[RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.

Status: Done
Participants: Andrew Tropin, Leo Famulari, Ludovic Courtès, wolf
Owner: unassigned
Submitted by: Andrew Tropin
Severity: normal
Andrew Tropin wrote on 13 Jan 2022 19:41
(address . guix-patches@gnu.org)
87tudu38yz.fsf@trop.in
* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
binaries.
---
The quote from unix_chkpwd.c:
> * This program is designed to run setuid(root) or with sufficient
> * privilege to read all of the unix password databases. It is designed
> * to provide a mechanism for the current user (defined by this
> * process's uid) to verify their own password.

Without suid bit it will fail in various use cases: for example utilities like
xlock or swaylock compiled with pam support won't be able to unlock the
screen. To fix it I added unix_chkpwd binary to list of Guix System's setuid
programs and added a patch, which hardcodes /run/setuid-programs/unix_chkpwd
path in pam_unix module source code of linux-pam package. However, I'm not
sure if it's a proper solution, please share your thoughts and concerns.

gnu/packages/linux.scm | 3 +-
.../patches/change-path-to-unix_chkpwd.patch | 54 +++++++++++++++++++
gnu/system/pam.scm | 8 ++-
3 files changed, 62 insertions(+), 3 deletions(-)
create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 7b12cb8ec1..ee0df3c625 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1590,7 +1590,8 @@ (define-public linux-pam
(sha256
(base32
"1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
- (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+ (patches (search-patches "change-path-to-unix_chkpwd.patch"
+ "linux-pam-no-setfsuid.patch"))))
(build-system gnu-build-system)
(native-inputs
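
Review bot: The patch name added to search-patches here, "change-path-to-unix_chkpwd.patch", does not start with the package name the way the existing "linux-pam-no-setfsuid.patch" entry does; please rename it with a linux-pam- prefix so it sorts and greps with the package's other patches. The diffstat for this series also lists only three files, so the new patch file is not registered in gnu/local.mk; add it there in the same commit.
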
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..90a8b639f6
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
@@ -0,0 +1,54 @@
+From f314ab148b488e23a2e48e7222964e46d0d03447 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin <andrew@trop.in>
+Date: Wed, 12 Jan 2022 17:17:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+---
+ modules/pam_unix/pam_unix_acct.c | 4 ++--
+ modules/pam_unix/support.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0..2fdec6c7 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -122,12 +122,12 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+ }
+
+ /* exec binary helper */
+- args[0] = CHKPWD_HELPER;
++ args[0] = "/run/setuid-programs/unix_chkpwd";
+ args[1] = user;
+ args[2] = "chkexpiry";
+
+ DIAG_PUSH_IGNORE_CAST_QUAL;
+- execve(CHKPWD_HELPER, (char *const *) args, envp);
++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ DIAG_POP_IGNORE_CAST_QUAL;
+
+ pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 27ca7127..d02f394e 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -523,7 +523,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ }
+
+ /* exec binary helper */
+- args[0] = CHKPWD_HELPER;
++ args[0] = "/run/setuid-programs/unix_chkpwd";
+ args[1] = user;
+ if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
+ args[2]="nullok";
+@@ -532,7 +532,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ }
+
+ DIAG_PUSH_IGNORE_CAST_QUAL;
+- execve(CHKPWD_HELPER, (char *const *) args, envp);
++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ DIAG_POP_IGNORE_CAST_QUAL;
+
+ /* should not get here: exit with error */
+--
+2.34.0
+
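
Review bot: The embedded patch writes the literal "/run/setuid-programs/unix_chkpwd" at four places (args[0] and execve in both _unix_run_verify_binary and _unix_run_helper_binary) and leaves the CHKPWD_HELPER macro behind, unused at these call sites. Changing the value of CHKPWD_HELPER where it is defined would be a one-line change, would keep any other use of the macro in sync, and would be easier to carry across Linux-PAM updates. The patch header also has no description; a sentence on why the helper path is changed would help whoever updates the package later.
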
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..48cd2ebf2c 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -375,8 +375,12 @@ (define (extend-configuration initial extensions)
(define pam-root-service-type
(service-type (name 'pam)
- (extensions (list (service-extension etc-service-type
- /etc-entry)))
+ (extensions
+ (list (service-extension etc-service-type /etc-entry)
+ (service-extension
+ setuid-program-service-type
+ (list (file-like->setuid-program
+ (file-append linux-pam "/sbin/unix_chkpwd"))))))
;; Arguments include <pam-service> as well as procedures.
(compose concatenate)
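
Review bot: The second argument of the new service-extension for setuid-program-service-type is a list value, (list (file-like->setuid-program ...)), while the neighbouring extension passes a procedure (/etc-entry); service-extension expects a procedure that computes the extension from the service's value, so wrap it, for example (lambda (_) (list ...)). This diff also adds no #:use-module line to gnu/system/pam.scm, so check that file-like->setuid-program is in scope; it is exported by (gnu system setuid).
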
--
2.34.0

Andrew Tropin wrote on 23 Jan 2022 15:08
(address . 53468@debbugs.gnu.org)
87sftetuhg.fsf@trop.in
Attaching a second version of the patch, added missing import and
lambda.
From ad876e5b134072601fa97d82a39b320a269f34a5 Mon Sep 17 00:00:00 2001
From: Andrew Tropin <andrew@trop.in>
Date: Thu, 13 Jan 2022 21:41:58 +0300
Subject: [RFC PATCH v2] gnu: linux-pam: Change path to unix_chkpwd helper.

* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
binaries.
---
gnu/packages/linux.scm | 3 +-
.../patches/change-path-to-unix_chkpwd.patch | 54 +++++++++++++++++++
gnu/system/pam.scm | 10 +++-
3 files changed, 64 insertions(+), 3 deletions(-)
create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 7b12cb8ec1..ee0df3c625 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1590,7 +1590,8 @@ (define-public linux-pam
(sha256
(base32
"1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
- (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+ (patches (search-patches "change-path-to-unix_chkpwd.patch"
+ "linux-pam-no-setfsuid.patch"))))
(build-system gnu-build-system)
(native-inputs
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..90a8b639f6
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
@@ -0,0 +1,54 @@
+From f314ab148b488e23a2e48e7222964e46d0d03447 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin <andrew@trop.in>
+Date: Wed, 12 Jan 2022 17:17:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+---
+ modules/pam_unix/pam_unix_acct.c | 4 ++--
+ modules/pam_unix/support.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0..2fdec6c7 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -122,12 +122,12 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+ }
+
+ /* exec binary helper */
+- args[0] = CHKPWD_HELPER;
++ args[0] = "/run/setuid-programs/unix_chkpwd";
+ args[1] = user;
+ args[2] = "chkexpiry";
+
+ DIAG_PUSH_IGNORE_CAST_QUAL;
+- execve(CHKPWD_HELPER, (char *const *) args, envp);
++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ DIAG_POP_IGNORE_CAST_QUAL;
+
+ pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 27ca7127..d02f394e 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -523,7 +523,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ }
+
+ /* exec binary helper */
+- args[0] = CHKPWD_HELPER;
++ args[0] = "/run/setuid-programs/unix_chkpwd";
+ args[1] = user;
+ if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
+ args[2]="nullok";
+@@ -532,7 +532,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ }
+
+ DIAG_PUSH_IGNORE_CAST_QUAL;
+- execve(CHKPWD_HELPER, (char *const *) args, envp);
++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ DIAG_POP_IGNORE_CAST_QUAL;
+
+ /* should not get here: exit with error */
+--
+2.34.0
+
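
Review bot: With the helper path now a fixed location outside the package, pam_unix only works where something creates /run/setuid-programs/unix_chkpwd; the gnu/system/pam.scm part of this series does that for Guix System, but nothing in the embedded patch says so. When the file is absent the only trace is the "helper binary execve failed: %m" syslog line in _unix_run_verify_binary, and in _unix_run_helper_binary just the "should not get here: exit with error" path. Please state this dependency in the patch header so it is visible to anyone reading the patch file on its own.
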
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..b635681642 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -21,6 +21,7 @@ (define-module (gnu system pam)
#:use-module (guix derivations)
#:use-module (guix gexp)
#:use-module (gnu services)
+ #:use-module (gnu system setuid)
#:use-module (ice-9 match)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
@@ -375,8 +376,13 @@ (define (extend-configuration initial extensions)
(define pam-root-service-type
(service-type (name 'pam)
- (extensions (list (service-extension etc-service-type
- /etc-entry)))
+ (extensions
+ (list (service-extension
+ setuid-program-service-type
+ (lambda (_)
+ (list (file-like->setuid-program
+ (file-append linux-pam "/sbin/unix_chkpwd")))))
+ (service-extension etc-service-type /etc-entry)))
;; Arguments include <pam-service> as well as procedures.
(compose concatenate)
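
Review bot: Extending setuid-program-service-type from pam-root-service-type makes unix_chkpwd setuid on every system that instantiates the PAM root service, and the hunk carries no comment saying why. A short comment above the extension (the helper has to be setuid to read the password databases on behalf of the calling user, and the bit cannot be set on files in the store) would document why this binary belongs in the setuid set. The (lambda (_) ...) ignoring its argument is fine since the list is constant.
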
--
2.34.0
Reconfigured my system with the patch above.

I tested it with the swaylock built with pam support:

(define-public swaylock
(package
(name "swaylock")
(version "1.6")
(source
(origin
(method git-fetch)
(uri (git-reference
(url "https://github.com/swaywm/swaylock")
(commit "5150d3869cd801cb2badb3c645fa41c01bbfbbbf")))
(file-name (git-file-name name version))
(sha256
(base32 "16n389w5hx8f8dqnhzjgimxmaw648cnnmifazx6zwx2v5vhxa38r"))))
(build-system meson-build-system)
(inputs (list cairo gdk-pixbuf libxkbcommon
linux-pam
wayland))
(native-inputs (list pango pkg-config scdoc wayland-protocols))
(home-page "https://github.com/swaywm/sway")
(synopsis "Screen locking utility for Wayland compositors")
(description "Swaylock is a screen locking utility for Wayland compositors.")
(license license:expat)))

and following system service:
(simple-service
'sway-add-swaylock-pam
pam-root-service-type
(list
(unix-pam-service "swaylock")))

I'll make a patch for swaylock separately, when this ticket will be
resolved.

--
Best regards,
Andrew Tropin

Andrew Tropin wrote on 4 Feb 2022 12:07
(address . 53468@debbugs.gnu.org)
877daayjob.fsf@trop.in
Yesterday I also discovered this thread on NixOS bug tracker:

They apply the same technique and remove dirtier workaround they had

Also, they patch the makefile template instead of source code, which
may be a little cleaner solution than the one I proposed above.

--
Best regards,
Andrew Tropin

Ludovic Courtès wrote on 4 Feb 2022 23:10
Re: bug#53468: [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.
(name . Andrew Tropin)(address . andrew@trop.in)(address . 53468@debbugs.gnu.org)
877daamgf2.fsf_-_@gnu.org
Hi!

Andrew Tropin <andrew@trop.in> skribis:

> From ad876e5b134072601fa97d82a39b320a269f34a5 Mon Sep 17 00:00:00 2001
> From: Andrew Tropin <andrew@trop.in>
> Date: Thu, 13 Jan 2022 21:41:58 +0300
> Subject: [RFC PATCH v2] gnu: linux-pam: Change path to unix_chkpwd helper.
>
> * gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
> * gnu/packages/linux.scm (linux-pam): Add patch.
> * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
> binaries.

[...]

> + DIAG_PUSH_IGNORE_CAST_QUAL;
> +- execve(CHKPWD_HELPER, (char *const *) args, envp);
> ++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
> + DIAG_POP_IGNORE_CAST_QUAL;

Looks reasonable to me. However, could you change the CHKPWD_HELPER
macro definition in the Makefile template, as you suggested, instead of
patching the file?

Thanks!

Ludo’.
Andrew Tropin wrote on 6 Feb 2022 06:16
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 53468@debbugs.gnu.org)
878ruo60c9.fsf@trop.in
On 2022-02-04 23:10, Ludovic Courtès wrote:

> Hi!
>
> Andrew Tropin <andrew@trop.in> skribis:
>
>> From ad876e5b134072601fa97d82a39b320a269f34a5 Mon Sep 17 00:00:00 2001
>> From: Andrew Tropin <andrew@trop.in>
>> Date: Thu, 13 Jan 2022 21:41:58 +0300
>> Subject: [RFC PATCH v2] gnu: linux-pam: Change path to unix_chkpwd helper.
>>
>> * gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
>> * gnu/packages/linux.scm (linux-pam): Add patch.
>> * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
>> binaries.
>
> [...]
>
>> + DIAG_PUSH_IGNORE_CAST_QUAL;
>> +- execve(CHKPWD_HELPER, (char *const *) args, envp);
>> ++ execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
>> + DIAG_POP_IGNORE_CAST_QUAL;
>
> Looks reasonable to me. However, could you change the CHKPWD_HELPER
> macro definition in the Makefile template, as you suggested, instead of
> patching the file?

Sure, done in v3.
From e96d3f6d82b134829fcb31777e81928c73847dcc Mon Sep 17 00:00:00 2001
From: Andrew Tropin <andrew@trop.in>
Date: Sun, 6 Feb 2022 08:13:49 +0300
Subject: [PATCH v3] gnu: linux-pam: Change path to unix_chkpwd helper.

* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file.
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid.
---
gnu/packages/linux.scm | 3 ++-
.../patches/change-path-to-unix_chkpwd.patch | 13 +++++++++++++
gnu/system/pam.scm | 10 ++++++++--
3 files changed, 23 insertions(+), 3 deletions(-)
create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 2e2d01c656..bc2927d0b4 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1625,7 +1625,8 @@ (define-public linux-pam
(sha256
(base32
"1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
- (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+ (patches (search-patches "change-path-to-unix_chkpwd.patch"
+ "linux-pam-no-setfsuid.patch"))))
(build-system gnu-build-system)
(native-inputs
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..e5c6d2649c
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
@@ -0,0 +1,13 @@
+From: Andrew Tropin <andrew@trop.in>
+Date: Sat, 5 Feb 2022 21:06:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+unix_chkpwd is designed to have a suid bit, but it's not possible to set it
+for files in /gnu/store, and this patch tells unix_pam.so to lookup up for
+unix_chkpwd in directory generated by setuid-program system service.
+
+--- a/modules/pam_unix/Makefile.in
++++ b/modules/pam_unix/Makefile.in
+@@ -651,1 +651,1 @@
+- -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
++ -DCHKPWD_HELPER=\"/run/setuid-programs/unix_chkpwd\" \
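
Review bot: The embedded hunk header "@@ -651,1 +651,1 @@" pins the change to line 651 of modules/pam_unix/Makefile.in with no context lines, and Makefile.in is a file generated from Makefile.am, so this is likely to stop applying on the next Linux-PAM update; a hunk with the usual surrounding context, or a substitution done in a build phase, would be sturdier. In the patch description, "unix_pam.so" should read pam_unix.so (the module directory is modules/pam_unix) and "lookup up for" should be "look for".
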
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..b635681642 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -21,6 +21,7 @@ (define-module (gnu system pam)
#:use-module (guix derivations)
#:use-module (guix gexp)
#:use-module (gnu services)
+ #:use-module (gnu system setuid)
#:use-module (ice-9 match)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
@@ -375,8 +376,13 @@ (define (extend-configuration initial extensions)
(define pam-root-service-type
(service-type (name 'pam)
- (extensions (list (service-extension etc-service-type
- /etc-entry)))
+ (extensions
+ (list (service-extension
+ setuid-program-service-type
+ (lambda (_)
+ (list (file-like->setuid-program
+ (file-append linux-pam "/sbin/unix_chkpwd")))))
+ (service-extension etc-service-type /etc-entry)))
;; Arguments include <pam-service> as well as procedures.
(compose concatenate)
--
2.34.0
--
Best regards,
Andrew Tropin

Ludovic Courtès wrote on 10 Feb 2022 23:42
(name . Andrew Tropin)(address . andrew@trop.in)(address . 53468-done@debbugs.gnu.org)
8735kq2vje.fsf_-_@gnu.org
Hi,

Andrew Tropin <andrew@trop.in> skribis:

> From e96d3f6d82b134829fcb31777e81928c73847dcc Mon Sep 17 00:00:00 2001
> From: Andrew Tropin <andrew@trop.in>
> Date: Sun, 6 Feb 2022 08:13:49 +0300
> Subject: [PATCH v3] gnu: linux-pam: Change path to unix_chkpwd helper.
>
> * gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file.
> * gnu/packages/linux.scm (linux-pam): Add patch.
> * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid.

LGTM, minor the patch file name as reported by ‘guix lint’ and missing
‘gnu/local.mk’.

However, it looks like my brain wasn’t fully operational when I
previously replied, because:

$ guix refresh -l linux-pam
Building the following 2418 packages would ensure 6038 dependent
packages are rebuilt: […]

So I went ahead, fixed up the issues above, and pushed to
‘core-updates’.

Thanks!

Ludo’.
Closed
Andrew Tropin wrote on 26 Feb 2022 08:11
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 53468-done@debbugs.gnu.org)
87o82udruv.fsf@trop.in
On 2022-02-10 23:42, Ludovic Courtès wrote:

> Hi,
>
> Andrew Tropin <andrew@trop.in> skribis:
>
>> From e96d3f6d82b134829fcb31777e81928c73847dcc Mon Sep 17 00:00:00 2001
>> From: Andrew Tropin <andrew@trop.in>
>> Date: Sun, 6 Feb 2022 08:13:49 +0300
>> Subject: [PATCH v3] gnu: linux-pam: Change path to unix_chkpwd helper.
>>
>> * gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file.
>> * gnu/packages/linux.scm (linux-pam): Add patch.
>> * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid.
>
> LGTM, minor the patch file name as reported by ‘guix lint’ and missing
> ‘gnu/local.mk’.
>
> However, it looks like my brain wasn’t fully operational when I
> previously replied, because:
>
> --8<---------------cut here---------------start------------->8---
> $ guix refresh -l linux-pam
> Building the following 2418 packages would ensure 6038 dependent
> packages are rebuilt: […]
> --8<---------------cut here---------------end--------------->8---
>
> So I went ahead, fixed up the issues above, and pushed to
> ‘core-updates’.

Thank you very much!)

When is the next core-update to master merge scheduled?

--
Best regards,
Andrew Tropin

Ludovic Courtès wrote on 27 Feb 2022 23:03
(name . Andrew Tropin)(address . andrew@trop.in)(address . 53468-done@debbugs.gnu.org)
87bkyst1at.fsf@gnu.org
Hi,

Andrew Tropin <andrew@trop.in> skribis:

> When is the next core-update to master merge scheduled?

It’s not scheduled, but it’s likely several months from now… maybe less
if motivated people help drive the effort. :-)

Ludo’.
Unarchive
(address . control@debbugs.gnu.org)
ZAKG5Uc8MCprXC8H@ws
unarchive 53468

--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.


Re: [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.
(address . 53468@debbugs.gnu.org)
ZAKD5PIWBQ6TUpCD@ws
Hello,

I would like to ask when this could be available on master? It seems it was
added into core-updates more than a year ago. As far as I understand this is the
only blocker preventing me from using xscreensaver. Last update under the bug
is:

> It’s not scheduled, but it’s likely several months from now…

So I would like to ask if there is any update on this. No pressure, just asking.

Thanks and have a nice day,

W.

--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.


Leo Famulari wrote on 7 Mar 2023 18:57
Re: [bug#53468] [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.
(name . wolf)(address . wolf@wolfsden.cz)(address . 53468@debbugs.gnu.org)
ZAd7Cc3wk1GsI4Eq@jasmine.lan
On Sat, Mar 04, 2023 at 12:33:56AM +0100, wolf wrote:
> So I would like to ask if there is any update on this. No pressure, just asking.

The core-updates branch is now actively being prepared for the merge
into master. It's probably still at least one month away, if not several
months. Unfortunately we can't predict the timeframe.


This issue is archived.

To comment on this conversation send an email to 53468@debbugs.gnu.org
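
The thread settles on having pam_unix exec a fixed path, /run/setuid-programs/unix_chkpwd, which the system has to populate with a setuid copy of the helper. As an added example (not part of the thread, Guix or Linux-PAM), this Python audit checks that a helper at such a path is present, setuid, correctly owned and not replaceable through a writable parent directory; the function `audit_setuid_helper`, its `owner_uid` and `stop_at` parameters and the temporary directory tree in `demo` are assumptions made for the demonstration.

```python
import os
import stat
import tempfile

HELPER = "/run/setuid-programs/unix_chkpwd"  # path hard-coded by the v3 patch


def audit_setuid_helper(path=HELPER, owner_uid=0, stop_at="/"):
    """Return findings for a setuid helper; an empty list means it looks sane."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink sitting at the path
    except FileNotFoundError:
        return [f"{path}: missing, execve() of the helper will fail"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if not st.st_mode & stat.S_ISUID:
        findings.append(f"{path}: setuid bit not set")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others")
    # Whoever can write a parent directory can swap the helper, so walk upwards.
    directory = os.path.dirname(os.path.abspath(path))
    stop = os.path.abspath(stop_at)
    while True:
        ds = os.stat(directory)
        if ds.st_uid != owner_uid:
            findings.append(f"{directory}: owned by uid {ds.st_uid}")
        if ds.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{directory}: writable by group or others")
        parent = os.path.dirname(directory)
        if directory == stop or parent == directory:
            return findings
        directory = parent


def demo():
    """Audit constructed trees under a temp dir, owned by the current user."""
    me = os.getuid()  # stands in for root so the demo runs unprivileged
    base = tempfile.mkdtemp()
    helper_dir = os.path.join(base, "run", "setuid-programs")
    os.makedirs(helper_dir)
    for d in (os.path.join(base, "run"), helper_dir):
        os.chmod(d, 0o755)  # fixed modes, independent of the caller's umask
    helper = os.path.join(helper_dir, "unix_chkpwd")
    results = {"missing": audit_setuid_helper(helper, me, base)}
    with open(helper, "w") as f:
        f.write("#!/bin/sh\n")  # constructed placeholder, not the real helper
    os.chmod(helper, 0o755)
    results["no_setuid"] = audit_setuid_helper(helper, me, base)
    os.chmod(helper, 0o4755)
    results["good"] = audit_setuid_helper(helper, me, base)
    os.chmod(helper_dir, 0o777)
    results["writable_dir"] = audit_setuid_helper(helper, me, base)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

On a real system the function is called with its defaults, which check the hard-coded path against uid 0 all the way up to `/`.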