From: Felix Lechner via Guix-patches via <guix-patches@gnu.org>
To: 63383@debbugs.gnu.org
Cc: Felix Lechner <felix.lechner@lease-up.com>
Subject: [bug#63383] [PATCH v2 3/4] Refer to the built-in Linux-PAM modules by their absolute paths.
Date: Fri, 12 May 2023 11:52:49 -0700	[thread overview]
Message-ID: <f3be0c6f9f71c103772fe6f24d83fbf1f7593283.1683917556.git.felix.lechner@lease-up.com> (raw)
In-Reply-To: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com>

In the complex world that is Guix, this commit allows the processing of PAM
stacks by means other than the official libpam.so.

It was suggested that absolute paths here might be unfavorable for
upgrades [1], but the author of this commit is not convinced of that.

[1] https://issues.guix.gnu.org/61744#6

This commit was tested and is already being deployed in production.

* gnu/services/base.scm
* gnu/services/lightdm.scm
* gnu/services/sddm.scm
* gnu/services/xorg.scm
* gnu/system/pam.scm: Refer to the built-in PAM modules, which are shipped
with Linux-PAM, by their absolute paths in the store.
---
 gnu/services/base.scm    |  6 ++--
 gnu/services/lightdm.scm | 60 +++++++++++++++++++++++++++++-----------
 gnu/services/sddm.scm    | 33 +++++++++++-----------
 gnu/services/xorg.scm    |  5 ++--
 gnu/system/pam.scm       | 20 +++++++-------
 5 files changed, 77 insertions(+), 47 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4bef781977..5d0542b39d 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -58,8 +58,8 @@ (define-module (gnu services base)
   #:use-module (gnu packages admin)
   #:use-module ((gnu packages linux)
                 #:select (alsa-utils btrfs-progs crda eudev
-                          e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools
-                          util-linux xfsprogs))
+                          e2fsprogs f2fs-tools fuse gpm kbd linux-pam lvm2
+                          rng-tools util-linux xfsprogs))
   #:use-module (gnu packages bash)
   #:use-module ((gnu packages base)
                 #:select (coreutils glibc glibc-utf8-locales tar
@@ -1609,7 +1609,7 @@ (define pam-limits-service-type
              (lambda (pam)
                (let ((pam-limits (pam-entry
                                   (control "required")
-                                  (module "pam_limits.so")
+                                  (module (file-append linux-pam "/lib/security/pam_limits.so"))
                                   (arguments
                                    (list #~(string-append "conf=" #$limits-file))))))
                  (if (member (pam-service-name pam)
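Review bot: The directory string `"/lib/security/"` plus module name is now spelled out at every call site, here for pam_limits.so and again in the lightdm, sddm, xorg and pam.scm hunks, so a future change of the module directory means touching every entry. A small exported helper in (gnu system pam), e.g. `(define (linux-pam-module name) (file-append linux-pam "/lib/security/" name))`, used as `(module (linux-pam-module "pam_limits.so"))`, would keep the path in one place. Pinning each entry to the `linux-pam` store item also means the module and the libpam.so that loads it are only guaranteed to match when both come from the same package variable; that is presumably the upgrade concern cited in [1] and deserves a sentence in the commit message. The enclosing lambda of pam-limits-service-type starts and ends outside the hunk.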
diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm
index b966f402d6..9927e8769b 100644
--- a/gnu/services/lightdm.scm
+++ b/gnu/services/lightdm.scm
@@ -24,6 +24,7 @@ (define-module (gnu services lightdm)
   #:use-module (gnu packages display-managers)
   #:use-module (gnu packages freedesktop)
   #:use-module (gnu packages gnome)
+  #:use-module (gnu packages linux)
   #:use-module (gnu packages vnc)
   #:use-module (gnu packages xorg)
   #:use-module (gnu services configuration)
@@ -546,34 +547,61 @@ (define (lightdm-greeter-pam-service)
    (name "lightdm-greeter")
    (auth (list
           ;; Load environment from /etc/environment and ~/.pam_environment.
-          (pam-entry (control "required") (module "pam_env.so"))
+          (pam-entry
+           (control "required")
+           (module (file-append linux-pam "/lib/security/pam_env.so")))
           ;; Always let the greeter start without authentication.
-          (pam-entry (control "required") (module "pam_permit.so"))))
+          (pam-entry
+           (control "required")
+           (module (file-append linux-pam "/lib/security/pam_permit.so")))))
    ;; No action required for account management
-   (account (list (pam-entry (control "required") (module "pam_permit.so"))))
+   (account (list
+             (pam-entry
+              (control "required")
+              (module (file-append linux-pam "/lib/security/pam_permit.so")))))
    ;; Prohibit changing password.
-   (password (list (pam-entry (control "required") (module "pam_deny.so"))))
+   (password (list
+              (pam-entry
+               (control "required")
+               (module (file-append linux-pam "/lib/security/pam_deny.so")))))
    ;; Setup session.
-   (session (list (pam-entry (control "required") (module "pam_unix.so"))))))
+   (session (list
+             (pam-entry
+              (control "required")
+              (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
 
 (define (lightdm-autologin-pam-service)
   "Return a PAM service for @command{lightdm-autologin}}."
   (pam-service
    (name "lightdm-autologin")
-   (auth
-    (list
-     ;; Block login if user is globally disabled.
-     (pam-entry (control "required") (module "pam_nologin.so"))
-     (pam-entry (control "required") (module "pam_succeed_if.so")
-                (arguments (list "uid >= 1000")))
-     ;; Allow access without authentication.
-     (pam-entry (control "required") (module "pam_permit.so"))))
+   (auth (list
+          ;; Block login if user is globally disabled.
+          (pam-entry
+           (control "required")
+           (module (file-append linux-pam "/lib/security/pam_nologin.so")))
+          (pam-entry
+           (control "required")
+           (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
+           (arguments (list "uid >= 1000")))
+          ;; Allow access without authentication.
+          (pam-entry
+           (control "required")
+           (module (file-append linux-pam "/lib/security/pam_permit.so")))))
    ;; Stop autologin if account requires action.
-   (account (list (pam-entry (control "required") (module "pam_unix.so"))))
+   (account (list
+             (pam-entry
+              (control "required")
+              (module (file-append linux-pam "/lib/security/pam_unix.so")))))
    ;; Prohibit changing password.
-   (password (list (pam-entry (control "required") (module "pam_deny.so"))))
+   (password (list
+              (pam-entry
+               (control "required")
+               (module (file-append linux-pam "/lib/security/pam_deny.so")))))
    ;; Setup session.
-   (session (list (pam-entry (control "required") (module "pam_unix.so"))))))
+   (session (list
+             (pam-entry
+              (control "required")
+              (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
 
 (define (lightdm-pam-services config)
   (list (lightdm-pam-service config)
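Review bot: The `auth` list of lightdm-autologin-pam-service is re-indented from the `(auth` / `(list` layout to `(auth (list` even though only the `(module …)` fields change, which makes the removed pam_nologin.so, pam_succeed_if.so and pam_permit.so entries read as a rewrite rather than a path substitution; keeping the existing layout and touching only the module forms would make the hunk match lightdm-greeter-pam-service above and ease review. Separately, the unchanged docstring on the context line `"Return a PAM service for @command{lightdm-autologin}}."` carries a stray closing brace that would be worth dropping while here. lightdm-pam-services starts on the hunk's last lines and continues beyond it.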
diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm
index c9a7ba96f4..9cd4d23bdb 100644
--- a/gnu/services/sddm.scm
+++ b/gnu/services/sddm.scm
@@ -23,6 +23,7 @@ (define-module (gnu services sddm)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages display-managers)
   #:use-module (gnu packages freedesktop)
+  #:use-module (gnu packages linux)
   #:use-module (gnu packages xorg)
   #:use-module (gnu services)
   #:use-module (gnu services shepherd)
@@ -185,32 +186,32 @@ (define (sddm-pam-service config)
     (list
      (pam-entry
       (control "requisite")
-      (module "pam_nologin.so"))
+      (module (file-append linux-pam "/lib/security/pam_nologin.so")))
      (pam-entry
       (control "required")
-      (module "pam_env.so"))
+      (module (file-append linux-pam "/lib/security/pam_env.so")))
      (pam-entry
       (control "required")
-      (module "pam_succeed_if.so")
+      (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
       (arguments (list (string-append "uid >= "
                                       (number->string (sddm-configuration-minimum-uid config)))
                        "quiet")))
      ;; should be factored out into system-auth
      (pam-entry
       (control "required")
-      (module "pam_unix.so"))))
+      (module (file-append linux-pam "/lib/security/pam_unix.so")))))
    (account
     (list
      ;; should be factored out into system-account
      (pam-entry
       (control "required")
-      (module "pam_unix.so"))))
+      (module (file-append linux-pam "/lib/security/pam_unix.so")))))
    (password
     (list
      ;; should be factored out into system-password
      (pam-entry
       (control "required")
-      (module "pam_unix.so")
+      (module (file-append linux-pam "/lib/security/pam_unix.so"))
       (arguments (list "sha512" "shadow" "try_first_pass")))))
    (session
     (list
@@ -218,7 +219,7 @@ (module "pam_unix.so")
      ;; should be factored out into system-session
      (pam-entry
       (control "required")
-      (module "pam_unix.so"))))))
+      (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
 
 (define (sddm-greeter-pam-service)
   "Return a PAM service for @command{sddm-greeter}."
@@ -229,29 +230,29 @@ (define (sddm-greeter-pam-service)
      ;; Load environment from /etc/environment and ~/.pam_environment
      (pam-entry
       (control "required")
-      (module "pam_env.so"))
+      (module (file-append linux-pam "/lib/security/pam_env.so")))
      ;; Always let the greeter start without authentication
      (pam-entry
       (control "required")
-      (module "pam_permit.so"))))
+      (module (file-append linux-pam "/lib/security/pam_permit.so")))))
    (account
     (list
      ;; No action required for account management
      (pam-entry
       (control "required")
-      (module "pam_permit.so"))))
+      (module (file-append linux-pam "/lib/security/pam_permit.so")))))
    (password
     (list
      ;; Can't change password
      (pam-entry
       (control "required")
-      (module "pam_deny.so"))))
+      (module (file-append linux-pam "/lib/security/pam_deny.so")))))
    (session
     (list
      ;; Setup session
      (pam-entry
       (control "required")
-      (module "pam_unix.so"))))))
+      (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
 
 (define (sddm-autologin-pam-service config)
   "Return a PAM service for @command{sddm-autologin}"
@@ -261,16 +262,16 @@ (define (sddm-autologin-pam-service config)
     (list
      (pam-entry
       (control "requisite")
-      (module "pam_nologin.so"))
+      (module (file-append linux-pam "/lib/security/pam_nologin.so")))
      (pam-entry
       (control "required")
-      (module "pam_succeed_if.so")
+      (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
       (arguments (list (string-append "uid >= "
                                       (number->string (sddm-configuration-minimum-uid config)))
                        "quiet")))
      (pam-entry
       (control "required")
-      (module "pam_permit.so"))))
+      (module (file-append linux-pam "/lib/security/pam_permit.so")))))
    (account
     (list
      (pam-entry
@@ -280,7 +281,7 @@ (module "sddm"))))
     (list
      (pam-entry
       (control "required")
-      (module "pam_deny.so"))))
+      (module (file-append linux-pam "/lib/security/pam_deny.so")))))
    (session
     (list
      (pam-entry
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 8b6080fd26..97fbde3511 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -50,6 +50,7 @@ (define-module (gnu services xorg)
   #:use-module (gnu packages freedesktop)
   #:use-module (gnu packages gnustep)
   #:use-module (gnu packages gnome)
+  #:use-module (gnu packages linux)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages bash)
   #:use-module (gnu system shadow)
@@ -1101,12 +1102,12 @@ (module (file-append (gdm-configuration-gdm config)
                                       "/lib/security/pam_gdm.so")))
                 (pam-entry
                  (control "sufficient")
-                 (module "pam_permit.so")))))
+                 (module (file-append linux-pam "/lib/security/pam_permit.so"))))))
    (pam-service
     (inherit (unix-pam-service "gdm-launch-environment"))
     (auth (list (pam-entry
                  (control "required")
-                 (module "pam_permit.so")))))
+                 (module (file-append linux-pam "/lib/security/pam_permit.so"))))))
    (unix-pam-service "gdm-password"
                      #:login-uid? #t
                      #:allow-empty-passwords?
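Review bot: The two `pam_permit.so` entries are now tied to the module-level `linux-pam` variable, whereas the neighbouring pam_gdm.so is resolved through `(gdm-configuration-gdm config)` and so follows whatever GDM package the user configured; if a user substitutes a different linux-pam, or the libpam linked into the display manager comes from another variant, the permit module can diverge from the libpam that loads it. If that mismatch is acceptable, a short comment next to the first entry, e.g. `;; Built-in modules come from the default linux-pam, not a configurable package.`, would record the decision. The enclosing GDM PAM service definition starts before the hunk.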
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index adc40c975f..e3711e2b1e 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -202,7 +202,7 @@ (define %pam-other-services
   ;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.)
   (let ((deny (pam-entry
                (control "required")
-               (module "pam_deny.so"))))
+               (module (file-append linux-pam "/lib/security/pam_deny.so")))))
     (pam-service
      (name "other")
      (account (list deny))
@@ -213,10 +213,10 @@ (module "pam_deny.so"))))
 (define unix-pam-service
   (let ((unix (pam-entry
                (control "required")
-               (module "pam_unix.so")))
+               (module (file-append linux-pam "/lib/security/pam_unix.so"))))
         (env  (pam-entry ; to honor /etc/environment.
                (control "required")
-               (module "pam_env.so"))))
+               (module (file-append linux-pam "/lib/security/pam_env.so")))))
     (lambda* (name #:key allow-empty-passwords? allow-root? motd
               login-uid? gnupg?)
       "Return a standard Unix-style PAM service for NAME.  When
@@ -234,12 +234,12 @@ (module "pam_env.so"))))
        (auth (append (if allow-root?
                          (list (pam-entry
                                 (control "sufficient")
-                                (module "pam_rootok.so")))
+                                (module (file-append linux-pam "/lib/security/pam_rootok.so"))))
                          '())
                      (list (if allow-empty-passwords?
                                (pam-entry
                                 (control "required")
-                                (module "pam_unix.so")
+                                (module (file-append linux-pam "/lib/security/pam_unix.so"))
                                 (arguments '("nullok")))
                                unix))
                      (if gnupg?
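Review bot: The nullok variant of pam_unix.so re-spells the full module path that the `unix` binding of the enclosing `let` already holds, so the two can drift apart; if pam-entry supports `inherit` the way pam-service does in the xorg hunk, `(pam-entry (inherit unix) (arguments '("nullok")))` expresses the intent and keeps a single path. The same applies to the password entry in the following hunk, which could become `(pam-entry (inherit unix) (arguments '("sha512" "shadow")))` with its comment kept. unix-pam-service begins in the previous hunk and continues past this one.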
@@ -249,20 +249,20 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
                          '())))
        (password (list (pam-entry
                         (control "required")
-                        (module "pam_unix.so")
+                        (module (file-append linux-pam "/lib/security/pam_unix.so"))
                         ;; Store SHA-512 encrypted passwords in /etc/shadow.
                         (arguments '("sha512" "shadow")))))
        (session `(,@(if motd
                         (list (pam-entry
                                (control "optional")
-                               (module "pam_motd.so")
+                               (module (file-append linux-pam "/lib/security/pam_motd.so"))
                                (arguments
                                 (list #~(string-append "motd=" #$motd)))))
                         '())
                   ,@(if login-uid?
                         (list (pam-entry       ;to fill in /proc/self/loginuid
                                (control "required")
-                               (module "pam_loginuid.so")))
+                               (module (file-append linux-pam "/lib/security/pam_loginuid.so"))))
                         '())
                   ,@(if gnupg?
                         (list (pam-entry
@@ -276,13 +276,13 @@ (define (rootok-pam-service command)
 authenticate to run COMMAND."
   (let ((unix (pam-entry
                (control "required")
-               (module "pam_unix.so"))))
+               (module (file-append linux-pam "/lib/security/pam_unix.so")))))
     (pam-service
      (name command)
      (account (list unix))
      (auth (list (pam-entry
                   (control "sufficient")
-                  (module "pam_rootok.so"))))
+                  (module (file-append linux-pam "/lib/security/pam_rootok.so")))))
      (password (list unix))
      (session (list unix)))))
 
-- 
2.40.1




