From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: [bug#63383] [PATCH v2 3/4] Refer to the built-in Linux-PAM modules by their absolute paths.
From: Felix Lechner via Guix-patches
To: 63383@debbugs.gnu.org
Cc: Felix Lechner
Date: Fri, 12 May 2023 11:52:49 -0700
X-Mailer: git-send-email 2.40.1
In-Reply-To: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com>
References: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com>
In the complex world that is Guix, this commit allows the processing of PAM stacks by means other than the official libpam.so.

An assumption was voiced that absolute paths here might be unfavorable for upgrades [1], but the author of this commit is not sure about that.

[1] https://issues.guix.gnu.org/61744#6

This commit was tested and is already being deployed in production.

* gnu/services/base.scm
* gnu/services/lightdm.scm
* gnu/services/sddm.scm
* gnu/services/xorg.scm
* gnu/system/pam.scm: Refer to the built-in PAM modules, which are shipped with Linux-PAM, by their absolute paths in the store.
---
 gnu/services/base.scm    |  6 ++--
 gnu/services/lightdm.scm | 60 +++++++++++++++++++++++++++++-----------
 gnu/services/sddm.scm    | 33 +++++++++++-----------
 gnu/services/xorg.scm    |  5 ++--
 gnu/system/pam.scm       | 20 +++++++-------
 5 files changed, 77 insertions(+), 47 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 4bef781977..5d0542b39d 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -58,8 +58,8 @@ (define-module (gnu services base) #:use-module (gnu packages admin) #:use-module ((gnu packages linux) #:select (alsa-utils btrfs-progs crda eudev - e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools - util-linux xfsprogs)) + e2fsprogs f2fs-tools fuse gpm kbd linux-pam lvm2 + rng-tools util-linux xfsprogs)) #:use-module (gnu packages bash) #:use-module ((gnu packages base) #:select (coreutils glibc glibc-utf8-locales tar 
@@ -1609,7 +1609,7 @@ (define pam-limits-service-type (lambda (pam) (let ((pam-limits (pam-entry (control "required") - (module "pam_limits.so") + (module (file-append linux-pam "/lib/security/pam_limits.so")) (arguments (list #~(string-append "conf=" #$limits-file)))))) (if (member (pam-service-name pam) diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm index b966f402d6..9927e8769b 100644 --- a/gnu/services/lightdm.scm +++ b/gnu/services/lightdm.scm @@ -24,6 +24,7 @@ (define-module (gnu services lightdm) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnome) + #:use-module (gnu packages linux) #:use-module (gnu packages vnc) #:use-module (gnu packages xorg) #:use-module (gnu services configuration) 
@@ -546,34 +547,61 @@ (define (lightdm-greeter-pam-service) (name "lightdm-greeter") (auth (list ;; Load environment from /etc/environment and ~/.pam_environment. - (pam-entry (control "required") (module "pam_env.so")) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_env.so"))) ;; Always let the greeter start without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; No action required for account management - (account (list (pam-entry (control "required") (module "pam_permit.so")))) + (account (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (lightdm-autologin-pam-service) "Return a PAM service for @command{lightdm-autologin}}." (pam-service (name "lightdm-autologin") - (auth - (list - ;; Block login if user is globally disabled. - (pam-entry (control "required") (module "pam_nologin.so")) - (pam-entry (control "required") (module "pam_succeed_if.so") - (arguments (list "uid >= 1000"))) - ;; Allow access without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (auth (list + ;; Block login if user is globally disabled. 
+ (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) + (arguments (list "uid >= 1000"))) + ;; Allow access without authentication. + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; Stop autologin if account requires action. - (account (list (pam-entry (control "required") (module "pam_unix.so")))) + (account (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (lightdm-pam-services config) (list (lightdm-pam-service config) diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm index c9a7ba96f4..9cd4d23bdb 100644 --- a/gnu/services/sddm.scm +++ b/gnu/services/sddm.scm @@ -23,6 +23,7 @@ (define-module (gnu services sddm) #:use-module (gnu packages admin) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) + #:use-module (gnu packages linux) #:use-module (gnu packages xorg) #:use-module (gnu services) #:use-module (gnu services shepherd) 
@@ -185,32 +186,32 @@ (define (sddm-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) (pam-entry (control "required") - (module "pam_env.so")) + (module (file-append linux-pam "/lib/security/pam_env.so"))) (pam-entry (control "required") - (module "pam_succeed_if.so") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) "quiet"))) ;; should be factored out into system-auth (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (account (list ;; should be factored out into system-account (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (password (list ;; should be factored out into system-password (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) (arguments (list "sha512" "shadow" "try_first_pass"))))) (session (list @@ -218,7 +219,7 @@ (module "pam_unix.so") ;; should be factored out into system-session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (sddm-greeter-pam-service) "Return a PAM service for @command{sddm-greeter}." 
@@ -229,29 +230,29 @@ (define (sddm-greeter-pam-service) ;; Load environment from /etc/environment and ~/.pam_environment (pam-entry (control "required") - (module "pam_env.so")) + (module (file-append linux-pam "/lib/security/pam_env.so"))) ;; Always let the greeter start without authentication (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (account (list ;; No action required for account management (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (password (list ;; Can't change password (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (session (list ;; Setup session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (sddm-autologin-pam-service config) "Return a PAM service for @command{sddm-autologin}" @@ -261,16 +262,16 @@ (define (sddm-autologin-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) (pam-entry (control "required") - (module "pam_succeed_if.so") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) "quiet"))) (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (account (list (pam-entry @@ -280,7 +281,7 @@ (module "sddm")))) (list (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (session (list (pam-entry diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 8b6080fd26..97fbde3511 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm 
@@ -50,6 +50,7 @@ (define-module (gnu services xorg) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnustep) #:use-module (gnu packages gnome) + #:use-module (gnu packages linux) #:use-module (gnu packages admin) #:use-module (gnu packages bash) #:use-module (gnu system shadow) @@ -1101,12 +1102,12 @@ (module (file-append (gdm-configuration-gdm config) "/lib/security/pam_gdm.so"))) (pam-entry (control "sufficient") - (module "pam_permit.so"))))) + (module (file-append linux-pam "/lib/security/pam_permit.so")))))) (pam-service (inherit (unix-pam-service "gdm-launch-environment")) (auth (list (pam-entry (control "required") - (module "pam_permit.so"))))) + (module (file-append linux-pam "/lib/security/pam_permit.so")))))) (unix-pam-service "gdm-password" #:login-uid? #t #:allow-empty-passwords? diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index adc40c975f..e3711e2b1e 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -202,7 +202,7 @@ (define %pam-other-services ;; .) (let ((deny (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (pam-service (name "other") (account (list deny)) @@ -213,10 +213,10 @@ (module "pam_deny.so")))) (define unix-pam-service (let ((unix (pam-entry (control "required") - (module "pam_unix.so"))) + (module (file-append linux-pam "/lib/security/pam_unix.so")))) (env (pam-entry ; to honor /etc/environment. (control "required") - (module "pam_env.so")))) + (module (file-append linux-pam "/lib/security/pam_env.so"))))) (lambda* (name #:key allow-empty-passwords? allow-root? motd login-uid? gnupg?) "Return a standard Unix-style PAM service for NAME. When 
@@ -234,12 +234,12 @@ (module "pam_env.so")))) (auth (append (if allow-root? (list (pam-entry (control "sufficient") - (module "pam_rootok.so"))) + (module (file-append linux-pam "/lib/security/pam_rootok.so")))) '()) (list (if allow-empty-passwords? (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) (arguments '("nullok"))) unix)) (if gnupg? @@ -249,20 +249,20 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) '()))) (password (list (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) ;; Store SHA-512 encrypted passwords in /etc/shadow. (arguments '("sha512" "shadow"))))) (session `(,@(if motd (list (pam-entry (control "optional") - (module "pam_motd.so") + (module (file-append linux-pam "/lib/security/pam_motd.so")) (arguments (list #~(string-append "motd=" #$motd))))) '()) ,@(if login-uid? (list (pam-entry ;to fill in /proc/self/loginuid (control "required") - (module "pam_loginuid.so"))) + (module (file-append linux-pam "/lib/security/pam_loginuid.so")))) '()) ,@(if gnupg? (list (pam-entry @@ -276,13 +276,13 @@ (define (rootok-pam-service command) authenticate to run COMMAND." (let ((unix (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (pam-service (name command) (account (list unix)) (auth (list (pam-entry (control "sufficient") - (module "pam_rootok.so")))) + (module (file-append linux-pam "/lib/security/pam_rootok.so"))))) (password (list unix)) (session (list unix))))) -- 2.40.1
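Review bot: The gnu/services/lightdm.scm hunk at @@ -546 repeats `(module (file-append linux-pam "/lib/security/pam_X.so"))` for every entry, and the same literal recurs through the sddm.scm, xorg.scm and pam.scm hunks; a small exported helper in gnu/system/pam.scm, e.g. `(define (linux-pam-module name) (file-append linux-pam "/lib/security/" name))`, would reduce each entry to `(module (linux-pam-module "pam_env.so"))` and give the module directory a single point of change, which also bears on the upgrade concern cited in the commit message. While `lightdm-autologin-pam-service` is being rewritten, the docstring in its context line, `@command{lightdm-autologin}}`, carries a stray closing brace that could be fixed in the same hunk.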
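Review bot: The gnu/system/pam.scm hunks starting at @@ -202 reference `linux-pam`, but unlike the lightdm.scm, sddm.scm and xorg.scm hunks (which each add `#:use-module (gnu packages linux)`) and the base.scm hunk (which extends its `#:select` list), no hunk adds that import to pam.scm; confirm the module is already imported there or by an earlier patch in this series, otherwise `linux-pam` is unbound and `%pam-other-services`, `unix-pam-service` and `rootok-pam-service` all fail to evaluate.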
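Review bot: In the @@ -213 hunk, `unix-pam-service` now pins `pam_unix.so` and `pam_env.so` to the output of the `linux-pam` package variable, while the libpam.so that loads them belongs to whichever Linux-PAM build each consumer (login, lightdm, sddm, gdm) was linked against; with bare module names the loading libpam resolves them from its own compiled-in module directory, so the two could not drift apart. Because these entries are `required`, a module that fails to load denies rather than grants, but the commit message should state how a version or graft mismatch between libpam and the pinned modules is ruled out, since that is the upgrade question [1] raises and the message currently leaves it open.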