* [bug#63314] [PATCH 0/2] Add PAM shepherd requirements
From: Josselin Poiret via Guix-patches via @ 2023-05-05 17:50 UTC
To: 63314; +Cc: Josselin Poiret
Hi everyone,
With shepherd 0.10 incoming, I've been running into a nasty issue: I use
elogind and greetd, and greetd, when starting, needs to let its greeter log in
through PAM. However, its PAM entry requires pam_elogind.so, which might not
work if elogind isn't started yet, and so my greetd would just fail to start.
This patch adds a shepherd synchronization point for services needed by PAM,
and any PAM-using program should have the synchronization point as a
requirement. I've mostly tested this with greetd only, so I would appreciate
if other PAM users could try it out.
Best,
Josselin Poiret (2):
system: pam: Let PAM extenders add shepherd requirements.
services: elogind: Add elogind as a shepherd PAM requirement.
gnu/services/authentication.scm | 28 +++++++++--------
gnu/services/base.scm | 54 +++++++++++++++++---------------
gnu/services/desktop.scm | 45 +++++++++++++++------------
gnu/services/kerberos.scm | 44 +++++++++++++-------------
gnu/services/lightdm.scm | 2 +-
gnu/services/mail.scm | 4 +--
gnu/services/pam-mount.scm | 23 ++++++++------
gnu/services/sddm.scm | 2 +-
gnu/services/ssh.scm | 10 +++---
gnu/services/xorg.scm | 4 +--
gnu/system/pam.scm | 55 ++++++++++++++++++++++++++-------
11 files changed, 161 insertions(+), 110 deletions(-)
base-commit: 6922069bcbe5c08da09c00e5aad44e390ebd1cc7
--
2.39.2
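The design described in the cover letter, shown end to end as an added example (this is not code from the patch series or from Guix itself): a hypothetical service whose PAM module depends on a daemon, and a hypothetical PAM-using daemon that is ordered after it through the 'pam synchronization point. The names foo-auth, foo-authd, foo-login, pam_foo.so and the <foo-auth-configuration> record are invented for the example; pam-extension, transformer and shepherd-requirements are the field names as they end up in v2 of this series (v1 calls the record pam-extender).

```scheme
;; Added example, not part of the series.  Assumes a hypothetical package
;; providing sbin/foo-authd and lib/security/pam_foo.so, and the
;; pam-extension record from this series (v2 naming).
(define-module (my services foo-auth)
  #:use-module (gnu services)
  #:use-module (gnu services shepherd)
  #:use-module (gnu system pam)
  #:use-module (guix gexp)
  #:use-module (guix records)
  #:export (foo-auth-configuration
            foo-auth-service-type
            foo-login-service-type))

(define-record-type* <foo-auth-configuration>
  foo-auth-configuration make-foo-auth-configuration
  foo-auth-configuration?
  (package      foo-auth-configuration-package)      ;hypothetical package
  (pam-services foo-auth-configuration-pam-services  ;PAM stacks to extend
                (default '("login" "greetd" "sshd"))))

;; The daemon that pam_foo.so talks to.  It must NOT list 'pam in its own
;; requirement: the 'pam synchronization point is about to depend on it,
;; and shepherd would otherwise report a dependency cycle.
(define (foo-authd-shepherd-service config)
  (list (shepherd-service
         (documentation "Hypothetical daemon queried by pam_foo.so.")
         (provision '(foo-authd))
         (requirement '(user-processes loopback))
         (start #~(make-forkexec-constructor
                   (list #$(file-append (foo-auth-configuration-package config)
                                        "/sbin/foo-authd"))))
         (stop #~(make-kill-destructor)))))

;; PAM extension: insert pam_foo.so into the selected stacks and declare
;; that 'pam must wait for foo-authd.
(define (foo-auth-pam-extension config)
  (define pam-foo
    (pam-entry
     (control "sufficient")
     (module (file-append (foo-auth-configuration-package config)
                          "/lib/security/pam_foo.so"))))
  (list
   (pam-extension
    (transformer
     (lambda (pam)
       (if (member (pam-service-name pam)
                   (foo-auth-configuration-pam-services config))
           (pam-service
            (inherit pam)
            (auth (cons pam-foo (pam-service-auth pam))))
           pam)))
    (shepherd-requirements '(foo-authd)))))

(define foo-auth-service-type
  (service-type
   (name 'foo-auth)
   (extensions
    (list (service-extension shepherd-root-service-type
                             foo-authd-shepherd-service)
          (service-extension pam-root-service-type
                             foo-auth-pam-extension)))
   (description "Hypothetical daemon plus the PAM module that depends on it.")))

;; A PAM consumer: a daemon that calls into PAM lists 'pam in its
;; requirement and is thereby started after foo-authd and after every
;; other daemon some pam-extension declared (elogind with patch 2/2).
(define (foo-login-shepherd-service program)
  (list (shepherd-service
         (documentation "Hypothetical login daemon authenticating via PAM.")
         (provision '(foo-login))
         (requirement '(pam user-processes))
         (start #~(make-forkexec-constructor (list #$program)))
         (stop #~(make-kill-destructor)))))

(define foo-login-service-type
  (service-type
   (name 'foo-login)
   (extensions
    (list (service-extension shepherd-root-service-type
                             foo-login-shepherd-service)))
   (description "Hypothetical PAM-using login daemon; the value is its
executable.")))
```

In an operating-system declaration this would be instantiated as (service foo-auth-service-type (foo-auth-configuration (package foo-auth))) and (service foo-login-service-type (file-append foo-login "/sbin/foo-login")); after reconfiguring, herd status pam should list foo-authd among the requirements of the 'pam service. The two halves are deliberately separate: the daemon a PAM module talks to must not itself depend on 'pam, while anything that merely authenticates through PAM should.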
* [bug#63314] [PATCH 1/2] system: pam: Let PAM extenders add shepherd requirements.
From: Josselin Poiret via Guix-patches via @ 2023-05-05 17:51 UTC
To: 63314; +Cc: Josselin Poiret
From: Josselin Poiret <dev@jpoiret.xyz>
* gnu/system/pam.scm (<pam-extender>): New record type.
(pam-shepherd-service): Add Shepherd synchronization point.
* gnu/services/mail.scm (dovecot-shepherd-service)
* gnu/services/lightdm.scm (lightdm-shepherd-service)
* gnu/services/mail.scm (opensmtpd-shepherd-service)
* gnu/services/sddm.scm (sddm-shepherd-service)
* gnu/services/ssh.scm (lsh-shepherd-service, openssh-shepherd-service)
* gnu/services/xorg.scm (slim-shepherd-service, gdm-shepherd-service)
* gnu/services/base.scm (greetd-shepherd-services): Add PAM requirement.
* gnu/system/pam.scm (/etc-entry, extend-configuration,
pam-root-service-type, pam-root-service)
* gnu/services/authentication.scm (pam-ldap-pam-service)
* gnu/services/base.scm (pam-limits-service-type)
(greetd-pam-service)
* gnu/services/desktop.scm (pam-gnome-keyring)
* gnu/services/kerberos.scm (pam-krb5-pam-service)
* gnu/services/pam-mount.scm (pam-mount-pam-service): Adapt to pam-extenders.
---
gnu/services/authentication.scm | 28 +++++++++--------
gnu/services/base.scm | 54 +++++++++++++++++---------------
gnu/services/desktop.scm | 44 ++++++++++++++------------
gnu/services/kerberos.scm | 44 +++++++++++++-------------
gnu/services/lightdm.scm | 2 +-
gnu/services/mail.scm | 4 +--
gnu/services/pam-mount.scm | 23 ++++++++------
gnu/services/sddm.scm | 2 +-
gnu/services/ssh.scm | 10 +++---
gnu/services/xorg.scm | 4 +--
gnu/system/pam.scm | 55 ++++++++++++++++++++++++++-------
11 files changed, 160 insertions(+), 110 deletions(-)
diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm
index f7becdfafb..5ec7634789 100644
--- a/gnu/services/authentication.scm
+++ b/gnu/services/authentication.scm
@@ -506,19 +506,21 @@ (define (pam-ldap-pam-service config)
(define pam-ldap-module
#~(string-append #$(nslcd-configuration-nss-pam-ldapd config)
"/lib/security/pam_ldap.so"))
- (lambda (pam)
- (if (member (pam-service-name pam)
- (nslcd-configuration-pam-services config))
- (let ((sufficient
- (pam-entry
- (control "sufficient")
- (module pam-ldap-module))))
- (pam-service
- (inherit pam)
- (auth (cons sufficient (pam-service-auth pam)))
- (session (cons sufficient (pam-service-session pam)))
- (account (cons sufficient (pam-service-account pam)))))
- pam)))
+ (pam-extender
+ (transformer
+ (lambda (pam)
+ (if (member (pam-service-name pam)
+ (nslcd-configuration-pam-services config))
+ (let ((sufficient
+ (pam-entry
+ (control "sufficient")
+ (module pam-ldap-module))))
+ (pam-service
+ (inherit pam)
+ (auth (cons sufficient (pam-service-auth pam)))
+ (session (cons sufficient (pam-service-session pam)))
+ (account (cons sufficient (pam-service-account pam)))))
+ pam)))))
(define (pam-ldap-pam-services config)
(list (pam-ldap-pam-service config)))
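Review bot: pam_ldap.so from nss-pam-ldapd does its lookups through the nslcd daemon, so this extender is exactly the case the series is meant to cover, yet it declares no shepherd-requirements; consider adding the provision symbol of the nslcd shepherd service here (the way patch 2/2 adds 'elogind for pam_elogind.so), otherwise an sshd or display manager that now requires 'pam can still start before nslcd is reachable.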
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4adb551796..eaf5030935 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1608,20 +1608,22 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration)))
(define pam-limits-service-type
(let ((pam-extension
- (lambda (pam)
- (let ((pam-limits (pam-entry
- (control "required")
- (module "pam_limits.so")
- (arguments
- '("conf=/etc/security/limits.conf")))))
- (if (member (pam-service-name pam)
- '("login" "greetd" "su" "slim" "gdm-password" "sddm"
- "sudo" "sshd"))
- (pam-service
- (inherit pam)
- (session (cons pam-limits
- (pam-service-session pam))))
- pam))))
+ (pam-extender
+ (transformer
+ (lambda (pam)
+ (let ((pam-limits (pam-entry
+ (control "required")
+ (module "pam_limits.so")
+ (arguments
+ '("conf=/etc/security/limits.conf")))))
+ (if (member (pam-service-name pam)
+ '("login" "greetd" "su" "slim" "gdm-password"
+ "sddm" "sudo" "sshd"))
+ (pam-service
+ (inherit pam)
+ (session (cons pam-limits
+ (pam-service-session pam))))
+ pam))))))
;; XXX: Using file-like objects is deprecated, use lists instead.
;; This is to be reduced into the list? case when the deprecated
@@ -3269,16 +3271,18 @@ (define (greetd-pam-service config)
(greetd-allow-empty-passwords? config)
#:motd
(greetd-motd config))
- (lambda (pam)
- (if (member (pam-service-name pam)
- '("login" "greetd" "su" "slim" "gdm-password"))
- (pam-service
- (inherit pam)
- (auth (append (pam-service-auth pam)
- (list optional-pam-mount)))
- (session (append (pam-service-session pam)
- (list optional-pam-mount))))
- pam))))
+ (pam-extender
+ (transformer
+ (lambda (pam)
+ (if (member (pam-service-name pam)
+ '("login" "greetd" "su" "slim" "gdm-password"))
+ (pam-service
+ (inherit pam)
+ (auth (append (pam-service-auth pam)
+ (list optional-pam-mount)))
+ (session (append (pam-service-session pam)
+ (list optional-pam-mount))))
+ pam))))))
(define (greetd-shepherd-services config)
(map
@@ -3290,7 +3294,7 @@ (define (greetd-shepherd-services config)
(greetd-vt (greetd-terminal-vt tc)))
(shepherd-service
(documentation "Minimal and flexible login manager daemon")
- (requirement '(user-processes host-name udev virtual-terminal))
+ (requirement '(pam user-processes host-name udev virtual-terminal))
(provision (list (symbol-append
'term-tty
(string->symbol (greetd-terminal-vt tc)))))
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index adea5b38dd..3adcfe8e5d 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -1187,10 +1187,12 @@ (define (pam-extension-procedure config)
(module (file-append (elogind-package config)
"/lib/security/pam_elogind.so"))))
- (list (lambda (pam)
- (pam-service
- (inherit pam)
- (session (cons pam-elogind (pam-service-session pam)))))))
+ (list (pam-extender
+ (transformer
+ (lambda (pam)
+ (pam-service
+ (inherit pam)
+ (session (cons pam-elogind (pam-service-session pam)))))))))
(define (elogind-shepherd-service config)
"Return a Shepherd service to start elogind according to @var{config}."
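Review bot: this is the hunk where the elogind requirement belongs, and patch 2/2 adds it a few lines below; squashing 2/2 into this patch would avoid an intermediate commit in which greetd requires 'pam but 'pam does not yet depend on elogind, i.e. the race from the cover letter is still present at that commit.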
@@ -1703,22 +1705,24 @@ (define (pam-gnome-keyring config)
(arguments arguments)))
(list
- (lambda (service)
- (case (assoc-ref (gnome-keyring-pam-services config)
- (pam-service-name service))
- ((login)
- (pam-service
- (inherit service)
- (auth (append (pam-service-auth service)
- (list (%pam-keyring-entry))))
- (session (append (pam-service-session service)
- (list (%pam-keyring-entry "auto_start"))))))
- ((passwd)
- (pam-service
- (inherit service)
- (password (append (pam-service-password service)
- (list (%pam-keyring-entry))))))
- (else service)))))
+ (pam-extender
+ (transformer
+ (lambda (service)
+ (case (assoc-ref (gnome-keyring-pam-services config)
+ (pam-service-name service))
+ ((login)
+ (pam-service
+ (inherit service)
+ (auth (append (pam-service-auth service)
+ (list (%pam-keyring-entry))))
+ (session (append (pam-service-session service)
+ (list (%pam-keyring-entry "auto_start"))))))
+ ((passwd)
+ (pam-service
+ (inherit service)
+ (password (append (pam-service-password service)
+ (list (%pam-keyring-entry))))))
+ (else service)))))))
(define gnome-keyring-service-type
(service-type
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index c3c7872734..0ae7c127d1 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -428,27 +428,29 @@ (define-record-type* <pam-krb5-configuration>
(define (pam-krb5-pam-service config)
"Return a PAM service for Kerberos authentication."
- (lambda (pam)
- (define pam-krb5-module
- #~(string-append #$(pam-krb5-configuration-pam-krb5 config)
- "/lib/security/pam_krb5.so"))
-
- (let ((pam-krb5-sufficient
- (pam-entry
- (control "sufficient")
- (module pam-krb5-module)
- (arguments
- (list
- (format #f "minimum_uid=~a"
- (pam-krb5-configuration-minimum-uid config)))))))
- (pam-service
- (inherit pam)
- (auth (cons* pam-krb5-sufficient
- (pam-service-auth pam)))
- (session (cons* pam-krb5-sufficient
- (pam-service-session pam)))
- (account (cons* pam-krb5-sufficient
- (pam-service-account pam)))))))
+ (pam-extender
+ (transformer
+ (lambda (pam)
+ (define pam-krb5-module
+ #~(string-append #$(pam-krb5-configuration-pam-krb5 config)
+ "/lib/security/pam_krb5.so"))
+
+ (let ((pam-krb5-sufficient
+ (pam-entry
+ (control "sufficient")
+ (module pam-krb5-module)
+ (arguments
+ (list
+ (format #f "minimum_uid=~a"
+ (pam-krb5-configuration-minimum-uid config)))))))
+ (pam-service
+ (inherit pam)
+ (auth (cons* pam-krb5-sufficient
+ (pam-service-auth pam)))
+ (session (cons* pam-krb5-sufficient
+ (pam-service-session pam)))
+ (account (cons* pam-krb5-sufficient
+ (pam-service-account pam)))))))))
(define (pam-krb5-pam-services config)
(list (pam-krb5-pam-service config)))
diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm
index 0b9094cda1..b966f402d6 100644
--- a/gnu/services/lightdm.scm
+++ b/gnu/services/lightdm.scm
@@ -616,7 +616,7 @@ (define (lightdm-shepherd-service config)
(list
(shepherd-service
(documentation "LightDM display manager")
- (requirement '(dbus-system user-processes host-name))
+ (requirement '(pam dbus-system user-processes host-name))
(provision '(lightdm display-manager xorg-server))
(respawn? #f)
(start
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index bf4948dcfb..12dcc8e71d 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -1578,7 +1578,7 @@ (define (dovecot-shepherd-service config)
(list (shepherd-service
(documentation "Run the Dovecot POP3/IMAP mail server.")
(provision '(dovecot))
- (requirement '(networking))
+ (requirement '(pam networking))
(start #~(make-forkexec-constructor
(list (string-append #$dovecot "/sbin/dovecot")
"-F")))
@@ -1676,7 +1676,7 @@ (define (opensmtpd-shepherd-service config)
(package config-file shepherd-requirement)
(list (shepherd-service
(provision '(smtpd))
- (requirement `(loopback ,@shepherd-requirement))
+ (requirement `(pam loopback ,@shepherd-requirement))
(documentation "Run the OpenSMTPD daemon.")
(start (let ((smtpd (file-append package "/sbin/smtpd")))
#~(make-forkexec-constructor
diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm
index e60781d05b..3e6667af9c 100644
--- a/gnu/services/pam-mount.scm
+++ b/gnu/services/pam-mount.scm
@@ -88,16 +88,19 @@ (define (pam-mount-pam-service config)
(pam-entry
(control "optional")
(module #~(string-append #$pam-mount "/lib/security/pam_mount.so"))))
- (list (lambda (pam)
- (if (member (pam-service-name pam)
- '("login" "greetd" "su" "slim" "gdm-password" "sddm"))
- (pam-service
- (inherit pam)
- (auth (append (pam-service-auth pam)
- (list optional-pam-mount)))
- (session (append (pam-service-session pam)
- (list optional-pam-mount))))
- pam))))
+ (list
+ (pam-extender
+ (transformer
+ (lambda (pam)
+ (if (member (pam-service-name pam)
+ '("login" "greetd" "su" "slim" "gdm-password" "sddm"))
+ (pam-service
+ (inherit pam)
+ (auth (append (pam-service-auth pam)
+ (list optional-pam-mount)))
+ (session (append (pam-service-session pam)
+ (list optional-pam-mount))))
+ pam))))))
(define pam-mount-service-type
(service-type
diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm
index 9e02f1cc81..c9a7ba96f4 100644
--- a/gnu/services/sddm.scm
+++ b/gnu/services/sddm.scm
@@ -169,7 +169,7 @@ (define (sddm-shepherd-service config)
(list (shepherd-service
(documentation "SDDM display manager.")
- (requirement '(user-processes elogind))
+ (requirement '(user-processes elogind pam))
(provision '(xorg-server display-manager))
(start #~(make-forkexec-constructor #$sddm-command))
(stop #~(make-kill-destructor)))))
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index b76544c1a8..de5afdaa1a 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -197,9 +197,11 @@ (define (lsh-shepherd-service config)
interfaces)))))
(define requires
- (if (and daemonic? (lsh-configuration-syslog-output? config))
- '(networking syslogd)
- '(networking)))
+ `(networking
+ pam
+ ,@(if (and daemonic? (lsh-configuration-syslog-output? config))
+ '(syslogd)
+ '())))
(list (shepherd-service
(documentation "GNU lsh SSH server")
@@ -566,7 +568,7 @@ (define (openssh-shepherd-service config)
(list (shepherd-service
(documentation "OpenSSH server.")
- (requirement '(syslogd loopback))
+ (requirement '(pam syslogd loopback))
(provision '(ssh-daemon ssh sshd))
(start #~(if #$inetd-style?
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 7295a45b59..8b6080fd26 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -667,7 +667,7 @@ (define (slim-shepherd-service config)
(list (symbol-append 'xorg-server-
(string->symbol vt)))))
- (requirement '(user-processes host-name udev))
+ (requirement '(pam user-processes host-name udev))
(start
#~(lambda ()
;; A stale lock file can prevent SLiM from starting, so remove it to
@@ -1119,7 +1119,7 @@ (define (gdm-shepherd-service config)
(list (shepherd-service
(documentation "Xorg display server (GDM)")
(provision '(xorg-server))
- (requirement '(dbus-system user-processes host-name udev elogind))
+ (requirement '(dbus-system pam user-processes host-name udev elogind))
(start #~(lambda ()
(fork+exec-command
(list #$(file-append (gdm-configuration-gdm config)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index b635681642..6d9a7484c3 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -21,6 +21,7 @@ (define-module (gnu system pam)
#:use-module (guix derivations)
#:use-module (guix gexp)
#:use-module (gnu services)
+ #:use-module (gnu services shepherd)
#:use-module (gnu system setuid)
#:use-module (ice-9 match)
#:use-module (srfi srfi-1)
@@ -55,6 +56,10 @@ (define-module (gnu system pam)
session-environment-service
session-environment-service-type
+ pam-extender
+ pam-extender-transformer
+ pam-extender-shepherd-requirements
+
pam-root-service-type
pam-root-service))
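Review bot: pam-extender? is not exported alongside pam-extender and its accessors, so other modules cannot tell a <pam-extender> from a plain procedure; exporting it is also needed for any backward-compatibility check in extend-configuration that wraps legacy procedure extensions.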
@@ -347,32 +352,58 @@ (define (session-environment-service vars)
;;; PAM root service.
;;;
+;; A PAM transformer consists of a procedure acting on each PAM entry, with an
+;; additional list of shepherd-requirements that the meta PAM sheherd service
+;; will rely on.
+(define-record-type* <pam-extender>
+ pam-extender make-pam-extender pam-extender?
+ (transformer pam-extender-transformer)
+ (shepherd-requirements pam-extender-shepherd-requirements
+ (default '())))
+
;; Overall PAM configuration: a list of services, plus a procedure that takes
;; one <pam-service> and returns a <pam-service>. The procedure is used to
;; implement cross-cutting concerns such as the use of the 'elogind.so'
;; session module that keeps track of logged-in users.
(define-record-type* <pam-configuration>
- pam-configuration make-pam-configuration? pam-configuration?
+ pam-configuration make-pam-configuration pam-configuration?
(services pam-configuration-services) ;list of <pam-service>
- (transform pam-configuration-transform)) ;procedure
+ (extenders pam-configuration-extenders)) ;list of <pam-extender>
(define (/etc-entry config)
"Return the /etc/pam.d entry corresponding to CONFIG."
(match config
- (($ <pam-configuration> services transform)
- (let ((services (map transform services)))
+ (($ <pam-configuration> services extenders)
+ (let ((services
+ (map
+ ;; XXX We need to add identity because compose expects at least
+ ;; one argument for some reason.
+ (apply compose (cons identity (map pam-extender-transformer extenders)))
+ services)))
`(("pam.d" ,(pam-services->directory services)))))))
+(define (pam-shepherd-service config)
+ (define requirements
+ (match config
+ (($ <pam-configuration> services extenders)
+ (concatenate (map pam-extender-shepherd-requirements extenders)))))
+ (list (shepherd-service
+ (documentation "Synchronization point for services that need to be
+started for PAM to work.")
+ (provision '(pam))
+ (requirement requirements)
+ (start #~(const #t))
+ (stop #~(const #t)))))
+
(define (extend-configuration initial extensions)
"Extend INITIAL with NEW."
- (let-values (((services procs)
+ (let-values (((services extenders)
(partition pam-service? extensions)))
(pam-configuration
(services (append (pam-configuration-services initial)
services))
- (transform (apply compose
- (pam-configuration-transform initial)
- procs)))))
+ (extenders (append (pam-configuration-extenders initial)
+ extenders)))))
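Review bot: in extend-configuration, (partition pam-service? extensions) silently treats everything that is not a <pam-service> as a <pam-extender>, so an extension that is still a bare procedure (the form documented by the comment above pam-root-service-type and used by every service before this patch, possibly including out-of-tree ones) now fails only later, inside /etc-entry, when pam-extender-transformer is applied to it; check pam-extender? on each extension and wrap procedures with a deprecation warning instead. Smaller points in the same hunk: pam-shepherd-service binds services but never uses it (use _ in the pattern), the concatenated requirement list should go through delete-duplicates since several extenders may name the same service, the record comment has "sheherd" for "shepherd", and the <pam-configuration> comment still describes "a procedure that takes one <pam-service>" although the field is now a list of extenders.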
(define pam-root-service-type
(service-type (name 'pam)
@@ -382,7 +413,9 @@ (define pam-root-service-type
(lambda (_)
(list (file-like->setuid-program
(file-append linux-pam "/sbin/unix_chkpwd")))))
- (service-extension etc-service-type /etc-entry)))
+ (service-extension etc-service-type /etc-entry)
+ (service-extension shepherd-root-service-type
+ pam-shepherd-service)))
;; Arguments include <pam-service> as well as procedures.
(compose concatenate)
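Review bot: the context comment ";; Arguments include <pam-service> as well as procedures." just below the new service-extension is now stale, since extensions are <pam-extender> records rather than procedures; update it in this patch.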
@@ -394,7 +427,7 @@ (define pam-root-service-type
program may authenticate users or what it should do when opening a new
session.")))
-(define* (pam-root-service base #:key (transform identity))
+(define* (pam-root-service base #:key (extenders '()))
"The \"root\" PAM service, which collects <pam-service> instance and turns
them into a /etc/pam.d directory, including the <pam-service> listed in BASE.
TRANSFORM is a procedure that takes a <pam-service> and returns a
@@ -402,6 +435,6 @@ (define* (pam-root-service base #:key (transform identity))
all the PAM services."
(service pam-root-service-type
(pam-configuration (services base)
- (transform transform))))
+ (extenders extenders))))
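Review bot: the docstring of pam-root-service still says "TRANSFORM is a procedure that takes a <pam-service> and returns a ..." while the keyword argument is now #:extenders, a list of <pam-extender>; update the docstring to match.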
--
2.39.2
* [bug#63314] [PATCH 2/2] services: elogind: Add elogind as a shepherd PAM requirement.
From: Josselin Poiret via Guix-patches via @ 2023-05-05 17:51 UTC
To: 63314; +Cc: Josselin Poiret
From: Josselin Poiret <dev@jpoiret.xyz>
* gnu/services/desktop.scm (pam-extension-procedure): Add the elogind shepherd
requirement to the PAM extender.
---
gnu/services/desktop.scm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index 3adcfe8e5d..d62536a27e 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -1192,7 +1192,8 @@ (define (pam-extension-procedure config)
(lambda (pam)
(pam-service
(inherit pam)
- (session (cons pam-elogind (pam-service-session pam)))))))))
+ (session (cons pam-elogind (pam-service-session pam))))))
+ (shepherd-requirements '(elogind)))))
(define (elogind-shepherd-service config)
"Return a Shepherd service to start elogind according to @var{config}."
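Review bot: worth spelling out in the commit message that this makes the 'pam synchronization point, and therefore every service now requiring 'pam (sshd, lsh, dovecot, smtpd and the display managers), wait for elogind and for whatever elogind itself requires on systems that use elogind; that is the intended fix for greetd, but it is also a boot-ordering change for network daemons. A caveat for future extenders follows from the same hunk: a daemon listed in shepherd-requirements must not itself require 'pam, or shepherd ends up with a dependency cycle.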
--
2.39.2
* [bug#63314] [PATCH 0/2] Add PAM shepherd requirements
From: Ludovic Courtès @ 2023-05-08 9:45 UTC
To: Josselin Poiret; +Cc: 63314
Hello!
Josselin Poiret <dev@jpoiret.xyz> writes:
> From: Josselin Poiret <dev@jpoiret.xyz>
>
> * gnu/system/pam.scm (<pam-extender>): New record type.
> (pam-shepherd-service): Add Shepherd synchronization point.
>
> * gnu/services/mail.scm (dovecot-shepherd-service)
> * gnu/services/lightdm.scm (lightdm-shepherd-service)
> * gnu/services/mail.scm (opensmtpd-shepherd-service)
> * gnu/services/sddm.scm (sddm-shepherd-service)
> * gnu/services/ssh.scm (lsh-shepherd-service, openssh-shepherd-service)
> * gnu/services/xorg.scm (slim-shepherd-service, gdm-shepherd-service)
> * gnu/services/base.scm (greetd-shepherd-services): Add PAM requirement.
>
> * gnu/system/pam.scm (/etc-entry, extend-configuration,
> pam-root-service-type, pam-root-service)
> * gnu/services/authentication.scm (pam-ldap-pam-service)
> * gnu/services/base.scm (pam-limits-service-type)
> (greetd-pam-service)
> * gnu/services/desktop.scm (pam-gnome-keyring)
> * gnu/services/kerberos.scm (pam-krb5-pam-service)
> * gnu/services/pam-mount.scm (pam-mount-pam-service): Adapt to pam-extenders.
The approach looks reasonable to me, well done!
> +;; A PAM transformer consists of a procedure acting on each PAM entry, with an
> +;; additional list of shepherd-requirements that the meta PAM sheherd service
> +;; will rely on.
> +(define-record-type* <pam-extender>
> + pam-extender make-pam-extender pam-extender?
> + (transformer pam-extender-transformer)
> + (shepherd-requirements pam-extender-shepherd-requirements
> + (default '())))
I would call it <pam-extension> (similar to <home-bash-extension>).
There’s a typo in the comment (“sheherd”); s/rely on/depend on/.
> ;; Overall PAM configuration: a list of services, plus a procedure that takes
> ;; one <pam-service> and returns a <pam-service>. The procedure is used to
> ;; implement cross-cutting concerns such as the use of the 'elogind.so'
> ;; session module that keeps track of logged-in users.
> (define-record-type* <pam-configuration>
> - pam-configuration make-pam-configuration? pam-configuration?
> + pam-configuration make-pam-configuration pam-configuration?
> (services pam-configuration-services) ;list of <pam-service>
> - (transform pam-configuration-transform)) ;procedure
> + (extenders pam-configuration-extenders)) ;list of <pam-extender>
Instead of storing extensions, we should keep the full configuration
here (similar to <home-bash-configuration>). That is, remove
‘extenders’ and instead add ‘shepherd-requirements’.
> +(define (pam-shepherd-service config)
> + (define requirements
> + (match config
> + (($ <pam-configuration> services extenders)
> + (concatenate (map pam-extender-shepherd-requirements extenders)))))
Rather: (append-map …)
Also please add a docstring.
> (define (extend-configuration initial extensions)
> "Extend INITIAL with NEW."
> - (let-values (((services procs)
> + (let-values (((services extenders)
> (partition pam-service? extensions)))
> (pam-configuration
> (services (append (pam-configuration-services initial)
> services))
> - (transform (apply compose
> - (pam-configuration-transform initial)
> - procs)))))
> + (extenders (append (pam-configuration-extenders initial)
> + extenders)))))
This would need to be adjusted accordingly.
Also, we need to preserve backward compatibility, so we should first do
something like:
(let ((extensions (map (lambda (extension)
                         (if (pam-extension? extension)
                             extension
                             (begin
                               (warn-about-deprecation …)
                               (pam-extension (transformer extension)))))
                       extensions)))
  …)
Ludo’.
* [bug#63314] [PATCH 0/2] Add PAM shepherd requirements
From: Ludovic Courtès @ 2023-05-08 9:46 UTC
To: Josselin Poiret; +Cc: 63314
Josselin Poiret <dev@jpoiret.xyz> writes:
> From: Josselin Poiret <dev@jpoiret.xyz>
>
> * gnu/services/desktop.scm (pam-extension-procedure): Add the elogind shepherd
> requirement to the PAM extender.
> ---
> gnu/services/desktop.scm | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
> index 3adcfe8e5d..d62536a27e 100644
> --- a/gnu/services/desktop.scm
> +++ b/gnu/services/desktop.scm
> @@ -1192,7 +1192,8 @@ (define (pam-extension-procedure config)
> (lambda (pam)
> (pam-service
> (inherit pam)
> - (session (cons pam-elogind (pam-service-session pam)))))))))
> + (session (cons pam-elogind (pam-service-session pam))))))
> + (shepherd-requirements '(elogind)))))
LGTM.
Should we add a greetd system test that catches the bug?
Ludo’.
* [bug#63314] [PATCH v2 0/2] Add PAM shepherd requirements
From: Josselin Poiret via Guix-patches via @ 2023-05-09 16:45 UTC
To: Ludovic Courtès, Josselin Poiret; +Cc: 63314
Hi Ludo,
Thanks for the review. Here is an updated patchset with the changes you
requested. I don't think it's possible to have a reliable system test to
check for the greetd issue, since it is a race problem in the end.
Best,
Josselin Poiret (2):
system: pam: Let PAM extensions add shepherd requirements.
services: elogind: Add elogind as a shepherd PAM requirement.
gnu/services/authentication.scm | 28 ++++++------
gnu/services/base.scm | 54 +++++++++++-----------
gnu/services/desktop.scm | 45 ++++++++++---------
gnu/services/kerberos.scm | 44 +++++++++---------
gnu/services/lightdm.scm | 2 +-
gnu/services/mail.scm | 4 +-
gnu/services/pam-mount.scm | 23 +++++-----
gnu/services/sddm.scm | 2 +-
gnu/services/ssh.scm | 10 +++--
gnu/services/xorg.scm | 4 +-
gnu/system/pam.scm | 80 +++++++++++++++++++++++++++------
11 files changed, 184 insertions(+), 112 deletions(-)
base-commit: a759cbffafbf67b3a03c80b5bdbe3f3478affc50
--
2.39.2
* [bug#63314] [PATCH v2 1/2] system: pam: Let PAM extensions add shepherd requirements.
From: Josselin Poiret via Guix-patches via @ 2023-05-09 16:45 UTC
To: Ludovic Courtès, Josselin Poiret; +Cc: 63314
From: Josselin Poiret <dev@jpoiret.xyz>
* gnu/system/pam.scm (<pam-extension>): New record type.
(pam-shepherd-service): Add Shepherd synchronization point.
* gnu/services/mail.scm (dovecot-shepherd-service)
* gnu/services/lightdm.scm (lightdm-shepherd-service)
* gnu/services/mail.scm (opensmtpd-shepherd-service)
* gnu/services/sddm.scm (sddm-shepherd-service)
* gnu/services/ssh.scm (lsh-shepherd-service, openssh-shepherd-service)
* gnu/services/xorg.scm (slim-shepherd-service, gdm-shepherd-service)
* gnu/services/base.scm (greetd-shepherd-services): Add PAM requirement.
* gnu/system/pam.scm (/etc-entry, extend-configuration,
pam-root-service-type, pam-root-service)
* gnu/services/authentication.scm (pam-ldap-pam-service)
* gnu/services/base.scm (pam-limits-service-type)
(greetd-pam-service)
* gnu/services/desktop.scm (pam-gnome-keyring)
* gnu/services/kerberos.scm (pam-krb5-pam-service)
* gnu/services/pam-mount.scm (pam-mount-pam-service): Adapt to use
pam-extension.
---
gnu/services/authentication.scm | 28 ++++++------
gnu/services/base.scm | 54 +++++++++++-----------
gnu/services/desktop.scm | 44 +++++++++---------
gnu/services/kerberos.scm | 44 +++++++++---------
gnu/services/lightdm.scm | 2 +-
gnu/services/mail.scm | 4 +-
gnu/services/pam-mount.scm | 23 +++++-----
gnu/services/sddm.scm | 2 +-
gnu/services/ssh.scm | 10 +++--
gnu/services/xorg.scm | 4 +-
gnu/system/pam.scm | 80 +++++++++++++++++++++++++++------
11 files changed, 183 insertions(+), 112 deletions(-)
diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm
index f7becdfafb..f1ad1b1afe 100644
--- a/gnu/services/authentication.scm
+++ b/gnu/services/authentication.scm
@@ -506,19 +506,21 @@ (define (pam-ldap-pam-service config)
(define pam-ldap-module
#~(string-append #$(nslcd-configuration-nss-pam-ldapd config)
"/lib/security/pam_ldap.so"))
- (lambda (pam)
- (if (member (pam-service-name pam)
- (nslcd-configuration-pam-services config))
- (let ((sufficient
- (pam-entry
- (control "sufficient")
- (module pam-ldap-module))))
- (pam-service
- (inherit pam)
- (auth (cons sufficient (pam-service-auth pam)))
- (session (cons sufficient (pam-service-session pam)))
- (account (cons sufficient (pam-service-account pam)))))
- pam)))
+ (pam-extension
+ (transformer
+ (lambda (pam)
+ (if (member (pam-service-name pam)
+ (nslcd-configuration-pam-services config))
+ (let ((sufficient
+ (pam-entry
+ (control "sufficient")
+ (module pam-ldap-module))))
+ (pam-service
+ (inherit pam)
+ (auth (cons sufficient (pam-service-auth pam)))
+ (session (cons sufficient (pam-service-session pam)))
+ (account (cons sufficient (pam-service-account pam)))))
+ pam)))))
(define (pam-ldap-pam-services config)
(list (pam-ldap-pam-service config)))
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4adb551796..a69e99343b 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1608,20 +1608,22 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration)))
(define pam-limits-service-type
(let ((pam-extension
- (lambda (pam)
- (let ((pam-limits (pam-entry
- (control "required")
- (module "pam_limits.so")
- (arguments
- '("conf=/etc/security/limits.conf")))))
- (if (member (pam-service-name pam)
- '("login" "greetd" "su" "slim" "gdm-password" "sddm"
- "sudo" "sshd"))
- (pam-service
- (inherit pam)
- (session (cons pam-limits
- (pam-service-session pam))))
- pam))))
+ (pam-extension
+ (transformer
+ (lambda (pam)
+ (let ((pam-limits (pam-entry
+ (control "required")
+ (module "pam_limits.so")
+ (arguments
+ '("conf=/etc/security/limits.conf")))))
+ (if (member (pam-service-name pam)
+ '("login" "greetd" "su" "slim" "gdm-password"
+ "sddm" "sudo" "sshd"))
+ (pam-service
+ (inherit pam)
+ (session (cons pam-limits
+ (pam-service-session pam))))
+ pam))))))
;; XXX: Using file-like objects is deprecated, use lists instead.
;; This is to be reduced into the list? case when the deprecated
@@ -3269,16 +3271,18 @@ (define (greetd-pam-service config)
(greetd-allow-empty-passwords? config)
#:motd
(greetd-motd config))
- (lambda (pam)
- (if (member (pam-service-name pam)
- '("login" "greetd" "su" "slim" "gdm-password"))
- (pam-service
- (inherit pam)
- (auth (append (pam-service-auth pam)
- (list optional-pam-mount)))
- (session (append (pam-service-session pam)
- (list optional-pam-mount))))
- pam))))
+ (pam-extension
+ (transformer
+ (lambda (pam)
+ (if (member (pam-service-name pam)
+ '("login" "greetd" "su" "slim" "gdm-password"))
+ (pam-service
+ (inherit pam)
+ (auth (append (pam-service-auth pam)
+ (list optional-pam-mount)))
+ (session (append (pam-service-session pam)
+ (list optional-pam-mount))))
+ pam))))))
(define (greetd-shepherd-services config)
(map
@@ -3290,7 +3294,7 @@ (define (greetd-shepherd-services config)
(greetd-vt (greetd-terminal-vt tc)))
(shepherd-service
(documentation "Minimal and flexible login manager daemon")
- (requirement '(user-processes host-name udev virtual-terminal))
+ (requirement '(pam user-processes host-name udev virtual-terminal))
(provision (list (symbol-append
'term-tty
(string->symbol (greetd-terminal-vt tc)))))
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index adea5b38dd..6b1b21cf80 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -1187,10 +1187,12 @@ (define (pam-extension-procedure config)
(module (file-append (elogind-package config)
"/lib/security/pam_elogind.so"))))
- (list (lambda (pam)
- (pam-service
- (inherit pam)
- (session (cons pam-elogind (pam-service-session pam)))))))
+ (list (pam-extension
+ (transformer
+ (lambda (pam)
+ (pam-service
+ (inherit pam)
+ (session (cons pam-elogind (pam-service-session pam)))))))))
(define (elogind-shepherd-service config)
"Return a Shepherd service to start elogind according to @var{config}."
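Review bot: this is the extension the cover letter is about, yet the record is built with only a transformer, so shepherd-requirements stays at its default '() and greetd gains nothing from requiring 'pam' after this patch alone. Patch 2/2 adds `(shepherd-requirements '(elogind))`; either fold it in here or state in the commit message that 1/2 by itself changes no startup ordering.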
@@ -1703,22 +1705,24 @@ (define (pam-gnome-keyring config)
(arguments arguments)))
(list
- (lambda (service)
- (case (assoc-ref (gnome-keyring-pam-services config)
- (pam-service-name service))
- ((login)
- (pam-service
- (inherit service)
- (auth (append (pam-service-auth service)
- (list (%pam-keyring-entry))))
- (session (append (pam-service-session service)
- (list (%pam-keyring-entry "auto_start"))))))
- ((passwd)
- (pam-service
- (inherit service)
- (password (append (pam-service-password service)
- (list (%pam-keyring-entry))))))
- (else service)))))
+ (pam-extension
+ (transformer
+ (lambda (service)
+ (case (assoc-ref (gnome-keyring-pam-services config)
+ (pam-service-name service))
+ ((login)
+ (pam-service
+ (inherit service)
+ (auth (append (pam-service-auth service)
+ (list (%pam-keyring-entry))))
+ (session (append (pam-service-session service)
+ (list (%pam-keyring-entry "auto_start"))))))
+ ((passwd)
+ (pam-service
+ (inherit service)
+ (password (append (pam-service-password service)
+ (list (%pam-keyring-entry))))))
+ (else service)))))))
(define gnome-keyring-service-type
(service-type
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index c3c7872734..1a1b37f890 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -428,27 +428,29 @@ (define-record-type* <pam-krb5-configuration>
(define (pam-krb5-pam-service config)
"Return a PAM service for Kerberos authentication."
- (lambda (pam)
- (define pam-krb5-module
- #~(string-append #$(pam-krb5-configuration-pam-krb5 config)
- "/lib/security/pam_krb5.so"))
-
- (let ((pam-krb5-sufficient
- (pam-entry
- (control "sufficient")
- (module pam-krb5-module)
- (arguments
- (list
- (format #f "minimum_uid=~a"
- (pam-krb5-configuration-minimum-uid config)))))))
- (pam-service
- (inherit pam)
- (auth (cons* pam-krb5-sufficient
- (pam-service-auth pam)))
- (session (cons* pam-krb5-sufficient
- (pam-service-session pam)))
- (account (cons* pam-krb5-sufficient
- (pam-service-account pam)))))))
+ (pam-extension
+ (transformer
+ (lambda (pam)
+ (define pam-krb5-module
+ #~(string-append #$(pam-krb5-configuration-pam-krb5 config)
+ "/lib/security/pam_krb5.so"))
+
+ (let ((pam-krb5-sufficient
+ (pam-entry
+ (control "sufficient")
+ (module pam-krb5-module)
+ (arguments
+ (list
+ (format #f "minimum_uid=~a"
+ (pam-krb5-configuration-minimum-uid config)))))))
+ (pam-service
+ (inherit pam)
+ (auth (cons* pam-krb5-sufficient
+ (pam-service-auth pam)))
+ (session (cons* pam-krb5-sufficient
+ (pam-service-session pam)))
+ (account (cons* pam-krb5-sufficient
+ (pam-service-account pam)))))))))
(define (pam-krb5-pam-services config)
(list (pam-krb5-pam-service config)))
diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm
index 0b9094cda1..b966f402d6 100644
--- a/gnu/services/lightdm.scm
+++ b/gnu/services/lightdm.scm
@@ -616,7 +616,7 @@ (define (lightdm-shepherd-service config)
(list
(shepherd-service
(documentation "LightDM display manager")
- (requirement '(dbus-system user-processes host-name))
+ (requirement '(pam dbus-system user-processes host-name))
(provision '(lightdm display-manager xorg-server))
(respawn? #f)
(start
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index bf4948dcfb..12dcc8e71d 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -1578,7 +1578,7 @@ (define (dovecot-shepherd-service config)
(list (shepherd-service
(documentation "Run the Dovecot POP3/IMAP mail server.")
(provision '(dovecot))
- (requirement '(networking))
+ (requirement '(pam networking))
(start #~(make-forkexec-constructor
(list (string-append #$dovecot "/sbin/dovecot")
"-F")))
@@ -1676,7 +1676,7 @@ (define (opensmtpd-shepherd-service config)
(package config-file shepherd-requirement)
(list (shepherd-service
(provision '(smtpd))
- (requirement `(loopback ,@shepherd-requirement))
+ (requirement `(pam loopback ,@shepherd-requirement))
(documentation "Run the OpenSMTPD daemon.")
(start (let ((smtpd (file-append package "/sbin/smtpd")))
#~(make-forkexec-constructor
diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm
index e60781d05b..21c34ddd61 100644
--- a/gnu/services/pam-mount.scm
+++ b/gnu/services/pam-mount.scm
@@ -88,16 +88,19 @@ (define (pam-mount-pam-service config)
(pam-entry
(control "optional")
(module #~(string-append #$pam-mount "/lib/security/pam_mount.so"))))
- (list (lambda (pam)
- (if (member (pam-service-name pam)
- '("login" "greetd" "su" "slim" "gdm-password" "sddm"))
- (pam-service
- (inherit pam)
- (auth (append (pam-service-auth pam)
- (list optional-pam-mount)))
- (session (append (pam-service-session pam)
- (list optional-pam-mount))))
- pam))))
+ (list
+ (pam-extension
+ (transformer
+ (lambda (pam)
+ (if (member (pam-service-name pam)
+ '("login" "greetd" "su" "slim" "gdm-password" "sddm"))
+ (pam-service
+ (inherit pam)
+ (auth (append (pam-service-auth pam)
+ (list optional-pam-mount)))
+ (session (append (pam-service-session pam)
+ (list optional-pam-mount))))
+ pam))))))
(define pam-mount-service-type
(service-type
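Review bot: this transformer is the same as the one in greetd-pam-service in base.scm above except that the service-name list here also contains "sddm". That difference predates the series, but while both copies are being touched it is worth either confirming it is intended or lifting the shared list into one definition.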
diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm
index 9e02f1cc81..c9a7ba96f4 100644
--- a/gnu/services/sddm.scm
+++ b/gnu/services/sddm.scm
@@ -169,7 +169,7 @@ (define (sddm-shepherd-service config)
(list (shepherd-service
(documentation "SDDM display manager.")
- (requirement '(user-processes elogind))
+ (requirement '(user-processes elogind pam))
(provision '(xorg-server display-manager))
(start #~(make-forkexec-constructor #$sddm-command))
(stop #~(make-kill-destructor)))))
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index b76544c1a8..de5afdaa1a 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -197,9 +197,11 @@ (define (lsh-shepherd-service config)
interfaces)))))
(define requires
- (if (and daemonic? (lsh-configuration-syslog-output? config))
- '(networking syslogd)
- '(networking)))
+ `(networking
+ pam
+ ,@(if (and daemonic? (lsh-configuration-syslog-output? config))
+ '(syslogd)
+ '())))
(list (shepherd-service
(documentation "GNU lsh SSH server")
@@ -566,7 +568,7 @@ (define (openssh-shepherd-service config)
(list (shepherd-service
(documentation "OpenSSH server.")
- (requirement '(syslogd loopback))
+ (requirement '(pam syslogd loopback))
(provision '(ssh-daemon ssh sshd))
(start #~(if #$inetd-style?
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 7295a45b59..8b6080fd26 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -667,7 +667,7 @@ (define (slim-shepherd-service config)
(list (symbol-append 'xorg-server-
(string->symbol vt)))))
- (requirement '(user-processes host-name udev))
+ (requirement '(pam user-processes host-name udev))
(start
#~(lambda ()
;; A stale lock file can prevent SLiM from starting, so remove it to
@@ -1119,7 +1119,7 @@ (define (gdm-shepherd-service config)
(list (shepherd-service
(documentation "Xorg display server (GDM)")
(provision '(xorg-server))
- (requirement '(dbus-system user-processes host-name udev elogind))
+ (requirement '(dbus-system pam user-processes host-name udev elogind))
(start #~(lambda ()
(fork+exec-command
(list #$(file-append (gdm-configuration-gdm config)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index b635681642..f624064999 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -19,8 +19,11 @@
(define-module (gnu system pam)
#:use-module (guix records)
#:use-module (guix derivations)
+ #:use-module (guix diagnostics)
#:use-module (guix gexp)
+ #:use-module (guix i18n)
#:use-module (gnu services)
+ #:use-module (gnu services shepherd)
#:use-module (gnu system setuid)
#:use-module (ice-9 match)
#:use-module (srfi srfi-1)
@@ -55,6 +58,10 @@ (define-module (gnu system pam)
session-environment-service
session-environment-service-type
+ pam-extension
+ pam-extension-transformer
+ pam-extension-shepherd-requirements
+
pam-root-service-type
pam-root-service))
@@ -347,32 +354,76 @@ (define (session-environment-service vars)
;;; PAM root service.
;;;
+;; A PAM transformer consists of a procedure acting on each PAM entry, with an
+;; additional list of shepherd-requirements that the meta PAM shepherd service
+;; will depend on.
+(define-record-type* <pam-extension>
+ pam-extension make-pam-extension pam-extension?
+ (transformer pam-extension-transformer)
+ (shepherd-requirements pam-extension-shepherd-requirements
+ (default '())))
+
;; Overall PAM configuration: a list of services, plus a procedure that takes
;; one <pam-service> and returns a <pam-service>. The procedure is used to
;; implement cross-cutting concerns such as the use of the 'elogind.so'
;; session module that keeps track of logged-in users.
(define-record-type* <pam-configuration>
- pam-configuration make-pam-configuration? pam-configuration?
- (services pam-configuration-services) ;list of <pam-service>
- (transform pam-configuration-transform)) ;procedure
+ pam-configuration make-pam-configuration pam-configuration?
+ ;list of <pam-service>
+ (services pam-configuration-services)
+ ;list of procedures <pam-entry> -> <pam-entry>
+ (transformers pam-configuration-transformers)
+ ;list of symbols
+ (shepherd-requirements pam-configuration-shepherd-requirements))
(define (/etc-entry config)
"Return the /etc/pam.d entry corresponding to CONFIG."
(match config
- (($ <pam-configuration> services transform)
- (let ((services (map transform services)))
+ (($ <pam-configuration> services transformers shepherd-requirements)
+ (let ((services
+ (map
+ ;; XXX We need to add identity because compose expects at least
+ ;; one argument for some reason.
+ (apply compose (cons identity transformers))
+ services)))
`(("pam.d" ,(pam-services->directory services)))))))
+(define (pam-shepherd-service config)
+ "Return the PAM synchronization shepherd service corresponding to CONFIG."
+ (match config
+ (($ <pam-configuration> services transformers shepherd-requirements)
+ (list (shepherd-service
+ (documentation "Synchronization point for services that need to be
+started for PAM to work.")
+ (provision '(pam))
+ (requirement shepherd-requirements)
+ (start #~(const #t))
+ (stop #~(const #t)))))))
+
(define (extend-configuration initial extensions)
"Extend INITIAL with NEW."
- (let-values (((services procs)
- (partition pam-service? extensions)))
+ ;; TODO: Remove deprecation shim.
+ (define cleaned-extensions
+ (map
+ (lambda (ext)
+ (cond
+ ((procedure? ext)
+ (begin
+ (warning (G_ "pam-root-service-type transformer extensions should\
+now use the <pam-extension> record."))
+ (pam-extension (transformer ext))))
+ (#t ext)))
+ extensions))
+ (let-values (((services pam-extensions)
+ (partition pam-service? cleaned-extensions)))
(pam-configuration
(services (append (pam-configuration-services initial)
services))
- (transform (apply compose
- (pam-configuration-transform initial)
- procs)))))
+ (transformers (append (pam-configuration-transformers initial)
+ (map pam-extension-transformer pam-extensions)))
+ (shepherd-requirements
+ (append (pam-configuration-shepherd-requirements initial)
+ (append-map pam-extension-shepherd-requirements pam-extensions))))))
(define pam-root-service-type
(service-type (name 'pam)
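Review bot: the comments describing transformers disagree with the code. The new <pam-extension> comment says "a procedure acting on each PAM entry" and the pam-configuration field comment says "<pam-entry> -> <pam-entry>", but every transformer in this series, and the unchanged comment just above the record ("takes one <pam-service> and returns a <pam-service>"), acts on a <pam-service>; please say <pam-service> in both places. Smaller points in the same hunk: `(#t ext)` in the cond should be `(else ext)`; the `warning` format string should end with `~%` like other Guix diagnostics; the extend-configuration docstring still reads "Extend INITIAL with NEW" although the parameter is EXTENSIONS; and on the XXX comment, `compose` does require at least one procedure, so keeping `identity` is right, but `(apply compose identity transformers)` says so without the cons and the comment. Note also that compose applies right to left, so a newly added extension's transformer runs before those registered earlier, which matches the previous `(apply compose (pam-configuration-transform initial) procs)` ordering.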
@@ -382,7 +433,9 @@ (define pam-root-service-type
(lambda (_)
(list (file-like->setuid-program
(file-append linux-pam "/sbin/unix_chkpwd")))))
- (service-extension etc-service-type /etc-entry)))
+ (service-extension etc-service-type /etc-entry)
+ (service-extension shepherd-root-service-type
+ pam-shepherd-service)))
;; Arguments include <pam-service> as well as procedures.
(compose concatenate)
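Review bot: the comment `;; Arguments include <pam-service> as well as procedures.` above `(compose concatenate)` is now stale: extensions are <pam-service> or <pam-extension> records, and bare procedures are only accepted through the deprecation shim. Update it in this patch.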
@@ -394,7 +447,7 @@ (define pam-root-service-type
program may authenticate users or what it should do when opening a new
session.")))
-(define* (pam-root-service base #:key (transform identity))
+(define* (pam-root-service base #:key (transformers '()) (shepherd-requirements '()))
"The \"root\" PAM service, which collects <pam-service> instance and turns
them into a /etc/pam.d directory, including the <pam-service> listed in BASE.
TRANSFORM is a procedure that takes a <pam-service> and returns a
@@ -402,6 +455,7 @@ (define* (pam-root-service base #:key (transform identity))
all the PAM services."
(service pam-root-service-type
(pam-configuration (services base)
- (transform transform))))
+ (transformers transformers)
+ (shepherd-requirements shepherd-requirements))))
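Review bot: the docstring no longer matches the signature: it still documents TRANSFORM as "a procedure that takes a <pam-service>", while the keyword is now TRANSFORMERS (a list of such procedures), and the new SHEPHERD-REQUIREMENTS argument is not described at all. The define* line is also over 80 columns, so wrap it.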
--
2.39.2
* [bug#63314] [PATCH v2 2/2] services: elogind: Add elogind as a shepherd PAM requirement.
From: Josselin Poiret via Guix-patches via @ 2023-05-09 16:45 UTC (permalink / raw)
To: Ludovic Courtès, Josselin Poiret; +Cc: 63314
From: Josselin Poiret <dev@jpoiret.xyz>
* gnu/services/desktop.scm (pam-extension-procedure): Add the elogind shepherd
requirement to the PAM extension.
---
gnu/services/desktop.scm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index 6b1b21cf80..64eac1117d 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -1192,7 +1192,8 @@ (define (pam-extension-procedure config)
(lambda (pam)
(pam-service
(inherit pam)
- (session (cons pam-elogind (pam-service-session pam)))))))))
+ (session (cons pam-elogind (pam-service-session pam))))))
+ (shepherd-requirements '(elogind)))))
(define (elogind-shepherd-service config)
"Return a Shepherd service to start elogind according to @var{config}."
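Review bot: with this one-line change the 'pam' synchronization point depends on elogind, so every service that 1/2 made require 'pam' (dovecot, smtpd, sshd, lsh and the display managers) transitively waits for elogind whenever elogind-service-type is in the system. That is the intended fix for greetd, but it widens the startup dependency of the network daemons and deserves a sentence in the commit message.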
--
2.39.2
* [bug#63314] [PATCH v2 1/2] system: pam: Let PAM extensions add shepherd requirements.
From: Ludovic Courtès @ 2023-05-11 11:15 UTC (permalink / raw)
To: Josselin Poiret; +Cc: 63314
Hi,
Josselin Poiret <dev@jpoiret.xyz> wrote:
> From: Josselin Poiret <dev@jpoiret.xyz>
>
> * gnu/system/pam.scm (<pam-extension>): New record type.
> (pam-shepherd-service): Add Shepherd synchronization point.
>
> * gnu/services/mail.scm (dovecot-shepherd-service)
> * gnu/services/lightdm.scm (lightdm-shepherd-service)
> * gnu/services/mail.scm (opensmtpd-shepherd-service)
> * gnu/services/sddm.scm (sddm-shepherd-service)
> * gnu/services/ssh.scm (lsh-shepherd-service, openssh-shepherd-service)
> * gnu/services/xorg.scm (slim-shepherd-service, gdm-shepherd-service)
> * gnu/services/base.scm (greetd-shepherd-services): Add PAM requirement.
>
> * gnu/system/pam.scm (/etc-entry, extend-configuration,
> pam-root-service-type, pam-root-service)
> * gnu/services/authentication.scm (pam-ldap-pam-service)
> * gnu/services/base.scm (pam-limits-service-type)
> (greetd-pam-service)
> * gnu/services/desktop.scm (pam-gnome-keyring)
> * gnu/services/kerberos.scm (pam-krb5-pam-service)
> * gnu/services/pam-mount.scm (pam-mount-pam-service): Adapt to use
> pam-extension.
Excellent! I committed with the cosmetic changes below:
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index f624064999..adc40c975f 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013-2017, 2019-2021 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -354,9 +355,9 @@ (define (session-environment-service vars)
;;; PAM root service.
;;;
-;; A PAM transformer consists of a procedure acting on each PAM entry, with an
-;; additional list of shepherd-requirements that the meta PAM shepherd service
-;; will depend on.
+;; Extension of the PAM configuration. A PAM transformer consists of a
+;; procedure acting on each PAM entry; 'shepherd-requirements' lists services
+;; that the meta 'pam' Shepherd service will depend on.
(define-record-type* <pam-extension>
pam-extension make-pam-extension pam-extension?
(transformer pam-extension-transformer)
@@ -380,12 +381,8 @@ (define (/etc-entry config)
"Return the /etc/pam.d entry corresponding to CONFIG."
(match config
(($ <pam-configuration> services transformers shepherd-requirements)
- (let ((services
- (map
- ;; XXX We need to add identity because compose expects at least
- ;; one argument for some reason.
- (apply compose (cons identity transformers))
- services)))
+ (let ((services (map (apply compose identity transformers)
+ services)))
`(("pam.d" ,(pam-services->directory services)))))))
(define (pam-shepherd-service config)
@@ -404,16 +401,15 @@ (define (extend-configuration initial extensions)
"Extend INITIAL with NEW."
;; TODO: Remove deprecation shim.
(define cleaned-extensions
- (map
- (lambda (ext)
- (cond
- ((procedure? ext)
- (begin
- (warning (G_ "pam-root-service-type transformer extensions should\
-now use the <pam-extension> record."))
- (pam-extension (transformer ext))))
- (#t ext)))
- extensions))
+ (map (lambda (ext)
+ (if (procedure? ext)
+ (begin
+ (warning (G_ "'pam-root-service-type' extensions should \
+now use the <pam-extension> record~%"))
+ (pam-extension (transformer ext)))
+ ext))
+ extensions))
+
(let-values (((services pam-extensions)
(partition pam-service? cleaned-extensions)))
(pam-configuration
Ludo’.
* bug#63314: [PATCH v2 2/2] services: elogind: Add elogind as a shepherd PAM requirement.
From: Ludovic Courtès @ 2023-05-11 11:16 UTC (permalink / raw)
To: Josselin Poiret; +Cc: 63314-done
Josselin Poiret <dev@jpoiret.xyz> wrote:
> From: Josselin Poiret <dev@jpoiret.xyz>
>
> * gnu/services/desktop.scm (pam-extension-procedure): Add the elogind shepherd
> requirement to the PAM extension.
Applied, thanks!