[bug#53468] [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.

[Andrew Tropin <andrew@trop.in>]

[-- Attachment #1.1: Type: text/plain, Size: 986 bytes --]

On 2022-02-04 23:10, Ludovic Courtès wrote:

> Hi!
>
> Andrew Tropin <andrew@trop.in> skribis:
>
>> From ad876e5b134072601fa97d82a39b320a269f34a5 Mon Sep 17 00:00:00 2001
>> From: Andrew Tropin <andrew@trop.in>
>> Date: Thu, 13 Jan 2022 21:41:58 +0300
>> Subject: [RFC PATCH v2] gnu: linux-pam: Change path to unix_chkpwd helper.
>>
>> * gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
>> * gnu/packages/linux.scm (linux-pam): Add patch.
>> * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
>> binaries.
>
> [...]
>
>> +     DIAG_PUSH_IGNORE_CAST_QUAL;
>> +-    execve(CHKPWD_HELPER, (char *const *) args, envp);
>> ++    execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
>> +     DIAG_POP_IGNORE_CAST_QUAL;
>
> Looks reasonable to me.  However, could you change the CHKPWD_HELPER
> macro definition in the Makefile template, as you suggested, instead of
> patching the file?

Sure, done in v3.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: v3-0001-gnu-linux-pam-Change-path-to-unix_chkpwd-helper.patch --]
[-- Type: text/x-patch, Size: 3380 bytes --]

From e96d3f6d82b134829fcb31777e81928c73847dcc Mon Sep 17 00:00:00 2001
From: Andrew Tropin <andrew@trop.in>
Date: Sun, 6 Feb 2022 08:13:49 +0300
Subject: [PATCH v3] gnu: linux-pam: Change path to unix_chkpwd helper.

* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file.
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid.
---
 gnu/packages/linux.scm                              |  3 ++-
 .../patches/change-path-to-unix_chkpwd.patch        | 13 +++++++++++++
 gnu/system/pam.scm                                  | 10 ++++++++--
 3 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 2e2d01c656..bc2927d0b4 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1625,7 +1625,8 @@ (define-public linux-pam
        (sha256
         (base32
          "1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
-       (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+       (patches (search-patches "change-path-to-unix_chkpwd.patch"
+                                "linux-pam-no-setfsuid.patch"))))
 
     (build-system gnu-build-system)
     (native-inputs
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..e5c6d2649c
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
@@ -0,0 +1,13 @@
+From: Andrew Tropin <andrew@trop.in>
+Date: Sat, 5 Feb 2022 21:06:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+unix_chkpwd is designed to have a suid bit, but it's not possible to set it
+for files in /gnu/store, and this patch tells unix_pam.so to lookup up for
+unix_chkpwd in directory generated by setuid-program system service.
+
+--- a/modules/pam_unix/Makefile.in
++++ b/modules/pam_unix/Makefile.in
+@@ -651,1 +651,1 @@
+-	-DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
++	-DCHKPWD_HELPER=\"/run/setuid-programs/unix_chkpwd\" \
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..b635681642 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -21,6 +21,7 @@ (define-module (gnu system pam)
   #:use-module (guix derivations)
   #:use-module (guix gexp)
   #:use-module (gnu services)
+  #:use-module (gnu system setuid)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
@@ -375,8 +376,13 @@ (define (extend-configuration initial extensions)
 
 (define pam-root-service-type
   (service-type (name 'pam)
-                (extensions (list (service-extension etc-service-type
-                                                     /etc-entry)))
+                (extensions
+                 (list (service-extension
+                        setuid-program-service-type
+                        (lambda (_)
+                          (list (file-like->setuid-program
+                                 (file-append linux-pam "/sbin/unix_chkpwd")))))
+                       (service-extension etc-service-type /etc-entry)))
 
                 ;; Arguments include <pam-service> as well as procedures.
                 (compose concatenate)
-- 
2.34.0


[-- Attachment #1.3: Type: text/plain, Size: 37 bytes --]


-- 
Best regards,
Andrew Tropin

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 853 bytes --]