[RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.

DoneSubmitted by Andrew Tropin.
Details
2 participants
  • Andrew Tropin
  • Ludovic Courtès
Owner
unassigned
Severity
normal
A
A
Andrew Tropin wrote on 13 Jan 19:41 +0100
(address . guix-patches@gnu.org)
87tudu38yz.fsf@trop.in
* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
binaries.
---
The quote from unix_chkpwd.c:
Toggle quote (5 lines)
> * This program is designed to run setuid(root) or with sufficient
> * privilege to read all of the unix password databases. It is designed
> * to provide a mechanism for the current user (defined by this
> * process's uid) to verify their own password.

Without suid bit it will fail in various use cases: for example utilities like
xlock or swaylock compiled with pam support won't be able to unlock the
screen. To fix it I added unix_chkpwd binary to list of Guix System's setuid
programs and added a patch, which hardcodes /run/setuid-programs/unix_chkpwd
path in pam_unix module source code of linux-pam package. However, I'm not
sure if it's a proper solution, please share your thoughts and conserns.

gnu/packages/linux.scm | 3 +-
.../patches/change-path-to-unix_chkpwd.patch | 54 +++++++++++++++++++
gnu/system/pam.scm | 8 ++-
3 files changed, 62 insertions(+), 3 deletions(-)
create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch

Toggle diff (95 lines)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 7b12cb8ec1..ee0df3c625 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1590,7 +1590,8 @@ (define-public linux-pam
        (sha256
         (base32
          "1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
-       (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+       (patches (search-patches "change-path-to-unix_chkpwd.patch"
+                                "linux-pam-no-setfsuid.patch"))))
 
     (build-system gnu-build-system)
     (native-inputs
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..90a8b639f6
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
@@ -0,0 +1,54 @@
+From f314ab148b488e23a2e48e7222964e46d0d03447 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin <andrew@trop.in>
+Date: Wed, 12 Jan 2022 17:17:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+---
+ modules/pam_unix/pam_unix_acct.c | 4 ++--
+ modules/pam_unix/support.c       | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0..2fdec6c7 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -122,12 +122,12 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+     }
+ 
+     /* exec binary helper */
+-    args[0] = CHKPWD_HELPER;
++    args[0] = "/run/setuid-programs/unix_chkpwd";
+     args[1] = user;
+     args[2] = "chkexpiry";
+ 
+     DIAG_PUSH_IGNORE_CAST_QUAL;
+-    execve(CHKPWD_HELPER, (char *const *) args, envp);
++    execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+     DIAG_POP_IGNORE_CAST_QUAL;
+ 
+     pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 27ca7127..d02f394e 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -523,7 +523,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ 	}
+ 
+ 	/* exec binary helper */
+-	args[0] = CHKPWD_HELPER;
++	args[0] = "/run/setuid-programs/unix_chkpwd";
+ 	args[1] = user;
+ 	if (off(UNIX__NONULL, ctrl)) {	/* this means we've succeeded */
+ 	  args[2]="nullok";
+@@ -532,7 +532,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ 	}
+ 
+ 	DIAG_PUSH_IGNORE_CAST_QUAL;
+-	execve(CHKPWD_HELPER, (char *const *) args, envp);
++	execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ 	DIAG_POP_IGNORE_CAST_QUAL;
+ 
+ 	/* should not get here: exit with error */
+-- 
+2.34.0
+
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..48cd2ebf2c 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -375,8 +375,12 @@ (define (extend-configuration initial extensions)
 
 (define pam-root-service-type
   (service-type (name 'pam)
-                (extensions (list (service-extension etc-service-type
-                                                     /etc-entry)))
+                (extensions
+                 (list (service-extension etc-service-type /etc-entry)
+                       (service-extension
+                        setuid-program-service-type
+                        (list (file-like->setuid-program
+                               (file-append linux-pam "/sbin/unix_chkpwd"))))))
 
                 ;; Arguments include <pam-service> as well as procedures.
                 (compose concatenate)
-- 
2.34.0
-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEEKEGaxlA4dEDH6S/6IgjSCVjB3rAFAmHtUNQPHGFuZHJld0B0
cm9wLmluAAoJECII0glYwd6w44gP/Rsgp6txUKnq2IE4hGGjXSYKf0aS8yPr5013
2AT5SSw3cjqadR4Df0+YyNuRr0EPATrqmcYKU6xyggoiRDMR0Ydw21euEmgloziQ
NFB5gdiOFqCYexW2TuFFKCAWnAy3FDbhjrTl5ziU2BeNRoK1rNj+ZbQG8uek+g3g
upXm1++feBAiE/kFFWE4EFaju4HWU7u0nrYtyotqsK/+TYmY5dJIphOUMUlyqHbQ
N2zW/+Utj7tCKtmkStHz2xYF0PrXicp2femV099ViKUV1/3Kjbeo0ejT7701xlZV
EwuLAGrmtLCtZjfy0OZRzqvR15NUl1DwP+Cj12CEWB1IO7KXWLlOKfz313MH53aY
TMil58GupD8t58zCq3o+e48//felGv2NwAgP5NZAToGg4Ww8YbHoSY8Ly1QCfAZ7
qc1iRi+cKtVrXfdDS2hgxAmK0Nd+tnjqoUp1v6pvcwygba9eO2/NLBDriYwoCpwZ
AnauiBOqvUzarOB/lNEVseW9RDbEUuem2sgk+IhdCH7gbndlgJtDBOQnks0+gJqJ
DmQT1Ky/+3+WeEVIr/n8CUJ50HEafQ9sgMmKj73kmMjq6PXnlpd1NJZ1HlFZU7DJ
xuAGu2+SmOqUtcprqFIzKUsd7OMC7jU3OYt6zfys74LOoNmI/xD5QezjGH15jcnO
SyqxgLVA
=SQKf
-----END PGP SIGNATURE-----

A
A
Andrew Tropin wrote on 23 Jan 15:08 +0100
(address . 53468@debbugs.gnu.org)
87sftetuhg.fsf@trop.in
Attaching a second version of the patch, added missing import and
lambda.
From ad876e5b134072601fa97d82a39b320a269f34a5 Mon Sep 17 00:00:00 2001
From: Andrew Tropin <andrew@trop.in>
Date: Thu, 13 Jan 2022 21:41:58 +0300
Subject: [RFC PATCH v2] gnu: linux-pam: Change path to unix_chkpwd helper.

* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
binaries.
---
gnu/packages/linux.scm | 3 +-
.../patches/change-path-to-unix_chkpwd.patch | 54 +++++++++++++++++++
gnu/system/pam.scm | 10 +++-
3 files changed, 64 insertions(+), 3 deletions(-)
create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch

Toggle diff (104 lines)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 7b12cb8ec1..ee0df3c625 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1590,7 +1590,8 @@ (define-public linux-pam
        (sha256
         (base32
          "1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
-       (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+       (patches (search-patches "change-path-to-unix_chkpwd.patch"
+                                "linux-pam-no-setfsuid.patch"))))
 
     (build-system gnu-build-system)
     (native-inputs
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..90a8b639f6
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
@@ -0,0 +1,54 @@
+From f314ab148b488e23a2e48e7222964e46d0d03447 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin <andrew@trop.in>
+Date: Wed, 12 Jan 2022 17:17:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+---
+ modules/pam_unix/pam_unix_acct.c | 4 ++--
+ modules/pam_unix/support.c       | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0..2fdec6c7 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -122,12 +122,12 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+     }
+ 
+     /* exec binary helper */
+-    args[0] = CHKPWD_HELPER;
++    args[0] = "/run/setuid-programs/unix_chkpwd";
+     args[1] = user;
+     args[2] = "chkexpiry";
+ 
+     DIAG_PUSH_IGNORE_CAST_QUAL;
+-    execve(CHKPWD_HELPER, (char *const *) args, envp);
++    execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+     DIAG_POP_IGNORE_CAST_QUAL;
+ 
+     pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 27ca7127..d02f394e 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -523,7 +523,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ 	}
+ 
+ 	/* exec binary helper */
+-	args[0] = CHKPWD_HELPER;
++	args[0] = "/run/setuid-programs/unix_chkpwd";
+ 	args[1] = user;
+ 	if (off(UNIX__NONULL, ctrl)) {	/* this means we've succeeded */
+ 	  args[2]="nullok";
+@@ -532,7 +532,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ 	}
+ 
+ 	DIAG_PUSH_IGNORE_CAST_QUAL;
+-	execve(CHKPWD_HELPER, (char *const *) args, envp);
++	execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ 	DIAG_POP_IGNORE_CAST_QUAL;
+ 
+ 	/* should not get here: exit with error */
+-- 
+2.34.0
+
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..b635681642 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -21,6 +21,7 @@ (define-module (gnu system pam)
   #:use-module (guix derivations)
   #:use-module (guix gexp)
   #:use-module (gnu services)
+  #:use-module (gnu system setuid)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
@@ -375,8 +376,13 @@ (define (extend-configuration initial extensions)
 
 (define pam-root-service-type
   (service-type (name 'pam)
-                (extensions (list (service-extension etc-service-type
-                                                     /etc-entry)))
+                (extensions
+                 (list (service-extension
+                        setuid-program-service-type
+                        (lambda (_)
+                          (list (file-like->setuid-program
+                                 (file-append linux-pam "/sbin/unix_chkpwd")))))
+                       (service-extension etc-service-type /etc-entry)))
 
                 ;; Arguments include <pam-service> as well as procedures.
                 (compose concatenate)
-- 
2.34.0
Reconfigured my system with the patch above.

I tested it with the swaylock built with pam support:

Toggle snippet (24 lines)
(define-public swaylock
(package
(name "swaylock")
(version "1.6")
(source
(origin
(method git-fetch)
(uri (git-reference
(url "https://github.com/swaywm/swaylock")
(commit "5150d3869cd801cb2badb3c645fa41c01bbfbbbf")))
(file-name (git-file-name name version))
(sha256
(base32 "16n389w5hx8f8dqnhzjgimxmaw648cnnmifazx6zwx2v5vhxa38r"))))
(build-system meson-build-system)
(inputs (list cairo gdk-pixbuf libxkbcommon
linux-pam
wayland))
(native-inputs (list pango pkg-config scdoc wayland-protocols))
(home-page "https://github.com/swaywm/sway")
(synopsis "Screen locking utility for Wayland compositors")
(description "Swaylock is a screen locking utility for Wayland compositors.")
(license license:expat)))

and following system service:
Toggle snippet (7 lines)
(simple-service
'sway-add-swaylock-pam
pam-root-service-type
(list
(unix-pam-service "swaylock")))

I'll make a patch for swaylock separately, when this ticket will be
resolved.

--
Best regards,
Andrew Tropin
-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEEKEGaxlA4dEDH6S/6IgjSCVjB3rAFAmHtYWwPHGFuZHJld0B0
cm9wLmluAAoJECII0glYwd6wFuQP/iHU8//zTDyOGY9XOy6vMhsYfonZD3R4ZzIR
jSu2GM5LFlduzXMarNzMufYjyPyT8ht1xp4HVR6fX8QYtS4x9/I8nmqQjZhN1vFo
HTnyRRu8nDjRUKqjFIsJmT3VnMsck+zQLqCuk98yfMNFjAuYsVuuN9DKuD07TkQ4
W/9ynqb5FuErTaLtfWDWdIygnBcjUR61FpmqgsFKKlpxSwZlPP72fEBW7tGx3pWR
BmzMolDYTF4fCkforyMYtXSy2YS0INooW/4CJCGXCHi4CevRepz0pFmR+Ws1UBAS
+lagCjDynM367THQ6zmfoP5zWwBAe0RTtDiPE3AqwenFiL8FmEum2fnMb4JwGEHb
PsjzRqvtaBZuebAPcvdq1rjHH+Ergu+hVZ4WlwOScfLUwhx0wvdYI1g2VYd1R4XC
faq8oo8cRb0FRiKMNb7W56pyZcD1T0+VzAc6eEx7zF76aAQOH+aaf19B4phGTnGS
aBDaxMGP47BmNA96rGEFcgzN5QBmYTZQnwMF+jBWyeF15xQ23t57QDjD3e6jKGD/
xiP4HGY3dZJPLPuRe5PIKmF0gOv18jg62QqNkoFmW+u6BId/F4huEKC6KB0VO6BP
FWbImLJcUOGcJbMq1OLnOC4cepASVtxySNFYikXkpYZI4OXgecynuZ9nwFEBzYE5
XrNr+TzX
=A/5x
-----END PGP SIGNATURE-----

A
A
Andrew Tropin wrote on 4 Feb 12:07 +0100
(address . 53468@debbugs.gnu.org)
877daayjob.fsf@trop.in
Yesterday I also discovered this thread on NixOS bug tracker:

They apply the same technique and remove dirtier workaround they had

Also, they patch the makefile template instead of source code, which
maybe a little cleaner solution than the one I proposed above.

--
Best regards,
Andrew Tropin
-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEEKEGaxlA4dEDH6S/6IgjSCVjB3rAFAmH9COQPHGFuZHJld0B0
cm9wLmluAAoJECII0glYwd6wS1YP/3+g5N5uhzr5eKQ4c8Uc11vFYZJOZHvSxFKz
oAwoxwIqfHPYBfhr9Mi61hrhi5+gxDJzt9BBfxtGdVpfrOYREWwD3l/e7HrkdsMO
L1E+74EAkZ2lqae+tfrwh3+V0n4z58YR8Bk/efNgMe4ZH1NxcbWBUHVbnxNMfokC
Y0OgHpOH7bGvCJyNxF0vZSEbrox16HCQg8P53x9yHXZHTD2SaK2TgcvnVm3lnt6c
NtaGUEB3BsE0Njfiwwlzwg25uIu8bIBBWiNvb6Gjb4XmnodhXSd21/SJhmOSjOhb
QVh+RCbqmMHI7Jnj0DEToBBwqhLVle4uYwVZEeZaZ++6ufTO9odQIQRywgLmxCzD
iJ28QfOI09QP/6W8CS8rmWy3NJIAkYMHey+HkfKV+lQFzT1FOP8Mb8TTdYoMx/5F
nwWDp7EQ+uUQOqaxoadJcg9/4fXua7aVZLoX2WJlqt4AAyWdlZefswZp+h+SIMO4
IV+5q03Blfl6cc8y347BwKYDdOylemSl1T/yCAOBeQSL2ompP9yugnbsHoXIICdU
bwbvU1IoxfaCc+iQ5pZ0Z3zz6Jjbf9LlxUd50tZMdlpkbyGWrePHhVjI/8DIiAQo
/s736nSj3B7mCSGiHyTC4od61bRVsd2TE9A4oqdtPb2x8RXmq2pOabYT1ArVdxTy
uRAf31p0
=QXVK
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 4 Feb 23:10 +0100
Re: bug#53468: [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.
(name . Andrew Tropin)(address . andrew@trop.in)(address . 53468@debbugs.gnu.org)
877daamgf2.fsf_-_@gnu.org
Hi!

Andrew Tropin <andrew@trop.in> skribis:

Toggle quote (10 lines)
> From ad876e5b134072601fa97d82a39b320a269f34a5 Mon Sep 17 00:00:00 2001
> From: Andrew Tropin <andrew@trop.in>
> Date: Thu, 13 Jan 2022 21:41:58 +0300
> Subject: [RFC PATCH v2] gnu: linux-pam: Change path to unix_chkpwd helper.
>
> * gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
> * gnu/packages/linux.scm (linux-pam): Add patch.
> * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
> binaries.

[...]

Toggle quote (5 lines)
> + DIAG_PUSH_IGNORE_CAST_QUAL;
> +- execve(CHKPWD_HELPER, (char *const *) args, envp);
> ++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
> + DIAG_POP_IGNORE_CAST_QUAL;

Looks reasonable to me. However, could you change the CHKPWD_HELPER
macro definition in the Makefile template, as you suggested, instead of
patching the file?

Thanks!

Ludo’.
A
A
Andrew Tropin wrote on 6 Feb 06:16 +0100
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 53468@debbugs.gnu.org)
878ruo60c9.fsf@trop.in
On 2022-02-04 23:10, Ludovic Courtès wrote:

Toggle quote (25 lines)
> Hi!
>
> Andrew Tropin <andrew@trop.in> skribis:
>
>> From ad876e5b134072601fa97d82a39b320a269f34a5 Mon Sep 17 00:00:00 2001
>> From: Andrew Tropin <andrew@trop.in>
>> Date: Thu, 13 Jan 2022 21:41:58 +0300
>> Subject: [RFC PATCH v2] gnu: linux-pam: Change path to unix_chkpwd helper.
>>
>> * gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
>> * gnu/packages/linux.scm (linux-pam): Add patch.
>> * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
>> binaries.
>
> [...]
>
>> + DIAG_PUSH_IGNORE_CAST_QUAL;
>> +- execve(CHKPWD_HELPER, (char *const *) args, envp);
>> ++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
>> + DIAG_POP_IGNORE_CAST_QUAL;
>
> Looks reasonable to me. However, could you change the CHKPWD_HELPER
> macro definition in the Makefile template, as you suggested, instead of
> patching the file?

Sure, done in v3.
From e96d3f6d82b134829fcb31777e81928c73847dcc Mon Sep 17 00:00:00 2001
From: Andrew Tropin <andrew@trop.in>
Date: Sun, 6 Feb 2022 08:13:49 +0300
Subject: [PATCH v3] gnu: linux-pam: Change path to unix_chkpwd helper.

* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file.
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid.
---
gnu/packages/linux.scm | 3 ++-
.../patches/change-path-to-unix_chkpwd.patch | 13 +++++++++++++
gnu/system/pam.scm | 10 ++++++++--
3 files changed, 23 insertions(+), 3 deletions(-)
create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch

Toggle diff (63 lines)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 2e2d01c656..bc2927d0b4 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1625,7 +1625,8 @@ (define-public linux-pam
        (sha256
         (base32
          "1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
-       (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+       (patches (search-patches "change-path-to-unix_chkpwd.patch"
+                                "linux-pam-no-setfsuid.patch"))))
 
     (build-system gnu-build-system)
     (native-inputs
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..e5c6d2649c
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
@@ -0,0 +1,13 @@
+From: Andrew Tropin <andrew@trop.in>
+Date: Sat, 5 Feb 2022 21:06:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+unix_chkpwd is designed to have a suid bit, but it's not possible to set it
+for files in /gnu/store, and this patch tells unix_pam.so to lookup up for
+unix_chkpwd in directory generated by setuid-program system service.
+
+--- a/modules/pam_unix/Makefile.in
++++ b/modules/pam_unix/Makefile.in
+@@ -651,1 +651,1 @@
+-	-DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
++	-DCHKPWD_HELPER=\"/run/setuid-programs/unix_chkpwd\" \
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..b635681642 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -21,6 +21,7 @@ (define-module (gnu system pam)
   #:use-module (guix derivations)
   #:use-module (guix gexp)
   #:use-module (gnu services)
+  #:use-module (gnu system setuid)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
@@ -375,8 +376,13 @@ (define (extend-configuration initial extensions)
 
 (define pam-root-service-type
   (service-type (name 'pam)
-                (extensions (list (service-extension etc-service-type
-                                                     /etc-entry)))
+                (extensions
+                 (list (service-extension
+                        setuid-program-service-type
+                        (lambda (_)
+                          (list (file-like->setuid-program
+                                 (file-append linux-pam "/sbin/unix_chkpwd")))))
+                       (service-extension etc-service-type /etc-entry)))
 
                 ;; Arguments include <pam-service> as well as procedures.
                 (compose concatenate)
-- 
2.34.0
--
Best regards,
Andrew Tropin
-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEEKEGaxlA4dEDH6S/6IgjSCVjB3rAFAmH/WccPHGFuZHJld0B0
cm9wLmluAAoJECII0glYwd6wRmwQAIfjH18DlBQfHarDxPLXNBBAnRBB6D/HV2v0
0DZ7pZi6kI6EwHSCm3fIXooEzFdBVQWWw77nLu6VSgdY00lFYIr31xUtqX/vfI/b
YnpDPZ3MYBeW2Y1GOo0Zjqdco1J3u7oJdBlpt7U92Zh3KV6jBwQg7i5u8407PMYj
R810YoKU7mO8Cgf8oSSkK4JuN+3btyrXQ947cOSYPhY0gqAf9CPi3hKPTnjbUi83
tGH4UsI8E+bJpZUfhutbsK++faviByjFphz1XgHrzXttBmNp591LvUghVIIt5du4
tyVuWLRA99dQu+8PX1DJMGqFOG/fS2jJrpj5UiYKGNVleAnjV8K7DkjPadMxh4II
cHBDAaFnN7kR+SoJXct7c4wbScibzRqclTCuRe2EXMy3MNOxSSoXQHtnuhbyqUkf
spJSraVEdUF6VfxmeR9SeY4gJpKcd2WsJz3qe0NXE6lFmuZoxpzRLAhl2TcmVZaq
7/iCr+cMSc5Am7mgH6Q0q/PSEkvbfWuryKpCxH0+Tc/yJBibAuyhc/ClM6aWYVdJ
6DqNSMLKpywyeCAFF85DLkcdtEYhGjMXGt3J4yCmi0eDm4HdXj64/ZlTX7X8z5D0
a6wpc3JfT3bHJ81VbbuIEpekDUUZsaJIaLYvymZW+cLKeItGp+KLta29OovPoykI
ewmScXMb
=O9fk
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 10 Feb 23:42 +0100
(name . Andrew Tropin)(address . andrew@trop.in)(address . 53468-done@debbugs.gnu.org)
8735kq2vje.fsf_-_@gnu.org
Hi,

Andrew Tropin <andrew@trop.in> skribis:

Toggle quote (9 lines)
> From e96d3f6d82b134829fcb31777e81928c73847dcc Mon Sep 17 00:00:00 2001
> From: Andrew Tropin <andrew@trop.in>
> Date: Sun, 6 Feb 2022 08:13:49 +0300
> Subject: [PATCH v3] gnu: linux-pam: Change path to unix_chkpwd helper.
>
> * gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file.
> * gnu/packages/linux.scm (linux-pam): Add patch.
> * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid.

LGTM, minor the patch file name as reported by ‘guix lint’ and missing
‘gnu/local.mk’.

However, it looks like my brain wasn’t fully operational when I
previously replied, because:

Toggle snippet (5 lines)
$ guix refresh -l linux-pam
Building the following 2418 packages would ensure 6038 dependent
packages are rebuilt: […]

So I went ahead, fixed up the issues above, and pushed to
‘core-updates’.

Thanks!

Ludo’.
Closed
A
A
Andrew Tropin wrote on 26 Feb 08:11 +0100
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 53468-done@debbugs.gnu.org)
87o82udruv.fsf@trop.in
On 2022-02-10 23:42, Ludovic Courtès wrote:

Toggle quote (28 lines)
> Hi,
>
> Andrew Tropin <andrew@trop.in> skribis:
>
>> From e96d3f6d82b134829fcb31777e81928c73847dcc Mon Sep 17 00:00:00 2001
>> From: Andrew Tropin <andrew@trop.in>
>> Date: Sun, 6 Feb 2022 08:13:49 +0300
>> Subject: [PATCH v3] gnu: linux-pam: Change path to unix_chkpwd helper.
>>
>> * gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file.
>> * gnu/packages/linux.scm (linux-pam): Add patch.
>> * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid.
>
> LGTM, minor the patch file name as reported by ‘guix lint’ and missing
> ‘gnu/local.mk’.
>
> However, it looks like my brain wasn’t fully operational when I
> previously replied, because:
>
> --8<---------------cut here---------------start------------->8---
> $ guix refresh -l linux-pam
> Building the following 2418 packages would ensure 6038 dependent
> packages are rebuilt: […]
> --8<---------------cut here---------------end--------------->8---
>
> So I went ahead, fixed up the issues above, and pushed to
> ‘core-updates’.

Thank you very much!)

When is the next core-update to master merge scheduled?

--
Best regards,
Andrew Tropin
-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEEKEGaxlA4dEDH6S/6IgjSCVjB3rAFAmIZ0rgPHGFuZHJld0B0
cm9wLmluAAoJECII0glYwd6wg0MP/Rx+powCeCNaHQ0XnakliIkI9NHztDx8qC+N
eEoTO6uTfreZWs0EqKoTawGKAlNQk4GQUfO9MmoUFbzScT5t3bMYln7geYJbmD+k
bwkmxypvPb9pOLeLsbrJ7MROqljiSU4tldH9s9QuWk/BKNWJvdDpPwFz7aX5I+ec
iPxiUiHmz71cJCTrKJQNVuPgi+GS6qKIAkvJs1/M6Awk2nJzNMwJgTCP8GCsKvRr
kd6egCsHVhgfrqkcBqnKQofGJ3h+90ax34oPm/Imhg7hYkxznXivWZBQgIPzBcVd
ZkDNC0EGIneQGpJ25Qxhv9Olgb+NeMf2x+wheQJJ4aM1Vr5MJgxUgDycU9rJiUEa
nMC/fhN27BiqwsFJEZEXi4kicd0nvhJ6jMLYH8axuEzFUwLtistzccNNROlHI4zp
OyW/Byanyc8J6N9694tdbwVb3HWAUyLPPb59pwF7m9wVT+9f410ySBdOBrFzI8K/
YY22Rb3+G0kOOzYicqWHC9csLrAQ6no5srjxF04tfp/IgbrFBoASDgccRtHbxSn6
5q5EPUanLFg4+Yhp9oXBKTizuYgGO17db4oqFF0Szpkq+ySBe/UolbfsQ7oc3nm/
ANEhclKPWRi9RmGsYjasbSj/a/SDnqTE262JG3aZriNz+nGtcL4QRx/KQCHg2ZSe
dAZhzs/P
=Jx+Y
-----END PGP SIGNATURE-----

Closed
L
L
Ludovic Courtès wrote on 27 Feb 23:03 +0100
(name . Andrew Tropin)(address . andrew@trop.in)(address . 53468-done@debbugs.gnu.org)
87bkyst1at.fsf@gnu.org
Hi,

Andrew Tropin <andrew@trop.in> skribis:

Toggle quote (2 lines)
> When is the next core-update to master merge scheduled?

It’s not scheduled, but it’s likely several months from now… maybe less
if motivated people help drive the effort. :-)

Ludo’.
Closed
?
Your comment

This issue is archived.

To comment on this conversation send email to 53468@debbugs.gnu.org