From ad876e5b134072601fa97d82a39b320a269f34a5 Mon Sep 17 00:00:00 2001
From: Andrew Tropin
Date: Thu, 13 Jan 2022 21:41:58 +0300
Subject: [RFC PATCH v2] gnu: linux-pam: Change path to unix_chkpwd helper.
* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid binaries.
---
 gnu/packages/linux.scm | 3 +-
 .../patches/change-path-to-unix_chkpwd.patch | 54 +++++++++++++++++++
 gnu/system/pam.scm | 10 +++-
 3 files changed, 64 insertions(+), 3 deletions(-)
 create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 7b12cb8ec1..ee0df3c625 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1590,7 +1590,8 @@ (define-public linux-pam
 (sha256
 (base32
 "1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
- (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+ (patches (search-patches "change-path-to-unix_chkpwd.patch"
+ "linux-pam-no-setfsuid.patch"))))
 (build-system gnu-build-system)
 (native-inputs
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..90a8b639f6
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
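Review bot: The new patch file name `change-path-to-unix_chkpwd.patch` drops the package prefix that the sibling entry `linux-pam-no-setfsuid.patch` on the removed line carries, so it will not sit next to the other linux-pam patches under gnu/packages/patches/; renaming it to `linux-pam-change-path-to-unix_chkpwd.patch` (here, in the new file's path and in the `create mode` entry) keeps that convention. Because the patch pins pam_unix to `/run/setuid-programs/unix_chkpwd`, the module built from this package can only authenticate non-root users on a system that also exposes the helper there; a one-line comment next to the `patches` field saying so, for example `;; pam_unix expects the setuid unix_chkpwd wrapper from (gnu system pam).`, would spare the next reader a trip into the patch.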
@@ -0,0 +1,54 @@
+From f314ab148b488e23a2e48e7222964e46d0d03447 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin
+Date: Wed, 12 Jan 2022 17:17:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+---
+ modules/pam_unix/pam_unix_acct.c | 4 ++--
+ modules/pam_unix/support.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0..2fdec6c7 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -122,12 +122,12 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+ }
+
+ /* exec binary helper */
+- args[0] = CHKPWD_HELPER;
++ args[0] = "/run/setuid-programs/unix_chkpwd";
+ args[1] = user;
+ args[2] = "chkexpiry";
+
+ DIAG_PUSH_IGNORE_CAST_QUAL;
+- execve(CHKPWD_HELPER, (char *const *) args, envp);
++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ DIAG_POP_IGNORE_CAST_QUAL;
+
+ pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 27ca7127..d02f394e 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -523,7 +523,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ }
+
+ /* exec binary helper */
+- args[0] = CHKPWD_HELPER;
++ args[0] = "/run/setuid-programs/unix_chkpwd";
+ args[1] = user;
+ if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
+ args[2]="nullok";
+@@ -532,7 +532,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ }
+
+ DIAG_PUSH_IGNORE_CAST_QUAL;
+- execve(CHKPWD_HELPER, (char *const *) args, envp);
++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ DIAG_POP_IGNORE_CAST_QUAL;
+
+ /* should not get here: exit with error */
+--
+2.34.0
+
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..b635681642 100644
--- a/gnu/system/pam.scm
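Review bot: The literal `/run/setuid-programs/unix_chkpwd` is written out four times (the `args[0]` assignment and the `execve` call in both pam_unix_acct.c and support.c) where the original code had the single `CHKPWD_HELPER` macro, so the two call sites can now drift apart and any later caller of the macro in this module would still exec the old path. Redefining the macro once instead — at the top of each touched file with `#undef CHKPWD_HELPER` / `#define CHKPWD_HELPER "/run/setuid-programs/unix_chkpwd"`, or better by supplying the definition at build time from the package recipe so no C source needs patching — keeps a single source of truth for a path that decides which setuid-root binary every pam_unix authentication executes. The embedded patch also has an empty description; a sentence such as "The store copy of unix_chkpwd cannot carry the setuid bit, so pam_unix must exec the wrapper that Guix System installs under /run/setuid-programs/" would record why the path is fixed rather than computed from sbindir. Both `_unix_run_verify_binary` and `_unix_run_helper_binary` start and end outside these hunks.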
+++ b/gnu/system/pam.scm
@@ -21,6 +21,7 @@ (define-module (gnu system pam)
 #:use-module (guix derivations)
 #:use-module (guix gexp)
 #:use-module (gnu services)
+ #:use-module (gnu system setuid)
 #:use-module (ice-9 match)
 #:use-module (srfi srfi-1)
 #:use-module (srfi srfi-9)
@@ -375,8 +376,13 @@ (define (extend-configuration initial extensions)
 (define pam-root-service-type
 (service-type (name 'pam)
- (extensions (list (service-extension etc-service-type
- /etc-entry)))
+ (extensions
+ (list (service-extension
+ setuid-program-service-type
+ (lambda (_)
+ (list (file-like->setuid-program
+ (file-append linux-pam "/sbin/unix_chkpwd")))))
+ (service-extension etc-service-type /etc-entry)))
 ;; Arguments include as well as procedures.
 (compose concatenate)
--
2.34.0
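Review bot: The `pam-root-service-type` hunk installs a setuid-root binary on every system that uses this service type, yet the new `service-extension` carries no comment explaining the privilege or the coupling it has with the companion C patch, which hard-codes `/run/setuid-programs/unix_chkpwd`; a comment such as `;; pam_unix execs unix_chkpwd to verify credentials for unprivileged callers; the store copy cannot be setuid root, so expose the wrapper pam_unix's patched path expects.` above the extension would record that. Nothing ties `(file-append linux-pam "/sbin/unix_chkpwd")` to the path the patch exec's beyond the shared basename, so if one side is ever renamed the failure shows up as non-root logins failing rather than as a build error — worth stating in the same comment. As far as the hunk shows, `linux-pam` is not imported here, so presumably it is already in scope from an existing `#:use-module` outside the hunk; the `(lambda (_) ...)` ignoring its argument is consistent with the other extension and fine.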