Subject: [bug#62357] [PATCH] services: base: add pam-mount-volume support for greetd
From: Brian Cully via Guix-patches
Reply-to: Brian Cully
To: 62357@debbugs.gnu.org
Cc: Brian Cully, ludo@gnu.org
Date: Tue, 21 Mar 2023 17:06:22 -0400
Message-Id: <3dc92c40bf6940f2453d1912af08c47771dfa42b.1679432782.git.bjc@spork.org>
X-Mailer: git-send-email 2.39.2
X-GNU-PR-Message: report 62357
X-GNU-PR-Package: guix-patches

This patch lets users create mounts automatically on login with the greetd
service by adding `pam-mount-volume' records via the `extra-pam-mount-volumes'
field of `greetd-configuration'. The existing rules for XDG_RUNTIME_DIR have
been migrated to `%base-pam-mount-volumes' and are installed by default.

* gnu/services/base.scm (): New record.
(pam-mount-volume->sxml): New procedure.
(%base-pam-mount-volumes): New variable.
(greetd-pam-mount-rules): New function.
(%greetd-pam-mount-rules): Removed variable.
(): New field `extra-pam-mount-volumes'.
---
 gnu/services/base.scm | 114 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 107 insertions(+), 7 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 2c984a0747..4da2090141 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -248,6 +248,27 @@ (define-module (gnu services base) pam-limits-service-type pam-limits-service + pam-mount-volume + pam-mount-volume-user + pam-mount-volume-uid + pam-mount-volume-pgrp + pam-mount-volume-gid + pam-mount-volume-sgrp + pam-mount-volume-fstype + pam-mount-volume-noroot + pam-mount-volume-server + pam-mount-volume-path + pam-mount-volume-path + pam-mount-volume-mountpoint + pam-mount-volume-header + pam-mount-volume-options + pam-mount-volume-ssh + pam-mount-volume-cipher + pam-mount-volume-fskeycipher + pam-mount-volume-fskeyhash + pam-mount-volume-fskeypath + %base-pam-mount-volumes + greetd-service-type greetd-configuration greetd-terminal-configuration 
@@ -3170,6 +3191,82 @@ (define (make-greetd-terminal-configuration-file config) "user = " default-session-user "\n" "command = " default-session-command "\n"))) +(define-record-type* + pam-mount-volume make-pam-mount-volume + pam-mount-volume? + (user pam-mount-volume-user (default #f)) ; string + (uid pam-mount-volume-uid (default #f)) ; number or (number . number) + (pgrp pam-mount-volume-pgrp (default #f)) ; string + (gid pam-mount-volume-gid (default #f)) ; number or (number . number) + (sgrp pam-mount-volume-sgrp (default #f)) ; string + (fstype pam-mount-volume-fstype (default #f)) ; string + (noroot pam-mount-volume-noroot (default #f)) ; bool + (server pam-mount-volume-server (default #f)) ; string + (path pam-mount-volume-path (default #f)) ; string + (mountpoint pam-mount-volume-mountpoint (default #f)) ; string + (header pam-mount-volume-header (default #f)) ; string + (options pam-mount-volume-options (default #f)) ; string + (ssh pam-mount-volume-ssh (default #f)) ; bool + (cipher pam-mount-volume-cipher (default #f)) ; string + (fskeycipher pam-mount-volume-fskeycipher (default #f)) ; string + (fskeyhash pam-mount-volume-fskeyhash (default #f)) ; string + (fskeypath pam-mount-volume-fskeypath (default #f))) ; string + +(define (pam-mount-volume->sxml volume) + "Return SXML formatted VOLUME, suitable for pam_mount configuration." + (define (string-for value) + (and value (format #f "~a" value))) + + (define (bool-for value) + (if value + "1" + "0")) + + (define (number-or-range-for value) + (match value + (#f #f) + ((start . end) + (format #f "~a-~a" start end)) + (number + (format #f "~a" number)))) + + (define attrs + (filter + (cut cadr <>) + (map (lambda (field-desc) + (let* ((field-name (car field-desc)) + (field-formatter (cdr field-desc)) + (field-accessor (record-accessor field-name))) + (list field-name (field-formatter (field-accessor volume))))) + `((user . ,string-for) + (uid . ,number-or-range-for) + (pgrp . ,string-for) + (gid . 
,number-or-range-for) + (sgrp . ,string-for) + (fstype . ,string-for) + (noroot . ,bool-for) + (server . ,string-for) + (path . ,string-for) + (mountpoint . ,string-for) + (header . ,string-for) + (options . ,string-for) + (ssh . ,bool-for) + (cipher . ,string-for) + (fskeycipher . ,string-for) + (fskeyhash . ,string-for) + (fskeypath . ,string-for))))) + + `(volume (@ ,@attrs))) + +(define %base-pam-mount-volumes + (list + (pam-mount-volume->sxml + (pam-mount-volume + (sgrp "users") + (fstype "tmpfs") + (mountpoint "/run/user/%(USERUID)") + (options "noexec,nosuid,nodev,size=1g,mode=0700,uid=%(USERUID),gid=%(USERGID)"))))) + (define %greetd-file-systems (list (file-system (device "none") @@ -3180,12 +3277,14 @@ (define %greetd-file-systems (options "mode=0755") (create-mount-point? #t)))) -(define %greetd-pam-mount-rules +(define (greetd-pam-mount-rules config) + (define volumes + (append (map pam-mount-volume->sxml + (greetd-extra-pam-mount-volumes config)) + %base-pam-mount-volumes)) + `((debug (@ (enable "0"))) - (volume (@ (sgrp "users") - (fstype "tmpfs") - (mountpoint "/run/user/%(USERUID)") - (options "noexec,nosuid,nodev,size=1g,mode=0700,uid=%(USERUID),gid=%(USERGID)"))) + ,@volumes (logout (@ (wait "0") (hup "0") (term "yes") @@ -3198,7 +3297,8 @@ (define-record-type* (motd greetd-motd (default %default-motd)) (allow-empty-passwords? greetd-allow-empty-passwords? (default #t)) (terminals greetd-terminals (default '())) - (greeter-supplementary-groups greetd-greeter-supplementary-groups (default '()))) + (greeter-supplementary-groups greetd-greeter-supplementary-groups (default '())) + (extra-pam-mount-volumes greetd-extra-pam-mount-volumes (default '()))) (define (greetd-accounts config) (list (user-group (name "greeter") (system? #t)) 
@@ -3219,7 +3319,7 @@ (define (make-greetd-pam-mount-conf-file config) '(*TOP* (*PI* xml "version='1.0' encoding='utf-8'") (pam_mount - #$@%greetd-pam-mount-rules + #$@(greetd-pam-mount-rules config) (pmvarrun #$(file-append greetd-pam-mount "/sbin/pmvarrun -u '%(USER)' -o '%(OPERATION)'")))) base-commit: 306bd7b8b952b1e721fd36a9d69b3373862e8087 -- 2.39.2
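Review bot: in the export hunk (@@ -248), `pam-mount-volume-path` is listed twice; drop one. The predicate `pam-mount-volume?` that the record defines is not exported, so code outside the module cannot check that an element of `extra-pam-mount-volumes` is actually a volume; export it alongside the accessors.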
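Review bot: in the @@ -3170 hunk, `bool-for` in `pam-mount-volume->sxml` never returns #f, so the `(filter (cut cadr <>) ...)` step keeps `noroot` and `ssh` even when they were never set, and every generated volume element carries noroot="0" ssh="0"; return #f for an unset value (for example `(and value "1")`) or keep a tri-state so only explicitly set attributes are emitted. In the same hunk, `%base-pam-mount-volumes` holds already-rendered SXML rather than `pam-mount-volume` records, while `extra-pam-mount-volumes` holds records; a user who reuses the exported variable, e.g. `(cons my-volume %base-pam-mount-volumes)`, gets a type mismatch. Store records in `%base-pam-mount-volumes` and render them in `greetd-pam-mount-rules`. The record type name after `define-record-type*` is lost in this rendering, so also confirm that `record-accessor` is called with the record type descriptor as its first argument, as Guile's `record-accessor` requires.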
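Review bot: in the @@ -3180 hunk, `greetd-pam-mount-rules` emits the extra volumes before the base ones (`(append (map pam-mount-volume->sxml ...) %base-pam-mount-volumes)`), so pam_mount processes user-supplied volumes before the tmpfs on /run/user/%(USERUID); an extra volume whose mountpoint lies under /run/user/%(USERUID) would be mounted first and then shadowed by the tmpfs. Put the base volumes first. Because the base list is unconditionally appended, there is also no way to turn the default XDG_RUNTIME_DIR volume off; a `pam-mount-volumes` field defaulting to `%base-pam-mount-volumes` would give users that control while keeping the current default.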
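Review bot: in the @@ -3198 hunk, the new `extra-pam-mount-volumes` field has no documentation, and the diffstat shows only gnu/services/base.scm changed; doc/guix.texi should gain the new field, a description of each `pam-mount-volume` field (including the number-or-range form of `uid` and `gid`), and a note on the `%(USER)`-style pam_mount variables the strings accept. A sanitizer on the field that checks each element with `pam-mount-volume?` would also report a wrong element type at configuration time instead of raising inside `pam-mount-volume->sxml` when the file is generated.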
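Review bot: in the @@ -3219 hunk, the generated pam_mount configuration is built by a gexp (`#$@(greetd-pam-mount-rules config)`) and therefore lands in the store, which is world-readable, so every attribute of every volume record is visible to all local users. The record's own fields are paths, names and cipher identifiers, but `options` is a free-form string handed to mount; the field comment or the documentation should warn against embedding credentials such as `password=` there and point to a credentials file or Kerberos instead.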
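As an added usage example (not part of the patch or of Guix itself), this is how a system configuration would use the field and record the patch introduces, assuming the patch is applied as posted. The server name, share path and mount options are hypothetical; the extra volume is restricted to members of group `users`, like the default tmpfs volume, and relies on Kerberos so that no password appears in the generated, store-resident pam_mount file.

```scheme
;; Added example, not from the patch: one greetd service value with an
;; extra pam_mount volume.  Hypothetical server, share and options.
(use-modules (gnu services)
             (gnu services base))

(define my-extra-volumes
  (list
   (pam-mount-volume
    (sgrp "users")                    ; only members of group "users"
    (fstype "cifs")
    (server "files.example.org")      ; hypothetical file server
    (path "home/%(USER)")             ; pam_mount expands %(USER) at login
    (mountpoint "/home/%(USER)/files")
    ;; Kerberos ticket of the logging-in user; no password= here, because
    ;; the rendered pam_mount.conf.xml is world-readable in the store.
    (options "sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=%(USERGID),nosuid,nodev"))))

;; The XDG_RUNTIME_DIR tmpfs from %base-pam-mount-volumes is still added
;; by greetd-pam-mount-rules; extra-pam-mount-volumes only adds to it.
(define greetd-with-volumes
  (service greetd-service-type
           (greetd-configuration
            (terminals
             (list (greetd-terminal-configuration (terminal-vt "1"))))
            (extra-pam-mount-volumes my-extra-volumes))))

;; Use it in an operating-system declaration with
;;   (services (cons greetd-with-volumes %base-services))
```

The volume is rendered by `pam-mount-volume->sxml` into a single `<volume>` element whose attributes are the fields set above, and is placed in the pam_mount configuration next to the default tmpfs volume.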