From: "Ludovic Courtès" <ludo@gnu.org>
To: "Carlos Durán Domínguez" <wurt@wurtshell.com>
Cc: 65538@debbugs.gnu.org
Subject: [bug#65538] [PATCH v2] services: greetd: Add pam-gnupg support.
Date: Wed, 11 Oct 2023 22:54:25 +0200 [thread overview]
Message-ID: <87bkd4swvy.fsf_-_@gnu.org> (raw)
In-Reply-To: <20231006005327.13903-1-wurt@wurtshell.com> ("Carlos Durán Domínguez"'s message of "Fri, 6 Oct 2023 02:53:21 +0200")
Hi,
Carlos Durán Domínguez <wurt@wurtshell.com> skribis:
> My main concern is that the new 'pam-gnupg-module?' procedure could be wrong,
> but I did not find any other solution.
OK.
> I also think that using 'insert-before' in gnu/services/pam-mount.scm could be
> a problem. If other PAM modules needs to be on certain positions, it could be
> an “if mess” or maybe not, I do not know much about PAM modules.
Yeah, I’m also wondering what will happen if several services have
ordering requirements. This seems to break composability, but maybe
it’s a problem that PAM has.
> +@file{~/.pam-gnupg} (see
> +@url{https://github.com/cruegge/pam-gnupg#setup-guide, pam-gnupg setup
> +guide}), and can be queried with @code{gpg -K --with-keygrip}
> +(@pxref{Commands to select the type of operation,,,gnupg}). Presetting
> +passphrases must be enabled by adding @code{allow-preset-passphrase} in
> +@file{~/.gnupg/gpg-agent.conf} (@pxref{Put a passphrase into the
> +cache,,,gnupg}).
Note that @pxref should first name the “node” (section) of the manual
you’re referring to, and there should be one last argument giving the
title of the manual:
https://www.gnu.org/software/texinfo/manual/texinfo/html_node/Four-and-Five-Arguments.html
The ones above should be adjusted to refer to existing nodes of the
GnuPG manual.
> (if (member (pam-service-name pam)
> '("login" "greetd" "su" "slim" "gdm-password" "sddm"))
> (pam-service
> + ;; pam-mount module must be before pam-gnupg, because the later
> + ;; needs to be at the end (See pam-gnupg README.md)
> (inherit pam)
I went to look at the ‘README.md’ file, and all I could find is:
At least, `pam_gnupg.so` should come after `pam_unix.so`,
`pam_systemd_home.so`, `pam_systemd.so` and `pam_env.so` in case you
use those modules.
Is it what you’re referring to?
The ‘README.md’ also gave me a sense that pam-gnupg is not fully baked:
The code was written mainly by looking at and occasionally copying
from Gnome Keyring's PAM module and pam_mount and is based on a
somewhat mediocre understanding of the details of both PAM and C. You
should be aware that there may be potentially dangerous bugs lurking.
It also makes this recommendation, which I find dubious security-wise:
- Add
allow-preset-passphrase
to `~/.gnupg/gpg-agent.conf`. Optionally, customize the cache timeout via
`max-cache-ttl`, e.g. set
max-cache-ttl 86400
to have it expire after a day.
I guess that’s expected given the purpose of the tool, but still.
Overall that made me wonder if this is something we should promote.
WDYT?
> +(define (pam-gnupg-module? name)
> + "Return `#t' if NAME is the path to the pam-gnupg module, `#f' otherwise."
> + (let ((module (pam-entry-module name)))
> + (and (file-append? module)
> + (equal? (first (file-append-suffix module))
> + "/lib/security/pam_gnupg.so"))))
This is not ideal, because someone might give a module that’s not a
<file-append>, but I can’t think of a better way.
> - #:use-module (rnrs io ports) ;need 'port-position' etc.
> + #:use-module (rnrs io ports) ;need 'port-position' etc.
> #:use-module ((rnrs bytevectors) #:select (bytevector-u8-set!))
> #:use-module (guix memoization)
> #:use-module ((guix build utils)
> #:select (dump-port mkdir-p delete-file-recursively
> - call-with-temporary-output-file %xz-parallel-args))
> + call-with-temporary-output-file %xz-parallel-args))
> #:use-module ((guix build syscalls) #:select (mkdtemp! fdatasync))
> #:use-module ((guix combinators) #:select (fold2))
> - #:use-module (guix diagnostics) ;<location>, &error-location, etc.
> + #:use-module (guix diagnostics) ;<location>, &error-location, etc.
> #:use-module (ice-9 format)
> #:use-module ((ice-9 iconv) #:prefix iconv:)
> #:use-module (ice-9 match)
> @@ -57,7 +58,7 @@ (define-module (guix utils)
> #:use-module (ice-9 vlist)
> #:autoload (zlib) (make-zlib-input-port make-zlib-output-port)
> #:use-module (system foreign)
> - #:re-export (<location> ;for backwards compatibility
> + #:re-export (<location> ;for backwards compatibility
Unnecessary changes. :-)
Thanks,
Ludo’.
next prev parent reply other threads:[~2023-10-11 20:56 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-06 0:53 [bug#65538] [PATCH v3] services: greetd: Add pam-gnupg support guix-patches--- via
2023-10-11 20:54 ` Ludovic Courtès [this message]
-- strict thread matches above, loose matches on Subject: below --
2023-08-25 14:48 [bug#65538] [PATCH v2] " guix-patches--- via
2023-10-05 12:57 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bkd4swvy.fsf_-_@gnu.org \
--to=ludo@gnu.org \
--cc=65538@debbugs.gnu.org \
--cc=wurt@wurtshell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).