From: Andy Wingo
Subject: [PATCH 3/7] gnu: Allow OS configurations to add PAM session modules
Date: Tue, 18 Aug 2015 10:22:16 +0200
Message-ID: <1439894045.491759.5255@rusty>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

* gnu/services/base.scm (mingetty-service):
* gnu/system/linux.scm (unix-pam-service, base-pam-services): Add #:additional-session-modules keyword argument.
---
 gnu/services/base.scm |  6 ++++--
 gnu/system/linux.scm  | 27 ++++++++++++++++-----------
 2 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 888e446..60dc93b 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -364,7 +364,8 @@ stopped before 'kill' is called." ;; Allow empty passwords by default so that ;; first-time users can log in when the 'root' ;; account has just been created. - (allow-empty-passwords? #t)) + (allow-empty-passwords? #t) + (additional-session-modules '())) "Return a service to run mingetty on @var{tty}. When @var{allow-empty-passwords?} is true, allow empty log-in password. When @@ -416,7 +417,8 @@ the ``message of the day''." ;; duplicates are removed. (list (unix-pam-service "login" #:allow-empty-passwords? allow-empty-passwords? - #:motd motd))))))) + #:motd motd + #:additional-session-modules additional-session-modules))))))) (define-record-type* nscd-configuration make-nscd-configuration diff --git a/gnu/system/linux.scm b/gnu/system/linux.scm index aaaa8c6..d6a9959 100644 --- a/gnu/system/linux.scm +++ b/gnu/system/linux.scm @@ -133,7 +133,8 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE." (let ((unix (pam-entry (control "required") (module "pam_unix.so")))) - (lambda* (name #:key allow-empty-passwords? motd) + (lambda* (name #:key allow-empty-passwords? motd + (additional-session-modules '())) "Return a standard Unix-style PAM service for NAME. When ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When MOTD is true, it should be the name of a file used as the message-of-the-day." 
@@ -149,14 +150,16 @@ should be the name of a file used as the message-of-the-day." (arguments '("nullok"))) unix))) (password (list unix)) - (session (if motd - (list unix - (pam-entry - (control "optional") - (module "pam_motd.so") - (arguments - (list #~(string-append "motd=" #$motd))))) - (list unix)))))))) + (session (append + (if motd + (list unix + (pam-entry + (control "optional") + (module "pam_motd.so") + (arguments + (list #~(string-append "motd=" #$motd))))) + (list unix)) + additional-session-modules))))))) (define (rootok-pam-service command) "Return a PAM service for COMMAND such that 'root' does not need to @@ -173,14 +176,16 @@ authenticate to run COMMAND." (password (list unix)) (session (list unix))))) -(define* (base-pam-services #:key allow-empty-passwords?) +(define* (base-pam-services #:key allow-empty-passwords? + (additional-session-modules '())) "Return the list of basic PAM services everyone would want." ;; TODO: Add other Shadow programs? (append (list %pam-other-services) ;; These programs are setuid-root. (map (cut unix-pam-service <> - #:allow-empty-passwords? allow-empty-passwords?) + #:allow-empty-passwords? allow-empty-passwords? + #:additional-session-modules additional-session-modules) '("su" "passwd" "sudo" "xlock" "xscreensaver")) -- 2.4.3
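Review bot: In gnu/services/base.scm, hunk @@ -364,7 +364,8 @@, the mingetty-service docstring shown in the context right after the new `(additional-session-modules '())` keyword still describes only @var{allow-empty-passwords?}, so the new parameter is undocumented. Please add a sentence stating that it is a list of entries built with pam-entry that are appended to the session stack of the "login" PAM service. The diffstat lists only the two .scm files, so any manual entry for mingetty-service needs the same addition.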
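Review bot: In gnu/system/linux.scm, hunk @@ -133,7 +133,8 @@, the unix-pam-service docstring in the trailing context explains ALLOW-EMPTY-PASSWORDS? and MOTD but says nothing about ADDITIONAL-SESSION-MODULES. Add a sentence in the same style, for example that ADDITIONAL-SESSION-MODULES is a list of PAM entries added to the session stack of the returned service.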
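Review bot: In gnu/system/linux.scm, hunk @@ -149,14 +150,16 @@, the new `(append ... additional-session-modules)` always places the caller's modules last, after pam_unix.so and the optional pam_motd.so entry, and a caller has no way to put a module ahead of pam_unix.so. Since a PAM stack is evaluated in the order it is written, that ordering should be stated in the docstring so that people adding "required" or "sufficient" session modules know where they land. As a style point, `(list unix)` is now repeated in both branches of the `if`; `(append (list unix) (if motd (list (pam-entry ...)) '()) additional-session-modules)` expresses the same stack without the duplication.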
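Review bot: In gnu/system/linux.scm, hunk @@ -173,14 +176,16 @@, the same additional-session-modules list is passed to unix-pam-service for every name in '("su" "passwd" "sudo" "xlock" "xscreensaver"), which the context comment marks as setuid-root, so a module intended for interactive logins also runs in the session phase of passwd and the screen lockers. The %pam-other-services entry and the rootok-pam-service shown in the leading context (session still `(list unix)`) do not receive it, so coverage is partial in a way the docstring "Return the list of basic PAM services everyone would want." does not explain. Please document which services get the extra modules, and consider whether the list should apply to all five programs or only to the ones that open a user session.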