From: L p R n d n
To: Ricardo Wurmus
Cc: 35305@debbugs.gnu.org
Subject: [bug#35305] LightDM service
Date: Sat, 09 May 2020 17:09:50 +0200
Message-ID: <87zhahcfgh.fsf@lprndn.info>
In-Reply-To: <87k11m2hqx.fsf@elephly.net> (Ricardo Wurmus's message of "Sat, 09 May 2020 00:18:14 +0200")

Hello,

Ricardo Wurmus writes:

> I have applied all patches locally, pushed some of them to the master
> branch already, and also made these local changes:

Thanks for the review!

[...]
> > @item @code{autologin-user} (default: "") > -If @code{autologin-user} is set, LightDM logs in directly > -as @code{autologin-user} to the session defined in > -@code{default-user-session}. This user should be part of the > +If @code{autologin-user} is set, LightDM logs in directly as > +@code{autologin-user} to the session defined in > +@code{default-user-session}. This user should be part of the > @code{autologin} group.

My bad, but here the `autologin` group thing is not applicable in Guix, at
least for now.
+ adding a user to this group outputs an error

So I tried to make a quick fix of the documentation with this patch:

diff --git a/doc/guix.texi b/doc/guix.texi index 54eba225d3..3dd5fe216a 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -14792,10 +14792,9 @@ The name of the default @code{.desktop} file describing a session. Will be used for @code{user-session} and @code{autologin-session} if necessary. @item @code{autologin-user} (default: "") -If @code{autologin-user} is set, LightDM logs in directly -as @code{autologin-user} to the session defined in -@code{default-user-session}. This user should be part of the -@code{autologin} group. +If @code{autologin-user} is set, LightDM logs in directly as +@code{autologin-user} to the session defined in +@code{default-user-session}. @item @code{extra-config} (default: @code{'()}) A list of strings each describing a custom setting to append to the seat

However, it might be interesting to set this up in Guix, as it seems to be
used in other Linux distributions and looks like a relatively good security
feature. I'm not versed in security, but we would at least need to create
this group and modify the PAM services. Should I open an issue for that?

[...]
>
> What do you think about these changes?  I felt that a list of
> directories should be expressed as a list and not a colon-separated
> string.  I realize that this clashes with the lightdm configuration
> file, which speaks of “directory” even though it accepts a
> colon-separated list of directories.

Everything is looking fine! And the directories as lists is indeed way
better.

> If that’s fine I’ll fold them into your patch that adds the service.
>
> I built a VM and noticed that all icons are missing.  Should the service
> arrange for a certain fallback icon theme to be installed?

If you only added (service-type lightdm-service-type) without any
greeter, it's expected. LightDM without autologin needs a greeter. So in
this case you just get a "fallback" session to avoid unnecessarily
breaking the user's system.
I chose not to bring lightdm-gtk-greeter's assets to give the user a
little push toward adding a greeter service. It's very arguable, so if you
think we should bring in assets too, let's do it. I can prepare a patch if
you want. The documentation might also be lacking here. So adding a
little comment in the lightdm-service description might also be
enough. What do you think?

> I also haven’t actually been able to log in as root with an empty
> password, which is what the VM generates by default.  Can this be
> supported with lightdm?

Didn't succeed either but it should be possible... :/
Looking on the web, on passwordless login, the lightdm-autologin pam is
often cited, so this line:

    (pam-entry
     (control "required")
     (module "pam_succeed_if.so")
     (arguments (list "uid >= 1000")))

might be related. But I'm really not knowledgeable enough on this matter
to give a proper answer.

> --
> Ricardo

Have a nice day,

L p R n d n
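
Review bot: in the doc/guix.texi hunk, under @item @code{autologin-user}, deleting "This user should be part of the @code{autologin} group." leaves the entry silent on which accounts may be logged in automatically. Rather than only dropping the sentence, consider replacing it with one that says membership of an autologin group is not required, so readers coming from other distributions do not assume a restriction that is absent. Also, the retained text says the session comes from @code{default-user-session}, while the context line just above says the default .desktop file is used for @code{autologin-session} "if necessary"; naming the same setting in both places would avoid ambiguity about which session an automatic login starts.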