all messages for Guix-related lists mirrored at yhetil.org
From: Maya via Guix-patches via <guix-patches@gnu.org>
To: Maxime Devos <maximedevos@telenet.be>
Cc: "56797@debbugs.gnu.org" <56797@debbugs.gnu.org>
Subject: [bug#56797] [PATCH] gnu: services: fprintd: Add PAM configuration.
Date: Wed, 27 Jul 2022 20:26:32 +0000
Message-ID: <LcTuwD5B16pAYt1fDmGz1h8p7LuuJXmaMo9xaUF24goWjOD_OG4KHOhDM59KlDwoDRXpCnsHaUW8j49fWudFgjA7_XN-Dm1w2OO5gsblHN0=@protonmail.com>
In-Reply-To: <067bff4c-3ada-0597-2632-9482066df2f2@telenet.be>

>This can be simplified to
>
>    (let ((fprintd-module (file-append (fprintd-configuration-fprintd config)
>                                       "/lib/security/pam_fprintd.so")))

Yes, thank you, I am not yet that great with my guix-fu.

> > +                               #:login-uid? #t))

> What's this line for?  I'm not finding 'login-uid?' anywhere in the
> manual, a comment would be in order.

I've got this from the unix-pam-service and from gdm-service-type. The code this refers to is in gnu/system/pam.scm:

    ,@(if login-uid?
          (list (pam-entry       ;to fill in /proc/self/loginuid
                 (control "required")
                 (module "pam_loginuid.so")))
          '())

gdm-service-type uses it in all 3 of its pam modules. So I figured it ought to be there. I can investigate further, but it seems like I should not touch it.

> Documentation is missing (in the manual), so as-is, this new feature is
> hard to find.

Oh? I didn't know that. Doesn't define-configuration generate documentation automatically? If it does not, I will happily add it, but I have never written any, so it will be a learning process.

> Also, the manual required giving every top-level procedure a docstring
> IIRC,

There is that requirement, yes. But there weren't any around this method so I thought the configuration sufficed, but if it is a requirement, I will do that.

> >   gnu/services/authentication.scm | 49 +++++++++++++++++++++++++++++++--
> >   1 file changed, 46 insertions(+), 3 deletions(-)
> >
> > diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm
> > index f7becdfafb..5737c15f4c 100644
> > --- a/gnu/services/authentication.scm
> > +++ b/gnu/services/authentication.scm
> > @@ -44,9 +44,50 @@ (define-module (gnu services authentication)
> >               nslcd-configuration?
> >               nslcd-service-type))
> >
> > -(define-configuration fprintd-configuration
> > +(define-configuration/no-serialization fprintd-configuration
> >     (fprintd      (file-like fprintd)
> > -                "The fprintd package"))
> > +                "The fprintd package")
> > +  (unlock-gdm?
> > +   (boolean #t)
> > +   "Generate PAM configuration that unlocks gdm with fprintd.")
> > +  (unlock-other
> > +   (list '("polkit-1" "sddm")) ;; polkit-1 is the name of a PAM module for GNOME polkit
> > +   "List of other PAM modules that can be unlocked with fprintd.
> > +
> > +This depends on your desktop configuration. If you for example want GNOME prompts to be unlocked by fingerprint, you add @code{polkit-1} to this list. (This is enabled by default.)
> +"))
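
Review bot: the defaults on unlock-gdm? and unlock-other, (boolean #t) and (list '("polkit-1" "sddm")), turn fingerprint authentication on for gdm, polkit-1 and sddm with no opt-in from the system configuration. Consider defaulting to #f and '() so that each service is named explicitly by whoever enables it, and keep the "enabled by default" sentence in the docstring in step with whatever default is chosen. The docstring and the inline comment also call the entries "PAM modules" while the values are bare names such as "polkit-1"; state what kind of name is expected and narrow the list type check to strings.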

> This documentation is unclear -- does this field need to be set to the
> _name_ of the module, or to the _file name_ of the _shared library_ (as
> a file-like, not a direct file name, because of staging), or ...?  Also,
> the 'list' check can be more precise, IIRC there was some method for not
> just using list? but doing things like list-of-strings?.

The name of the pam module, not a shared library. So the file in /etc/pam.d. It is a direct name, since it is not inside the store, pam modules have a static path.

As for the configuration options, it's my first time using them and I didn't really understand the define-syntax definition, so I really just skimmed through the guix repository for some uses.

> Anyway, I don't really know PAM, but I've written some comments on the
> patch, hopefully they are useful.

They are a lot! Thank you very much. I hope those comments will be less needed in the future, as I become better as a contributor.

With all the best for tomorrow and all the days to come,
Maya.
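
An audit of what such a configuration produces, as an added example that is not part of the original message or of Guix: it parses PAM service files (the /etc/pam.d names discussed above) and reports which services accept pam_fprintd.so for auth and which carry pam_loginuid.so. The file contents, the sshd service and the store path below are constructed placeholders.

```python
import re

# Constructed sample /etc/pam.d contents (service name -> file text); not from the patch.
SAMPLE_PAM_D = {
    "polkit-1": (
        "# constructed example\n"
        "auth     sufficient  /gnu/store/PLACEHOLDER-fprintd/lib/security/pam_fprintd.so\n"
        "auth     required    pam_unix.so\n"
        "session  required    pam_loginuid.so\n"
    ),
    "sddm": (
        "auth  [success=1 default=ignore]  pam_fprintd.so\n"
        "auth  required  pam_unix.so\n"
    ),
    "sshd": (
        "auth     required    pam_unix.so\n"
        "account  required    pam_unix.so\n"
    ),
}

# type, control (plain word or [value=action ...] list), module path, arguments
ENTRY = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_service(text):
    """Return (type, control, module basename, args) for each PAM entry."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("@include"):
            continue
        m = ENTRY.match(line)
        if m:
            kind, control, module, args = m.groups()
            entries.append((kind.lstrip("-"), control,
                            module.rsplit("/", 1)[-1], args))
    return entries

def audit(pam_d):
    """Map each service to its fingerprint auth controls and loginuid presence."""
    report = {}
    for service, text in sorted(pam_d.items()):
        entries = parse_service(text)
        fprint = [c for k, c, mod, _ in entries
                  if k == "auth" and mod == "pam_fprintd.so"]
        loginuid = any(mod == "pam_loginuid.so" for _, _, mod, _ in entries)
        report[service] = {"fprintd_auth": fprint, "loginuid": loginuid}
    return report

if __name__ == "__main__":
    for service, result in audit(SAMPLE_PAM_D).items():
        print(service, result)
```

On a real system, build the dictionary from the files under /etc/pam.d and compare the services that report a non-empty fprintd_auth list against the ones that were meant to accept a fingerprint.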



