From: Josselin Poiret via Guix-patches
To: muradm, 63652-done@debbugs.gnu.org
Subject: bug#63652: [PATCH] services: screen-locker-service-type: Configurable PAM and setuid.
Date: Sun, 04 Jun 2023 11:42:18 +0200
Message-ID: <87a5xfef7p.fsf@jpoiret.xyz>
In-Reply-To: <84127ca20c41459b18200f39356f7964fa75f943.1684782409.git.mail@muradm.net>

Hi muradm,

muradm writes:

> screen-locker-service-type by default both defines a PAM entry
> and makes the program a setuid binary. Normally both methods are
> mutually exclusive: if the binary has setuid set it does not really
> need PAM; the other way around is similar, if PAM is enabled the
> binary should not rely on setuid.
>
> The recent swaylock package is now compiled with PAM support. When PAM
> support is compiled in, swaylock refuses to execute if the binary is
> also a setuid program.
>
> This change turns screen-locker-configuration from strict
> PAM AND setuid to more flexible PAM AND/OR setuid, allowing
> swaylock to be configured properly while supporting other
> screen locker preferences.
>
> * gnu/services/xorg.scm (screen-locker-configuration): Switch from
> define-record-type to define-configuration.
> [using-pam?]: New field to control PAM entry existence.
> [using-setuid?]: New field to control setuid binary existence.
> (screen-locker-pam-services): Should not make unix-pam-service if
> using-pam? is set to #f.
> (screen-locker-setuid-programs): Should not make program setuid
> program if using-setuid? is set to #f.
> (screen-locker-generate-doc): Internal function to generate
> configuration documentation.
> (screen-locker-service): Adapt to new screen-locker-configuration.
> * gnu/services/desktop.scm (desktop-services-for-system): Adapt to
> new screen-locker-configuration.
> * doc/guix.texi: Reflect new changes to screen-locker-configuration.

Thanks!
Tested and pushed as f4f5ee6ad6e2432f52e37c549211df8f1cdbb571 with the following changes: diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi index b1ffa72c0e..b9f5f6b6a9 100644 =2D-- a/doc/guix-cookbook.texi +++ b/doc/guix-cookbook.texi @@ -2147,7 +2147,10 @@ Xorg can be achieved by adding the following service to your @file{config.scm}: =20 @lisp =2D(screen-locker-service slock) +(service screen-locker-services-type + (screen-locker-configuration + (name "slock") + (program (file-append slock "/bin/slock")))) @end lisp =20 If you manually lock your screen, e.g. by directly calling slock when you = want to lock diff --git a/doc/guix.texi b/doc/guix.texi index 704bbd39d2..db37676e12 100644 =2D-- a/doc/guix.texi +++ b/doc/guix.texi @@ -97,7 +97,7 @@ Copyright @copyright{} 2021 pukkamustard@* Copyright @copyright{} 2021 Alice Brenon@* Copyright @copyright{} 2021, 2022 Josselin Poiret@* =2DCopyright @copyright{} 2021 muradm@* +Copyright @copyright{} 2021, 2023 muradm@* Copyright @copyright{} 2021, 2022 Andrew Tropin@* Copyright @copyright{} 2021 Sarah Morgensen@* Copyright @copyright{} 2022 Remco van 't Veer@* 
@@ -22533,28 +22533,32 @@ X Window saver to the set of setuid programs and/or add a PAM entry for it. The value for this service is a @code{} object. =20 =2DWhile default behavior is to setup both setuid program and PAM entry, =2Dthey are effectively mutually exclusive. Screen locker programs may =2Dprevent executing when PAM is configured, and @code{setuid} is set on =2Dexecutable. Then @code{using-setuid?} can be set to @code{#f}. +While the default behavior is to setup both a setuid program and PAM +entry, these two methods are redundant. Screen locker programs may not +execute when PAM is configured and @code{setuid} is set on their +executable. In this case, @code{using-setuid?} can be set to @code{#f}. =20 For example, to make XlockMore usable: =20 @lisp (service screen-locker-service-type (screen-locker-configuration =2D "xlock" (file-append xlockmore "/bin/xlock") #f)) + (name "xlock") + (program (file-append xlockmore "/bin/xlock")))) @end lisp =20 makes the good ol' XlockMore usable. =20 For example, swaylock fails to execute when compiled with PAM support =2Dand setuid enabled, then one can disable setuid: +and setuid enabled. One can thus disable setuid: =20 @lisp (service screen-locker-service-type (screen-locker-configuration =2D "swaylock" (file-append xlockmore "/bin/xlock") #f #t #f)) + (name "swaylock") + (program (file-append xlockmore "/bin/xlock")) + (using-pam? #t) + (using-setuid? #f))) @end lisp =20 @end defvar diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 639e99ff79..a63748b652 100644 =2D-- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm 
@@ -1840,13 +1840,11 @@ (define* (desktop-services-for-system #:optional (service screen-locker-service-type (screen-locker-configuration (name "slock") =2D (program (file-append slock "/bin/slock")) =2D (allow-empty-password? #f))) + (program (file-append slock "/bin/slock")))) (service screen-locker-service-type (screen-locker-configuration (name "xlock") =2D (program (file-append xlock "/bin/xlock")) =2D (allow-empty-password? #f))) + (program (file-append xlockmore "/bin/xlock")))) =20 ;; Add udev rules for MTP devices so that non-root users can acce= ss ;; them. diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index b6c1636660..f8cf9f25b6 100644 =2D-- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -723,14 +723,6 @@ (define-configuration/no-serialization screen-locker-c= onfiguration (boolean #t) "Whether to setup program as setuid binary.")) =20 =2D(define-deprecated/public-alias =2D screen-locker =2D screen-locker-configuration) =2D =2D(define-deprecated/public-alias =2D screen-locker? =2D screen-locker-configuration?) =2D (define (screen-locker-pam-services config) (match-record config (name allow-empty-password? using-pam?)
-- 
Josselin Poiret
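Review bot: in the doc/guix-cookbook.texi hunk, the added example names the service `screen-locker-services-type`, which does not match `screen-locker-service-type` as used in every other hunk of this patch (doc/guix.texi and gnu/services/desktop.scm); a reader who pastes the cookbook snippet into config.scm gets an unbound-variable error at reconfigure time. Change `(service screen-locker-services-type` to `(service screen-locker-service-type`.

Review bot: in the doc/guix.texi hunk at line 22533, the swaylock example still points `program` at `(file-append xlockmore "/bin/xlock")` while `name` is "swaylock", so the snippet that is meant to show a PAM-only swaylock actually installs an xlock binary under a swaylock PAM entry; both the removed positional form and the replacement keyword form carry the same mismatch, so it was not introduced here, but it should be fixed while the example is being rewritten: `(program (file-append swaylock "/bin/swaylock"))`. Two wording points in the same hunk: "makes the good ol' XlockMore usable." repeats the sentence that introduces the XlockMore example and can go, and "to setup both a setuid program and PAM entry" should read "to set up". Finally, the new paragraph calls the two mechanisms "redundant" yet leaves both enabled by default without saying which to drop; since the commit message's own position is that a PAM-enabled binary should not rely on setuid, a sentence recommending `(using-setuid? #f)` for lockers that support PAM would make the guidance actionable.

Review bot: in the gnu/services/desktop.scm hunk, removing `(allow-empty-password? #f)` from both default lockers only preserves behaviour if the `define-configuration` default for that field is `#f`; the default is not visible in this diff (the xorg.scm hunk shows only the `using-setuid?` field), so please confirm it before relying on it, because a `#t` default would let the stock desktop lock screen be dismissed with an empty password. The `xlock` to `xlockmore` change on the second `program` line is a real fix (guix.texi uses `xlockmore` as the package variable) and deserves its own line in the commit message.

Review bot: in the gnu/services/xorg.scm hunk, dropping the `screen-locker` and `screen-locker?` deprecated aliases removes the only compatibility path for configurations written against the old `screen-locker` record that `define-configuration` now replaces (commit message: "Switch from define-record-type to define-configuration"); if those names were exported before this series, existing config.scm files that construct `(screen-locker ...)` stop evaluating, so either keep the aliases for a deprecation cycle or state the break explicitly in the commit message. Minor: the docstring "Whether to setup program as setuid binary." in the context line should read "set up the program as a setuid binary".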
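The check a practitioner would run after reconfiguring with the new fields, as an added example that is not part of this patch or of Guix: it classifies an installed locker as wired via setuid, via PAM, both, or neither, by testing the setuid bit on the binary and the presence of a PAM service file carrying the locker's name. The two directory paths are parameters; `/run/setuid-programs` and `/etc/pam.d` are assumed to be the Guix System locations, and the files created by `demo` are constructed fixtures.

```shell
#!/bin/sh
# Added example (not from the patch or from Guix): report how a screen
# locker is wired on a system, by checking the setuid bit on its binary
# and whether a PAM service file with the same name exists.  A setuid
# binary is what the thread says a PAM-enabled swaylock refuses to run as.
#
# Usage: locker_mode NAME SETUID_DIR PAM_DIR
#   e.g. locker_mode swaylock /run/setuid-programs /etc/pam.d
#   (assumed Guix System locations; the paths are parameters)
# Prints exactly one of: both, setuid, pam, none
locker_mode() {
  lm_name=$1
  lm_setuid_dir=$2
  lm_pam_dir=$3
  lm_setuid=0
  lm_pam=0
  # test -u is true only when the setuid bit is set on the file
  if [ -u "$lm_setuid_dir/$lm_name" ]; then lm_setuid=1; fi
  # a PAM entry is a regular file named after the service
  if [ -f "$lm_pam_dir/$lm_name" ]; then lm_pam=1; fi
  case "$lm_setuid$lm_pam" in
    11) echo both ;;
    10) echo setuid ;;
    01) echo pam ;;
    *)  echo none ;;
  esac
}

# Demonstration on constructed fixtures under a temporary directory.  No
# root is needed: setting the setuid bit on a file you own is permitted,
# it just grants nothing.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/setuid-programs" "$d/pam.d"
  printf '#!/bin/sh\nexit 0\n' > "$d/setuid-programs/swaylock"
  chmod u+x "$d/setuid-programs/swaylock"
  printf 'auth required pam_unix.so\n' > "$d/pam.d/swaylock"

  printf 'PAM entry only:       %s\n' \
    "$(locker_mode swaylock "$d/setuid-programs" "$d/pam.d")"
  chmod u+s "$d/setuid-programs/swaylock"
  printf 'PAM entry and setuid: %s\n' \
    "$(locker_mode swaylock "$d/setuid-programs" "$d/pam.d")"
  rm -f "$d/pam.d/swaylock"
  printf 'setuid only:          %s\n' \
    "$(locker_mode swaylock "$d/setuid-programs" "$d/pam.d")"
  chmod u-s "$d/setuid-programs/swaylock"
  printf 'neither:              %s\n' \
    "$(locker_mode swaylock "$d/setuid-programs" "$d/pam.d")"
  rm -rf "$d"
}

demo
```

On a real system, run `locker_mode swaylock /run/setuid-programs /etc/pam.d` after `guix system reconfigure`; with the configuration from the thread (`using-pam? #t`, `using-setuid? #f`) the expected answer is `pam`, and `both` means the setuid program is still being installed.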