From: Andrew Tropin <andrew@trop.in>
To: 53468@debbugs.gnu.org
Subject: [bug#53468] [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.
Date: Sun, 23 Jan 2022 17:08:43 +0300 [thread overview]
Message-ID: <87sftetuhg.fsf@trop.in> (raw)
In-Reply-To: <87tudu38yz.fsf@trop.in>
[-- Attachment #1.1: Type: text/plain, Size: 75 bytes --]
Attaching a second version of the patch, added missing import and
lambda.
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: v2-0001-gnu-linux-pam-Change-path-to-unix_chkpwd-helper.patch --]
[-- Type: text/x-patch, Size: 4801 bytes --]
From ad876e5b134072601fa97d82a39b320a269f34a5 Mon Sep 17 00:00:00 2001
From: Andrew Tropin <andrew@trop.in>
Date: Thu, 13 Jan 2022 21:41:58 +0300
Subject: [RFC PATCH v2] gnu: linux-pam: Change path to unix_chkpwd helper.
* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
binaries.
---
gnu/packages/linux.scm | 3 +-
.../patches/change-path-to-unix_chkpwd.patch | 54 +++++++++++++++++++
gnu/system/pam.scm | 10 +++-
3 files changed, 64 insertions(+), 3 deletions(-)
create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 7b12cb8ec1..ee0df3c625 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1590,7 +1590,8 @@ (define-public linux-pam
(sha256
(base32
"1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
- (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+ (patches (search-patches "change-path-to-unix_chkpwd.patch"
+ "linux-pam-no-setfsuid.patch"))))
(build-system gnu-build-system)
(native-inputs
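Review bot: The new patch is added to the `search-patches` call here, but the diffstat lists only three files and `gnu/local.mk` is not among them, so the patch does not appear to be registered in `dist_patch_DATA`. Without that entry the file would presumably be left out of distribution tarballs. The name also departs from its neighbour `linux-pam-no-setfsuid.patch`; a package-prefixed name (for example `linux-pam-unix_chkpwd-path.patch`) would match the patch-file-name convention that `guix lint` checks. The `linux-pam` definition starts and ends outside this hunk.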
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..90a8b639f6
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
@@ -0,0 +1,54 @@
+From f314ab148b488e23a2e48e7222964e46d0d03447 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin <andrew@trop.in>
+Date: Wed, 12 Jan 2022 17:17:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+---
+ modules/pam_unix/pam_unix_acct.c | 4 ++--
+ modules/pam_unix/support.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0..2fdec6c7 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -122,12 +122,12 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+ }
+
+ /* exec binary helper */
+- args[0] = CHKPWD_HELPER;
++ args[0] = "/run/setuid-programs/unix_chkpwd";
+ args[1] = user;
+ args[2] = "chkexpiry";
+
+ DIAG_PUSH_IGNORE_CAST_QUAL;
+- execve(CHKPWD_HELPER, (char *const *) args, envp);
++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ DIAG_POP_IGNORE_CAST_QUAL;
+
+ pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 27ca7127..d02f394e 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -523,7 +523,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ }
+
+ /* exec binary helper */
+- args[0] = CHKPWD_HELPER;
++ args[0] = "/run/setuid-programs/unix_chkpwd";
+ args[1] = user;
+ if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
+ args[2]="nullok";
+@@ -532,7 +532,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ }
+
+ DIAG_PUSH_IGNORE_CAST_QUAL;
+- execve(CHKPWD_HELPER, (char *const *) args, envp);
++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ DIAG_POP_IGNORE_CAST_QUAL;
+
+ /* should not get here: exit with error */
+--
+2.34.0
+
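Review bot: The literal `"/run/setuid-programs/unix_chkpwd"` replaces `CHKPWD_HELPER` at four call sites, in `_unix_run_verify_binary` and `_unix_run_helper_binary`, so any use of the macro outside these hunks would still resolve to the old location and the four copies can drift apart. Keeping `args[0] = CHKPWD_HELPER;` and `execve(CHKPWD_HELPER, (char *const *) args, envp);` and changing the macro's definition once would avoid that; the definition is not visible here, so where it is set needs confirming. The embedded patch also carries no explanatory header. A short paragraph under its `Subject:` line should say that the helper must be setuid to read the shadow database on behalf of unprivileged callers, and that the module now trusts `/run/setuid-programs` to be writable only by root. Both function bodies continue outside the hunks shown.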
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..b635681642 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -21,6 +21,7 @@ (define-module (gnu system pam)
#:use-module (guix derivations)
#:use-module (guix gexp)
#:use-module (gnu services)
+ #:use-module (gnu system setuid)
#:use-module (ice-9 match)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
@@ -375,8 +376,13 @@ (define (extend-configuration initial extensions)
(define pam-root-service-type
(service-type (name 'pam)
- (extensions (list (service-extension etc-service-type
- /etc-entry)))
+ (extensions
+ (list (service-extension
+ setuid-program-service-type
+ (lambda (_)
+ (list (file-like->setuid-program
+ (file-append linux-pam "/sbin/unix_chkpwd")))))
+ (service-extension etc-service-type /etc-entry)))
;; Arguments include <pam-service> as well as procedures.
(compose concatenate)
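Review bot: The new `setuid-program-service-type` extension gives every system that instantiates `pam-root-service-type` a setuid `unix_chkpwd` (root-owned, assuming the defaults of `file-like->setuid-program`), and nothing at the site explains why that privilege is needed. A comment above the lambda would record it, for example `;; pam_unix execs unix_chkpwd from /run/setuid-programs when the caller cannot read the shadow file itself.` The path hard-coded in the C patch and the basename derived here from `(file-append linux-pam "/sbin/unix_chkpwd")` must stay in step, and nothing enforces that. `linux-pam` is also referenced without `(gnu packages linux)` appearing in the visible part of the module's import list, so confirm it is in scope. The `service-type` form continues past the end of the hunk.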
--
2.34.0
[-- Attachment #1.3: Type: text/plain, Size: 1511 bytes --]
Reconfigured my system with the patch above.
I tested it with the swaylock built with pam support:
--8<---------------cut here---------------start------------->8---
(define-public swaylock
(package
(name "swaylock")
(version "1.6")
(source
(origin
(method git-fetch)
(uri (git-reference
(url "https://github.com/swaywm/swaylock")
(commit "5150d3869cd801cb2badb3c645fa41c01bbfbbbf")))
(file-name (git-file-name name version))
(sha256
(base32 "16n389w5hx8f8dqnhzjgimxmaw648cnnmifazx6zwx2v5vhxa38r"))))
(build-system meson-build-system)
(inputs (list cairo gdk-pixbuf libxkbcommon
linux-pam
wayland))
(native-inputs (list pango pkg-config scdoc wayland-protocols))
(home-page "https://github.com/swaywm/sway")
(synopsis "Screen locking utility for Wayland compositors")
(description "Swaylock is a screen locking utility for Wayland compositors.")
(license license:expat)))
--8<---------------cut here---------------end--------------->8---
and following system service:
--8<---------------cut here---------------start------------->8---
(simple-service
'sway-add-swaylock-pam
pam-root-service-type
(list
(unix-pam-service "swaylock")))
--8<---------------cut here---------------end--------------->8---
I'll send a separate patch for swaylock once this ticket is
resolved.
--
Best regards,
Andrew Tropin