* [bug#63383] [PATCH 0/4] Various PAM improvements
@ 2023-05-09 0:56 Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files Felix Lechner via Guix-patches via
` (5 more replies)
0 siblings, 6 replies; 10+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-05-09 0:56 UTC (permalink / raw)
To: 63383; +Cc: Felix Lechner
This commit series makes several improvements to the way Linux-PAM is used in
Guix. Most notably, it employs absolute paths into the store where
possible. The series also improves significantly on the system test for
pam_limits.
These commits have been tested and already being deployed in production.
Additional details are in the commit messages.
Felix Lechner (4):
In PAM test, confirm ulimits actually imposed instead of comparing
config files.
Drop limits.conf from /etc/security; use directly in
pam-limits-service-type.
Refer to the built-in Linux-PAM modules by their absolute paths.
Use more file-append.
gnu/services/authentication.scm | 2 +-
gnu/services/base.scm | 65 +++++++++++++++---------------
gnu/services/kerberos.scm | 2 +-
gnu/services/lightdm.scm | 60 ++++++++++++++++++++--------
gnu/services/pam-mount.scm | 2 +-
gnu/services/sddm.scm | 33 ++++++++--------
gnu/services/xorg.scm | 5 ++-
gnu/system/pam.scm | 20 +++++-----
gnu/tests/pam.scm | 70 ++++++++++++++++++---------------
9 files changed, 146 insertions(+), 113 deletions(-)
base-commit: d1aba42ad4e1909faa21d484975c5954c778e002
--
2.39.2
^ permalink raw reply [flat|nested] 10+ messages in thread
* [bug#63383] [PATCH 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files.
2023-05-09 0:56 [bug#63383] [PATCH 0/4] Various PAM improvements Felix Lechner via Guix-patches via
@ 2023-05-09 0:58 ` Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type Felix Lechner via Guix-patches via
` (4 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-05-09 0:58 UTC (permalink / raw)
To: 63383; +Cc: Felix Lechner
This revised system test is superior to the one accepted when Bug#61744 was
closed because it confirms whether the configured limits are actually being
enforced upon login.
The previous test merely validated the serialization of one particular config
in the config file.
* gnu/tests/pam.scm (pam-limits-service): Revise test to confirm limits on
login.
---
gnu/tests/pam.scm | 70 +++++++++++++++++++++++++----------------------
1 file changed, 38 insertions(+), 32 deletions(-)
diff --git a/gnu/tests/pam.scm b/gnu/tests/pam.scm
index 1654396e42..fa480e69ff 100644
--- a/gnu/tests/pam.scm
+++ b/gnu/tests/pam.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2023 Bruno Victal <mirai@makinata.eu>
+;;; Copyright © 2023 Felix Lechner <felix.lechner@lease-up.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -25,8 +26,7 @@ (define-module (gnu tests pam)
#:use-module (gnu system vm)
#:use-module (guix gexp)
#:use-module (ice-9 format)
- #:export (%test-pam-limits
- %test-pam-limits-deprecated))
+ #:export (%test-pam-limits))
\f
;;;
@@ -35,26 +35,29 @@ (define-module (gnu tests pam)
(define pam-limit-entries
(list
- (pam-limits-entry "@realtime" 'both 'rtprio 99)
- (pam-limits-entry "@realtime" 'both 'memlock 'unlimited)))
+ ;; make sure the limits apply to root (uid 0)
+ (pam-limits-entry ":0" 'both 'rtprio 99) ;default is 0
+ (pam-limits-entry ":0" 'both 'memlock 'unlimited))) ;default is 8192 kbytes
(define (run-test-pam-limits config)
"Run tests in a os with pam-limits-service-type configured."
(define os
(marionette-operating-system
(simple-operating-system
- (service pam-limits-service-type config))))
+ (service pam-limits-service-type config))
+ #:imported-modules '((gnu services herd))))
(define vm
(virtual-machine os))
- (define name (format #f "pam-limit-service~:[~;-deprecated~]"
- (file-like? config)))
+ (define name "pam-limits-service")
(define test
- (with-imported-modules '((gnu build marionette))
+ (with-imported-modules '((gnu build marionette)
+ (guix build syscalls))
#~(begin
(use-modules (gnu build marionette)
+ (guix build syscalls)
(srfi srfi-64))
(let ((marionette (make-marionette (list #$vm))))
@@ -63,18 +66,32 @@ (define test
(test-begin #$name)
- (test-assert "/etc/security/limits.conf ready"
- (wait-for-file "/etc/security/limits.conf" marionette))
+ (test-equal "log in on tty1 and read limits"
+ '(("99") ;real-time priority
+ ("unlimited")) ;max locked memory
- (test-equal "/etc/security/limits.conf content matches"
- #$(string-join (map pam-limits-entry->string pam-limit-entries)
- "\n" 'suffix)
- (marionette-eval
- '(begin
- (use-modules (rnrs io ports))
- (call-with-input-file "/etc/security/limits.conf"
- get-string-all))
- marionette))
+ (begin
+ ;; Wait for tty1.
+ (marionette-eval '(begin
+ (use-modules (gnu services herd))
+ (start-service 'term-tty1))
+ marionette)
+
+ (marionette-control "sendkey ctrl-alt-f1" marionette)
+
+ ;; Now we can type.
+ (marionette-type "root\n" marionette)
+ (marionette-type "ulimit -r > real-time-priority\n" marionette)
+ (marionette-type "ulimit -l > max-locked-memory\n" marionette)
+
+ ;; Read the two files.
+ (marionette-eval '(use-modules (rnrs io ports)) marionette)
+ (let ((guest-file (lambda (file)
+ (string-tokenize
+ (wait-for-file file marionette
+ #:read 'get-string-all)))))
+ (list (guest-file "/root/real-time-priority")
+ (guest-file "/root/max-locked-memory")))))
(test-end)))))
@@ -83,17 +100,6 @@ (define test
(define %test-pam-limits
(system-test
(name "pam-limits-service")
- (description "Test that pam-limits-service can serialize its config
-(as a list) to @file{limits.conf}.")
+ (description "Test that pam-limits-service actually sets the limits as
+configured.")
(value (run-test-pam-limits pam-limit-entries))))
-
-(define %test-pam-limits-deprecated
- (system-test
- (name "pam-limits-service-deprecated")
- (description "Test that pam-limits-service can serialize its config
-(as a file-like object) to @file{limits.conf}.")
- (value (run-test-pam-limits
- (plain-file "limits.conf"
- (string-join (map pam-limits-entry->string
- pam-limit-entries)
- "\n" 'suffix))))))
--
2.39.2
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [bug#63383] [PATCH 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type.
2023-05-09 0:56 [bug#63383] [PATCH 0/4] Various PAM improvements Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files Felix Lechner via Guix-patches via
@ 2023-05-09 0:58 ` Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 3/4] Refer to the built-in Linux-PAM modules by their absolute paths Felix Lechner via Guix-patches via
` (3 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-05-09 0:58 UTC (permalink / raw)
To: 63383; +Cc: Felix Lechner
This commit was tested and is already deployed in production.
* gnu/services/base.scm: Drop config file limits.conf from /etc; use absolute
path in store instead.
---
gnu/services/base.scm | 59 ++++++++++++++++++++-----------------------
1 file changed, 28 insertions(+), 31 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4adb551796..16dcc55483 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1608,36 +1608,34 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration)))
(define pam-limits-service-type
(let ((pam-extension
- (lambda (pam)
- (let ((pam-limits (pam-entry
- (control "required")
- (module "pam_limits.so")
- (arguments
- '("conf=/etc/security/limits.conf")))))
- (if (member (pam-service-name pam)
- '("login" "greetd" "su" "slim" "gdm-password" "sddm"
- "sudo" "sshd"))
- (pam-service
- (inherit pam)
- (session (cons pam-limits
- (pam-service-session pam))))
- pam))))
-
- ;; XXX: Using file-like objects is deprecated, use lists instead.
- ;; This is to be reduced into the list? case when the deprecated
- ;; code gets removed.
- ;; Create /etc/security containing the provided "limits.conf" file.
- (security-limits
+ (lambda (limits-file)
+ (lambda (pam)
+ (let ((pam-limits (pam-entry
+ (control "required")
+ (module "pam_limits.so")
+ (arguments
+ (list #~(string-append "conf=" #$limits-file))))))
+ (if (member (pam-service-name pam)
+ '("login" "greetd" "su" "slim" "gdm-password" "sddm"
+ "sudo" "sshd"))
+ (pam-service
+ (inherit pam)
+ (session (cons pam-limits
+ (pam-service-session pam))))
+ pam)))))
+ (make-limits-file
(match-lambda
+ ;; XXX: Using file-like objects is deprecated, use lists instead.
+ ;; This is to be reduced into the list? case when the deprecated
+ ;; code gets removed.
((? file-like? obj)
(warning (G_ "Using file-like value for \
'pam-limits-service-type' is deprecated~%"))
- `(("security/limits.conf" ,obj)))
+ obj)
((? list? lst)
- `(("security/limits.conf"
- ,(plain-file "limits.conf"
- (string-join (map pam-limits-entry->string lst)
- "\n" 'suffix)))))
+ (plain-file "limits.conf"
+ (string-join (map pam-limits-entry->string lst)
+ "\n" 'suffix)))
(_ (raise
(formatted-message
(G_ "invalid input for 'pam-limits-service-type'~%")))))))
@@ -1645,13 +1643,12 @@ (module "pam_limits.so")
(service-type
(name 'limits)
(extensions
- (list (service-extension etc-service-type security-limits)
- (service-extension pam-root-service-type
- (lambda _ (list pam-extension)))))
+ (list (service-extension pam-root-service-type
+ (lambda (config)
+ (list (pam-extension (make-limits-file config)))))))
(description
- "Install the specified resource usage limits by populating
-@file{/etc/security/limits.conf} and using the @code{pam_limits}
-authentication module.")
+ "Use the @code{pam_limits} authentication module to set the specified
+resource usage limits.")
(default-value '()))))
(define-deprecated (pam-limits-service #:optional (limits '()))
--
2.39.2
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [bug#63383] [PATCH 3/4] Refer to the built-in Linux-PAM modules by their absolute paths.
2023-05-09 0:56 [bug#63383] [PATCH 0/4] Various PAM improvements Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type Felix Lechner via Guix-patches via
@ 2023-05-09 0:58 ` Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 4/4] Use more file-append Felix Lechner via Guix-patches via
` (2 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-05-09 0:58 UTC (permalink / raw)
To: 63383; +Cc: Felix Lechner
In the complex world that is Guix, this commit allows the processing of PAM
stacks by means other than the official libpam.so.
An assumption was voiced that absolute paths here might be unfavorable for
upgrades [1] but the author of this commit is not sure about that.
[1] https://issues.guix.gnu.org/61744#6
This commit was tested and is already being deployed in production.
* gnu/services/base.scm
* gnu/services/lightdm.scm
* gnu/services/sddm.scm
* gnu/services/xorg.scm
* gnu/system/pam.scm: Refer to the built-in PAM modules, which are shipped
with Linux-PAM, by their absolute paths in the store.
---
gnu/services/base.scm | 6 ++--
gnu/services/lightdm.scm | 60 +++++++++++++++++++++++++++++-----------
gnu/services/sddm.scm | 33 +++++++++++-----------
gnu/services/xorg.scm | 5 ++--
gnu/system/pam.scm | 20 +++++++-------
5 files changed, 77 insertions(+), 47 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 16dcc55483..9f1671e142 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -58,8 +58,8 @@ (define-module (gnu services base)
#:use-module (gnu packages admin)
#:use-module ((gnu packages linux)
#:select (alsa-utils btrfs-progs crda eudev
- e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools
- util-linux xfsprogs))
+ e2fsprogs f2fs-tools fuse gpm kbd linux-pam lvm2
+ rng-tools util-linux xfsprogs))
#:use-module (gnu packages bash)
#:use-module ((gnu packages base)
#:select (coreutils glibc glibc-utf8-locales tar
@@ -1612,7 +1612,7 @@ (define pam-limits-service-type
(lambda (pam)
(let ((pam-limits (pam-entry
(control "required")
- (module "pam_limits.so")
+ (module (file-append linux-pam "/lib/security/pam_limits.so"))
(arguments
(list #~(string-append "conf=" #$limits-file))))))
(if (member (pam-service-name pam)
diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm
index 0b9094cda1..b820c7dcf3 100644
--- a/gnu/services/lightdm.scm
+++ b/gnu/services/lightdm.scm
@@ -24,6 +24,7 @@ (define-module (gnu services lightdm)
#:use-module (gnu packages display-managers)
#:use-module (gnu packages freedesktop)
#:use-module (gnu packages gnome)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages vnc)
#:use-module (gnu packages xorg)
#:use-module (gnu services configuration)
@@ -546,34 +547,61 @@ (define (lightdm-greeter-pam-service)
(name "lightdm-greeter")
(auth (list
;; Load environment from /etc/environment and ~/.pam_environment.
- (pam-entry (control "required") (module "pam_env.so"))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
;; Always let the greeter start without authentication.
- (pam-entry (control "required") (module "pam_permit.so"))))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; No action required for account management
- (account (list (pam-entry (control "required") (module "pam_permit.so"))))
+ (account (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; Prohibit changing password.
- (password (list (pam-entry (control "required") (module "pam_deny.so"))))
+ (password (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
;; Setup session.
- (session (list (pam-entry (control "required") (module "pam_unix.so"))))))
+ (session (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (lightdm-autologin-pam-service)
"Return a PAM service for @command{lightdm-autologin}}."
(pam-service
(name "lightdm-autologin")
- (auth
- (list
- ;; Block login if user is globally disabled.
- (pam-entry (control "required") (module "pam_nologin.so"))
- (pam-entry (control "required") (module "pam_succeed_if.so")
- (arguments (list "uid >= 1000")))
- ;; Allow access without authentication.
- (pam-entry (control "required") (module "pam_permit.so"))))
+ (auth (list
+ ;; Block login if user is globally disabled.
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
+ (arguments (list "uid >= 1000")))
+ ;; Allow access without authentication.
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; Stop autologin if account requires action.
- (account (list (pam-entry (control "required") (module "pam_unix.so"))))
+ (account (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
;; Prohibit changing password.
- (password (list (pam-entry (control "required") (module "pam_deny.so"))))
+ (password (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
;; Setup session.
- (session (list (pam-entry (control "required") (module "pam_unix.so"))))))
+ (session (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (lightdm-pam-services config)
(list (lightdm-pam-service config)
diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm
index 9e02f1cc81..6138a31f0d 100644
--- a/gnu/services/sddm.scm
+++ b/gnu/services/sddm.scm
@@ -23,6 +23,7 @@ (define-module (gnu services sddm)
#:use-module (gnu packages admin)
#:use-module (gnu packages display-managers)
#:use-module (gnu packages freedesktop)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages xorg)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
@@ -185,32 +186,32 @@ (define (sddm-pam-service config)
(list
(pam-entry
(control "requisite")
- (module "pam_nologin.so"))
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
(pam-entry
(control "required")
- (module "pam_env.so"))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
(pam-entry
(control "required")
- (module "pam_succeed_if.so")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
(arguments (list (string-append "uid >= "
(number->string (sddm-configuration-minimum-uid config)))
"quiet")))
;; should be factored out into system-auth
(pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(account
(list
;; should be factored out into system-account
(pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(password
(list
;; should be factored out into system-password
(pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
(arguments (list "sha512" "shadow" "try_first_pass")))))
(session
(list
@@ -218,7 +219,7 @@ (module "pam_unix.so")
;; should be factored out into system-session
(pam-entry
(control "required")
- (module "pam_unix.so"))))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (sddm-greeter-pam-service)
"Return a PAM service for @command{sddm-greeter}."
@@ -229,29 +230,29 @@ (define (sddm-greeter-pam-service)
;; Load environment from /etc/environment and ~/.pam_environment
(pam-entry
(control "required")
- (module "pam_env.so"))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
;; Always let the greeter start without authentication
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(account
(list
;; No action required for account management
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(password
(list
;; Can't change password
(pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(session
(list
;; Setup session
(pam-entry
(control "required")
- (module "pam_unix.so"))))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (sddm-autologin-pam-service config)
"Return a PAM service for @command{sddm-autologin}"
@@ -261,16 +262,16 @@ (define (sddm-autologin-pam-service config)
(list
(pam-entry
(control "requisite")
- (module "pam_nologin.so"))
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
(pam-entry
(control "required")
- (module "pam_succeed_if.so")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
(arguments (list (string-append "uid >= "
(number->string (sddm-configuration-minimum-uid config)))
"quiet")))
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(account
(list
(pam-entry
@@ -280,7 +281,7 @@ (module "sddm"))))
(list
(pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(session
(list
(pam-entry
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 7295a45b59..878a336d0d 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -50,6 +50,7 @@ (define-module (gnu services xorg)
#:use-module (gnu packages freedesktop)
#:use-module (gnu packages gnustep)
#:use-module (gnu packages gnome)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages admin)
#:use-module (gnu packages bash)
#:use-module (gnu system shadow)
@@ -1101,12 +1102,12 @@ (module (file-append (gdm-configuration-gdm config)
"/lib/security/pam_gdm.so")))
(pam-entry
(control "sufficient")
- (module "pam_permit.so")))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so"))))))
(pam-service
(inherit (unix-pam-service "gdm-launch-environment"))
(auth (list (pam-entry
(control "required")
- (module "pam_permit.so")))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so"))))))
(unix-pam-service "gdm-password"
#:login-uid? #t
#:allow-empty-passwords?
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index b635681642..5e6a209caf 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -194,7 +194,7 @@ (define %pam-other-services
;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.)
(let ((deny (pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(pam-service
(name "other")
(account (list deny))
@@ -205,10 +205,10 @@ (module "pam_deny.so"))))
(define unix-pam-service
(let ((unix (pam-entry
(control "required")
- (module "pam_unix.so")))
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))))
(env (pam-entry ; to honor /etc/environment.
(control "required")
- (module "pam_env.so"))))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))))
(lambda* (name #:key allow-empty-passwords? allow-root? motd
login-uid? gnupg?)
"Return a standard Unix-style PAM service for NAME. When
@@ -226,12 +226,12 @@ (module "pam_env.so"))))
(auth (append (if allow-root?
(list (pam-entry
(control "sufficient")
- (module "pam_rootok.so")))
+ (module (file-append linux-pam "/lib/security/pam_rootok.so"))))
'())
(list (if allow-empty-passwords?
(pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
(arguments '("nullok")))
unix))
(if gnupg?
@@ -241,20 +241,20 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
'())))
(password (list (pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
;; Store SHA-512 encrypted passwords in /etc/shadow.
(arguments '("sha512" "shadow")))))
(session `(,@(if motd
(list (pam-entry
(control "optional")
- (module "pam_motd.so")
+ (module (file-append linux-pam "/lib/security/pam_motd.so"))
(arguments
(list #~(string-append "motd=" #$motd)))))
'())
,@(if login-uid?
(list (pam-entry ;to fill in /proc/self/loginuid
(control "required")
- (module "pam_loginuid.so")))
+ (module (file-append linux-pam "/lib/security/pam_loginuid.so"))))
'())
,@(if gnupg?
(list (pam-entry
@@ -268,13 +268,13 @@ (define (rootok-pam-service command)
authenticate to run COMMAND."
(let ((unix (pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(pam-service
(name command)
(account (list unix))
(auth (list (pam-entry
(control "sufficient")
- (module "pam_rootok.so"))))
+ (module (file-append linux-pam "/lib/security/pam_rootok.so")))))
(password (list unix))
(session (list unix)))))
--
2.39.2
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [bug#63383] [PATCH 4/4] Use more file-append.
2023-05-09 0:56 [bug#63383] [PATCH 0/4] Various PAM improvements Felix Lechner via Guix-patches via
` (2 preceding siblings ...)
2023-05-09 0:58 ` [bug#63383] [PATCH 3/4] Refer to the built-in Linux-PAM modules by their absolute paths Felix Lechner via Guix-patches via
@ 2023-05-09 0:58 ` Felix Lechner via Guix-patches via
2023-05-12 18:51 ` [bug#63383] rebased Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files Felix Lechner via Guix-patches via
5 siblings, 0 replies; 10+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-05-09 0:58 UTC (permalink / raw)
To: 63383; +Cc: Felix Lechner
Based on the author's review of the code base as well as past commits, similar
invocations are in the process of being changed over from string-append to
file-append.
* gnu/services/authentication.scm
* gnu/services/base.scm
* gnu/services/kerberos.scm
* gnu/services/pam-mount.scm: Use more file-append instead of string-append.
---
gnu/services/authentication.scm | 2 +-
gnu/services/base.scm | 2 +-
gnu/services/kerberos.scm | 2 +-
gnu/services/pam-mount.scm | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm
index f7becdfafb..7c8900a280 100644
--- a/gnu/services/authentication.scm
+++ b/gnu/services/authentication.scm
@@ -504,7 +504,7 @@ (define (nslcd-shepherd-service config)
(define (pam-ldap-pam-service config)
"Return a PAM service for LDAP authentication."
(define pam-ldap-module
- #~(string-append #$(nslcd-configuration-nss-pam-ldapd config)
+ (file-append (nslcd-configuration-nss-pam-ldapd config)
"/lib/security/pam_ldap.so"))
(lambda (pam)
(if (member (pam-service-name pam)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 9f1671e142..9555dc3a46 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -3256,7 +3256,7 @@ (define (greetd-pam-service config)
(define optional-pam-mount
(pam-entry
(control "optional")
- (module #~(string-append #$greetd-pam-mount "/lib/security/pam_mount.so"))
+ (module (file-append greetd-pam-mount "/lib/security/pam_mount.so"))
(arguments '("disable_interactive"))))
(list
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index c3c7872734..38e78a8014 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -430,7 +430,7 @@ (define (pam-krb5-pam-service config)
"Return a PAM service for Kerberos authentication."
(lambda (pam)
(define pam-krb5-module
- #~(string-append #$(pam-krb5-configuration-pam-krb5 config)
+ (file-append (pam-krb5-configuration-pam-krb5 config)
"/lib/security/pam_krb5.so"))
(let ((pam-krb5-sufficient
diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm
index e60781d05b..1be209dff5 100644
--- a/gnu/services/pam-mount.scm
+++ b/gnu/services/pam-mount.scm
@@ -87,7 +87,7 @@ (define (pam-mount-pam-service config)
(define optional-pam-mount
(pam-entry
(control "optional")
- (module #~(string-append #$pam-mount "/lib/security/pam_mount.so"))))
+ (module (file-append pam-mount "/lib/security/pam_mount.so"))))
(list (lambda (pam)
(if (member (pam-service-name pam)
'("login" "greetd" "su" "slim" "gdm-password" "sddm"))
--
2.39.2
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [bug#63383] rebased
2023-05-09 0:56 [bug#63383] [PATCH 0/4] Various PAM improvements Felix Lechner via Guix-patches via
` (3 preceding siblings ...)
2023-05-09 0:58 ` [bug#63383] [PATCH 4/4] Use more file-append Felix Lechner via Guix-patches via
@ 2023-05-12 18:51 ` Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files Felix Lechner via Guix-patches via
5 siblings, 0 replies; 10+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-05-12 18:51 UTC (permalink / raw)
To: 63383
This patch series was rebased due to changes on the 'master' branch.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [bug#63383] [PATCH v2 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files.
2023-05-09 0:56 [bug#63383] [PATCH 0/4] Various PAM improvements Felix Lechner via Guix-patches via
` (4 preceding siblings ...)
2023-05-12 18:51 ` [bug#63383] rebased Felix Lechner via Guix-patches via
@ 2023-05-12 18:52 ` Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type Felix Lechner via Guix-patches via
` (2 more replies)
5 siblings, 3 replies; 10+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-05-12 18:52 UTC (permalink / raw)
To: 63383; +Cc: Felix Lechner
This revised system test is superior to the one accepted when Bug#61744 was
closed because it confirms whether the configured limits are actually being
enforced upon login.
The previous test merely validated the serialization of one particular config
in the config file.
* gnu/tests/pam.scm (pam-limits-service): Revise test to confirm limits on
login.
---
gnu/tests/pam.scm | 70 +++++++++++++++++++++++++----------------------
1 file changed, 38 insertions(+), 32 deletions(-)
diff --git a/gnu/tests/pam.scm b/gnu/tests/pam.scm
index 1654396e42..fa480e69ff 100644
--- a/gnu/tests/pam.scm
+++ b/gnu/tests/pam.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2023 Bruno Victal <mirai@makinata.eu>
+;;; Copyright © 2023 Felix Lechner <felix.lechner@lease-up.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -25,8 +26,7 @@ (define-module (gnu tests pam)
#:use-module (gnu system vm)
#:use-module (guix gexp)
#:use-module (ice-9 format)
- #:export (%test-pam-limits
- %test-pam-limits-deprecated))
+ #:export (%test-pam-limits))
\f
;;;
@@ -35,26 +35,29 @@ (define-module (gnu tests pam)
(define pam-limit-entries
(list
- (pam-limits-entry "@realtime" 'both 'rtprio 99)
- (pam-limits-entry "@realtime" 'both 'memlock 'unlimited)))
+ ;; make sure the limits apply to root (uid 0)
+ (pam-limits-entry ":0" 'both 'rtprio 99) ;default is 0
+ (pam-limits-entry ":0" 'both 'memlock 'unlimited))) ;default is 8192 kbytes
(define (run-test-pam-limits config)
"Run tests in a os with pam-limits-service-type configured."
(define os
(marionette-operating-system
(simple-operating-system
- (service pam-limits-service-type config))))
+ (service pam-limits-service-type config))
+ #:imported-modules '((gnu services herd))))
(define vm
(virtual-machine os))
- (define name (format #f "pam-limit-service~:[~;-deprecated~]"
- (file-like? config)))
+ (define name "pam-limits-service")
(define test
- (with-imported-modules '((gnu build marionette))
+ (with-imported-modules '((gnu build marionette)
+ (guix build syscalls))
#~(begin
(use-modules (gnu build marionette)
+ (guix build syscalls)
(srfi srfi-64))
(let ((marionette (make-marionette (list #$vm))))
@@ -63,18 +66,32 @@ (define test
(test-begin #$name)
- (test-assert "/etc/security/limits.conf ready"
- (wait-for-file "/etc/security/limits.conf" marionette))
+ (test-equal "log in on tty1 and read limits"
+ '(("99") ;real-time priority
+ ("unlimited")) ;max locked memory
- (test-equal "/etc/security/limits.conf content matches"
- #$(string-join (map pam-limits-entry->string pam-limit-entries)
- "\n" 'suffix)
- (marionette-eval
- '(begin
- (use-modules (rnrs io ports))
- (call-with-input-file "/etc/security/limits.conf"
- get-string-all))
- marionette))
+ (begin
+ ;; Wait for tty1.
+ (marionette-eval '(begin
+ (use-modules (gnu services herd))
+ (start-service 'term-tty1))
+ marionette)
+
+ (marionette-control "sendkey ctrl-alt-f1" marionette)
+
+ ;; Now we can type.
+ (marionette-type "root\n" marionette)
+ (marionette-type "ulimit -r > real-time-priority\n" marionette)
+ (marionette-type "ulimit -l > max-locked-memory\n" marionette)
+
+ ;; Read the two files.
+ (marionette-eval '(use-modules (rnrs io ports)) marionette)
+ (let ((guest-file (lambda (file)
+ (string-tokenize
+ (wait-for-file file marionette
+ #:read 'get-string-all)))))
+ (list (guest-file "/root/real-time-priority")
+ (guest-file "/root/max-locked-memory")))))
(test-end)))))
@@ -83,17 +100,6 @@ (define test
(define %test-pam-limits
(system-test
(name "pam-limits-service")
- (description "Test that pam-limits-service can serialize its config
-(as a list) to @file{limits.conf}.")
+ (description "Test that pam-limits-service actually sets the limits as
+configured.")
(value (run-test-pam-limits pam-limit-entries))))
-
-(define %test-pam-limits-deprecated
- (system-test
- (name "pam-limits-service-deprecated")
- (description "Test that pam-limits-service can serialize its config
-(as a file-like object) to @file{limits.conf}.")
- (value (run-test-pam-limits
- (plain-file "limits.conf"
- (string-join (map pam-limits-entry->string
- pam-limit-entries)
- "\n" 'suffix))))))
--
2.40.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [bug#63383] [PATCH v2 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type.
2023-05-12 18:52 ` [bug#63383] [PATCH v2 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files Felix Lechner via Guix-patches via
@ 2023-05-12 18:52 ` Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 3/4] Refer to the built-in Linux-PAM modules by their absolute paths Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 4/4] Use more file-append Felix Lechner via Guix-patches via
2 siblings, 0 replies; 10+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-05-12 18:52 UTC (permalink / raw)
To: 63383; +Cc: Felix Lechner
This commit was tested and is already deployed in production.
* gnu/services/base.scm: Drop config file limits.conf from /etc; use absolute
path in store instead.
---
gnu/services/base.scm | 63 +++++++++++++++++++++----------------------
1 file changed, 30 insertions(+), 33 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index fdc2c8c764..4bef781977 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1603,38 +1603,36 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration)))
(define pam-limits-service-type
(let ((pam-extension
- (pam-extension
- (transformer
- (lambda (pam)
- (let ((pam-limits (pam-entry
- (control "required")
- (module "pam_limits.so")
- (arguments
- '("conf=/etc/security/limits.conf")))))
- (if (member (pam-service-name pam)
- '("login" "greetd" "su" "slim" "gdm-password"
- "sddm" "sudo" "sshd"))
- (pam-service
- (inherit pam)
- (session (cons pam-limits
- (pam-service-session pam))))
- pam))))))
-
- ;; XXX: Using file-like objects is deprecated, use lists instead.
- ;; This is to be reduced into the list? case when the deprecated
- ;; code gets removed.
- ;; Create /etc/security containing the provided "limits.conf" file.
- (security-limits
+ (lambda (limits-file)
+ (pam-extension
+ (transformer
+ (lambda (pam)
+ (let ((pam-limits (pam-entry
+ (control "required")
+ (module "pam_limits.so")
+ (arguments
+ (list #~(string-append "conf=" #$limits-file))))))
+ (if (member (pam-service-name pam)
+ '("login" "greetd" "su" "slim" "gdm-password" "sddm"
+ "sudo" "sshd"))
+ (pam-service
+ (inherit pam)
+ (session (cons pam-limits
+ (pam-service-session pam))))
+ pam)))))))
+ (make-limits-file
(match-lambda
+ ;; XXX: Using file-like objects is deprecated, use lists instead.
+ ;; This is to be reduced into the list? case when the deprecated
+ ;; code gets removed.
((? file-like? obj)
(warning (G_ "Using file-like value for \
'pam-limits-service-type' is deprecated~%"))
- `(("security/limits.conf" ,obj)))
+ obj)
((? list? lst)
- `(("security/limits.conf"
- ,(plain-file "limits.conf"
- (string-join (map pam-limits-entry->string lst)
- "\n" 'suffix)))))
+ (plain-file "limits.conf"
+ (string-join (map pam-limits-entry->string lst)
+ "\n" 'suffix)))
(_ (raise
(formatted-message
(G_ "invalid input for 'pam-limits-service-type'~%")))))))
@@ -1642,13 +1640,12 @@ (module "pam_limits.so")
(service-type
(name 'limits)
(extensions
- (list (service-extension etc-service-type security-limits)
- (service-extension pam-root-service-type
- (lambda _ (list pam-extension)))))
+ (list (service-extension pam-root-service-type
+ (lambda (config)
+ (list (pam-extension (make-limits-file config)))))))
(description
- "Install the specified resource usage limits by populating
-@file{/etc/security/limits.conf} and using the @code{pam_limits}
-authentication module.")
+ "Use the @code{pam_limits} authentication module to set the specified
+resource usage limits.")
(default-value '()))))
(define-deprecated (pam-limits-service #:optional (limits '()))
--
2.40.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [bug#63383] [PATCH v2 3/4] Refer to the built-in Linux-PAM modules by their absolute paths.
2023-05-12 18:52 ` [bug#63383] [PATCH v2 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type Felix Lechner via Guix-patches via
@ 2023-05-12 18:52 ` Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 4/4] Use more file-append Felix Lechner via Guix-patches via
2 siblings, 0 replies; 10+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-05-12 18:52 UTC (permalink / raw)
To: 63383; +Cc: Felix Lechner
In the complex world that is Guix, this commit allows the processing of PAM
stacks by means other than the official libpam.so.
An assumption was voiced that absolute paths here might be unfavorable for
upgrades [1] but the author of this commit is not sure about that.
[1] https://issues.guix.gnu.org/61744#6
This commit was tested and is already being deployed in production.
* gnu/services/base.scm
* gnu/services/lightdm.scm
* gnu/services/sddm.scm
* gnu/services/xorg.scm
* gnu/system/pam.scm: Refer to the built-in PAM modules, which are shipped
with Linux-PAM, by their absolute paths in the store.
---
gnu/services/base.scm | 6 ++--
gnu/services/lightdm.scm | 60 +++++++++++++++++++++++++++++-----------
gnu/services/sddm.scm | 33 +++++++++++-----------
gnu/services/xorg.scm | 5 ++--
gnu/system/pam.scm | 20 +++++++-------
5 files changed, 77 insertions(+), 47 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4bef781977..5d0542b39d 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -58,8 +58,8 @@ (define-module (gnu services base)
#:use-module (gnu packages admin)
#:use-module ((gnu packages linux)
#:select (alsa-utils btrfs-progs crda eudev
- e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools
- util-linux xfsprogs))
+ e2fsprogs f2fs-tools fuse gpm kbd linux-pam lvm2
+ rng-tools util-linux xfsprogs))
#:use-module (gnu packages bash)
#:use-module ((gnu packages base)
#:select (coreutils glibc glibc-utf8-locales tar
@@ -1609,7 +1609,7 @@ (define pam-limits-service-type
(lambda (pam)
(let ((pam-limits (pam-entry
(control "required")
- (module "pam_limits.so")
+ (module (file-append linux-pam "/lib/security/pam_limits.so"))
(arguments
(list #~(string-append "conf=" #$limits-file))))))
(if (member (pam-service-name pam)
diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm
index b966f402d6..9927e8769b 100644
--- a/gnu/services/lightdm.scm
+++ b/gnu/services/lightdm.scm
@@ -24,6 +24,7 @@ (define-module (gnu services lightdm)
#:use-module (gnu packages display-managers)
#:use-module (gnu packages freedesktop)
#:use-module (gnu packages gnome)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages vnc)
#:use-module (gnu packages xorg)
#:use-module (gnu services configuration)
@@ -546,34 +547,61 @@ (define (lightdm-greeter-pam-service)
(name "lightdm-greeter")
(auth (list
;; Load environment from /etc/environment and ~/.pam_environment.
- (pam-entry (control "required") (module "pam_env.so"))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
;; Always let the greeter start without authentication.
- (pam-entry (control "required") (module "pam_permit.so"))))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; No action required for account management
- (account (list (pam-entry (control "required") (module "pam_permit.so"))))
+ (account (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; Prohibit changing password.
- (password (list (pam-entry (control "required") (module "pam_deny.so"))))
+ (password (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
;; Setup session.
- (session (list (pam-entry (control "required") (module "pam_unix.so"))))))
+ (session (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (lightdm-autologin-pam-service)
"Return a PAM service for @command{lightdm-autologin}}."
(pam-service
(name "lightdm-autologin")
- (auth
- (list
- ;; Block login if user is globally disabled.
- (pam-entry (control "required") (module "pam_nologin.so"))
- (pam-entry (control "required") (module "pam_succeed_if.so")
- (arguments (list "uid >= 1000")))
- ;; Allow access without authentication.
- (pam-entry (control "required") (module "pam_permit.so"))))
+ (auth (list
+ ;; Block login if user is globally disabled.
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
+ (arguments (list "uid >= 1000")))
+ ;; Allow access without authentication.
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; Stop autologin if account requires action.
- (account (list (pam-entry (control "required") (module "pam_unix.so"))))
+ (account (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
;; Prohibit changing password.
- (password (list (pam-entry (control "required") (module "pam_deny.so"))))
+ (password (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
;; Setup session.
- (session (list (pam-entry (control "required") (module "pam_unix.so"))))))
+ (session (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (lightdm-pam-services config)
(list (lightdm-pam-service config)
diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm
index c9a7ba96f4..9cd4d23bdb 100644
--- a/gnu/services/sddm.scm
+++ b/gnu/services/sddm.scm
@@ -23,6 +23,7 @@ (define-module (gnu services sddm)
#:use-module (gnu packages admin)
#:use-module (gnu packages display-managers)
#:use-module (gnu packages freedesktop)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages xorg)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
@@ -185,32 +186,32 @@ (define (sddm-pam-service config)
(list
(pam-entry
(control "requisite")
- (module "pam_nologin.so"))
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
(pam-entry
(control "required")
- (module "pam_env.so"))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
(pam-entry
(control "required")
- (module "pam_succeed_if.so")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
(arguments (list (string-append "uid >= "
(number->string (sddm-configuration-minimum-uid config)))
"quiet")))
;; should be factored out into system-auth
(pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(account
(list
;; should be factored out into system-account
(pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(password
(list
;; should be factored out into system-password
(pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
(arguments (list "sha512" "shadow" "try_first_pass")))))
(session
(list
@@ -218,7 +219,7 @@ (module "pam_unix.so")
;; should be factored out into system-session
(pam-entry
(control "required")
- (module "pam_unix.so"))))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (sddm-greeter-pam-service)
"Return a PAM service for @command{sddm-greeter}."
@@ -229,29 +230,29 @@ (define (sddm-greeter-pam-service)
;; Load environment from /etc/environment and ~/.pam_environment
(pam-entry
(control "required")
- (module "pam_env.so"))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
;; Always let the greeter start without authentication
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(account
(list
;; No action required for account management
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(password
(list
;; Can't change password
(pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(session
(list
;; Setup session
(pam-entry
(control "required")
- (module "pam_unix.so"))))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (sddm-autologin-pam-service config)
"Return a PAM service for @command{sddm-autologin}"
@@ -261,16 +262,16 @@ (define (sddm-autologin-pam-service config)
(list
(pam-entry
(control "requisite")
- (module "pam_nologin.so"))
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
(pam-entry
(control "required")
- (module "pam_succeed_if.so")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
(arguments (list (string-append "uid >= "
(number->string (sddm-configuration-minimum-uid config)))
"quiet")))
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(account
(list
(pam-entry
@@ -280,7 +281,7 @@ (module "sddm"))))
(list
(pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(session
(list
(pam-entry
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 8b6080fd26..97fbde3511 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -50,6 +50,7 @@ (define-module (gnu services xorg)
#:use-module (gnu packages freedesktop)
#:use-module (gnu packages gnustep)
#:use-module (gnu packages gnome)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages admin)
#:use-module (gnu packages bash)
#:use-module (gnu system shadow)
@@ -1101,12 +1102,12 @@ (module (file-append (gdm-configuration-gdm config)
"/lib/security/pam_gdm.so")))
(pam-entry
(control "sufficient")
- (module "pam_permit.so")))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so"))))))
(pam-service
(inherit (unix-pam-service "gdm-launch-environment"))
(auth (list (pam-entry
(control "required")
- (module "pam_permit.so")))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so"))))))
(unix-pam-service "gdm-password"
#:login-uid? #t
#:allow-empty-passwords?
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index adc40c975f..e3711e2b1e 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -202,7 +202,7 @@ (define %pam-other-services
;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.)
(let ((deny (pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(pam-service
(name "other")
(account (list deny))
@@ -213,10 +213,10 @@ (module "pam_deny.so"))))
(define unix-pam-service
(let ((unix (pam-entry
(control "required")
- (module "pam_unix.so")))
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))))
(env (pam-entry ; to honor /etc/environment.
(control "required")
- (module "pam_env.so"))))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))))
(lambda* (name #:key allow-empty-passwords? allow-root? motd
login-uid? gnupg?)
"Return a standard Unix-style PAM service for NAME. When
@@ -234,12 +234,12 @@ (module "pam_env.so"))))
(auth (append (if allow-root?
(list (pam-entry
(control "sufficient")
- (module "pam_rootok.so")))
+ (module (file-append linux-pam "/lib/security/pam_rootok.so"))))
'())
(list (if allow-empty-passwords?
(pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
(arguments '("nullok")))
unix))
(if gnupg?
@@ -249,20 +249,20 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
'())))
(password (list (pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
;; Store SHA-512 encrypted passwords in /etc/shadow.
(arguments '("sha512" "shadow")))))
(session `(,@(if motd
(list (pam-entry
(control "optional")
- (module "pam_motd.so")
+ (module (file-append linux-pam "/lib/security/pam_motd.so"))
(arguments
(list #~(string-append "motd=" #$motd)))))
'())
,@(if login-uid?
(list (pam-entry ;to fill in /proc/self/loginuid
(control "required")
- (module "pam_loginuid.so")))
+ (module (file-append linux-pam "/lib/security/pam_loginuid.so"))))
'())
,@(if gnupg?
(list (pam-entry
@@ -276,13 +276,13 @@ (define (rootok-pam-service command)
authenticate to run COMMAND."
(let ((unix (pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(pam-service
(name command)
(account (list unix))
(auth (list (pam-entry
(control "sufficient")
- (module "pam_rootok.so"))))
+ (module (file-append linux-pam "/lib/security/pam_rootok.so")))))
(password (list unix))
(session (list unix)))))
--
2.40.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [bug#63383] [PATCH v2 4/4] Use more file-append.
2023-05-12 18:52 ` [bug#63383] [PATCH v2 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 3/4] Refer to the built-in Linux-PAM modules by their absolute paths Felix Lechner via Guix-patches via
@ 2023-05-12 18:52 ` Felix Lechner via Guix-patches via
2 siblings, 0 replies; 10+ messages in thread
From: Felix Lechner via Guix-patches via @ 2023-05-12 18:52 UTC (permalink / raw)
To: 63383; +Cc: Felix Lechner
Based on the author's review of the code base as well as past commits, similar
invocations are in the process of being changed over from string-append to
file-append.
* gnu/services/authentication.scm
* gnu/services/base.scm
* gnu/services/kerberos.scm
* gnu/services/pam-mount.scm: Use more file-append instead of string-append.
---
gnu/services/authentication.scm | 2 +-
gnu/services/base.scm | 2 +-
gnu/services/kerberos.scm | 4 ++--
gnu/services/pam-mount.scm | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm
index f1ad1b1afe..fbfef2d3d0 100644
--- a/gnu/services/authentication.scm
+++ b/gnu/services/authentication.scm
@@ -504,7 +504,7 @@ (define (nslcd-shepherd-service config)
(define (pam-ldap-pam-service config)
"Return a PAM service for LDAP authentication."
(define pam-ldap-module
- #~(string-append #$(nslcd-configuration-nss-pam-ldapd config)
+ (file-append (nslcd-configuration-nss-pam-ldapd config)
"/lib/security/pam_ldap.so"))
(pam-extension
(transformer
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 5d0542b39d..a6c501e2c2 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -3253,7 +3253,7 @@ (define (greetd-pam-service config)
(define optional-pam-mount
(pam-entry
(control "optional")
- (module #~(string-append #$greetd-pam-mount "/lib/security/pam_mount.so"))
+ (module (file-append greetd-pam-mount "/lib/security/pam_mount.so"))
(arguments '("disable_interactive"))))
(list
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index 1a1b37f890..a6f540a9b6 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -432,8 +432,8 @@ (define (pam-krb5-pam-service config)
(transformer
(lambda (pam)
(define pam-krb5-module
- #~(string-append #$(pam-krb5-configuration-pam-krb5 config)
- "/lib/security/pam_krb5.so"))
+ (file-append (pam-krb5-configuration-pam-krb5 config)
+ "/lib/security/pam_krb5.so"))
(let ((pam-krb5-sufficient
(pam-entry
diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm
index 21c34ddd61..afaa2704cd 100644
--- a/gnu/services/pam-mount.scm
+++ b/gnu/services/pam-mount.scm
@@ -87,7 +87,7 @@ (define (pam-mount-pam-service config)
(define optional-pam-mount
(pam-entry
(control "optional")
- (module #~(string-append #$pam-mount "/lib/security/pam_mount.so"))))
+ (module (file-append pam-mount "/lib/security/pam_mount.so"))))
(list
(pam-extension
(transformer
--
2.40.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
end of thread, other threads:[~2023-05-12 18:54 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-09 0:56 [bug#63383] [PATCH 0/4] Various PAM improvements Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 3/4] Refer to the built-in Linux-PAM modules by their absolute paths Felix Lechner via Guix-patches via
2023-05-09 0:58 ` [bug#63383] [PATCH 4/4] Use more file-append Felix Lechner via Guix-patches via
2023-05-12 18:51 ` [bug#63383] rebased Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 3/4] Refer to the built-in Linux-PAM modules by their absolute paths Felix Lechner via Guix-patches via
2023-05-12 18:52 ` [bug#63383] [PATCH v2 4/4] Use more file-append Felix Lechner via Guix-patches via
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).