(address . guix-patches@gnu.org)
87tudu38yz.fsf@trop.in
* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
binaries.
---
The quote from unix_chkpwd.c:
Toggle quote (5 lines)
> * This program is designed to run setuid(root) or with sufficient
> * privilege to read all of the unix password databases. It is designed
> * to provide a mechanism for the current user (defined by this
> * process's uid) to verify their own password.
Without suid bit it will fail in various use cases: for example utilities like
xlock or swaylock compiled with pam support won't be able to unlock the
screen. To fix it I added unix_chkpwd binary to list of Guix System's setuid
programs and added a patch, which hardcodes /run/setuid-programs/unix_chkpwd
path in pam_unix module source code of linux-pam package. However, I'm not
sure if it's a proper solution, please share your thoughts and conserns.
gnu/packages/linux.scm | 3 +-
.../patches/change-path-to-unix_chkpwd.patch | 54 +++++++++++++++++++
gnu/system/pam.scm | 8 ++-
3 files changed, 62 insertions(+), 3 deletions(-)
create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch
Toggle diff (95 lines)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 7b12cb8ec1..ee0df3c625 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1590,7 +1590,8 @@ (define-public linux-pam
(sha256
(base32
"1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
- (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+ (patches (search-patches "change-path-to-unix_chkpwd.patch"
+ "linux-pam-no-setfsuid.patch"))))
(build-system gnu-build-system)
(native-inputs
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..90a8b639f6
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
@@ -0,0 +1,54 @@
+From f314ab148b488e23a2e48e7222964e46d0d03447 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin <andrew@trop.in>
+Date: Wed, 12 Jan 2022 17:17:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+---
+ modules/pam_unix/pam_unix_acct.c | 4 ++--
+ modules/pam_unix/support.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0..2fdec6c7 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -122,12 +122,12 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+ }
+
+ /* exec binary helper */
+- args[0] = CHKPWD_HELPER;
++ args[0] = "/run/setuid-programs/unix_chkpwd";
+ args[1] = user;
+ args[2] = "chkexpiry";
+
+ DIAG_PUSH_IGNORE_CAST_QUAL;
+- execve(CHKPWD_HELPER, (char *const *) args, envp);
++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ DIAG_POP_IGNORE_CAST_QUAL;
+
+ pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 27ca7127..d02f394e 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -523,7 +523,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ }
+
+ /* exec binary helper */
+- args[0] = CHKPWD_HELPER;
++ args[0] = "/run/setuid-programs/unix_chkpwd";
+ args[1] = user;
+ if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
+ args[2]="nullok";
+@@ -532,7 +532,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ }
+
+ DIAG_PUSH_IGNORE_CAST_QUAL;
+- execve(CHKPWD_HELPER, (char *const *) args, envp);
++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ DIAG_POP_IGNORE_CAST_QUAL;
+
+ /* should not get here: exit with error */
+--
+2.34.0
+
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..48cd2ebf2c 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -375,8 +375,12 @@ (define (extend-configuration initial extensions)
(define pam-root-service-type
(service-type (name 'pam)
- (extensions (list (service-extension etc-service-type
- /etc-entry)))
+ (extensions
+ (list (service-extension etc-service-type /etc-entry)
+ (service-extension
+ setuid-program-service-type
+ (list (file-like->setuid-program
+ (file-append linux-pam "/sbin/unix_chkpwd"))))))
;; Arguments include <pam-service> as well as procedures.
(compose concatenate)
--
2.34.0
-----BEGIN PGP SIGNATURE-----
iQJDBAEBCgAtFiEEKEGaxlA4dEDH6S/6IgjSCVjB3rAFAmHtUNQPHGFuZHJld0B0
cm9wLmluAAoJECII0glYwd6w44gP/Rsgp6txUKnq2IE4hGGjXSYKf0aS8yPr5013
2AT5SSw3cjqadR4Df0+YyNuRr0EPATrqmcYKU6xyggoiRDMR0Ydw21euEmgloziQ
NFB5gdiOFqCYexW2TuFFKCAWnAy3FDbhjrTl5ziU2BeNRoK1rNj+ZbQG8uek+g3g
upXm1++feBAiE/kFFWE4EFaju4HWU7u0nrYtyotqsK/+TYmY5dJIphOUMUlyqHbQ
N2zW/+Utj7tCKtmkStHz2xYF0PrXicp2femV099ViKUV1/3Kjbeo0ejT7701xlZV
EwuLAGrmtLCtZjfy0OZRzqvR15NUl1DwP+Cj12CEWB1IO7KXWLlOKfz313MH53aY
TMil58GupD8t58zCq3o+e48//felGv2NwAgP5NZAToGg4Ww8YbHoSY8Ly1QCfAZ7
qc1iRi+cKtVrXfdDS2hgxAmK0Nd+tnjqoUp1v6pvcwygba9eO2/NLBDriYwoCpwZ
AnauiBOqvUzarOB/lNEVseW9RDbEUuem2sgk+IhdCH7gbndlgJtDBOQnks0+gJqJ
DmQT1Ky/+3+WeEVIr/n8CUJ50HEafQ9sgMmKj73kmMjq6PXnlpd1NJZ1HlFZU7DJ
xuAGu2+SmOqUtcprqFIzKUsd7OMC7jU3OYt6zfys74LOoNmI/xD5QezjGH15jcnO
SyqxgLVA
=SQKf
-----END PGP SIGNATURE-----