unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
* [bug#63314] [PATCH 0/2] Add PAM shepherd requirements
@ 2023-05-05 17:50 Josselin Poiret via Guix-patches via
  2023-05-05 17:51 ` [bug#63314] [PATCH 1/2] system: pam: Let PAM extenders add " Josselin Poiret via Guix-patches via
  2023-05-05 17:51 ` [bug#63314] [PATCH " Josselin Poiret via Guix-patches via
  0 siblings, 2 replies; 10+ messages in thread
From: Josselin Poiret via Guix-patches via @ 2023-05-05 17:50 UTC (permalink / raw)
  To: 63314; +Cc: Josselin Poiret

Hi everyone,

With shepherd 0.10 incoming, I've been running into a nasty issue: I use
elogind and greetd, and greetd, when starting needs to let its greeter log-in
through PAM.  However, its PAM entry requires pam_elogind.so, which might not
work if elogind isn't started yet, and so my greetd would just fail to start.
This patch adds a shepherd synchronization point for services needed by PAM,
and any PAM-using program should have the synchronization point as a
requirement.  I've mostly tested this with greetd only, so I would appreciate
if other PAM users could try it out.

Best,

Josselin Poiret (2):
  system: pam: Let PAM extenders add shepherd requirements.
  services: elogind: Add elogind as a shepherd PAM requirement.

 gnu/services/authentication.scm | 28 +++++++++--------
 gnu/services/base.scm           | 54 +++++++++++++++++---------------
 gnu/services/desktop.scm        | 45 +++++++++++++++------------
 gnu/services/kerberos.scm       | 44 +++++++++++++-------------
 gnu/services/lightdm.scm        |  2 +-
 gnu/services/mail.scm           |  4 +--
 gnu/services/pam-mount.scm      | 23 ++++++++------
 gnu/services/sddm.scm           |  2 +-
 gnu/services/ssh.scm            | 10 +++---
 gnu/services/xorg.scm           |  4 +--
 gnu/system/pam.scm              | 55 ++++++++++++++++++++++++++-------
 11 files changed, 161 insertions(+), 110 deletions(-)


base-commit: 6922069bcbe5c08da09c00e5aad44e390ebd1cc7
-- 
2.39.2





^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#63314] [PATCH 1/2] system: pam: Let PAM extenders add shepherd requirements.
  2023-05-05 17:50 [bug#63314] [PATCH 0/2] Add PAM shepherd requirements Josselin Poiret via Guix-patches via
@ 2023-05-05 17:51 ` Josselin Poiret via Guix-patches via
  2023-05-08  9:45   ` [bug#63314] [PATCH 0/2] Add PAM " Ludovic Courtès
  2023-05-05 17:51 ` [bug#63314] [PATCH " Josselin Poiret via Guix-patches via
  1 sibling, 1 reply; 10+ messages in thread
From: Josselin Poiret via Guix-patches via @ 2023-05-05 17:51 UTC (permalink / raw)
  To: 63314; +Cc: Josselin Poiret

From: Josselin Poiret <dev@jpoiret.xyz>

* gnu/system/pam.scm (<pam-extender>): New record type.
(pam-shepherd-service): Add Shepherd synchronization point.

* gnu/services/mail.scm (dovecot-shepherd-service)
* gnu/services/lightdm.scm (lightdm-shepherd-service)
* gnu/services/mail.scm (opensmtpd-shepherd-service)
* gnu/services/sddm.scm (sddm-shepherd-service)
* gnu/services/ssh.scm (lsh-shepherd-service, openssh-shepherd-service)
* gnu/services/xorg.scm (slim-shepherd-service, gdm-shepherd-service)
* gnu/services/base.scm (greetd-shepherd-services): Add PAM requirement.

* gnu/system/pam.scm (/etc-entry, extend-configuration,
pam-root-service-type, pam-root-service)
* gnu/services/authentication.scm (pam-ldap-pam-service)
* gnu/services/base.scm (pam-limits-service-type)
(greetd-pam-service)
* gnu/services/desktop.scm (pam-gnome-keyring)
* gnu/services/kerberos.scm (pam-krb5-pam-service)
* gnu/services/pam-mount.scm (pam-mount-pam-service): Adapt to pam-extenders.
---
 gnu/services/authentication.scm | 28 +++++++++--------
 gnu/services/base.scm           | 54 +++++++++++++++++---------------
 gnu/services/desktop.scm        | 44 ++++++++++++++------------
 gnu/services/kerberos.scm       | 44 +++++++++++++-------------
 gnu/services/lightdm.scm        |  2 +-
 gnu/services/mail.scm           |  4 +--
 gnu/services/pam-mount.scm      | 23 ++++++++------
 gnu/services/sddm.scm           |  2 +-
 gnu/services/ssh.scm            | 10 +++---
 gnu/services/xorg.scm           |  4 +--
 gnu/system/pam.scm              | 55 ++++++++++++++++++++++++++-------
 11 files changed, 160 insertions(+), 110 deletions(-)

diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm
index f7becdfafb..5ec7634789 100644
--- a/gnu/services/authentication.scm
+++ b/gnu/services/authentication.scm
@@ -506,19 +506,21 @@ (define (pam-ldap-pam-service config)
   (define pam-ldap-module
     #~(string-append #$(nslcd-configuration-nss-pam-ldapd config)
                      "/lib/security/pam_ldap.so"))
-  (lambda (pam)
-    (if (member (pam-service-name pam)
-                (nslcd-configuration-pam-services config))
-        (let ((sufficient
-               (pam-entry
-                (control "sufficient")
-                (module pam-ldap-module))))
-          (pam-service
-           (inherit pam)
-           (auth (cons sufficient (pam-service-auth pam)))
-           (session (cons sufficient (pam-service-session pam)))
-           (account (cons sufficient (pam-service-account pam)))))
-        pam)))
+  (pam-extender
+    (transformer
+     (lambda (pam)
+       (if (member (pam-service-name pam)
+                   (nslcd-configuration-pam-services config))
+           (let ((sufficient
+                  (pam-entry
+                   (control "sufficient")
+                   (module pam-ldap-module))))
+             (pam-service
+              (inherit pam)
+              (auth (cons sufficient (pam-service-auth pam)))
+              (session (cons sufficient (pam-service-session pam)))
+              (account (cons sufficient (pam-service-account pam)))))
+           pam)))))
 
 (define (pam-ldap-pam-services config)
   (list (pam-ldap-pam-service config)))
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4adb551796..eaf5030935 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1608,20 +1608,22 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration)))
 
 (define pam-limits-service-type
   (let ((pam-extension
-         (lambda (pam)
-           (let ((pam-limits (pam-entry
-                              (control "required")
-                              (module "pam_limits.so")
-                              (arguments
-                               '("conf=/etc/security/limits.conf")))))
-             (if (member (pam-service-name pam)
-                         '("login" "greetd" "su" "slim" "gdm-password" "sddm"
-                           "sudo" "sshd"))
-                 (pam-service
-                  (inherit pam)
-                  (session (cons pam-limits
-                                 (pam-service-session pam))))
-                 pam))))
+         (pam-extender
+          (transformer
+           (lambda (pam)
+             (let ((pam-limits (pam-entry
+                                (control "required")
+                                (module "pam_limits.so")
+                                (arguments
+                                 '("conf=/etc/security/limits.conf")))))
+               (if (member (pam-service-name pam)
+                           '("login" "greetd" "su" "slim" "gdm-password"
+                             "sddm" "sudo" "sshd"))
+                   (pam-service
+                    (inherit pam)
+                    (session (cons pam-limits
+                                   (pam-service-session pam))))
+                   pam))))))
 
         ;; XXX: Using file-like objects is deprecated, use lists instead.
         ;;      This is to be reduced into the list? case when the deprecated
@@ -3269,16 +3271,18 @@ (define (greetd-pam-service config)
                      (greetd-allow-empty-passwords? config)
                      #:motd
                      (greetd-motd config))
-   (lambda (pam)
-     (if (member (pam-service-name pam)
-                 '("login" "greetd" "su" "slim" "gdm-password"))
-         (pam-service
-          (inherit pam)
-          (auth (append (pam-service-auth pam)
-                        (list optional-pam-mount)))
-          (session (append (pam-service-session pam)
-                           (list optional-pam-mount))))
-         pam))))
+   (pam-extender
+    (transformer
+     (lambda (pam)
+       (if (member (pam-service-name pam)
+                   '("login" "greetd" "su" "slim" "gdm-password"))
+           (pam-service
+            (inherit pam)
+            (auth (append (pam-service-auth pam)
+                          (list optional-pam-mount)))
+            (session (append (pam-service-session pam)
+                             (list optional-pam-mount))))
+           pam))))))
 
 (define (greetd-shepherd-services config)
   (map
@@ -3290,7 +3294,7 @@ (define (greetd-shepherd-services config)
           (greetd-vt (greetd-terminal-vt tc)))
        (shepherd-service
         (documentation "Minimal and flexible login manager daemon")
-        (requirement '(user-processes host-name udev virtual-terminal))
+        (requirement '(pam user-processes host-name udev virtual-terminal))
         (provision (list (symbol-append
                           'term-tty
                           (string->symbol (greetd-terminal-vt tc)))))
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index adea5b38dd..3adcfe8e5d 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -1187,10 +1187,12 @@ (define (pam-extension-procedure config)
      (module (file-append (elogind-package config)
                           "/lib/security/pam_elogind.so"))))
 
-  (list (lambda (pam)
-          (pam-service
-           (inherit pam)
-           (session (cons pam-elogind (pam-service-session pam)))))))
+  (list (pam-extender
+         (transformer
+          (lambda (pam)
+            (pam-service
+             (inherit pam)
+             (session (cons pam-elogind (pam-service-session pam)))))))))
 
 (define (elogind-shepherd-service config)
   "Return a Shepherd service to start elogind according to @var{config}."
@@ -1703,22 +1705,24 @@ (define (pam-gnome-keyring config)
      (arguments arguments)))
 
   (list
-   (lambda (service)
-     (case (assoc-ref (gnome-keyring-pam-services config)
-                      (pam-service-name service))
-       ((login)
-        (pam-service
-         (inherit service)
-         (auth (append (pam-service-auth service)
-                       (list (%pam-keyring-entry))))
-         (session (append (pam-service-session service)
-                          (list (%pam-keyring-entry "auto_start"))))))
-       ((passwd)
-        (pam-service
-         (inherit service)
-         (password (append (pam-service-password service)
-                           (list (%pam-keyring-entry))))))
-       (else service)))))
+   (pam-extender
+    (transformer
+     (lambda (service)
+       (case (assoc-ref (gnome-keyring-pam-services config)
+                        (pam-service-name service))
+         ((login)
+          (pam-service
+           (inherit service)
+           (auth (append (pam-service-auth service)
+                         (list (%pam-keyring-entry))))
+           (session (append (pam-service-session service)
+                            (list (%pam-keyring-entry "auto_start"))))))
+         ((passwd)
+          (pam-service
+           (inherit service)
+           (password (append (pam-service-password service)
+                             (list (%pam-keyring-entry))))))
+         (else service)))))))
 
 (define gnome-keyring-service-type
   (service-type
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index c3c7872734..0ae7c127d1 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -428,27 +428,29 @@ (define-record-type* <pam-krb5-configuration>
 
 (define (pam-krb5-pam-service config)
   "Return a PAM service for Kerberos authentication."
-  (lambda (pam)
-    (define pam-krb5-module
-      #~(string-append #$(pam-krb5-configuration-pam-krb5 config)
-                       "/lib/security/pam_krb5.so"))
-
-    (let ((pam-krb5-sufficient
-           (pam-entry
-            (control "sufficient")
-            (module pam-krb5-module)
-            (arguments
-             (list
-              (format #f "minimum_uid=~a"
-                      (pam-krb5-configuration-minimum-uid config)))))))
-      (pam-service
-       (inherit pam)
-       (auth (cons* pam-krb5-sufficient
-                    (pam-service-auth pam)))
-       (session (cons* pam-krb5-sufficient
-                       (pam-service-session pam)))
-       (account (cons* pam-krb5-sufficient
-                       (pam-service-account pam)))))))
+  (pam-extender
+   (transformer
+    (lambda (pam)
+      (define pam-krb5-module
+        #~(string-append #$(pam-krb5-configuration-pam-krb5 config)
+                         "/lib/security/pam_krb5.so"))
+
+      (let ((pam-krb5-sufficient
+             (pam-entry
+              (control "sufficient")
+              (module pam-krb5-module)
+              (arguments
+               (list
+                (format #f "minimum_uid=~a"
+                        (pam-krb5-configuration-minimum-uid config)))))))
+        (pam-service
+         (inherit pam)
+         (auth (cons* pam-krb5-sufficient
+                      (pam-service-auth pam)))
+         (session (cons* pam-krb5-sufficient
+                         (pam-service-session pam)))
+         (account (cons* pam-krb5-sufficient
+                         (pam-service-account pam)))))))))
 
 (define (pam-krb5-pam-services config)
   (list (pam-krb5-pam-service config)))
diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm
index 0b9094cda1..b966f402d6 100644
--- a/gnu/services/lightdm.scm
+++ b/gnu/services/lightdm.scm
@@ -616,7 +616,7 @@ (define (lightdm-shepherd-service config)
   (list
    (shepherd-service
     (documentation "LightDM display manager")
-    (requirement '(dbus-system user-processes host-name))
+    (requirement '(pam dbus-system user-processes host-name))
     (provision '(lightdm display-manager xorg-server))
     (respawn? #f)
     (start
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index bf4948dcfb..12dcc8e71d 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -1578,7 +1578,7 @@ (define (dovecot-shepherd-service config)
     (list (shepherd-service
            (documentation "Run the Dovecot POP3/IMAP mail server.")
            (provision '(dovecot))
-           (requirement '(networking))
+           (requirement '(pam networking))
            (start #~(make-forkexec-constructor
                      (list (string-append #$dovecot "/sbin/dovecot")
                            "-F")))
@@ -1676,7 +1676,7 @@ (define (opensmtpd-shepherd-service config)
                        (package config-file shepherd-requirement)
     (list (shepherd-service
            (provision '(smtpd))
-           (requirement `(loopback ,@shepherd-requirement))
+           (requirement `(pam loopback ,@shepherd-requirement))
            (documentation "Run the OpenSMTPD daemon.")
            (start (let ((smtpd (file-append package "/sbin/smtpd")))
                     #~(make-forkexec-constructor
diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm
index e60781d05b..3e6667af9c 100644
--- a/gnu/services/pam-mount.scm
+++ b/gnu/services/pam-mount.scm
@@ -88,16 +88,19 @@ (define (pam-mount-pam-service config)
     (pam-entry
      (control "optional")
      (module #~(string-append #$pam-mount "/lib/security/pam_mount.so"))))
-  (list (lambda (pam)
-          (if (member (pam-service-name pam)
-                      '("login" "greetd" "su" "slim" "gdm-password" "sddm"))
-              (pam-service
-               (inherit pam)
-               (auth (append (pam-service-auth pam)
-                             (list optional-pam-mount)))
-               (session (append (pam-service-session pam)
-                                (list optional-pam-mount))))
-              pam))))
+  (list
+   (pam-extender
+    (transformer
+     (lambda (pam)
+       (if (member (pam-service-name pam)
+                   '("login" "greetd" "su" "slim" "gdm-password" "sddm"))
+           (pam-service
+            (inherit pam)
+            (auth (append (pam-service-auth pam)
+                          (list optional-pam-mount)))
+            (session (append (pam-service-session pam)
+                             (list optional-pam-mount))))
+           pam))))))
 
 (define pam-mount-service-type
   (service-type
diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm
index 9e02f1cc81..c9a7ba96f4 100644
--- a/gnu/services/sddm.scm
+++ b/gnu/services/sddm.scm
@@ -169,7 +169,7 @@ (define (sddm-shepherd-service config)
 
   (list (shepherd-service
          (documentation "SDDM display manager.")
-         (requirement '(user-processes elogind))
+         (requirement '(user-processes elogind pam))
          (provision '(xorg-server display-manager))
          (start #~(make-forkexec-constructor #$sddm-command))
          (stop #~(make-kill-destructor)))))
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index b76544c1a8..de5afdaa1a 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -197,9 +197,11 @@ (define (lsh-shepherd-service config)
                      interfaces)))))
 
   (define requires
-    (if (and daemonic? (lsh-configuration-syslog-output? config))
-        '(networking syslogd)
-        '(networking)))
+    `(networking
+      pam
+      ,@(if (and daemonic? (lsh-configuration-syslog-output? config))
+            '(syslogd)
+            '())))
 
   (list (shepherd-service
          (documentation "GNU lsh SSH server")
@@ -566,7 +568,7 @@ (define (openssh-shepherd-service config)
 
   (list (shepherd-service
          (documentation "OpenSSH server.")
-         (requirement '(syslogd loopback))
+         (requirement '(pam syslogd loopback))
          (provision '(ssh-daemon ssh sshd))
 
          (start #~(if #$inetd-style?
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 7295a45b59..8b6080fd26 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -667,7 +667,7 @@ (define (slim-shepherd-service config)
 
                        (list (symbol-append 'xorg-server-
                                             (string->symbol vt)))))
-           (requirement '(user-processes host-name udev))
+           (requirement '(pam user-processes host-name udev))
            (start
             #~(lambda ()
                 ;; A stale lock file can prevent SLiM from starting, so remove it to
@@ -1119,7 +1119,7 @@ (define (gdm-shepherd-service config)
   (list (shepherd-service
          (documentation "Xorg display server (GDM)")
          (provision '(xorg-server))
-         (requirement '(dbus-system user-processes host-name udev elogind))
+         (requirement '(dbus-system pam user-processes host-name udev elogind))
          (start #~(lambda ()
                     (fork+exec-command
                      (list #$(file-append (gdm-configuration-gdm config)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index b635681642..6d9a7484c3 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -21,6 +21,7 @@ (define-module (gnu system pam)
   #:use-module (guix derivations)
   #:use-module (guix gexp)
   #:use-module (gnu services)
+  #:use-module (gnu services shepherd)
   #:use-module (gnu system setuid)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1)
@@ -55,6 +56,10 @@ (define-module (gnu system pam)
             session-environment-service
             session-environment-service-type
 
+            pam-extender
+            pam-extender-transformer
+            pam-extender-shepherd-requirements
+
             pam-root-service-type
             pam-root-service))
 
@@ -347,32 +352,58 @@ (define (session-environment-service vars)
 ;;; PAM root service.
 ;;;
 
+;; A PAM transformer consists of a procedure acting on each PAM entry, with an
+;; additional list of shepherd-requirements that the meta PAM sheherd service
+;; will rely on.
+(define-record-type* <pam-extender>
+  pam-extender make-pam-extender pam-extender?
+  (transformer pam-extender-transformer)
+  (shepherd-requirements pam-extender-shepherd-requirements
+                         (default '())))
+
 ;; Overall PAM configuration: a list of services, plus a procedure that takes
 ;; one <pam-service> and returns a <pam-service>.  The procedure is used to
 ;; implement cross-cutting concerns such as the use of the 'elogind.so'
 ;; session module that keeps track of logged-in users.
 (define-record-type* <pam-configuration>
-  pam-configuration make-pam-configuration? pam-configuration?
+  pam-configuration make-pam-configuration pam-configuration?
   (services  pam-configuration-services)          ;list of <pam-service>
-  (transform pam-configuration-transform))        ;procedure
+  (extenders pam-configuration-extenders))        ;list of <pam-extender>
 
 (define (/etc-entry config)
   "Return the /etc/pam.d entry corresponding to CONFIG."
   (match config
-    (($ <pam-configuration> services transform)
-     (let ((services (map transform services)))
+    (($ <pam-configuration> services extenders)
+     (let ((services
+            (map
+             ;; XXX We need to add identity because compose expects at least
+             ;; one argument for some reason.
+             (apply compose (cons identity (map pam-extender-transformer extenders)))
+             services)))
        `(("pam.d" ,(pam-services->directory services)))))))
 
+(define (pam-shepherd-service config)
+  (define requirements
+    (match config
+      (($ <pam-configuration> services extenders)
+       (concatenate (map pam-extender-shepherd-requirements extenders)))))
+  (list (shepherd-service
+         (documentation "Synchronization point for services that need to be
+started for PAM to work.")
+         (provision '(pam))
+         (requirement requirements)
+         (start #~(const #t))
+         (stop #~(const #t)))))
+
 (define (extend-configuration initial extensions)
   "Extend INITIAL with NEW."
-  (let-values (((services procs)
+  (let-values (((services extenders)
                 (partition pam-service? extensions)))
     (pam-configuration
      (services (append (pam-configuration-services initial)
                        services))
-     (transform (apply compose
-                       (pam-configuration-transform initial)
-                       procs)))))
+     (extenders (append (pam-configuration-extenders initial)
+                        extenders)))))
 
 (define pam-root-service-type
   (service-type (name 'pam)
@@ -382,7 +413,9 @@ (define pam-root-service-type
                         (lambda (_)
                           (list (file-like->setuid-program
                                  (file-append linux-pam "/sbin/unix_chkpwd")))))
-                       (service-extension etc-service-type /etc-entry)))
+                       (service-extension etc-service-type /etc-entry)
+                       (service-extension shepherd-root-service-type
+                                          pam-shepherd-service)))
 
                 ;; Arguments include <pam-service> as well as procedures.
                 (compose concatenate)
@@ -394,7 +427,7 @@ (define pam-root-service-type
 program may authenticate users or what it should do when opening a new
 session.")))
 
-(define* (pam-root-service base #:key (transform identity))
+(define* (pam-root-service base #:key (extenders '()))
   "The \"root\" PAM service, which collects <pam-service> instance and turns
 them into a /etc/pam.d directory, including the <pam-service> listed in BASE.
 TRANSFORM is a procedure that takes a <pam-service> and returns a
@@ -402,6 +435,6 @@ (define* (pam-root-service base #:key (transform identity))
 all the PAM services."
   (service pam-root-service-type
            (pam-configuration (services base)
-                              (transform transform))))
+                              (extenders extenders))))
 
 
-- 
2.39.2





^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [bug#63314] [PATCH 2/2] services: elogind: Add elogind as a shepherd PAM requirement.
  2023-05-05 17:50 [bug#63314] [PATCH 0/2] Add PAM shepherd requirements Josselin Poiret via Guix-patches via
  2023-05-05 17:51 ` [bug#63314] [PATCH 1/2] system: pam: Let PAM extenders add " Josselin Poiret via Guix-patches via
@ 2023-05-05 17:51 ` Josselin Poiret via Guix-patches via
  2023-05-08  9:46   ` [bug#63314] [PATCH 0/2] Add PAM shepherd requirements Ludovic Courtès
  1 sibling, 1 reply; 10+ messages in thread
From: Josselin Poiret via Guix-patches via @ 2023-05-05 17:51 UTC (permalink / raw)
  To: 63314; +Cc: Josselin Poiret

From: Josselin Poiret <dev@jpoiret.xyz>

* gnu/services/desktop.scm (pam-extension-procedure): Add the elogind shepherd
requirement to the PAM extender.
---
 gnu/services/desktop.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index 3adcfe8e5d..d62536a27e 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -1192,7 +1192,8 @@ (define (pam-extension-procedure config)
           (lambda (pam)
             (pam-service
              (inherit pam)
-             (session (cons pam-elogind (pam-service-session pam)))))))))
+             (session (cons pam-elogind (pam-service-session pam))))))
+         (shepherd-requirements '(elogind)))))
 
 (define (elogind-shepherd-service config)
   "Return a Shepherd service to start elogind according to @var{config}."
-- 
2.39.2





^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [bug#63314] [PATCH 0/2] Add PAM shepherd requirements
  2023-05-05 17:51 ` [bug#63314] [PATCH 1/2] system: pam: Let PAM extenders add " Josselin Poiret via Guix-patches via
@ 2023-05-08  9:45   ` Ludovic Courtès
  2023-05-09 16:45     ` [bug#63314] [PATCH v2 " Josselin Poiret via Guix-patches via
  0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2023-05-08  9:45 UTC (permalink / raw)
  To: Josselin Poiret; +Cc: 63314

Hello!

Josselin Poiret <dev@jpoiret.xyz> skribis:

> From: Josselin Poiret <dev@jpoiret.xyz>
>
> * gnu/system/pam.scm (<pam-extender>): New record type.
> (pam-shepherd-service): Add Shepherd synchronization point.
>
> * gnu/services/mail.scm (dovecot-shepherd-service)
> * gnu/services/lightdm.scm (lightdm-shepherd-service)
> * gnu/services/mail.scm (opensmtpd-shepherd-service)
> * gnu/services/sddm.scm (sddm-shepherd-service)
> * gnu/services/ssh.scm (lsh-shepherd-service, openssh-shepherd-service)
> * gnu/services/xorg.scm (slim-shepherd-service, gdm-shepherd-service)
> * gnu/services/base.scm (greetd-shepherd-services): Add PAM requirement.
>
> * gnu/system/pam.scm (/etc-entry, extend-configuration,
> pam-root-service-type, pam-root-service)
> * gnu/services/authentication.scm (pam-ldap-pam-service)
> * gnu/services/base.scm (pam-limits-service-type)
> (greetd-pam-service)
> * gnu/services/desktop.scm (pam-gnome-keyring)
> * gnu/services/kerberos.scm (pam-krb5-pam-service)
> * gnu/services/pam-mount.scm (pam-mount-pam-service): Adapt to pam-extenders.

The approach looks reasonable to me, well done!

> +;; A PAM transformer consists of a procedure acting on each PAM entry, with an
> +;; additional list of shepherd-requirements that the meta PAM sheherd service
> +;; will rely on.
> +(define-record-type* <pam-extender>
> +  pam-extender make-pam-extender pam-extender?
> +  (transformer pam-extender-transformer)
> +  (shepherd-requirements pam-extender-shepherd-requirements
> +                         (default '())))

I would call it <pam-extension> (similar to <home-bash-extension>).
There’s a typo in the comment (“sheherd”); s/rely on/depend on/.

>  ;; Overall PAM configuration: a list of services, plus a procedure that takes
>  ;; one <pam-service> and returns a <pam-service>.  The procedure is used to
>  ;; implement cross-cutting concerns such as the use of the 'elogind.so'
>  ;; session module that keeps track of logged-in users.
>  (define-record-type* <pam-configuration>
> -  pam-configuration make-pam-configuration? pam-configuration?
> +  pam-configuration make-pam-configuration pam-configuration?
>    (services  pam-configuration-services)          ;list of <pam-service>
> -  (transform pam-configuration-transform))        ;procedure
> +  (extenders pam-configuration-extenders))        ;list of <pam-extender>

Instead of storing extensions, we should keep the full configuration
here (similar to <home-bash-configuration>).  That is, remove
‘extenders’ and instead add ‘shepherd-requirements’.

> +(define (pam-shepherd-service config)
> +  (define requirements
> +    (match config
> +      (($ <pam-configuration> services extenders)
> +       (concatenate (map pam-extender-shepherd-requirements extenders)))))

Rather: (append-map …)

Also please add a docstring.

>  (define (extend-configuration initial extensions)
>    "Extend INITIAL with NEW."
> -  (let-values (((services procs)
> +  (let-values (((services extenders)
>                  (partition pam-service? extensions)))
>      (pam-configuration
>       (services (append (pam-configuration-services initial)
>                         services))
> -     (transform (apply compose
> -                       (pam-configuration-transform initial)
> -                       procs)))))
> +     (extenders (append (pam-configuration-extenders initial)
> +                        extenders)))))

This would need to be adjusted accordingly.

Also, we need to preserve backward compatibility, so we should first do
something like:

  (let ((extensions (map (lambda (extension)
                           (if (pam-extension? extension)
                               extension
                               (begin
                                 (warn-about-deprecation …)
                                 (pam-extension (transformer extension)))))
                         extensions)))
   …)                         

Ludo’.




^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#63314] [PATCH 0/2] Add PAM shepherd requirements
  2023-05-05 17:51 ` [bug#63314] [PATCH " Josselin Poiret via Guix-patches via
@ 2023-05-08  9:46   ` Ludovic Courtès
  0 siblings, 0 replies; 10+ messages in thread
From: Ludovic Courtès @ 2023-05-08  9:46 UTC (permalink / raw)
  To: Josselin Poiret; +Cc: 63314

Josselin Poiret <dev@jpoiret.xyz> skribis:

> From: Josselin Poiret <dev@jpoiret.xyz>
>
> * gnu/services/desktop.scm (pam-extension-procedure): Add the elogind shepherd
> requirement to the PAM extender.
> ---
>  gnu/services/desktop.scm | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
> index 3adcfe8e5d..d62536a27e 100644
> --- a/gnu/services/desktop.scm
> +++ b/gnu/services/desktop.scm
> @@ -1192,7 +1192,8 @@ (define (pam-extension-procedure config)
>            (lambda (pam)
>              (pam-service
>               (inherit pam)
> -             (session (cons pam-elogind (pam-service-session pam)))))))))
> +             (session (cons pam-elogind (pam-service-session pam))))))
> +         (shepherd-requirements '(elogind)))))

LGTM.

Should we add a greetd system test that catches the bug?

Ludo’.




^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#63314] [PATCH v2 0/2] Add PAM shepherd requirements
  2023-05-08  9:45   ` [bug#63314] [PATCH 0/2] Add PAM " Ludovic Courtès
@ 2023-05-09 16:45     ` Josselin Poiret via Guix-patches via
  2023-05-09 16:45       ` [bug#63314] [PATCH v2 1/2] system: pam: Let PAM extensions add " Josselin Poiret via Guix-patches via
  2023-05-09 16:45       ` [bug#63314] [PATCH v2 2/2] services: elogind: Add elogind as a shepherd PAM requirement Josselin Poiret via Guix-patches via
  0 siblings, 2 replies; 10+ messages in thread
From: Josselin Poiret via Guix-patches via @ 2023-05-09 16:45 UTC (permalink / raw)
  To: Ludovic Courtès, Josselin Poiret; +Cc: 63314

Hi Ludo,

Thanks for the review.  Here is an updated patchset with the changes you
requested.  I don't think it's possible to have a reliable system test to
check for the greetd issue, since it is a race problem in the end.

Best,

Josselin Poiret (2):
  system: pam: Let PAM extensions add shepherd requirements.
  services: elogind: Add elogind as a shepherd PAM requirement.

 gnu/services/authentication.scm | 28 ++++++------
 gnu/services/base.scm           | 54 +++++++++++-----------
 gnu/services/desktop.scm        | 45 ++++++++++---------
 gnu/services/kerberos.scm       | 44 +++++++++---------
 gnu/services/lightdm.scm        |  2 +-
 gnu/services/mail.scm           |  4 +-
 gnu/services/pam-mount.scm      | 23 +++++-----
 gnu/services/sddm.scm           |  2 +-
 gnu/services/ssh.scm            | 10 +++--
 gnu/services/xorg.scm           |  4 +-
 gnu/system/pam.scm              | 80 +++++++++++++++++++++++++++------
 11 files changed, 184 insertions(+), 112 deletions(-)


base-commit: a759cbffafbf67b3a03c80b5bdbe3f3478affc50
-- 
2.39.2





^ permalink raw reply	[flat|nested] 10+ messages in thread

* [bug#63314] [PATCH v2 1/2] system: pam: Let PAM extensions add shepherd requirements.
  2023-05-09 16:45     ` [bug#63314] [PATCH v2 " Josselin Poiret via Guix-patches via
@ 2023-05-09 16:45       ` Josselin Poiret via Guix-patches via
  2023-05-11 11:15         ` Ludovic Courtès
  2023-05-09 16:45       ` [bug#63314] [PATCH v2 2/2] services: elogind: Add elogind as a shepherd PAM requirement Josselin Poiret via Guix-patches via
  1 sibling, 1 reply; 10+ messages in thread
From: Josselin Poiret via Guix-patches via @ 2023-05-09 16:45 UTC (permalink / raw)
  To: Ludovic Courtès, Josselin Poiret; +Cc: 63314

From: Josselin Poiret <dev@jpoiret.xyz>

* gnu/system/pam.scm (<pam-extension>): New record type.
(pam-shepherd-service): Add Shepherd synchronization point.

* gnu/services/mail.scm (dovecot-shepherd-service)
* gnu/services/lightdm.scm (lightdm-shepherd-service)
* gnu/services/mail.scm (opensmtpd-shepherd-service)
* gnu/services/sddm.scm (sddm-shepherd-service)
* gnu/services/ssh.scm (lsh-shepherd-service, openssh-shepherd-service)
* gnu/services/xorg.scm (slim-shepherd-service, gdm-shepherd-service)
* gnu/services/base.scm (greetd-shepherd-services): Add PAM requirement.

* gnu/system/pam.scm (/etc-entry, extend-configuration,
pam-root-service-type, pam-root-service)
* gnu/services/authentication.scm (pam-ldap-pam-service)
* gnu/services/base.scm (pam-limits-service-type)
(greetd-pam-service)
* gnu/services/desktop.scm (pam-gnome-keyring)
* gnu/services/kerberos.scm (pam-krb5-pam-service)
* gnu/services/pam-mount.scm (pam-mount-pam-service): Adapt to use
pam-extension.
---
 gnu/services/authentication.scm | 28 ++++++------
 gnu/services/base.scm           | 54 +++++++++++-----------
 gnu/services/desktop.scm        | 44 +++++++++---------
 gnu/services/kerberos.scm       | 44 +++++++++---------
 gnu/services/lightdm.scm        |  2 +-
 gnu/services/mail.scm           |  4 +-
 gnu/services/pam-mount.scm      | 23 +++++-----
 gnu/services/sddm.scm           |  2 +-
 gnu/services/ssh.scm            | 10 +++--
 gnu/services/xorg.scm           |  4 +-
 gnu/system/pam.scm              | 80 +++++++++++++++++++++++++++------
 11 files changed, 183 insertions(+), 112 deletions(-)

diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm
index f7becdfafb..f1ad1b1afe 100644
--- a/gnu/services/authentication.scm
+++ b/gnu/services/authentication.scm
@@ -506,19 +506,21 @@ (define (pam-ldap-pam-service config)
   (define pam-ldap-module
     #~(string-append #$(nslcd-configuration-nss-pam-ldapd config)
                      "/lib/security/pam_ldap.so"))
-  (lambda (pam)
-    (if (member (pam-service-name pam)
-                (nslcd-configuration-pam-services config))
-        (let ((sufficient
-               (pam-entry
-                (control "sufficient")
-                (module pam-ldap-module))))
-          (pam-service
-           (inherit pam)
-           (auth (cons sufficient (pam-service-auth pam)))
-           (session (cons sufficient (pam-service-session pam)))
-           (account (cons sufficient (pam-service-account pam)))))
-        pam)))
+  (pam-extension
+    (transformer
+     (lambda (pam)
+       (if (member (pam-service-name pam)
+                   (nslcd-configuration-pam-services config))
+           (let ((sufficient
+                  (pam-entry
+                   (control "sufficient")
+                   (module pam-ldap-module))))
+             (pam-service
+              (inherit pam)
+              (auth (cons sufficient (pam-service-auth pam)))
+              (session (cons sufficient (pam-service-session pam)))
+              (account (cons sufficient (pam-service-account pam)))))
+           pam)))))
 
 (define (pam-ldap-pam-services config)
   (list (pam-ldap-pam-service config)))
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4adb551796..a69e99343b 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1608,20 +1608,22 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration)))
 
 (define pam-limits-service-type
   (let ((pam-extension
-         (lambda (pam)
-           (let ((pam-limits (pam-entry
-                              (control "required")
-                              (module "pam_limits.so")
-                              (arguments
-                               '("conf=/etc/security/limits.conf")))))
-             (if (member (pam-service-name pam)
-                         '("login" "greetd" "su" "slim" "gdm-password" "sddm"
-                           "sudo" "sshd"))
-                 (pam-service
-                  (inherit pam)
-                  (session (cons pam-limits
-                                 (pam-service-session pam))))
-                 pam))))
+         (pam-extension
+          (transformer
+           (lambda (pam)
+             (let ((pam-limits (pam-entry
+                                (control "required")
+                                (module "pam_limits.so")
+                                (arguments
+                                 '("conf=/etc/security/limits.conf")))))
+               (if (member (pam-service-name pam)
+                           '("login" "greetd" "su" "slim" "gdm-password"
+                             "sddm" "sudo" "sshd"))
+                   (pam-service
+                    (inherit pam)
+                    (session (cons pam-limits
+                                   (pam-service-session pam))))
+                   pam))))))
 
         ;; XXX: Using file-like objects is deprecated, use lists instead.
         ;;      This is to be reduced into the list? case when the deprecated
@@ -3269,16 +3271,18 @@ (define (greetd-pam-service config)
                      (greetd-allow-empty-passwords? config)
                      #:motd
                      (greetd-motd config))
-   (lambda (pam)
-     (if (member (pam-service-name pam)
-                 '("login" "greetd" "su" "slim" "gdm-password"))
-         (pam-service
-          (inherit pam)
-          (auth (append (pam-service-auth pam)
-                        (list optional-pam-mount)))
-          (session (append (pam-service-session pam)
-                           (list optional-pam-mount))))
-         pam))))
+   (pam-extension
+    (transformer
+     (lambda (pam)
+       (if (member (pam-service-name pam)
+                   '("login" "greetd" "su" "slim" "gdm-password"))
+           (pam-service
+            (inherit pam)
+            (auth (append (pam-service-auth pam)
+                          (list optional-pam-mount)))
+            (session (append (pam-service-session pam)
+                             (list optional-pam-mount))))
+           pam))))))
 
 (define (greetd-shepherd-services config)
   (map
@@ -3290,7 +3294,7 @@ (define (greetd-shepherd-services config)
           (greetd-vt (greetd-terminal-vt tc)))
        (shepherd-service
         (documentation "Minimal and flexible login manager daemon")
-        (requirement '(user-processes host-name udev virtual-terminal))
+        (requirement '(pam user-processes host-name udev virtual-terminal))
         (provision (list (symbol-append
                           'term-tty
                           (string->symbol (greetd-terminal-vt tc)))))
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index adea5b38dd..6b1b21cf80 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -1187,10 +1187,12 @@ (define (pam-extension-procedure config)
      (module (file-append (elogind-package config)
                           "/lib/security/pam_elogind.so"))))
 
-  (list (lambda (pam)
-          (pam-service
-           (inherit pam)
-           (session (cons pam-elogind (pam-service-session pam)))))))
+  (list (pam-extension
+         (transformer
+          (lambda (pam)
+            (pam-service
+             (inherit pam)
+             (session (cons pam-elogind (pam-service-session pam)))))))))
 
 (define (elogind-shepherd-service config)
   "Return a Shepherd service to start elogind according to @var{config}."
@@ -1703,22 +1705,24 @@ (define (pam-gnome-keyring config)
      (arguments arguments)))
 
   (list
-   (lambda (service)
-     (case (assoc-ref (gnome-keyring-pam-services config)
-                      (pam-service-name service))
-       ((login)
-        (pam-service
-         (inherit service)
-         (auth (append (pam-service-auth service)
-                       (list (%pam-keyring-entry))))
-         (session (append (pam-service-session service)
-                          (list (%pam-keyring-entry "auto_start"))))))
-       ((passwd)
-        (pam-service
-         (inherit service)
-         (password (append (pam-service-password service)
-                           (list (%pam-keyring-entry))))))
-       (else service)))))
+   (pam-extension
+    (transformer
+     (lambda (service)
+       (case (assoc-ref (gnome-keyring-pam-services config)
+                        (pam-service-name service))
+         ((login)
+          (pam-service
+           (inherit service)
+           (auth (append (pam-service-auth service)
+                         (list (%pam-keyring-entry))))
+           (session (append (pam-service-session service)
+                            (list (%pam-keyring-entry "auto_start"))))))
+         ((passwd)
+          (pam-service
+           (inherit service)
+           (password (append (pam-service-password service)
+                             (list (%pam-keyring-entry))))))
+         (else service)))))))
 
 (define gnome-keyring-service-type
   (service-type
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index c3c7872734..1a1b37f890 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -428,27 +428,29 @@ (define-record-type* <pam-krb5-configuration>
 
 (define (pam-krb5-pam-service config)
   "Return a PAM service for Kerberos authentication."
-  (lambda (pam)
-    (define pam-krb5-module
-      #~(string-append #$(pam-krb5-configuration-pam-krb5 config)
-                       "/lib/security/pam_krb5.so"))
-
-    (let ((pam-krb5-sufficient
-           (pam-entry
-            (control "sufficient")
-            (module pam-krb5-module)
-            (arguments
-             (list
-              (format #f "minimum_uid=~a"
-                      (pam-krb5-configuration-minimum-uid config)))))))
-      (pam-service
-       (inherit pam)
-       (auth (cons* pam-krb5-sufficient
-                    (pam-service-auth pam)))
-       (session (cons* pam-krb5-sufficient
-                       (pam-service-session pam)))
-       (account (cons* pam-krb5-sufficient
-                       (pam-service-account pam)))))))
+  (pam-extension
+   (transformer
+    (lambda (pam)
+      (define pam-krb5-module
+        #~(string-append #$(pam-krb5-configuration-pam-krb5 config)
+                         "/lib/security/pam_krb5.so"))
+
+      (let ((pam-krb5-sufficient
+             (pam-entry
+              (control "sufficient")
+              (module pam-krb5-module)
+              (arguments
+               (list
+                (format #f "minimum_uid=~a"
+                        (pam-krb5-configuration-minimum-uid config)))))))
+        (pam-service
+         (inherit pam)
+         (auth (cons* pam-krb5-sufficient
+                      (pam-service-auth pam)))
+         (session (cons* pam-krb5-sufficient
+                         (pam-service-session pam)))
+         (account (cons* pam-krb5-sufficient
+                         (pam-service-account pam)))))))))
 
 (define (pam-krb5-pam-services config)
   (list (pam-krb5-pam-service config)))
diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm
index 0b9094cda1..b966f402d6 100644
--- a/gnu/services/lightdm.scm
+++ b/gnu/services/lightdm.scm
@@ -616,7 +616,7 @@ (define (lightdm-shepherd-service config)
   (list
    (shepherd-service
     (documentation "LightDM display manager")
-    (requirement '(dbus-system user-processes host-name))
+    (requirement '(pam dbus-system user-processes host-name))
     (provision '(lightdm display-manager xorg-server))
     (respawn? #f)
     (start
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index bf4948dcfb..12dcc8e71d 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -1578,7 +1578,7 @@ (define (dovecot-shepherd-service config)
     (list (shepherd-service
            (documentation "Run the Dovecot POP3/IMAP mail server.")
            (provision '(dovecot))
-           (requirement '(networking))
+           (requirement '(pam networking))
            (start #~(make-forkexec-constructor
                      (list (string-append #$dovecot "/sbin/dovecot")
                            "-F")))
@@ -1676,7 +1676,7 @@ (define (opensmtpd-shepherd-service config)
                        (package config-file shepherd-requirement)
     (list (shepherd-service
            (provision '(smtpd))
-           (requirement `(loopback ,@shepherd-requirement))
+           (requirement `(pam loopback ,@shepherd-requirement))
            (documentation "Run the OpenSMTPD daemon.")
            (start (let ((smtpd (file-append package "/sbin/smtpd")))
                     #~(make-forkexec-constructor
diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm
index e60781d05b..21c34ddd61 100644
--- a/gnu/services/pam-mount.scm
+++ b/gnu/services/pam-mount.scm
@@ -88,16 +88,19 @@ (define (pam-mount-pam-service config)
     (pam-entry
      (control "optional")
      (module #~(string-append #$pam-mount "/lib/security/pam_mount.so"))))
-  (list (lambda (pam)
-          (if (member (pam-service-name pam)
-                      '("login" "greetd" "su" "slim" "gdm-password" "sddm"))
-              (pam-service
-               (inherit pam)
-               (auth (append (pam-service-auth pam)
-                             (list optional-pam-mount)))
-               (session (append (pam-service-session pam)
-                                (list optional-pam-mount))))
-              pam))))
+  (list
+   (pam-extension
+    (transformer
+     (lambda (pam)
+       (if (member (pam-service-name pam)
+                   '("login" "greetd" "su" "slim" "gdm-password" "sddm"))
+           (pam-service
+            (inherit pam)
+            (auth (append (pam-service-auth pam)
+                          (list optional-pam-mount)))
+            (session (append (pam-service-session pam)
+                             (list optional-pam-mount))))
+           pam))))))
 
 (define pam-mount-service-type
   (service-type
diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm
index 9e02f1cc81..c9a7ba96f4 100644
--- a/gnu/services/sddm.scm
+++ b/gnu/services/sddm.scm
@@ -169,7 +169,7 @@ (define (sddm-shepherd-service config)
 
   (list (shepherd-service
          (documentation "SDDM display manager.")
-         (requirement '(user-processes elogind))
+         (requirement '(user-processes elogind pam))
          (provision '(xorg-server display-manager))
          (start #~(make-forkexec-constructor #$sddm-command))
          (stop #~(make-kill-destructor)))))
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index b76544c1a8..de5afdaa1a 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -197,9 +197,11 @@ (define (lsh-shepherd-service config)
                      interfaces)))))
 
   (define requires
-    (if (and daemonic? (lsh-configuration-syslog-output? config))
-        '(networking syslogd)
-        '(networking)))
+    `(networking
+      pam
+      ,@(if (and daemonic? (lsh-configuration-syslog-output? config))
+            '(syslogd)
+            '())))
 
   (list (shepherd-service
          (documentation "GNU lsh SSH server")
@@ -566,7 +568,7 @@ (define (openssh-shepherd-service config)
 
   (list (shepherd-service
          (documentation "OpenSSH server.")
-         (requirement '(syslogd loopback))
+         (requirement '(pam syslogd loopback))
          (provision '(ssh-daemon ssh sshd))
 
          (start #~(if #$inetd-style?
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 7295a45b59..8b6080fd26 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -667,7 +667,7 @@ (define (slim-shepherd-service config)
 
                        (list (symbol-append 'xorg-server-
                                             (string->symbol vt)))))
-           (requirement '(user-processes host-name udev))
+           (requirement '(pam user-processes host-name udev))
            (start
             #~(lambda ()
                 ;; A stale lock file can prevent SLiM from starting, so remove it to
@@ -1119,7 +1119,7 @@ (define (gdm-shepherd-service config)
   (list (shepherd-service
          (documentation "Xorg display server (GDM)")
          (provision '(xorg-server))
-         (requirement '(dbus-system user-processes host-name udev elogind))
+         (requirement '(dbus-system pam user-processes host-name udev elogind))
          (start #~(lambda ()
                     (fork+exec-command
                      (list #$(file-append (gdm-configuration-gdm config)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index b635681642..f624064999 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -19,8 +19,11 @@
 (define-module (gnu system pam)
   #:use-module (guix records)
   #:use-module (guix derivations)
+  #:use-module (guix diagnostics)
   #:use-module (guix gexp)
+  #:use-module (guix i18n)
   #:use-module (gnu services)
+  #:use-module (gnu services shepherd)
   #:use-module (gnu system setuid)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1)
@@ -55,6 +58,10 @@ (define-module (gnu system pam)
             session-environment-service
             session-environment-service-type
 
+            pam-extension
+            pam-extension-transformer
+            pam-extension-shepherd-requirements
+
             pam-root-service-type
             pam-root-service))
 
@@ -347,32 +354,76 @@ (define (session-environment-service vars)
 ;;; PAM root service.
 ;;;
 
+;; A PAM transformer consists of a procedure acting on each PAM entry, with an
+;; additional list of shepherd-requirements that the meta PAM shepherd service
+;; will depend on.
+(define-record-type* <pam-extension>
+  pam-extension make-pam-extension pam-extension?
+  (transformer pam-extension-transformer)
+  (shepherd-requirements pam-extension-shepherd-requirements
+                         (default '())))
+
 ;; Overall PAM configuration: a list of services, plus a procedure that takes
 ;; one <pam-service> and returns a <pam-service>.  The procedure is used to
 ;; implement cross-cutting concerns such as the use of the 'elogind.so'
 ;; session module that keeps track of logged-in users.
 (define-record-type* <pam-configuration>
-  pam-configuration make-pam-configuration? pam-configuration?
-  (services  pam-configuration-services)          ;list of <pam-service>
-  (transform pam-configuration-transform))        ;procedure
+  pam-configuration make-pam-configuration pam-configuration?
+  ;list of <pam-service>
+  (services  pam-configuration-services)
+  ;list of procedures <pam-entry> -> <pam-entry>
+  (transformers pam-configuration-transformers)
+  ;list of symbols
+  (shepherd-requirements pam-configuration-shepherd-requirements))
 
 (define (/etc-entry config)
   "Return the /etc/pam.d entry corresponding to CONFIG."
   (match config
-    (($ <pam-configuration> services transform)
-     (let ((services (map transform services)))
+    (($ <pam-configuration> services transformers shepherd-requirements)
+     (let ((services
+            (map
+             ;; XXX We need to add identity because compose expects at least
+             ;; one argument for some reason.
+             (apply compose (cons identity transformers))
+             services)))
        `(("pam.d" ,(pam-services->directory services)))))))
 
+(define (pam-shepherd-service config)
+  "Return the PAM synchronization shepherd service corresponding to CONFIG."
+  (match config
+    (($ <pam-configuration> services transformers shepherd-requirements)
+     (list (shepherd-service
+            (documentation "Synchronization point for services that need to be
+started for PAM to work.")
+            (provision '(pam))
+            (requirement shepherd-requirements)
+            (start #~(const #t))
+            (stop #~(const #t)))))))
+
 (define (extend-configuration initial extensions)
   "Extend INITIAL with NEW."
-  (let-values (((services procs)
-                (partition pam-service? extensions)))
+  ;; TODO: Remove deprecation shim.
+  (define cleaned-extensions
+    (map
+     (lambda (ext)
+       (cond
+        ((procedure? ext)
+         (begin
+           (warning (G_ "pam-root-service-type transformer extensions should\
+now use the <pam-extension> record."))
+           (pam-extension (transformer ext))))
+        (#t ext)))
+     extensions))
+  (let-values (((services pam-extensions)
+                (partition pam-service? cleaned-extensions)))
     (pam-configuration
      (services (append (pam-configuration-services initial)
                        services))
-     (transform (apply compose
-                       (pam-configuration-transform initial)
-                       procs)))))
+     (transformers (append (pam-configuration-transformers initial)
+                           (map pam-extension-transformer pam-extensions)))
+     (shepherd-requirements
+      (append (pam-configuration-shepherd-requirements initial)
+              (append-map pam-extension-shepherd-requirements pam-extensions))))))
 
 (define pam-root-service-type
   (service-type (name 'pam)
@@ -382,7 +433,9 @@ (define pam-root-service-type
                         (lambda (_)
                           (list (file-like->setuid-program
                                  (file-append linux-pam "/sbin/unix_chkpwd")))))
-                       (service-extension etc-service-type /etc-entry)))
+                       (service-extension etc-service-type /etc-entry)
+                       (service-extension shepherd-root-service-type
+                                          pam-shepherd-service)))
 
                 ;; Arguments include <pam-service> as well as procedures.
                 (compose concatenate)
@@ -394,7 +447,7 @@ (define pam-root-service-type
 program may authenticate users or what it should do when opening a new
 session.")))
 
-(define* (pam-root-service base #:key (transform identity))
+(define* (pam-root-service base #:key (transformers '()) (shepherd-requirements '()))
   "The \"root\" PAM service, which collects <pam-service> instance and turns
 them into a /etc/pam.d directory, including the <pam-service> listed in BASE.
 TRANSFORM is a procedure that takes a <pam-service> and returns a
@@ -402,6 +455,7 @@ (define* (pam-root-service base #:key (transform identity))
 all the PAM services."
   (service pam-root-service-type
            (pam-configuration (services base)
-                              (transform transform))))
+                              (transformers transformers)
+                              (shepherd-requirements shepherd-requirements))))
 
 
-- 
2.39.2





^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [bug#63314] [PATCH v2 2/2] services: elogind: Add elogind as a shepherd PAM requirement.
  2023-05-09 16:45     ` [bug#63314] [PATCH v2 " Josselin Poiret via Guix-patches via
  2023-05-09 16:45       ` [bug#63314] [PATCH v2 1/2] system: pam: Let PAM extensions add " Josselin Poiret via Guix-patches via
@ 2023-05-09 16:45       ` Josselin Poiret via Guix-patches via
  2023-05-11 11:16         ` bug#63314: " Ludovic Courtès
  1 sibling, 1 reply; 10+ messages in thread
From: Josselin Poiret via Guix-patches via @ 2023-05-09 16:45 UTC (permalink / raw)
  To: Ludovic Courtès, Josselin Poiret; +Cc: 63314

From: Josselin Poiret <dev@jpoiret.xyz>

* gnu/services/desktop.scm (pam-extension-procedure): Add the elogind shepherd
requirement to the PAM extension.
---
 gnu/services/desktop.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index 6b1b21cf80..64eac1117d 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -1192,7 +1192,8 @@ (define (pam-extension-procedure config)
           (lambda (pam)
             (pam-service
              (inherit pam)
-             (session (cons pam-elogind (pam-service-session pam)))))))))
+             (session (cons pam-elogind (pam-service-session pam))))))
+         (shepherd-requirements '(elogind)))))
 
 (define (elogind-shepherd-service config)
   "Return a Shepherd service to start elogind according to @var{config}."
-- 
2.39.2





^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [bug#63314] [PATCH v2 1/2] system: pam: Let PAM extensions add shepherd requirements.
  2023-05-09 16:45       ` [bug#63314] [PATCH v2 1/2] system: pam: Let PAM extensions add " Josselin Poiret via Guix-patches via
@ 2023-05-11 11:15         ` Ludovic Courtès
  0 siblings, 0 replies; 10+ messages in thread
From: Ludovic Courtès @ 2023-05-11 11:15 UTC (permalink / raw)
  To: Josselin Poiret; +Cc: 63314

[-- Attachment #1: Type: text/plain, Size: 1135 bytes --]

Hi,

Josselin Poiret <dev@jpoiret.xyz> skribis:

> From: Josselin Poiret <dev@jpoiret.xyz>
>
> * gnu/system/pam.scm (<pam-extension>): New record type.
> (pam-shepherd-service): Add Shepherd synchronization point.
>
> * gnu/services/mail.scm (dovecot-shepherd-service)
> * gnu/services/lightdm.scm (lightdm-shepherd-service)
> * gnu/services/mail.scm (opensmtpd-shepherd-service)
> * gnu/services/sddm.scm (sddm-shepherd-service)
> * gnu/services/ssh.scm (lsh-shepherd-service, openssh-shepherd-service)
> * gnu/services/xorg.scm (slim-shepherd-service, gdm-shepherd-service)
> * gnu/services/base.scm (greetd-shepherd-services): Add PAM requirement.
>
> * gnu/system/pam.scm (/etc-entry, extend-configuration,
> pam-root-service-type, pam-root-service)
> * gnu/services/authentication.scm (pam-ldap-pam-service)
> * gnu/services/base.scm (pam-limits-service-type)
> (greetd-pam-service)
> * gnu/services/desktop.scm (pam-gnome-keyring)
> * gnu/services/kerberos.scm (pam-krb5-pam-service)
> * gnu/services/pam-mount.scm (pam-mount-pam-service): Adapt to use
> pam-extension.

Excellent!  I committed with the cosmetic changes below:


[-- Attachment #2: Type: text/x-patch, Size: 2608 bytes --]

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index f624064999..adc40c975f 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013-2017, 2019-2021 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -354,9 +355,9 @@ (define (session-environment-service vars)
 ;;; PAM root service.
 ;;;
 
-;; A PAM transformer consists of a procedure acting on each PAM entry, with an
-;; additional list of shepherd-requirements that the meta PAM shepherd service
-;; will depend on.
+;; Extension of the PAM configuration.  A PAM transformer consists of a
+;; procedure acting on each PAM entry; 'shepherd-requirements' lists services
+;; that the meta 'pam' Shepherd service will depend on.
 (define-record-type* <pam-extension>
   pam-extension make-pam-extension pam-extension?
   (transformer pam-extension-transformer)
@@ -380,12 +381,8 @@ (define (/etc-entry config)
   "Return the /etc/pam.d entry corresponding to CONFIG."
   (match config
     (($ <pam-configuration> services transformers shepherd-requirements)
-     (let ((services
-            (map
-             ;; XXX We need to add identity because compose expects at least
-             ;; one argument for some reason.
-             (apply compose (cons identity transformers))
-             services)))
+     (let ((services (map (apply compose identity transformers)
+                          services)))
        `(("pam.d" ,(pam-services->directory services)))))))
 
 (define (pam-shepherd-service config)
@@ -404,16 +401,15 @@ (define (extend-configuration initial extensions)
   "Extend INITIAL with NEW."
   ;; TODO: Remove deprecation shim.
   (define cleaned-extensions
-    (map
-     (lambda (ext)
-       (cond
-        ((procedure? ext)
-         (begin
-           (warning (G_ "pam-root-service-type transformer extensions should\
-now use the <pam-extension> record."))
-           (pam-extension (transformer ext))))
-        (#t ext)))
-     extensions))
+    (map (lambda (ext)
+           (if (procedure? ext)
+               (begin
+                 (warning (G_ "'pam-root-service-type' extensions should \
+now use the <pam-extension> record~%"))
+                 (pam-extension (transformer ext)))
+               ext))
+         extensions))
+
   (let-values (((services pam-extensions)
                 (partition pam-service? cleaned-extensions)))
     (pam-configuration

[-- Attachment #3: Type: text/plain, Size: 12 bytes --]


Ludo’.

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* bug#63314: [PATCH v2 2/2] services: elogind: Add elogind as a shepherd PAM requirement.
  2023-05-09 16:45       ` [bug#63314] [PATCH v2 2/2] services: elogind: Add elogind as a shepherd PAM requirement Josselin Poiret via Guix-patches via
@ 2023-05-11 11:16         ` Ludovic Courtès
  0 siblings, 0 replies; 10+ messages in thread
From: Ludovic Courtès @ 2023-05-11 11:16 UTC (permalink / raw)
  To: Josselin Poiret; +Cc: 63314-done

Josselin Poiret <dev@jpoiret.xyz> skribis:

> From: Josselin Poiret <dev@jpoiret.xyz>
>
> * gnu/services/desktop.scm (pam-extension-procedure): Add the elogind shepherd
> requirement to the PAM extension.

Applied, thanks!




^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2023-05-11 11:17 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-05-05 17:50 [bug#63314] [PATCH 0/2] Add PAM shepherd requirements Josselin Poiret via Guix-patches via
2023-05-05 17:51 ` [bug#63314] [PATCH 1/2] system: pam: Let PAM extenders add " Josselin Poiret via Guix-patches via
2023-05-08  9:45   ` [bug#63314] [PATCH 0/2] Add PAM " Ludovic Courtès
2023-05-09 16:45     ` [bug#63314] [PATCH v2 " Josselin Poiret via Guix-patches via
2023-05-09 16:45       ` [bug#63314] [PATCH v2 1/2] system: pam: Let PAM extensions add " Josselin Poiret via Guix-patches via
2023-05-11 11:15         ` Ludovic Courtès
2023-05-09 16:45       ` [bug#63314] [PATCH v2 2/2] services: elogind: Add elogind as a shepherd PAM requirement Josselin Poiret via Guix-patches via
2023-05-11 11:16         ` bug#63314: " Ludovic Courtès
2023-05-05 17:51 ` [bug#63314] [PATCH " Josselin Poiret via Guix-patches via
2023-05-08  9:46   ` [bug#63314] [PATCH 0/2] Add PAM shepherd requirements Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).