Subject: [bug#33916] [PATCH 0/4] Make GDM usable
From: Timothy Sample
Date: Sun, 30 Dec 2018 09:42:23 -0500
To: Danny Milosavljevic
Cc: 33916-done@debbugs.gnu.org
Message-ID: <877efrm5yo.fsf@ngyro.com>
In-Reply-To: <20181230103046.5625831f@scratchpost.org> (Danny Milosavljevic's message of "Sun, 30 Dec 2018 10:30:46 +0100")
References: <87bm53n3iu.fsf@ngyro.com> <20181230103046.5625831f@scratchpost.org>

Hi Danny,

Danny Milosavljevic writes:

> Hi Timothy,
>
> thanks!
>
> I've pushed this series to master as:
>
> 92deb5cc920fcc7617302986180f1abee5fd2b26
> 89c8656200a21485fd50fe4d277792d7d56c63e0
> de409e82261eb147b6614aef8731d795ca664ef0
> 48c8d067d4ded776939cda6f9c63c25b38ba77fc

Thank you!

> I've taken a look at gnu/system/pam.scm where unix-pam-service is defined,
> and it just does "auth sufficient pam_rootok.so".  This means that root
> will be allowed to log in without password (which is what is documented
> there, too).
>
> But how come it (or gdm) then allows any user?

More specifically, it means that root is authorized to perform whatever
action PAM is being asked about without providing a password.  In this
case, “root” is GDM itself, and the action is “log in as so-and-so”.
Hence, PAM says, “sure thing, root, log in as whoever you like!”

The part I’m not certain about is why GDM is running as root.  My
current understanding is that it is running with effective UID gdm and
real UID root.  I remember reading in the docs that “pam_rootok.so” only
cares about real UID [1].

> Fedora does it differently:
>
> See https://fedoraproject.org/wiki/Enabling_Root_User_For_GNOME_Display_Manager
>
>> auth required pam_succeed_if.so user != root quiet

That looks better.  That would be easy to add if people find it useful.
(I wouldn’t bother with it, but if Fedora does it, then it must be
popular enough.)

[1] http://www.linux-pam.org/Linux-PAM-html/sag-pam_rootok.html

-- Tim
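As an added illustration (not Guix code and not part of this thread), the following Python toy model walks a PAM auth stack with the required/sufficient semantics discussed above, using a constructed password table and an assumed trailing pam_unix.so line: with real UID 0, pam_rootok.so as a sufficient line accepts any target user, and Fedora's required pam_succeed_if.so line placed before it refuses a root target.

```python
# Toy model of the Linux-PAM "auth" stack semantics under discussion.
# Constructed illustration: not Guix's pam.scm and not Linux-PAM code.
PASSWORDS = {"alice": "hunter2"}  # constructed sample credentials

def pam_rootok(ctx, args):
    # Succeeds when the caller's *real* UID is 0, whatever the target
    # user is; the effective UID plays no part.
    return ctx["real_uid"] == 0

def pam_succeed_if(ctx, args):
    # Minimal subset: "user = X" / "user != X"; "quiet" only affects
    # logging, so it is skipped.
    field, op, value = [a for a in args if a != "quiet"]
    if field != "user":
        raise ValueError("unsupported field: " + field)
    return ctx["user"] != value if op == "!=" else ctx["user"] == value

def pam_unix(ctx, args):
    # Stand-in for the password check (assumed to follow pam_rootok).
    pw = ctx.get("password")
    return pw is not None and PASSWORDS.get(ctx["user"]) == pw

MODULES = {"pam_rootok.so": pam_rootok, "pam_succeed_if.so": pam_succeed_if,
           "pam_unix.so": pam_unix}

def run_auth_stack(stack, ctx):
    """Walk [(control, module, args)] with required/sufficient rules:
    required   - a failure is remembered but the stack keeps running;
    sufficient - success with no earlier required failure accepts at
                 once, and a failure is simply ignored."""
    failed = False
    for control, module, args in stack:
        ok = MODULES[module](ctx, args)
        if control == "required":
            failed = failed or not ok
        elif control == "sufficient":
            if ok and not failed:
                return True
        else:
            raise ValueError("unsupported control: " + control)
    return not failed

# The stack Danny quotes from unix-pam-service, plus a password line.
ROOTOK_STACK = [("sufficient", "pam_rootok.so", []),
                ("required", "pam_unix.so", [])]
# Fedora's extra line placed in front of it: refuse the target "root".
FEDORA_STACK = [("required", "pam_succeed_if.so",
                 ["user", "!=", "root", "quiet"])] + ROOTOK_STACK
```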