* [bug#63383] [PATCH 0/4] Various PAM improvements
From: Felix Lechner via Guix-patches via @ 2023-05-09 0:56 UTC (permalink / raw)
To: 63383; +Cc: Felix Lechner

This commit series makes several improvements to the way Linux-PAM is used in
Guix. Most notably, it employs absolute paths into the store where
possible. The series also improves significantly on the system test for
pam_limits.

These commits have been tested and are already being deployed in production.

Additional details are in the commit messages.

Felix Lechner (4):
  In PAM test, confirm ulimits actually imposed instead of comparing
    config files.
  Drop limits.conf from /etc/security; use directly in
    pam-limits-service-type.
  Refer to the built-in Linux-PAM modules by their absolute paths.
  Use more file-append.

 gnu/services/authentication.scm |  2 +-
 gnu/services/base.scm           | 65 +++++++++++++++---------------
 gnu/services/kerberos.scm       |  2 +-
 gnu/services/lightdm.scm        | 60 ++++++++++++++++++++--------
 gnu/services/pam-mount.scm      |  2 +-
 gnu/services/sddm.scm           | 33 ++++++++--------
 gnu/services/xorg.scm           |  5 ++-
 gnu/system/pam.scm              | 20 +++++-----
 gnu/tests/pam.scm               | 70 ++++++++++++++++++---------------
 9 files changed, 146 insertions(+), 113 deletions(-)

base-commit: d1aba42ad4e1909faa21d484975c5954c778e002
--
2.39.2
* [bug#63383] Fwd: PAM may cause issues on system updates
From: Felix Lechner via Guix-patches via @ 2023-06-28 18:44 UTC (permalink / raw)
To: 63383; +Cc: Ludovic Courtès, Maxim Cournoyer

[an earlier version was sent to the wrong bug]

Hi,

There is another bug that was probably a reason why some folks
hesitated to accept this patch:

https://issues.guix.gnu.org/32182

In that bug, Ludo' proposed to refer from Shepherd services to PAM
services by absolute paths. I believe it is a viable and worthy
solution.

(By contrast, this bug makes PAM services refer to PAM modules by
absolute paths.)

Another solution could be to make all PAM modules and services Guile
scripts. While admittedly a more comprehensive effort, I believe such
an upgrade might be popular in the broader community, which is
generally tired of PAM. The only prerequisite to execute those scripts
would be a working copy of GNU Guile (i.e. no libpam or libc).

Kind regards
Felix

* bug#63383: [PATCH 0/4] Various PAM improvements
From: Ludovic Courtès @ 2023-08-15 20:19 UTC (permalink / raw)
To: Felix Lechner; +Cc: 63383-done, Maxim Cournoyer

Hi,

Sorry for the long delay!

Felix Lechner <felix.lechner@lease-up.com> writes:

> There is another bug that was probably a reason why some folks
> hesitated to accept this patch:
>
> https://issues.guix.gnu.org/32182
>
> In that bug, Ludo' proposed to refer from Shepherd services to PAM
> services by absolute paths. I believe it is a viable and worthy
> solution.
>
> (By contrast, this bug makes PAM services refer to PAM modules by
> absolute paths.)

Right. For this reason, I’m dropping the patch that adds more absolute
file names for all modules shipped with ‘linux-pam’ but keeping the rest.

> Another solution could be to make all PAM modules and services Guile
> scripts. While admittedly a more comprehensive effort, I believe such
> an upgrade might be popular in the broader community, which is
> generally tired of PAM. The only prerequisite to execute those scripts
> would be a working copy of GNU Guile (i.e. no libpam or libc).

Hmm are you suggesting a PAM rewrite in Guile?

Thanks,
Ludo’.

* [bug#63383] [PATCH 0/4] Various PAM improvements
From: Felix Lechner via Guix-patches via @ 2023-08-16 18:21 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 63383-done, Maxim Cournoyer

Hi Ludo'

On Tue, Aug 15, 2023 at 1:19 PM Ludovic Courtès <ludo@gnu.org> wrote:
>
> I’m dropping the patch that adds more absolute
> file names for all modules shipped with ‘linux-pam’ but keeping the rest.

Thanks for doing that. It was the right thing to do.

> Hmm are you suggesting a PAM rewrite in Guile?

Thanks for asking! I rewrote PAM in Guile some time ago [1] but it
still uses a shared library to start Guile via the good old "tortoise"
interface. [2] Upon reflection, I am not sure it would shelter us from
all potential compatibility issues on upgrades, including upgrades of
Guile.

Perhaps it would be best for Guix to adopt a fully script-driven
approach similar to OpenBSD. [3] Maxim may have alluded to it in a
correspondence on this topic elsewhere.

Kind regards
Felix

[1] https://codeberg.org/lechner/guile-pam
[2] https://www.gnu.org/software/guile/docs/guile-tut/tutorial.html#Tortoise
[3] https://blog.lambda.cx/posts/how-bsd-authentication-works/