Services:: Kerberos services. > * LDAP Services:: LDAP services. > * Web Services:: Web servers.
> @@ -19437,6 +19438,7 @@ Services > * Telephony Services:: Telephony services. > * File-Sharing Services:: File-sharing services. > * Monitoring Services:: Monitoring services. > +* Guile-PAM Services:: Guile-PAM services. > * Kerberos Services:: Kerberos services. > * LDAP Services:: LDAP services. > * Web Services:: Web servers. 
> @@ -33149,6 +33151,93 @@ Monitoring Services > @end deftp > > > +@c %end of fragment Why do we get the %end before any %start? :-) > + > +@node Guile-PAM Services > +@subsection Guile-PAM Services > +@cindex Guile-PAM The contextual index could have extra context, like: --8<---------------cut here---------------start------------->8--- @cindex Guile-PAM, configuring PAM using Guile @cindex PAM configuration using Guile, Guile-PAM --8<---------------cut here---------------end--------------->8--- > + > +The @code{(gnu services pam)} module provides services related to the > +authentication mechanism @dfn{Guile-PAM}. > + > +Guile-PAM is a reimplementation in GNU Guile of the venerable Linux-PAM > +authentication system. For details, please have a look at the Texinfo > +manual in the @code{guile-pam} package. You can make a proper Texinfo cross-reference to your guile-pam Manual here, for extra convenience, see (info "(texinfo) Referring to a Manual as a Whole"). > +@defvar guile-pam-module-service-type > +A service type for Guile-PAM modules. > +@end defvar > + > +@noindent > +Here is an example of its use: > +@lisp > +(define welcome-pamda-file > + (scheme-file > + "welcome-pamda-file" > + #~(begin > + (use-modules (ice-9 format)) > + > + (lambda (action handle flags options) > + (case action > + ;; authentication management For all standalone comments, use complete sentences, or near complete sentences, like ;; Authentication management. For a margin comment it's fine to use incomplete ones, e.g.
;authentication management > + ((pam_sm_authenticate) > + (format #t "In a working module, we would now identify you.~%")) > + ((pam_sm_setcred) > + (format #t "In a working module, we would now help you manage additional credentials.~%")) > + ;; account management > + ((pam_sm_acct_mgmt) > + (format #t "In a working module, we would now confirm your access rights.~%")) > + ;; password management > + ((pam_sm_chauthtok) > + (format #t "In a working module, we would now change your password.~%")) > + ;; session management > + ((pam_sm_open_session) > + (format #t "In a working module, we would now open a session for you.~%")) > + ((pam_sm_close_session) > + (format #t "In a working module, we would now close your session.~%")) > + (else > + (format #t "In a working module, we would not know what to do about action '~s'.~%" > + action))) > + 'PAM_SUCCESS)))) Please mind the maximum 80 chars width. > +(service guile-pam-module-service-type > + (guile-pam-module-configuration > + (rules "optional") > + (module welcome-pamda-file) > + (services '("login" > + "greetd" > + "su" > + "slim" > + "gdm-password" > + "sddm")))) > +@end lisp > + > +@c %start of fragment > + > +@deftp {Data Type} guile-pam-module-configuration > +Available @code{guile-pam-module-configuration} fields are: > + > +@table @asis > +@item @code{rules} (type: maybe-string) > +Determines how the module's return value is evaluated. > + > +@item @code{module} (type: maybe-file-like) > +A Guile-PAM pamda file or a classical PAM module. > + > +@item @code{services} (type: maybe-list-of-strings) > +List of PAM service names for which to install the module. > + > +@item @code{guile-inputs} (type: maybe-list-of-packages) > +Guile inputs available in the PAM module Missing ending period. ^ [...] > +++ b/gnu/services/pam.scm
> @@ -0,0 +1,105 @@ > +;;; GNU Guix --- Functional package management for GNU > +;;; Copyright =C2=A9 2024 Felix Lechner > +;;; > +;;; This file is part of GNU Guix. > +;;; > +;;; GNU Guix is free software; you can redistribute it and/or modify it > +;;; under the terms of the GNU General Public License as published by > +;;; the Free Software Foundation; either version 3 of the License, or (at > +;;; your option) any later version. > +;;; > +;;; GNU Guix is distributed in the hope that it will be useful, but > +;;; WITHOUT ANY WARRANTY; without even the implied warranty of > +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +;;; GNU General Public License for more details. > +;;; > +;;; You should have received a copy of the GNU General Public License > +;;; along with GNU Guix. If not, see . > + > +(define-module (gnu services pam) > + #:use-module (gnu packages guile) > + #:use-module (gnu packages guile-xyz) > + #:use-module (gnu packages linux) > + #:use-module (gnu packages mes) > + #:use-module (gnu services) > + #:use-module (gnu services configuration) > + #:use-module (gnu system pam) > + #:use-module (guix gexp) > + #:use-module (guix packages) > + #:use-module (guix records) > + #:use-module (guix utils) > + #:use-module (srfi srfi-1) > + #:export (guile-pam-module-configuration)) > + > +(define-maybe string) > +(define-maybe list-of-strings) > +(define-maybe file-like) > + > +(define-maybe string-or-file-like) > +(define (string-or-file-like? val) > + (or (string? val) (file-like? val))) > + > +(define-maybe list-of-packages) > +(define (list-of-packages? val) > + (and (list? val) (map package? 
val))) > + > +(define-configuration/no-serialization guile-pam-module-configuration > + (rules > + maybe-string > + "Determines how the module's return value is evaluated.") > + (module > + maybe-file-like > + "A Guile-PAM pamda file or a classical PAM module.") > + (services > + maybe-list-of-strings > + "List of PAM service names for which to install the module.") > + (guile-inputs > + maybe-list-of-packages > + "Guile inputs available in the PAM module") The trailing period, as mentioned earlier. > + (foreign-library-path > + maybe-list-of-packages > + "Search path for shared objects and libraries.") ) > + > +(define (guile-pam-module-service config) > + "Return a list of for guile-pam-module for CONFIG." > + (match-record > + config (foreign-library-path > + guile-inputs > + module > + rules > + services) The field names are more conventionally formatted on a line after the record type. You can use the ( one two three four five) Emacs trick (leading space inside the opening parenthesis) to have them indented as data rather than as a procedure call. > + (list > + (pam-extension > + (transformer > + (lambda (pam) > + (if (member (pam-service-name pam) services) > + (let* ((new-entry > + (pam-entry > + (control rules) > + (module module) > + (guile-inputs (if (eq? %unset-value guile-inputs) Better use (maybe-value-set? guile-inputs) here. > + '() > + guile-inputs)) > + (foreign-library-path (if (eq? %unset-value fore= ign-library-path) Likewise + 80 chars limit. 
> + '() > + foreign-library-path))= ))) > + (pam-service > + (inherit pam) > + (auth (append (pam-service-auth pam) > + (list new-entry))) > + (account (append (pam-service-account pam) > + (list new-entry))) > + (session (append (pam-service-session pam) > + (list new-entry))) > + (password (append (pam-service-password pam) > + (list new-entry))))) > + pam))))))) > + > +(define-public guile-pam-module-service-type > + (service-type > + (name 'guile-pam-module) > + (extensions (list (service-extension pam-root-service-type > + guile-pam-module-service))) > + (compose concatenate) > + (default-value (guile-pam-module-configuration)) > + (description "Load Guile code as part of Linux-PAM.")))

Interesting. Other than my above comments, it LGTM.

-- 
Thanks,
Maxim
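Review bot: `list-of-packages?` in the pam.scm hunk never rejects anything: `(and (list? val) (map package? val))` returns the list produced by `map`, which is truthy even when every element is `#f`, so a list containing a non-package passes the field check; use `(every package? val)` from srfi-1, which the module already imports. In the same hunk, `guile-pam-module-service` calls `(member (pam-service-name pam) services)` although `services` is a `maybe-list-of-strings` field and the service type's `default-value` is a bare `(guile-pam-module-configuration)`, so with the default value `services` is `%unset-value` and `member` is applied to a non-list; `rules` and `module` would likewise be `%unset-value` inside the generated `pam-entry`. Either make `rules`, `module` and `services` required fields (no `maybe-`), or have the transformer return `pam` unchanged unless `(maybe-value-set? services)`.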
From: Maxim Cournoyer
To: Felix Lechner
Subject: Re: [PATCH v2 3/3] Switch to Guile-PAM.
In-Reply-To: <3ce2c97a2c23ba3eb0a9ff4544e686048fc46174.1746104902.git.felix.lechner@lease-up.com> (Felix Lechner's message of "Thu, 1 May 2025 06:42:37 -0700")
References: <878qnj80pt.fsf@iscas.ac.cn> <3ce2c97a2c23ba3eb0a9ff4544e686048fc46174.1746104902.git.felix.lechner@lease-up.com>
Date: Thu, 01 May 2025 23:38:48 +0900
Message-ID: <87plgs75vr.fsf@gmail.com>
Cc: 72316@debbugs.gnu.org, Ludovic Courtès, Z572, Florian Pelz, Matthew Trzcinski

Hi Felix,

Felix Lechner writes:

> Change-Id: Ib691b41cdb152f508a4a8d1b12b2a20da8706fed

Missing GNU changelog.

It seems there's already an agreement to postpone on this "big" change, until the service and documentation had some time to sink in, shake bugs (if any), and gather user feedback? That would be wise, I think. In the meantime, at least the patch would need reworking so the code fits our 80 columns maximum width convention. I'd defer this one until a later time, and present it with a GCD when the moment is ripe?
-- 
Thanks,
Maxim
From: Z572
To: Felix Lechner via Guix-patches via
Subject: Re: [bug#72316] [PATCH v2 1/3] Add guile-pam.
In-Reply-To: (Felix Lechner via Guix-patches via's message of "Thu, 1 May 2025 06:42:35 -0700")
References: <878qnj80pt.fsf@iscas.ac.cn>
Date: Thu, 01 May 2025 23:14:03 +0800
Message-ID: <871pt87490.fsf@z572.online>
Cc: Maxim Cournoyer, Wilko Meyer, Ludovic Courtès, Z572, Florian Pelz, Leo Famulari, 72316@debbugs.gnu.org, Felix Lechner, Matthew Trzcinski
Felix Lechner via Guix-patches via writes:

> Change-Id: I991ca32c8696de0e6751b0f4225bf24151ba22f2 > --- > gnu/packages/linux.scm | 71 ++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 71 insertions(+) > > diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index b4adf0c2b43..35ae4558043 100644 > --- a/gnu/packages/linux.scm > +++ b/gnu/packages/linux.scm > @@ -113,6 +113,7 @@ (define-module (gnu packages linux) > #:use-module (gnu packages bash) > #:use-module (gnu packages bison) > #:use-module (gnu packages boost) > + #:use-module (gnu packages build-tools) > #:use-module (gnu packages calendar) > #:use-module (gnu packages check) > #:use-module (gnu packages cpio) > @@ -145,6 +146,7 @@ (define-module (gnu packages linux) > #:use-module (gnu packages graphviz) > #:use-module (gnu packages gstreamer) > #:use-module (gnu packages gtk) > + #:use-module (gnu packages guile) > #:use-module (gnu packages haskell-apps) > #:use-module (gnu packages haskell-xyz) > #:use-module (gnu packages image)
> @@ -158,6 +160,7 @@ (define-module (gnu packages linux) > #:use-module (gnu packages m4) > #:use-module (gnu packages man) > #:use-module (gnu packages maths) > + #:use-module (gnu packages mes) > #:use-module (gnu packages multiprecision) > #:use-module (gnu packages ncurses) > #:use-module (gnu packages netpbm) 
> @@ -2412,6 +2415,74 @@ (define-public vendor-reset-linux-module > ;;; Pluggable authentication modules (PAM). > ;;; >=20=20 > +(define-public guile-pam > + (let ((commit "5ea70a5d88e7ade27ba9f231acab7d363b6400fb") > + (revision "0")) > + (package > + (name "guile-pam") > + (version (git-version "0.0" revision commit)) i think should (git-version "0.0.1" revision commit) because this commit is after v0.0.1. > + (source (origin > + (method git-fetch) > + (uri (git-reference > + (url "https://codeberg.org/lechner/guile-pam") > + (commit commit))) > + (file-name (git-file-name name version)) > + (sha256 > + (base32 > + "1i034f42wnmnsz76pcniif2ikpbamh0cki3ib2zwmbnvif4656av"= )))) > + (native-inputs (list > + autoconf > + automake > + gnulib > + guile-3.0 > + libtool > + linux-pam why linux-pam both in native-inputs and inputs, is it required when cross compiling? > + nyacc-2.01 Please add a comment why we can't just use nyacc. > + pkg-config > + texinfo)) > + (inputs (list > + guile-3.0 > + linux-pam)) > + (propagated-inputs (list > + nyacc-2.01)) > + (build-system gnu-build-system) > + (arguments > + (list > + #:make-flags > + #~(list (string-append "ENTRY_POINT_DIR=3D" #$output "/share/ent= ry-points")) > + #:phases > + #~(modify-phases %standard-phases > + (add-after 'unpack 'install-gnulib > + ;; per https://lists.gnu.org/archive/html/guile-devel/2012= -08/msg00042.html > + (lambda* (#:key inputs #:allow-other-keys) > + (let ((gnulib-build-aux (dirname > + (search-input-file inputs > + "/src/gnulib= /build-aux/config.rpath")))) > + (mkdir-p "build-aux") > + (copy-recursively gnulib-build-aux "build-aux")) > + (let ((gnulib-m4 (dirname (search-input-file inputs > + "/src/gnuli= b/m4/lib-link.m4")))) > + (mkdir-p "m4") > + (copy-recursively gnulib-m4 "m4")))) > + (add-after 'patch-source-shebangs 'fix-paths > + (lambda* (#:key inputs #:allow-other-keys) > + (for-each (lambda (file) > + (substitute* file > + (("/usr/bin/env -S guile ") > + (string-append 
(search-input-file inputs = "/bin/guile") " \\\n")))) > + '("test/legacy-control-strings")) > + (substitute* "scm/pam.scm" > + (("[.]/wrap/c/[.]libs/conversation.so") > + (string-append #$output "/lib/guile-pam/wrapper/conve= rsation.so")))))))) > + (home-page "https://codeberg.org/lechner/guile-pam") > + (synopsis "Write your Linux-PAM authentication logic in Guile Sche= me") > + (description > + "Guile-PAM provides a way to rewrite your authentication logic in= the > +Linux PAM (pluggable authentication modules) in Guile Scheme. It should = make > +those modules more transparent to the administrator and more intuitive to > +use.") > + (license license:gpl3+)))) > + > (define-public linux-pam > (package > (name "linux-pam")
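Review bot: the `fix-paths` phase in the guile-pam hunk rewrites `scm/pam.scm` to load `conversation.so` from `#$output "/lib/guile-pam/wrapper/conversation.so"`, a store path that does not exist until the `install` phase, so any test run during `check` that reaches the conversation wrapper cannot load it; please confirm the test suite still exercises the wrapper, or move that `substitute*` to a phase after `install`. Also, `search-input-file` takes a file name relative to an input's store directory, so drop the leading slash from `"/src/gnulib/build-aux/config.rpath"` and `"/src/gnulib/m4/lib-link.m4"` in `install-gnulib`; the current spelling only works because `//` is tolerated in paths.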
From: Z572
To: Felix Lechner via Guix-patches via
Subject: Re: [bug#72316] [PATCH v2 0/3] Switch to Guile-PAM
In-Reply-To: (Felix Lechner via Guix-patches via's message of "Thu, 1 May 2025 06:42:34 -0700")
References: <878qnj80pt.fsf@iscas.ac.cn>
Date: Thu, 01 May 2025 23:26:46 +0800
Message-ID: <87v7qk5p3d.fsf@z572.online>
Cc: Vivien Kraus, Maxim Cournoyer, Ludovic Courtès, Z572, Florian Pelz, Liliana Marie Prikler, 72316@debbugs.gnu.org, Felix Lechner, Noé Lopez, Matthew Trzcinski
Felix Lechner via Guix-patches via writes:

> Hi Z572,
>
> Yes, you are right. More testing is needed before Guile-PAM can manage other
> modules. Will you push the package definition and the service, i.e. the first
> two commits?

I think it's just a guile-pam package definition, like any other package, anyone can push it as long as it's ok. I'm not familiar with the service and can't make any guarantees.

>
> With the service, folks can write their own modules. Then they can do all the
> things they always wanted, like set kernel limits in one line [1] or mount
> FUSE based-drives upon login. [2]
>
> I worked on this thing for ten years and believe it could be a game changer.
>
> Switching to Guile-PAM is not that radical: The third commit merely runs the
> stack in Guile but still uses the modules from Linux-PAM. At about five
> hundred lines of code, the Guile stack is much easier to read (or audit) than
> the stack in Linux-PAM, but I agree we should wait.

I think you can propose a GCD later and see what people think.

>
> Please feel free to push the first two commits. I will show folks how to use
> them. Thanks!
>
> Kind regards
> Felix
>
> [1] https://codeberg.org/lechner/system-config/src/commit/0ca80a773408d5934285288ca8da03b9675e9f75/host/lechner-desktop/operating-system.scm#L75
> [2] https://codeberg.org/lechner/away/src/commit/2aba38327c1ada959656c58c2f515072c864d983/pam.scm#L76-L80
>
> Felix Lechner (3):
>   Add guile-pam.
>   Add a guile-pam-module service.
>   Switch to Guile-PAM.
>
>  doc/guix.texi                   |  89 ++++++++++
>  gnu/local.mk                    |   1 +
>  gnu/packages/linux.scm          |  71 ++++++++
>  gnu/services/authentication.scm |   9 +-
>  gnu/services/base.scm           |  16 +-
>  gnu/services/desktop.scm        |  14 +-
>  gnu/services/kerberos.scm       |  12 +-
>  gnu/services/lightdm.scm        |  69 ++++++--
>  gnu/services/pam-mount.scm      |   5 +-
>  gnu/services/pam.scm            | 105 +++++++++++
>  gnu/services/sddm.scm           |  91 +++++++---
>  gnu/services/xorg.scm           |  17 +-
>  gnu/system/pam.scm              | 296 ++++++++++++++++++++++++++------
>  13 files changed, 686 insertions(+), 109 deletions(-)
>  create mode 100644 gnu/services/pam.scm
>
>
> base-commit: 304f8bebbb3bc77b27be7ead82f2d79a10fe1843
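The point made above about the stack being small enough to audit comes down to one piece of logic: how the dispatcher combines each module's return code under its control word, which is what the service's `rules` field selects. What follows is an added example in Python, not code from Guile-PAM, Linux-PAM or Guix. It models the four simple control words as Linux-PAM documents them, using a constructed credential table and two stand-in modules (`pam_unix`, which checks the table, and `welcome`, which returns PAM_SUCCESS unconditionally like the documentation's demo pamda), and shows why the same module is harmless under `optional` but an authentication bypass under `sufficient`.

```python
"""Simulate how a PAM dispatcher combines module results under the
Linux-PAM simple control words (required, requisite, sufficient, optional).

Added example, not code from Guile-PAM, Linux-PAM or Guix.  The module
names and the in-memory credential table are constructed for illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# One stack entry is one line of /etc/pam.d/<service>: (control word, module).
# In the Guix service discussed in the thread the control word is `rules'.
Entry = Tuple[str, str]
Module = Callable[[str, str], str]  # (user, password) -> PAM result code

# Constructed credential table standing in for /etc/shadow.
_USERS: Dict[str, str] = {"alice": "correct horse"}


def pam_unix(user: str, password: str) -> str:
    """Fail closed: unknown user or wrong password gives PAM_AUTH_ERR."""
    return PAM_SUCCESS if _USERS.get(user) == password else PAM_AUTH_ERR


def welcome(user: str, password: str) -> str:
    """Stand-in for the demo pamda: verifies nothing, always succeeds."""
    return PAM_SUCCESS


MODULES: Dict[str, Module] = {"pam_unix": pam_unix, "welcome": welcome}


def run_stack(stack: List[Entry], user: str,
              password: str) -> Tuple[str, List[str]]:
    """Evaluate STACK for one management group the way Linux-PAM documents
    its simple control words.  Returns (final code, modules actually run)."""
    invoked: List[str] = []
    first_failure: Optional[str] = None    # first failing required/requisite
    required_success = False               # some required module succeeded
    optional_result: Optional[str] = None  # only counts if nothing else does
    for control, name in stack:
        result = MODULES[name](user, password)
        invoked.append(name)
        if control == "required":
            if result == PAM_SUCCESS:
                required_success = True
            elif first_failure is None:
                first_failure = result
        elif control == "requisite":
            if result == PAM_SUCCESS:
                required_success = True
            else:
                # Abort the stack at once, reporting the earliest failure.
                return (first_failure or result, invoked)
        elif control == "sufficient":
            if result == PAM_SUCCESS and first_failure is None:
                # Short-circuit: the remaining modules never run.
                return (PAM_SUCCESS, invoked)
            # A failing sufficient module is ignored.
        elif control == "optional":
            optional_result = result
        else:
            raise ValueError(f"unknown control word {control!r}")
    if first_failure is not None:
        return (first_failure, invoked)
    if required_success:
        return (PAM_SUCCESS, invoked)
    if optional_result is not None:
        return (optional_result, invoked)
    # Empty stack: fail closed, as Linux-PAM does when no module is loaded.
    return (PAM_PERM_DENIED, invoked)


def can_bypass(stack: List[Entry]) -> bool:
    """True if a caller whose credentials the password module rejects still
    gets PAM_SUCCESS out of STACK."""
    code, _ = run_stack(stack, "mallory", "not the password")
    return code == PAM_SUCCESS


# The documented configuration: under `optional' the demo module's verdict
# is irrelevant and pam_unix still decides.
SAFE_STACK: List[Entry] = [("optional", "welcome"), ("required", "pam_unix")]
# The same module under `sufficient': pam_unix is never consulted.
BYPASS_STACK: List[Entry] = [("sufficient", "welcome"),
                             ("required", "pam_unix")]

if __name__ == "__main__":
    for label, stack in (("optional", SAFE_STACK),
                         ("sufficient", BYPASS_STACK)):
        code, ran = run_stack(stack, "mallory", "not the password")
        print(f"{label:>10}: {code} after {ran}; bypassable={can_bypass(stack)}")
```

`can_bypass` is the check to run over any generated stack: it presents credentials the password module must reject and reports whether the stack still returns success. `run_stack` also returns the modules that actually ran, which makes visible that under `sufficient` the password module is never consulted at all.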
From: Z572
To: Felix Lechner via Guix-patches via
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
In-Reply-To: (Felix Lechner via Guix-patches via's message of "Thu, 1 May 2025 06:42:36 -0700")
References: <878qnj80pt.fsf@iscas.ac.cn>
Date: Fri, 02 May 2025 01:04:58 +0800
Message-ID: <87jz705kjp.fsf@z572.online>
Cc: Maxim Cournoyer, Ludovic Courtès, Gabriel Wicki, Z572, Florian Pelz, 72316@debbugs.gnu.org, Felix Lechner, Matthew Trzcinski

Felix Lechner via Guix-patches via writes: > Change-Id: I1da0fe25f542cf9d8c22d26a7434f952585119e6 > --- > doc/guix.texi | 89 ++++++++++++++++++++++++++++++++++++ > gnu/local.mk | 1 + > gnu/services/pam.scm | 105 +++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 195 insertions(+) > create mode 100644 gnu/services/pam.scm > > diff --git a/doc/guix.texi b/doc/guix.texi > index 90d90b2e1eb..11480cb0ae5 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi > @@ -412,6 +412,7 @@ Top > * Telephony Services:: Telephony services. > * File-Sharing Services:: File-sharing services. > * Monitoring Services:: Monitoring services. > +* Guile-PAM Services:: Guile-PAM services. > * Kerberos Services:: Kerberos services. > * LDAP Services:: LDAP services. > * Web Services:: Web servers. > @@ -19437,6 +19438,7 @@ Services > * Telephony Services:: Telephony services. > * File-Sharing Services:: File-sharing services. > * Monitoring Services:: Monitoring services. > +* Guile-PAM Services:: Guile-PAM services. > * Kerberos Services:: Kerberos services. > * LDAP Services:: LDAP services. > * Web Services:: Web servers. 
> @@ -33149,6 +33151,93 @@ Monitoring Services > @end deftp >=20=20 >=20=20 > +@c %end of fragment > + > +@node Guile-PAM Services > +@subsection Guile-PAM Services > +@cindex Guile-PAM > + > +The @code{(gnu services pam)} module provides services related to the > +authentication mechanism @dfn{Guile-PAM}. > + > +Guile-PAM is a reimplementation in GNU Guile of the venerable Linux-PAM > +authentication system. For details, please have a look at the Texinfo > +manual in the @code{guile-pam} package. > + > +@defvar guile-pam-module-service-type > +A service type for Guile-PAM modules. > +@end defvar > + > +@noindent > +Here is an example of its use: > +@lisp > +(define welcome-pamda-file > + (scheme-file > + "welcome-pamda-file" > + #~(begin > + (use-modules (ice-9 format)) > + > + (lambda (action handle flags options) > + (case action > + ;; authentication management > + ((pam_sm_authenticate) > + (format #t "In a working module, we would now identify you.~= %")) > + ((pam_sm_setcred) > + (format #t "In a working module, we would now help you manag= e additional credentials.~%")) > + ;; account management > + ((pam_sm_acct_mgmt) > + (format #t "In a working module, we would now confirm your a= ccess rights.~%")) > + ;; password management > + ((pam_sm_chauthtok) > + (format #t "In a working module, we would now change your pa= ssword.~%")) > + ;; session management > + ((pam_sm_open_session) > + (format #t "In a working module, we would now open a session= for you.~%")) > + ((pam_sm_close_session) > + (format #t "In a working module, we would now close your ses= sion.~%")) > + (else > + (format #t "In a working module, we would not know what to d= o about action '~s'.~%" > + action))) > + 'PAM_SUCCESS)))) > + > +(service guile-pam-module-service-type > + (guile-pam-module-configuration > + (rules "optional") > + (module welcome-pamda-file) > + (services '("login" > + "greetd" > + "su" > + "slim" > + "gdm-password" > + "sddm")))) > +@end lisp > + > +@c %start of 
fragment > + > +@deftp {Data Type} guile-pam-module-configuration > +Available @code{guile-pam-module-configuration} fields are: > + > +@table @asis > +@item @code{rules} (type: maybe-string) > +Determines how the module's return value is evaluated. > + > +@item @code{module} (type: maybe-file-like) > +A Guile-PAM pamda file or a classical PAM module. > + > +@item @code{services} (type: maybe-list-of-strings) > +List of PAM service names for which to install the module. > + > +@item @code{guile-inputs} (type: maybe-list-of-packages) > +Guile inputs available in the PAM module > + > +@item @code{foreign-library-path} (type: maybe-list-of-packages) > +Search path for shared objects and libraries. > + > +@end table > + > +@end deftp > + > + > @c %end of fragment >=20=20 > @node Kerberos Services > diff --git a/gnu/local.mk b/gnu/local.mk > index f6f95bbf10b..3d3da58d659 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -764,6 +764,7 @@ GNU_SYSTEM_MODULES =3D \ > %D%/services/networking.scm \ > %D%/services/nix.scm \ > %D%/services/nfs.scm \ > + %D%/services/pam.scm \ > %D%/services/pam-mount.scm \ > %D%/services/power.scm \ > %D%/services/science.scm \ > diff --git a/gnu/services/pam.scm b/gnu/services/pam.scm > new file mode 100644 > index 00000000000..a242067e380 > --- /dev/null > +++ b/gnu/services/pam.scm 
> @@ -0,0 +1,105 @@ > +;;; GNU Guix --- Functional package management for GNU > +;;; Copyright =C2=A9 2024 Felix Lechner > +;;; > +;;; This file is part of GNU Guix. > +;;; > +;;; GNU Guix is free software; you can redistribute it and/or modify it > +;;; under the terms of the GNU General Public License as published by > +;;; the Free Software Foundation; either version 3 of the License, or (at > +;;; your option) any later version. > +;;; > +;;; GNU Guix is distributed in the hope that it will be useful, but > +;;; WITHOUT ANY WARRANTY; without even the implied warranty of > +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +;;; GNU General Public License for more details. > +;;; > +;;; You should have received a copy of the GNU General Public License > +;;; along with GNU Guix. If not, see . > + > +(define-module (gnu services pam) > + #:use-module (gnu packages guile) > + #:use-module (gnu packages guile-xyz) > + #:use-module (gnu packages linux) > + #:use-module (gnu packages mes) > + #:use-module (gnu services) > + #:use-module (gnu services configuration) > + #:use-module (gnu system pam) > + #:use-module (guix gexp) > + #:use-module (guix packages) > + #:use-module (guix records) > + #:use-module (guix utils) > + #:use-module (srfi srfi-1) > + #:export (guile-pam-module-configuration)) > + > +(define-maybe string) > +(define-maybe list-of-strings) > +(define-maybe file-like) > + > +(define-maybe string-or-file-like) > +(define (string-or-file-like? val) > + (or (string? val) (file-like? val))) > + > +(define-maybe list-of-packages) > +(define (list-of-packages? val) > + (and (list? val) (map package? val)))

I think this should use (@ (srfi srfi-1) every), not map; otherwise this is always #t. And it should use `file-like?', which is friendlier to inferior packages.
> + > +(define-configuration/no-serialization guile-pam-module-configuration > + (rules > + maybe-string > + "Determines how the module's return value is evaluated.") > + (module > + maybe-file-like > + "A Guile-PAM pamda file or a classical PAM module.") > + (services > + maybe-list-of-strings > + "List of PAM service names for which to install the module.") > + (guile-inputs > + maybe-list-of-packages > + "Guile inputs available in the PAM module")

If I understand correctly, all guile-pam-modules share the same pam_guile and dependencies. Can we restrict this so that each different pam-module is its own separate dependency? (If possible in the future, I would even like to compile each of them to wasm separately, limiting the capabilities even more.)

> + (foreign-library-path > + maybe-list-of-packages > + "Search path for shared objects and libraries.") ) > + > +(define (guile-pam-module-service config) > + "Return a list of for guile-pam-module for CONFIG." > + (match-record > + config (foreign-library-path > + guile-inputs > + module > + rules > + services) > + (list > + (pam-extension > + (transformer > + (lambda (pam) > + (if (member (pam-service-name pam) services) > + (let* ((new-entry > + (pam-entry > + (control rules) > + (module module) > + (guile-inputs (if (eq? %unset-value guile-inputs) > + '() > + guile-inputs))

Looks like this patch depends on https://issues.guix.gnu.org/72316#10? I think it may not be possible to merge it directly.

> + (foreign-library-path (if (eq?
%unset-value fore= ign-library-path) > + '() > + foreign-library-path))= ))) > + (pam-service > + (inherit pam) > + (auth (append (pam-service-auth pam) > + (list new-entry))) > + (account (append (pam-service-account pam) > + (list new-entry))) > + (session (append (pam-service-session pam) > + (list new-entry))) > + (password (append (pam-service-password pam) > + (list new-entry))))) > + pam))))))) > + > +(define-public guile-pam-module-service-type > + (service-type > + (name 'guile-pam-module) > + (extensions (list (service-extension pam-root-service-type > + guile-pam-module-service))) > + (compose concatenate) > + (default-value (guile-pam-module-configuration)) > + (description "Load Guile code as part of Linux-PAM.")))
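Review bot: in the `@node Guile-PAM Services` hunk of doc/guix.texi, the example pamda returns `'PAM_SUCCESS` from `pam_sm_authenticate` (and from every other action) without checking anything, and nothing in the surrounding text says that this is only harmless because `(rules "optional")` leaves the decision to the other modules in the stack; the same file installed into `login`, `su` or `gdm-password` with `rules "sufficient"` would authenticate everybody. Suggest a sentence beside the example saying that a module which implements no check for an action should return `'PAM_IGNORE` for it, and that `rules` is the Linux-PAM control field (`required`, `requisite`, `sufficient`, `optional`); the `@item @code{rules}` entry currently says only "Determines how the module's return value is evaluated." Also, `Guile inputs available in the PAM module` lacks its full stop.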
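Review bot: in `guile-pam-module-service` in the gnu/services/pam.scm hunk, `services`, `rules` and `module` are used without checking that they were set, although all three are `maybe-` fields and `default-value` is a bare `(guile-pam-module-configuration)`: `(member (pam-service-name pam) services)` with `services` still at `%unset-value` is not a list lookup, and `(control rules)` would build an entry with no control keyword. Either drop the `maybe-` from those three fields, since the service means nothing without them, or check them at the top of `guile-pam-module-service` and report a configuration error naming the field. Two further points in the same hunk: the new entry is appended to the `auth`, `account`, `session` and `password` stacks of every listed service at once, so a pamda that only implements `pam_sm_open_session` is still consulted during authentication (per-stack fields would narrow that); and `(compose concatenate)` has no matching `extend`, so the type is not actually extensible and the line is dead, while `maybe-string-or-file-like`, `(gnu packages guile)`, `(gnu packages guile-xyz)`, `(gnu packages linux)`, `(gnu packages mes)` and `(guix utils)` are defined or imported but never referenced.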

From: Felix Lechner
To: Maxim Cournoyer
Subject: Re: [PATCH v2 1/3] Add guile-pam.
In-Reply-To: <87y0vg76ab.fsf@gmail.com> (Maxim Cournoyer's message of "Thu, 01 May 2025 23:30:04 +0900")
References: <878qnj80pt.fsf@iscas.ac.cn> <87y0vg76ab.fsf@gmail.com>
Date: Sun, 11 May 2025 10:16:41 -0700
Message-ID: <87y0v3jcee.fsf@lease-up.com>
Cc: 72316@debbugs.gnu.org, Ludovic Courtès, Z572, Florian Pelz, Matthew Trzcinski

Hi Maxim,

On Thu, May 01 2025, Maxim Cournoyer wrote:

> you need a GNU ChangeLog message

A ChangeLog message that's acceptable to you, together with the other adjustments you suggested, falls in my book within the responsibilities of the GNU Guix maintainers.

Z572's comments have merit; I will address them in short order.

Please just allow me to state that the package definition is useful on its own. Patch one provides the shared object pam_guile.so that allows users to deploy PAM modules written in GNU Guile. People have tried for decades to bring interpreted languages to PAM. Since GNU Guile is also the configuration language for Guix System, I believe there is potentially a benefit for your users.

For details, please have a look at the upstream documentation. [1] I am Guile-PAM's upstream maintainer and hope to provide comprehensive and timely assistance over there.
Kind regards
Felix

[1] https://juix.org/guile-pam/#From-PAM-to-Guile

From: Felix Lechner
To: Z572
Subject: Re: [bug#72316] [PATCH v2 1/3] Add guile-pam.
In-Reply-To: <871pt87490.fsf@z572.online> (z572@z572.online's message of "Thu, 01 May 2025 23:14:03 +0800")
References: <878qnj80pt.fsf@iscas.ac.cn> <871pt87490.fsf@z572.online>
Date: Sun, 11 May 2025 10:36:18 -0700
Message-ID: <87selbjbhp.fsf@lease-up.com>
Cc: Maxim Cournoyer, Wilko Meyer, Ludovic Courtès, Z572, Florian Pelz, Leo Famulari, 72316@debbugs.gnu.org, Matthew Trzcinski, Felix Lechner via Guix-patches via

Hi Z572,

On Thu, May 01 2025, Z572 wrote:

> Felix Lechner via Guix-patches via writes:
>
> > this commit is after v0.0.1.

Nice catch, thank you! I created the tag v0.0.3 as an alias for commit 5ea70a5d. Feel free to use either.

> why is linux-pam both in native-inputs and inputs? Is it required when
> cross compiling?

I cannot remember, and do not understand the function of native-inputs.

> Please add a comment on why we can't just use nyacc.

Matt Wesche made changes and bug fixes on my behalf. Most notable is the new Cdata interface [1] which replaced Guile-Bytestructures. [2]

[1] https://www.nongnu.org/nyacc/cdata.html
[2] https://www.nongnu.org/nyacc/nyacc-fh-ug.html

Kind regards
Felix

From: Felix Lechner
To: Z572
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
In-Reply-To: <87jz705kjp.fsf@z572.online> (z572@z572.online's message of "Fri, 02 May 2025 01:04:58 +0800")
References: <878qnj80pt.fsf@iscas.ac.cn> <87jz705kjp.fsf@z572.online>
Date: Sun, 11 May 2025 11:03:47 -0700
Message-ID: <87jz6nja7w.fsf@lease-up.com>
Cc: Maxim Cournoyer, Ludovic Courtès, Gabriel Wicki, Z572, Florian Pelz, 72316@debbugs.gnu.org, Matthew Trzcinski, Felix Lechner via Guix-patches via

Hi Z572,

On Fri, May 02 2025, Z572 wrote:

> I think this should use (@ (srfi srfi-1) every), not map; otherwise this
> is always #t. And it should use `file-like?', which is friendlier to inferior packages.

You are probably right. Please feel free to adjust the validator.

I personally do not use the configuration-record's type checking features anymore. I will present my configuration system, which also disentangles the painful splicing of values into the command line, soon.

> If I understand correctly, all guile-pam-modules share the same
> pam_guile and dependencies. Can we restrict this so that each different
> pam-module is its own separate dependency?

I do not understand your sentence (and am not sure it's true). The Guile prerequisites are for the modules your users write.

> (If possible in the future, I would even like to compile each of them to
> wasm separately, limiting the capabilities even more.)

I am a fan of WASM. What does it have to do with Guile-PAM, please?

> Looks like this patch depends on https://issues.guix.gnu.org/72316#10?
Yeah, that happened because I wrote the service to integrate Guile-PAM into the existing Guix stack. It quickly proved superior, however, to use Guile-PAM's stack, which is nearly identical. [1][2]

An easy solution would be to merge patches two and three into a single patch.

Kind regards
Felix

[1] https://juix.org/guile-pam/#Skipping-of-actions-on-PAM_005fIGNORE_002e
[2] https://juix.org/guile-pam/#Legacy-instruction-sets
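The "nearly identical" stack Felix refers to is the Linux-PAM dispatch that decides what `(rules "optional")` in the patch's documentation example actually means for the welcome module. Here, as an added illustration that is not code from Guile-PAM, Linux-PAM or the patch, is a small Guile script modelling that dispatch: it encodes the four classic control keywords as the `[value=action]` tables from pam.conf(5), runs the manual's unconditional-PAM_SUCCESS module under `optional` and under `sufficient` against a rejecting stand-in for pam_unix, and handles `PAM_IGNORE` the way the "skipping of actions" link describes. It assumes, as the thread asserts but does not show, that Guile-PAM's stack follows the same tables; the module procedures and the `stack-entry` record are this example's own names.

```scheme
;;; pam-stack-sim.scm -- model of Linux-PAM's control-keyword dispatch.
;;; Added illustration; not code from Guile-PAM, Linux-PAM or the patch.
;;; Run with: guile pam-stack-sim.scm
(use-modules (srfi srfi-9)
             (ice-9 format))

;; One line of a PAM service file.  CONTROL is one of the four classic
;; keywords; MODULE is a procedure that takes the action symbol
;; (pam_sm_authenticate, pam_sm_acct_mgmt, ...) and returns a PAM status
;; symbol, the same shape as the pamda lambda in the patch's manual text.
(define-record-type <stack-entry>
  (stack-entry control module)
  stack-entry?
  (control stack-entry-control)
  (module  stack-entry-module))

(define (positive-status? status)
  (memq status '(PAM_SUCCESS PAM_NEW_AUTHTOK_REQD)))

;; The classic keywords as pam.conf(5) spells them out:
;;   required   = [success=ok   new_authtok_reqd=ok   ignore=ignore default=bad]
;;   requisite  = [success=ok   new_authtok_reqd=ok   ignore=ignore default=die]
;;   sufficient = [success=done new_authtok_reqd=done default=ignore]
;;   optional   = [success=ok   new_authtok_reqd=ok   default=ignore]
(define (control->action control status)
  (case control
    ((required)   (cond ((eq? status 'PAM_IGNORE) 'ignore)
                        ((positive-status? status) 'ok)
                        (else 'bad)))
    ((requisite)  (cond ((eq? status 'PAM_IGNORE) 'ignore)
                        ((positive-status? status) 'ok)
                        (else 'die)))
    ((sufficient) (if (positive-status? status) 'done 'ignore))
    ((optional)   (if (positive-status? status) 'ok 'ignore))
    (else (error "unknown control keyword" control))))

(define (run-stack entries action)
  "Dispatch ACTION over ENTRIES, in order, and return the final status.
IMPRESSION records whether the stack has so far decided nothing ('undef),
decided for the caller ('positive) or against the caller ('negative)."
  (let loop ((entries entries) (impression 'undef) (status #f))
    (if (null? entries)
        ;; A stack in which no module spoke denies access.
        (if (eq? impression 'undef) 'PAM_PERM_DENIED status)
        (let* ((entry  (car entries))
               (rest   (cdr entries))
               (result ((stack-entry-module entry) action))
               ;; A fresh positive result may still set the status.
               (fresh? (or (eq? impression 'undef)
                           (and (eq? impression 'positive)
                                (eq? status 'PAM_NEW_AUTHTOK_REQD)))))
          (case (control->action (stack-entry-control entry) result)
            ((ignore) (loop rest impression status))
            ((ok)     (if fresh?
                          (loop rest 'positive result)
                          (loop rest impression status)))
            ;; done: stop with success unless something already failed.
            ((done)   (cond ((eq? impression 'negative)
                             (loop rest impression status))
                            (fresh? result)
                            (else status)))
            ;; bad: record the first failure but keep running the stack.
            ((bad)    (if (eq? impression 'negative)
                          (loop rest impression status)
                          (loop rest 'negative result)))
            ;; die: record the failure and stop at once.
            ((die)    (if (eq? impression 'negative) status result)))))))

;; The manual's welcome module: PAM_SUCCESS for every action, no check.
(define (welcome-module action) 'PAM_SUCCESS)
;; A stand-in for the real authenticator (pam_unix.so) rejecting the user.
(define (rejecting-module action) 'PAM_AUTH_ERR)

(define (demo)
  (for-each
   (lambda (label entries)
     (format #t "~a: ~a~%" label (run-stack entries 'pam_sm_authenticate)))
   '("optional welcome, then required pam_unix"
     "sufficient welcome, then required pam_unix"
     "required pam_unix, then sufficient welcome"
     "only a module answering PAM_IGNORE")
   (list (list (stack-entry 'optional welcome-module)
               (stack-entry 'required rejecting-module))
         (list (stack-entry 'sufficient welcome-module)
               (stack-entry 'required rejecting-module))
         (list (stack-entry 'required rejecting-module)
               (stack-entry 'sufficient welcome-module))
         (list (stack-entry 'required (lambda (action) 'PAM_IGNORE))))))

(demo)
```

Only the second arrangement, `sufficient` in front of the real authenticator, ends in PAM_SUCCESS, and it does so before pam_unix is consulted at all; the `optional` arrangement from the patch defers to the required module, a `sufficient` success after a required failure does not rescue the stack, and a stack that only answers PAM_IGNORE is denied. That last case is why a pamda that implements nothing for an action should return `'PAM_IGNORE` there rather than `'PAM_SUCCESS`.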

From: Maxim Cournoyer
To: Felix Lechner
Subject: Re: [PATCH v2 1/3] Add guile-pam.
In-Reply-To: <87y0v3jcee.fsf@lease-up.com> (Felix Lechner's message of "Sun, 11 May 2025 10:16:41 -0700")
References: <878qnj80pt.fsf@iscas.ac.cn> <87y0vg76ab.fsf@gmail.com> <87y0v3jcee.fsf@lease-up.com>
Date: Mon, 12 May 2025 16:38:31 +0900
Message-ID: <87wmamqnwo.fsf@gmail.com>
Cc: 72316@debbugs.gnu.org, Ludovic Courtès, Z572, Florian Pelz, Matthew Trzcinski

Hi Felix,

Felix Lechner writes:

> Hi Maxim,
>
> On Thu, May 01 2025, Maxim Cournoyer wrote:
>
>> you need a GNU ChangeLog message
>
> A ChangeLog message that's acceptable to you, together with the other
> adjustments you suggested, falls in my book within the responsibilities
> of the GNU Guix maintainers.

I think you meant s/GNU Guix maintainers/committers/.

I'd just say that it's more efficient if everybody does their part and strives to meet the standards rather than expecting someone to fix it up. By leaving things like the GNU ChangeLog for someone else to write, you lower the chances that the change gets merged quickly, since it becomes more bothersome for someone else to fill the gaps themselves before pushing.
-- 
Thanks,
Maxim

From: Z572
To: Felix Lechner
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
In-Reply-To: <87jz6nja7w.fsf@lease-up.com> (Felix Lechner's message of "Sun, 11 May 2025 11:03:47 -0700")
References: <878qnj80pt.fsf@iscas.ac.cn> <87jz705kjp.fsf@z572.online> <87jz6nja7w.fsf@lease-up.com>
Date: Tue, 13 May 2025 08:50:51 +0800
Message-ID: <87frh9e3kk.fsf@iscas.ac.cn>
Cc: Maxim Cournoyer, Ludovic Courtès, Gabriel Wicki, Florian Pelz, 72316@debbugs.gnu.org, Z572, Matthew Trzcinski, Felix Lechner via Guix-patches via

Felix Lechner writes:

> Hi Z572,
>
> On Fri, May 02 2025, Z572 wrote:
>
>> I think this should use (@ (srfi srfi-1) every), not map; otherwise this
>> is always #t. And it should use `file-like?', which is friendlier to inferior packages.
>
> You are probably right. Please feel free to adjust the validator.
>
> I personally do not use the configuration-record's type checking
> features anymore. I will present my configuration system, which also
> disentangles the painful splicing of values into the command line, soon.
>
>> If I understand correctly, all guile-pam-modules share the same
>> pam_guile and dependencies. Can we restrict this so that each different
>> pam-module is its own separate dependency?
>
> I do not understand your sentence (and am not sure it's true). The
> Guile prerequisites are for the modules your users write.
If my module a needs guile-json-1 and module b needs guile-json-4, they cannot be used by the same Guile. Also, if a PAM module is broken, I don't want all PAM modules to be broken.

>
>> (If possible in the future, I would even like to compile each of them to
>> wasm separately, limiting the capabilities even more.)
>
> I am a fan of WASM. What does it have to do with Guile-PAM, please?

For example, I use hoot to compile the code to wasm, and load and interpret the wasm in pam-guile. If I don't need to access the file, I don't need the ability to read the file.

>
>> Looks like this patch depends on https://issues.guix.gnu.org/72316#10?
>
> Yeah, that happened because I wrote the service to integrate Guile-PAM
> into the existing Guix stack. It quickly proved superior, however, to
> use Guile-PAM's stack, which is nearly identical. [1][2]

I think it is possible to use gexp's with-extensions, with-imported-modules, etc., instead of adding a guile-inputs option.

>
> An easy solution would be to merge patches two and three into a single
> patch.
>
> Kind regards
> Felix
>
> [1]
> https://juix.org/guile-pam/#Skipping-of-actions-on-PAM_005fIGNORE_002e
> [2] https://juix.org/guile-pam/#Legacy-instruction-sets

From: Felix Lechner
To: Maxim Cournoyer
Subject: Re: [PATCH v2 1/3] Add guile-pam.
In-Reply-To: <87wmamqnwo.fsf@gmail.com> (Maxim Cournoyer's message of "Mon, 12 May 2025 16:38:31 +0900")
References: <878qnj80pt.fsf@iscas.ac.cn> <87y0vg76ab.fsf@gmail.com> <87y0v3jcee.fsf@lease-up.com> <87wmamqnwo.fsf@gmail.com>
Date: Mon, 12 May 2025 19:50:57 -0700
Message-ID: <87v7q5gr5a.fsf@lease-up.com>
Cc: 72316@debbugs.gnu.org, Ludovic Courtès, Z572, Florian Pelz, Matthew Trzcinski

Hi Maxim,

On Mon, May 12 2025, Maxim Cournoyer wrote:

> I think you meant s/GNU Guix maintainers/committers/.

Well, I meant maintainers in the common sense. [1]

[1] https://en.wikipedia.org/wiki/Software_maintainer

> it's more efficient if everybody does their part

It may be more efficient for you, but it's not more efficient for me.

As an aside, I maintained a project with many contributors (Debian's Lintian) and didn't nitpick. I adjusted commits to my liking, credited authorship, and accepted contributions because they were beneficial to my project. That's also how I will treat you when you come to Guile-PAM.

> By leaving things like the GNU ChangeLog for someone else to write,
> you lower the chances that the change gets merged quickly

Could I see your analysis, please? From my experience, a proper commit message does nothing to make acceptance in GNU Guix any faster.

> it becomes more bothersome for someone else to fill the gaps
> themselves before pushing.

Okay, so you find tasks bothersome that I think are part of a maintainer's role.
I think it would have been more productive than this exchange if you had simply added the missing space yourself and made other needed changes that your trained eyes, which know Guix much better than I, saw in seconds. How long does it take to type a space and write a one-line commit message you like?

Kind regards,
Felix

From: Felix Lechner
To: Z572
Cc: Maxim Cournoyer, Ludovic Courtès, Gabriel Wicki, Florian Pelz, 72316@debbugs.gnu.org, Matthew Trzcinski
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
Date: Mon, 12 May 2025 19:57:12 -0700
Message-ID: <87plgdgquv.fsf@lease-up.com>

Hi Z572,

On Tue, May 13 2025, Z572 wrote:

> If my module a needs guile-json-1,
> module b needs guile-json-4, they cannot be used by the same guile.
> Also, if a pam module is broken, I don't want all pam modules to be broken.

> For example, I use hoot to compile the code to wasm, and load and
> interpret the wasm in pam-guile. If I don't need to access the file, I
> don't need the ability to read the file.
>
> I think it is possible to use gexp's with-extensions,
> with-imported-modules, etc., instead of adding a guile-inputs option.

Feel free to adjust the patches. Otherwise, your ideas and demands are vaporware. The patches I sent have been working in production for a year.

For any changes needed at Guile-PAM, I am happy to look at your contributions over there as long as you agree to release your code under the GPLv3+ license.

Kind regards,
Felix

From: Maxim Cournoyer
To: Felix Lechner
Cc: Ludovic Courtès, Gabriel Wicki, Z572, Florian Pelz, 72316@debbugs.gnu.org, Matthew Trzcinski
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
Date: Wed, 14 May 2025 23:26:45 +0900
Message-ID: <87o6vvl13u.fsf@gmail.com>

Hi Felix,

Felix Lechner writes:

> Hi Z572,
>
> On Tue, May 13 2025, Z572 wrote:
>
>> If my module a needs guile-json-1,
>> module b needs guile-json-4, they cannot be used by the same guile.
>> Also, if a pam module is broken, I don't want all pam modules to be broken.
>
>> For example, I use hoot to compile the code to wasm, and load and
>> interpret the wasm in pam-guile. If I don't need to access the file, I
>> don't need the ability to read the file.
>>
>> I think it is possible to use gexp's with-extensions,
>> with-imported-modules, etc., instead of adding a guile-inputs option.
>
> Feel free to adjust the patches. Otherwise, your ideas and demands are
> vaporware. The patches I sent have been working in production for a
> year.

That's not a constructive way to approach code reviews. I'd like to remind you that we strive for welcoming and positive interactions in the Guix project, as enshrined in our Code of Conduct.
People have graciously taken their own time to look at your changes and suggest improvements or ideas. The least you can do in return is to show some gratitude for it, not dismiss their feedback as something you can't be bothered with.

--
Thanks,
Maxim

From: Felix Lechner
To: Maxim Cournoyer
Cc: Ludovic Courtès, Gabriel Wicki, Z572, Florian Pelz, 72316@debbugs.gnu.org, Matthew Trzcinski
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
Date: Wed, 14 May 2025 08:28:02 -0700
Message-ID: <878qmzgqkd.fsf@lease-up.com>

Hi Maxim,

On Wed, May 14 2025, Maxim Cournoyer wrote:

> That's not a constructive way to approach code reviews.

Nitpicking people for missing spaces or other form errors is not productive. As for the commit messages, I do not get their point: They duplicate facts from the diff and offer no forensic improvements over 'git blame.' Furthermore, their use as ChangeLog entries is an anachronism for a project with a rolling release model.

> I'd like to remind you that we strive for a welcoming and positive
> interactions in the Guix project, as enshrined in our Code of Conduct.

Please focus on the merits of Guile-PAM! This is the second time you attacked my person and threatened me with condescending and moralizing messages. The other time was unsolicited and in private on March 9, for which you apologized. The code of conduct allows for these incidents to be reported.

What do you think about my patches, please?
Do you see any benefits or drawbacks in using Guile-PAM in Guix? Where do you want to take authentication in Guix System? Could Guile-PAM help your users to configure their authentication methods with greater flexibility and individuality, or do you prefer the trusted but precompiled modules of Linux-PAM? In short, wouldn't Guile-PAM be a cool addition to GNU Guix?

> People have graciously taken their own time to look at your changes and
> suggest improvements or ideas. The least you can do in return is to
> show some gratitude for it, not dismiss their feedback as something you
> can't be bothered with.

As a maintainer, it is your duty to review contributions. If that bothers you, you might want to think about stepping aside. Also, please stop using your elevated position to domineer people who try to contribute in good faith. It's not good stewardship.

Thank you for GNU Guix! It's the coolest software project I ever saw. Let's make it better together!

Kind regards
Felix

From: Maxim Cournoyer
To: Felix Lechner
Cc: ludo@gnu.org, gabriel@erlikon.ch, zhengjunjie@iscas.ac.cn, pelzflorian@pelzflorian.de, 72316@debbugs.gnu.org, z572@z572.online, matt@excalamus.com
Subject: Re: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service.
Date: Thu, 15 May 2025 09:25:37 +0900
Message-ID: <87cycalny6.fsf@gmail.com>

Hi Felix,

My previous email was about your way to interact with others in this thread, which I think is below the expectations set in this community, namely, being dismissive of others' feedback. Guix is a social project before being a technical one, therefore being able to work together is more valuable than technical merits alone.

I'm disappointed that instead of taking pause and adjusting, you appear to have chosen to deflect with passive-aggressive assertions and other not-so-kind suggestions. Please stop, and consider yourself warned.

--
Thanks,
Maxim