Subject: [bug#72316] [PATCH 3/3] Add a guile-pam-module service.
From: Felix Lechner
Date: Fri, 26 Jul 2024 15:39:13 -0700
To: 72316@debbugs.gnu.org
Cc: Florian Pelz, Ludovic Courtès, Matthew Trzcinski, Maxim Cournoyer
Change-Id: I1da0fe25f542cf9d8c22d26a7434f952585119e6 --- doc/guix.texi | 89 ++++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/pam.scm | 105 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 195 insertions(+) create mode 100644 gnu/services/pam.scm diff --git a/doc/guix.texi b/doc/guix.texi index 41814042f5..a9bf00f0bb 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -403,6 +403,7 @@ Top * Telephony Services:: Telephony services. * File-Sharing Services:: File-sharing services. * Monitoring Services:: Monitoring services. +* Guile-PAM Services:: Guile-PAM services. * Kerberos Services:: Kerberos services. * LDAP Services:: LDAP services. * Web Services:: Web servers. @@ -18991,6 +18992,7 @@ Services * Telephony Services:: Telephony services. * File-Sharing Services:: File-sharing services. * Monitoring Services:: Monitoring services. +* Guile-PAM Services:: Guile-PAM services. * Kerberos Services:: Kerberos services. * LDAP Services:: LDAP services. * Web Services:: Web servers. 
@@ -30932,6 +30934,93 @@ Monitoring Services @end deftp +@c %end of fragment + +@node Guile-PAM Services +@subsection Guile-PAM Services +@cindex Guile-PAM + +The @code{(gnu services pam)} module provides services related to the +authentication mechanism @dfn{Guile-PAM}. + +Guile-PAM is a reimplementation in GNU Guile of the venerable Linux-PAM +authentication system. For details, please have a look at the Texinfo +manual in the @code{guile-pam} package. + +@defvar guile-pam-module-service-type +A service type for Guile-PAM modules. +@end defvar + +@noindent +Here is an example of its use: +@lisp +(define welcome-pamda-file + (scheme-file + "welcome-pamda-file" + #~(begin + (use-modules (ice-9 format)) + + (lambda (action handle flags options) + (case action + ;; authentication management + ((pam_sm_authenticate) + (format #t "In a working module, we would now identify you.~%")) + ((pam_sm_setcred) + (format #t "In a working module, we would now help you manage additional credentials.~%")) + ;; account management + ((pam_sm_acct_mgmt) + (format #t "In a working module, we would now confirm your access rights.~%")) + ;; password management + ((pam_sm_chauthtok) + (format #t "In a working module, we would now change your password.~%")) + ;; session management + ((pam_sm_open_session) + (format #t "In a working module, we would now open a session for you.~%")) + ((pam_sm_close_session) + (format #t "In a working module, we would now close your session.~%")) + (else + (format #t "In a working module, we would not know what to do about action '~s'.~%" + action))) + 'PAM_SUCCESS)))) + +(service guile-pam-module-service-type + (guile-pam-module-configuration + (rules "optional") + (module welcome-pamda-file) + (services '("login" + "greetd" + "su" + "slim" + "gdm-password" + "sddm")))) +@end lisp + +@c %start of fragment + +@deftp {Data Type} guile-pam-module-configuration +Available @code{guile-pam-module-configuration} fields are: + +@table @asis +@item @code{rules} 
(type: maybe-string) +Determines how the module's return value is evaluated. + +@item @code{module} (type: maybe-file-like) +A Guile-PAM pamda file or a classical PAM module. + +@item @code{services} (type: maybe-list-of-strings) +List of PAM service names for which to install the module. + +@item @code{guile-inputs} (type: maybe-list-of-packages) +Guile inputs available in the PAM module + +@item @code{foreign-library-path} (type: maybe-list-of-packages) +Search path for shared objects and libraries. + +@end table + +@end deftp + + @c %end of fragment @node Kerberos Services diff --git a/gnu/local.mk b/gnu/local.mk index fac7b5973b..30551971ac 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -733,6 +733,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/networking.scm \ %D%/services/nix.scm \ %D%/services/nfs.scm \ + %D%/services/pam.scm \ %D%/services/pam-mount.scm \ %D%/services/science.scm \ %D%/services/security.scm \ diff --git a/gnu/services/pam.scm b/gnu/services/pam.scm new file mode 100644 index 0000000000..a242067e38 --- /dev/null +++ b/gnu/services/pam.scm 
@@ -0,0 +1,105 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Felix Lechner +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services pam) + #:use-module (gnu packages guile) + #:use-module (gnu packages guile-xyz) + #:use-module (gnu packages linux) + #:use-module (gnu packages mes) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (gnu system pam) + #:use-module (guix gexp) + #:use-module (guix packages) + #:use-module (guix records) + #:use-module (guix utils) + #:use-module (srfi srfi-1) + #:export (guile-pam-module-configuration)) + +(define-maybe string) +(define-maybe list-of-strings) +(define-maybe file-like) + +(define-maybe string-or-file-like) +(define (string-or-file-like? val) + (or (string? val) (file-like? val))) + +(define-maybe list-of-packages) +(define (list-of-packages? val) + (and (list? val) (map package? 
val))) + +(define-configuration/no-serialization guile-pam-module-configuration + (rules + maybe-string + "Determines how the module's return value is evaluated.") + (module + maybe-file-like + "A Guile-PAM pamda file or a classical PAM module.") + (services + maybe-list-of-strings + "List of PAM service names for which to install the module.") + (guile-inputs + maybe-list-of-packages + "Guile inputs available in the PAM module") + (foreign-library-path + maybe-list-of-packages + "Search path for shared objects and libraries.") ) + +(define (guile-pam-module-service config) + "Return a list of for guile-pam-module for CONFIG." + (match-record + config (foreign-library-path + guile-inputs + module + rules + services) + (list + (pam-extension + (transformer + (lambda (pam) + (if (member (pam-service-name pam) services) + (let* ((new-entry + (pam-entry + (control rules) + (module module) + (guile-inputs (if (eq? %unset-value guile-inputs) + '() + guile-inputs)) + (foreign-library-path (if (eq? %unset-value foreign-library-path) + '() + foreign-library-path))))) + (pam-service + (inherit pam) + (auth (append (pam-service-auth pam) + (list new-entry))) + (account (append (pam-service-account pam) + (list new-entry))) + (session (append (pam-service-session pam) + (list new-entry))) + (password (append (pam-service-password pam) + (list new-entry))))) + pam))))))) + +(define-public guile-pam-module-service-type + (service-type + (name 'guile-pam-module) + (extensions (list (service-extension pam-root-service-type + guile-pam-module-service))) + (compose concatenate) + (default-value (guile-pam-module-configuration)) + (description "Load Guile code as part of Linux-PAM."))) -- 2.45.2
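Review bot: in the doc/guix.texi hunk for the new "Guile-PAM Services" node, the example module returns 'PAM_SUCCESS from every branch, including pam_sm_authenticate and pam_sm_acct_mgmt, while the `rules` field is a free-form string with no stated set of accepted values; the text should say plainly that the example is only safe with the "optional" control shown, because installing an always-succeeding module as "sufficient" or "required" in the auth stacks of "login", "su", "gdm-password" and the other listed services would make those stacks succeed without a real credential check. Suggest having the `rules` description ("Determines how the module's return value is evaluated.") name the PAM control keywords it expects, and adding the missing period to "Guile inputs available in the PAM module" (same wording is in the pam.scm docstring).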
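Review bot: in the gnu/services/pam.scm hunk, `match-record` is called as `(match-record config (foreign-library-path guile-inputs module rules services) ...)` with no record type; (guix records) expects `(match-record config <guile-pam-module-configuration> (field ...) body ...)`, so this will not expand. Two more problems in the same file: `list-of-packages?` is `(and (list? val) (map package? val))`, and `map` returns a list, which is always true in Scheme, so any list passes the check; use `(every package? val)` from the already-imported srfi-1. And `(default-value (guile-pam-module-configuration))` leaves `services`, `rules` and `module` unset, yet the transformer calls `(member (pam-service-name pam) services)` unconditionally, so the default value raises an error for every PAM service; either make those three fields required (no `maybe-`) or guard the transformer with `maybe-value-set?`. Smaller points: the docstring "Return a list of for guile-pam-module for CONFIG." is missing a word; `compose concatenate` without a matching `extend` has no effect; `define-maybe string-or-file-like` is defined but unused; and `(gnu packages guile)`, `(gnu packages guile-xyz)`, `(gnu packages linux)` and `(gnu packages mes)` are imported but not referenced.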