From: Andrew Tropin <andrew@trop.in>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 53468@debbugs.gnu.org
Subject: [bug#53468] [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.
Date: Sun, 06 Feb 2022 08:16:54 +0300 [thread overview]
Message-ID: <878ruo60c9.fsf@trop.in> (raw)
In-Reply-To: <877daamgf2.fsf_-_@gnu.org>
[-- Attachment #1.1: Type: text/plain, Size: 986 bytes --]
On 2022-02-04 23:10, Ludovic Courtès wrote:
> Hi!
>
> Andrew Tropin <andrew@trop.in> skribis:
>
>> From ad876e5b134072601fa97d82a39b320a269f34a5 Mon Sep 17 00:00:00 2001
>> From: Andrew Tropin <andrew@trop.in>
>> Date: Thu, 13 Jan 2022 21:41:58 +0300
>> Subject: [RFC PATCH v2] gnu: linux-pam: Change path to unix_chkpwd helper.
>>
>> * gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
>> * gnu/packages/linux.scm (linux-pam): Add patch.
>> * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
>> binaries.
>
> [...]
>
>> + DIAG_PUSH_IGNORE_CAST_QUAL;
>> +- execve(CHKPWD_HELPER, (char *const *) args, envp);
>> ++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
>> + DIAG_POP_IGNORE_CAST_QUAL;
>
> Looks reasonable to me. However, could you change the CHKPWD_HELPER
> macro definition in the Makefile template, as you suggested, instead of
> patching the file?
Sure, done in v3.
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: v3-0001-gnu-linux-pam-Change-path-to-unix_chkpwd-helper.patch --]
[-- Type: text/x-patch, Size: 3380 bytes --]
From e96d3f6d82b134829fcb31777e81928c73847dcc Mon Sep 17 00:00:00 2001
From: Andrew Tropin <andrew@trop.in>
Date: Sun, 6 Feb 2022 08:13:49 +0300
Subject: [PATCH v3] gnu: linux-pam: Change path to unix_chkpwd helper.
* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file.
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid.
---
gnu/packages/linux.scm | 3 ++-
.../patches/change-path-to-unix_chkpwd.patch | 13 +++++++++++++
gnu/system/pam.scm | 10 ++++++++--
3 files changed, 23 insertions(+), 3 deletions(-)
create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 2e2d01c656..bc2927d0b4 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1625,7 +1625,8 @@ (define-public linux-pam
(sha256
(base32
"1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
- (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+ (patches (search-patches "change-path-to-unix_chkpwd.patch"
+ "linux-pam-no-setfsuid.patch"))))
(build-system gnu-build-system)
(native-inputs
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..e5c6d2649c
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
@@ -0,0 +1,13 @@
+From: Andrew Tropin <andrew@trop.in>
+Date: Sat, 5 Feb 2022 21:06:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+unix_chkpwd is designed to have a suid bit, but it's not possible to set it
+for files in /gnu/store, and this patch tells unix_pam.so to lookup up for
+unix_chkpwd in directory generated by setuid-program system service.
+
+--- a/modules/pam_unix/Makefile.in
++++ b/modules/pam_unix/Makefile.in
+@@ -651,1 +651,1 @@
+- -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
++ -DCHKPWD_HELPER=\"/run/setuid-programs/unix_chkpwd\" \
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..b635681642 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -21,6 +21,7 @@ (define-module (gnu system pam)
#:use-module (guix derivations)
#:use-module (guix gexp)
#:use-module (gnu services)
+ #:use-module (gnu system setuid)
#:use-module (ice-9 match)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
@@ -375,8 +376,13 @@ (define (extend-configuration initial extensions)
(define pam-root-service-type
(service-type (name 'pam)
- (extensions (list (service-extension etc-service-type
- /etc-entry)))
+ (extensions
+ (list (service-extension
+ setuid-program-service-type
+ (lambda (_)
+ (list (file-like->setuid-program
+ (file-append linux-pam "/sbin/unix_chkpwd")))))
+ (service-extension etc-service-type /etc-entry)))
;; Arguments include <pam-service> as well as procedures.
(compose concatenate)
--
2.34.0
[-- Attachment #1.3: Type: text/plain, Size: 37 bytes --]
--
Best regards,
Andrew Tropin
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 853 bytes --]
next prev parent reply other threads:[~2022-02-06 5:18 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-13 18:41 [bug#53468] [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper Andrew Tropin
2022-01-23 14:08 ` Andrew Tropin
2022-02-04 11:07 ` Andrew Tropin
2022-02-04 22:10 ` Ludovic Courtès
2022-02-06 5:16 ` Andrew Tropin [this message]
2022-02-10 22:42 ` bug#53468: " Ludovic Courtès
2022-02-26 7:11 ` [bug#53468] " Andrew Tropin
2022-02-27 22:03 ` Ludovic Courtès
2023-03-03 23:33 ` wolf
2023-03-07 17:57 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878ruo60c9.fsf@trop.in \
--to=andrew@trop.in \
--cc=53468@debbugs.gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.