Subject: [bug#53468] [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.
To: Ludovic Courtès
Cc: 53468@debbugs.gnu.org
From: Andrew Tropin
In-Reply-To: <877daamgf2.fsf_-_@gnu.org>
References: <87tudu38yz.fsf@trop.in> <87sftetuhg.fsf@trop.in> <877daamgf2.fsf_-_@gnu.org>
Date: Sun, 06 Feb 2022 08:16:54 +0300
Message-ID: <878ruo60c9.fsf@trop.in>

On 2022-02-04 23:10, Ludovic Courtès wrote:

> Hi!
>
> Andrew Tropin skribis:
>
>> From ad876e5b134072601fa97d82a39b320a269f34a5 Mon Sep 17 00:00:00 2001
>> From: Andrew Tropin
>> Date: Thu, 13 Jan 2022 21:41:58 +0300
>> Subject: [RFC PATCH v2] gnu: linux-pam: Change path to unix_chkpwd helper.
>>
>> * gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
>> * gnu/packages/linux.scm (linux-pam): Add patch.
>> * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
>> binaries.
>
> [...]
>
>> + DIAG_PUSH_IGNORE_CAST_QUAL;
>> +- execve(CHKPWD_HELPER, (char *const *) args, envp);
>> ++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, e= nvp);
>> + DIAG_POP_IGNORE_CAST_QUAL;
>
> Looks reasonable to me. However, could you change the CHKPWD_HELPER
> macro definition in the Makefile template, as you suggested, instead of
> patching the file?

Sure, done in v3.

[Attachment: v3-0001-gnu-linux-pam-Change-path-to-unix_chkpwd-helper.patch]

From=20e96d3f6d82b134829fcb31777e81928c73847dcc Mon Sep 17 00:00:00 2001 From: Andrew Tropin Date: Sun, 6 Feb 2022 08:13:49 +0300 Subject: [PATCH v3] gnu: linux-pam: Change path to unix_chkpwd helper. * gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file. * gnu/packages/linux.scm (linux-pam): Add patch. * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid. =2D-- gnu/packages/linux.scm | 3 ++- .../patches/change-path-to-unix_chkpwd.patch | 13 +++++++++++++ gnu/system/pam.scm | 10 ++++++++-- 3 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 2e2d01c656..bc2927d0b4 100644 =2D-- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm
@@ -1625,7 +1625,8 @@ (define-public linux-pam (sha256 (base32 "1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790")) =2D (patches (search-patches "linux-pam-no-setfsuid.patch")))) + (patches (search-patches "change-path-to-unix_chkpwd.patch" + "linux-pam-no-setfsuid.patch")))) =20 (build-system gnu-build-system) (native-inputs diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/pa= ckages/patches/change-path-to-unix_chkpwd.patch new file mode 100644 index 0000000000..e5c6d2649c =2D-- /dev/null +++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch @@ -0,0 +1,13 @@ +From: Andrew Tropin +Date: Sat, 5 Feb 2022 21:06:42 +0300 +Subject: [PATCH] Change path to unix_chkpwd. + +unix_chkpwd is designed to have a suid bit, but it's not possible to set it +for files in /gnu/store, and this patch tells unix_pam.so to lookup up for +unix_chkpwd in directory generated by setuid-program system service. + +--- a/modules/pam_unix/Makefile.in ++++ b/modules/pam_unix/Makefile.in +@@ -651,1 +651,1 @@ +- -DCHKPWD_HELPER=3D\"$(sbindir)/unix_chkpwd\" \ ++ -DCHKPWD_HELPER=3D\"/run/setuid-programs/unix_chkpwd\" \ diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index 2574e019f1..b635681642 100644 =2D-- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -21,6 +21,7 @@ (define-module (gnu system pam) #:use-module (guix derivations) #:use-module (guix gexp) #:use-module (gnu services) + #:use-module (gnu system setuid) #:use-module (ice-9 match) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) 
@@ -375,8 +376,13 @@ (define (extend-configuration initial extensions) =20 (define pam-root-service-type (service-type (name 'pam) =2D (extensions (list (service-extension etc-service-type =2D /etc-entry))) + (extensions + (list (service-extension + setuid-program-service-type + (lambda (_) + (list (file-like->setuid-program + (file-append linux-pam "/sbin/unix_chkpwd= "))))) + (service-extension etc-service-type /etc-entry))) =20 ;; Arguments include as well as procedures. (compose concatenate) =2D-=20 2.34.0

-- 
Best regards,
Andrew Tropin
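Review bot: in the gnu/packages/linux.scm hunk, the new file gnu/packages/patches/change-path-to-unix_chkpwd.patch is added to `(patches (search-patches ...))` but the diffstat lists only three files, so it is not registered in gnu/local.mk under dist_patch_DATA, which Guix requires for every file in gnu/packages/patches; please add it there, and consider naming it `linux-pam-unix_chkpwd-path.patch` so it carries the package prefix like the neighbouring `linux-pam-no-setfsuid.patch`.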
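Review bot: the embedded patch's hunk `@@ -651,1 +651,1 @@` against modules/pam_unix/Makefile.in has no context lines, so `patch` matches it by line number alone and a future upstream edit to that Makefile.in could let it apply to the wrong line without any error; please regenerate it with the usual three lines of context so a mismatch fails loudly. The description above the hunk says "unix_pam.so" and "lookup up" where the module path in the hunk is modules/pam_unix, so it should read "pam_unix.so" and "look up", and it is worth stating there that hard-coding `/run/setuid-programs/unix_chkpwd` means this linux-pam package only finds its helper on a Guix System that extends setuid-program-service-type, not when the package is used elsewhere.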
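Review bot: in the pam-root-service-type hunk of gnu/system/pam.scm, the new extension refers to `linux-pam`, but the module-header hunk only adds `#:use-module (gnu system setuid)`; please confirm `(gnu packages linux)` is already imported by (gnu system pam), otherwise `linux-pam` is unbound. Using `file-like->setuid-program` on `(file-append linux-pam "/sbin/unix_chkpwd")` registers the helper with the default setuid-root settings, which is what unix_chkpwd needs, and the commit-message line "Add unix_chkpwd to setuid." reads truncated next to v2's "Add unix_chkpwd to setuid binaries."; consider restoring the full wording.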