[PATCH 0/4] Various PAM improvements

  • Done
Details
2 participants
  • Felix Lechner
  • Ludovic Courtès
Owner
unassigned
Submitted by
Felix Lechner
Severity
normal
Felix Lechner wrote on 9 May 2023 02:56
(address . guix-patches@gnu.org)(name . Felix Lechner)(address . felix.lechner@lease-up.com)
cover.1683593547.git.felix.lechner@lease-up.com
This commit series makes several improvements to the way Linux-PAM is used in
Guix. Most notably, it employs absolute paths into the store where
possible. The series also improves significantly on the system test for
pam_limits.

These commits have been tested and are already being deployed in production.

Additional details are in the commit messages.

Felix Lechner (4):
In PAM test, confirm ulimits actually imposed instead of comparing config files.
Drop limits.conf from /etc/security; use directly in pam-limits-service-type.
Refer to the built-in Linux-PAM modules by their absolute paths.
Use more file-append.

gnu/services/authentication.scm | 2 +-
gnu/services/base.scm | 65 +++++++++++++++---------------
gnu/services/kerberos.scm | 2 +-
gnu/services/lightdm.scm | 60 ++++++++++++++++++++--------
gnu/services/pam-mount.scm | 2 +-
gnu/services/sddm.scm | 33 ++++++++--------
gnu/services/xorg.scm | 5 ++-
gnu/system/pam.scm | 20 +++++-----
gnu/tests/pam.scm | 70 ++++++++++++++++++---------------
9 files changed, 146 insertions(+), 113 deletions(-)


base-commit: d1aba42ad4e1909faa21d484975c5954c778e002
--
2.39.2
Felix Lechner wrote on 9 May 2023 02:58
[PATCH 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files.
(address . 63383@debbugs.gnu.org)(name . Felix Lechner)(address . felix.lechner@lease-up.com)
7d190e341e90198108b783f2b2c1b0654c48b049.1683593547.git.felix.lechner@lease-up.com
This revised system test is superior to the one accepted when Bug#61744 was
closed because it confirms whether the configured limits are actually being
enforced upon login.

The previous test merely validated the serialization of one particular config
in the config file.

* gnu/tests/pam.scm (pam-limits-service): Revise test to confirm limits on
login.
---
gnu/tests/pam.scm | 70 +++++++++++++++++++++++++----------------------
1 file changed, 38 insertions(+), 32 deletions(-)

diff --git a/gnu/tests/pam.scm b/gnu/tests/pam.scm
index 1654396e42..fa480e69ff 100644
--- a/gnu/tests/pam.scm
+++ b/gnu/tests/pam.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2023 Bruno Victal <mirai@makinata.eu>
+;;; Copyright © 2023 Felix Lechner <felix.lechner@lease-up.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -25,8 +26,7 @@ (define-module (gnu tests pam)
#:use-module (gnu system vm)
#:use-module (guix gexp)
#:use-module (ice-9 format)
- #:export (%test-pam-limits
- %test-pam-limits-deprecated))
+ #:export (%test-pam-limits))
;;;
@@ -35,26 +35,29 @@ (define-module (gnu tests pam)
(define pam-limit-entries
(list
- (pam-limits-entry "@realtime" 'both 'rtprio 99)
- (pam-limits-entry "@realtime" 'both 'memlock 'unlimited)))
+ ;; make sure the limits apply to root (uid 0)
+ (pam-limits-entry ":0" 'both 'rtprio 99) ;default is 0
+ (pam-limits-entry ":0" 'both 'memlock 'unlimited))) ;default is 8192 kbytes
(define (run-test-pam-limits config)
"Run tests in a os with pam-limits-service-type configured."
(define os
(marionette-operating-system
(simple-operating-system
- (service pam-limits-service-type config))))
+ (service pam-limits-service-type config))
+ #:imported-modules '((gnu services herd))))
(define vm
(virtual-machine os))
- (define name (format #f "pam-limit-service~:[~;-deprecated~]"
- (file-like? config)))
+ (define name "pam-limits-service")
(define test
- (with-imported-modules '((gnu build marionette))
+ (with-imported-modules '((gnu build marionette)
+ (guix build syscalls))
#~(begin
(use-modules (gnu build marionette)
+ (guix build syscalls)
(srfi srfi-64))
(let ((marionette (make-marionette (list #$vm))))
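Review bot: the `(guix build syscalls)` module added to both `with-imported-modules` and `use-modules` is not referenced anywhere in the new test body, which only uses `marionette-eval`, `marionette-control`, `marionette-type`, `wait-for-file` and `string-tokenize`, so it can be dropped. The switch from `@realtime` to `:0` is right for the purpose, since the limits.conf `<min_uid>:<max_uid>` form with the minimum omitted matches that uid exactly, but the inline comment should say so; `:0` reads like a typo to anyone who has not memorised the limits.conf syntax.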
@@ -63,18 +66,32 @@ (define test
(test-begin #$name)
- (test-assert "/etc/security/limits.conf ready"
- (wait-for-file "/etc/security/limits.conf" marionette))
+ (test-equal "log in on tty1 and read limits"
+ '(("99") ;real-time priority
+ ("unlimited")) ;max locked memory
- (test-equal "/etc/security/limits.conf content matches"
- #$(string-join (map pam-limits-entry->string pam-limit-entries)
- "\n" 'suffix)
- (marionette-eval
- '(begin
- (use-modules (rnrs io ports))
- (call-with-input-file "/etc/security/limits.conf"
- get-string-all))
- marionette))
+ (begin
+ ;; Wait for tty1.
+ (marionette-eval '(begin
+ (use-modules (gnu services herd))
+ (start-service 'term-tty1))
+ marionette)
+
+ (marionette-control "sendkey ctrl-alt-f1" marionette)
+
+ ;; Now we can type.
+ (marionette-type "root\n" marionette)
+ (marionette-type "ulimit -r > real-time-priority\n" marionette)
+ (marionette-type "ulimit -l > max-locked-memory\n" marionette)
+
+ ;; Read the two files.
+ (marionette-eval '(use-modules (rnrs io ports)) marionette)
+ (let ((guest-file (lambda (file)
+ (string-tokenize
+ (wait-for-file file marionette
+ #:read 'get-string-all)))))
+ (list (guest-file "/root/real-time-priority")
+ (guest-file "/root/max-locked-memory")))))
(test-end)))))
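Review bot: the typed login sequence has no synchronisation point between `(start-service 'term-tty1)` returning and the first `marionette-type "root\n"`; the service being started does not mean agetty is showing its prompt yet, so on a slow builder the keystrokes can arrive before the prompt and the test then fails on the `wait-for-file` timeout rather than on the limits themselves. Waiting for the login prompt (for example with `wait-for-screen-text` from (gnu build marionette)) before typing would make the failure mode unambiguous. The sequence also relies on root having an empty password in the test OS, which deserves a comment next to the `marionette-type "root\n"` line.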
@@ -83,17 +100,6 @@ (define test
(define %test-pam-limits
(system-test
(name "pam-limits-service")
- (description "Test that pam-limits-service can serialize its config
-(as a list) to @file{limits.conf}.")
+ (description "Test that pam-limits-service actually sets the limits as
+configured.")
(value (run-test-pam-limits pam-limit-entries))))
-
-(define %test-pam-limits-deprecated
- (system-test
- (name "pam-limits-service-deprecated")
- (description "Test that pam-limits-service can serialize its config
-(as a file-like object) to @file{limits.conf}.")
- (value (run-test-pam-limits
- (plain-file "limits.conf"
- (string-join (map pam-limits-entry->string
- pam-limit-entries)
- "\n" 'suffix))))))
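Review bot: deleting `%test-pam-limits-deprecated` removes the only coverage of the file-like configuration path, while base.scm keeps accepting file-like values (with a deprecation warning). Either keep a minimal test that passes a `plain-file` through the same login check, or state in the commit message that the deprecated path is intentionally untested until it is removed.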
--
2.39.2
Felix Lechner wrote on 9 May 2023 02:58
[PATCH 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type.
(address . 63383@debbugs.gnu.org)(name . Felix Lechner)(address . felix.lechner@lease-up.com)
02c2307e7a2d256b6d2da12a8c3ac4a9bfa390b0.1683593547.git.felix.lechner@lease-up.com
This commit was tested and is already deployed in production.

* gnu/services/base.scm: Drop config file limits.conf from /etc; use absolute
path in store instead.
---
gnu/services/base.scm | 59 ++++++++++++++++++++-----------------------
1 file changed, 28 insertions(+), 31 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4adb551796..16dcc55483 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1608,36 +1608,34 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration)))
(define pam-limits-service-type
(let ((pam-extension
- (lambda (pam)
- (let ((pam-limits (pam-entry
- (control "required")
- (module "pam_limits.so")
- (arguments
- '("conf=/etc/security/limits.conf")))))
- (if (member (pam-service-name pam)
- '("login" "greetd" "su" "slim" "gdm-password" "sddm"
- "sudo" "sshd"))
- (pam-service
- (inherit pam)
- (session (cons pam-limits
- (pam-service-session pam))))
- pam))))
-
- ;; XXX: Using file-like objects is deprecated, use lists instead.
- ;; This is to be reduced into the list? case when the deprecated
- ;; code gets removed.
- ;; Create /etc/security containing the provided "limits.conf" file.
- (security-limits
+ (lambda (limits-file)
+ (lambda (pam)
+ (let ((pam-limits (pam-entry
+ (control "required")
+ (module "pam_limits.so")
+ (arguments
+ (list #~(string-append "conf=" #$limits-file))))))
+ (if (member (pam-service-name pam)
+ '("login" "greetd" "su" "slim" "gdm-password" "sddm"
+ "sudo" "sshd"))
+ (pam-service
+ (inherit pam)
+ (session (cons pam-limits
+ (pam-service-session pam))))
+ pam)))))
+ (make-limits-file
(match-lambda
+ ;; XXX: Using file-like objects is deprecated, use lists instead.
+ ;; This is to be reduced into the list? case when the deprecated
+ ;; code gets removed.
((? file-like? obj)
(warning (G_ "Using file-like value for \
'pam-limits-service-type' is deprecated~%"))
- `(("security/limits.conf" ,obj)))
+ obj)
((? list? lst)
- `(("security/limits.conf"
- ,(plain-file "limits.conf"
- (string-join (map pam-limits-entry->string lst)
- "\n" 'suffix)))))
+ (plain-file "limits.conf"
+ (string-join (map pam-limits-entry->string lst)
+ "\n" 'suffix)))
(_ (raise
(formatted-message
(G_ "invalid input for 'pam-limits-service-type'~%")))))))
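Review bot: this changes observable behaviour beyond the refactoring: `/etc/security/limits.conf` no longer exists and `pam_limits` reads a read-only store file, so local edits of that path are silently ignored and the limits can only change through reconfiguration. That is a welcome tamper-resistance property, but it should be spelled out in the commit message and in the manual, which the series diffstat shows is not touched. The XXX comment moved into `make-limits-file` still talks about reducing into the `list?` case; now that both branches return a file-like object, reword it to say the `file-like?` branch is the one to delete.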
@@ -1645,13 +1643,12 @@ (module "pam_limits.so")
(service-type
(name 'limits)
(extensions
- (list (service-extension etc-service-type security-limits)
- (service-extension pam-root-service-type
- (lambda _ (list pam-extension)))))
+ (list (service-extension pam-root-service-type
+ (lambda (config)
+ (list (pam-extension (make-limits-file config)))))))
(description
- "Install the specified resource usage limits by populating
-@file{/etc/security/limits.conf} and using the @code{pam_limits}
-authentication module.")
+ "Use the @code{pam_limits} authentication module to set the specified
+resource usage limits.")
(default-value '()))))
(define-deprecated (pam-limits-service #:optional (limits '()))
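Review bot: the new description says "the @code{pam_limits} authentication module", but the hunk above conses the entry onto the `session` stack, and pam_limits only implements the session management type; "session module" is accurate. Otherwise the extension change is sound: `make-limits-file` is applied to the service value at extension time, so the default `'()` yields an empty limits.conf rather than an error.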
--
2.39.2
Felix Lechner wrote on 9 May 2023 02:58
[PATCH 3/4] Refer to the built-in Linux-PAM modules by their absolute paths.
(address . 63383@debbugs.gnu.org)(name . Felix Lechner)(address . felix.lechner@lease-up.com)
1642be1ee49d66939d092d80289518ed6ed578e2.1683593547.git.felix.lechner@lease-up.com
In the complex world that is Guix, this commit allows the processing of PAM
stacks by means other than the official libpam.so.

An assumption was voiced that absolute paths here might be unfavorable for
upgrades [1] but the author of this commit is not sure about that.


This commit was tested and is already being deployed in production.

* gnu/services/base.scm
* gnu/services/lightdm.scm
* gnu/services/sddm.scm
* gnu/services/xorg.scm
* gnu/system/pam.scm: Refer to the built-in PAM modules, which are shipped
with Linux-PAM, by their absolute paths in the store.
---
gnu/services/base.scm | 6 ++--
gnu/services/lightdm.scm | 60 +++++++++++++++++++++++++++++-----------
gnu/services/sddm.scm | 33 +++++++++++-----------
gnu/services/xorg.scm | 5 ++--
gnu/system/pam.scm | 20 +++++++-------
5 files changed, 77 insertions(+), 47 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 16dcc55483..9f1671e142 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -58,8 +58,8 @@ (define-module (gnu services base)
#:use-module (gnu packages admin)
#:use-module ((gnu packages linux)
#:select (alsa-utils btrfs-progs crda eudev
- e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools
- util-linux xfsprogs))
+ e2fsprogs f2fs-tools fuse gpm kbd linux-pam lvm2
+ rng-tools util-linux xfsprogs))
#:use-module (gnu packages bash)
#:use-module ((gnu packages base)
#:select (coreutils glibc glibc-utf8-locales tar
@@ -1612,7 +1612,7 @@ (define pam-limits-service-type
(lambda (pam)
(let ((pam-limits (pam-entry
(control "required")
- (module "pam_limits.so")
+ (module (file-append linux-pam "/lib/security/pam_limits.so"))
(arguments
(list #~(string-append "conf=" #$limits-file))))))
(if (member (pam-service-name pam)
diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm
index 0b9094cda1..b820c7dcf3 100644
--- a/gnu/services/lightdm.scm
+++ b/gnu/services/lightdm.scm
@@ -24,6 +24,7 @@ (define-module (gnu services lightdm)
#:use-module (gnu packages display-managers)
#:use-module (gnu packages freedesktop)
#:use-module (gnu packages gnome)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages vnc)
#:use-module (gnu packages xorg)
#:use-module (gnu services configuration)
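Review bot: base.scm in this same patch pulls in `linux-pam` with `#:select`, whereas here (and in the sddm.scm and xorg.scm hunks) the whole `(gnu packages linux)` module is imported. Selecting just `linux-pam` keeps these display-manager modules from picking up hundreds of package bindings and avoids accidental shadowing; consider `#:use-module ((gnu packages linux) #:select (linux-pam))` in all three.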
@@ -546,34 +547,61 @@ (define (lightdm-greeter-pam-service)
(name "lightdm-greeter")
(auth (list
;; Load environment from /etc/environment and ~/.pam_environment.
- (pam-entry (control "required") (module "pam_env.so"))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
;; Always let the greeter start without authentication.
- (pam-entry (control "required") (module "pam_permit.so"))))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; No action required for account management
- (account (list (pam-entry (control "required") (module "pam_permit.so"))))
+ (account (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; Prohibit changing password.
- (password (list (pam-entry (control "required") (module "pam_deny.so"))))
+ (password (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
;; Setup session.
- (session (list (pam-entry (control "required") (module "pam_unix.so"))))))
+ (session (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (lightdm-autologin-pam-service)
"Return a PAM service for @command{lightdm-autologin}}."
(pam-service
(name "lightdm-autologin")
- (auth
- (list
- ;; Block login if user is globally disabled.
- (pam-entry (control "required") (module "pam_nologin.so"))
- (pam-entry (control "required") (module "pam_succeed_if.so")
- (arguments (list "uid >= 1000")))
- ;; Allow access without authentication.
- (pam-entry (control "required") (module "pam_permit.so"))))
+ (auth (list
+ ;; Block login if user is globally disabled.
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
+ (arguments (list "uid >= 1000")))
+ ;; Allow access without authentication.
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; Stop autologin if account requires action.
- (account (list (pam-entry (control "required") (module "pam_unix.so"))))
+ (account (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
;; Prohibit changing password.
- (password (list (pam-entry (control "required") (module "pam_deny.so"))))
+ (password (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
;; Setup session.
- (session (list (pam-entry (control "required") (module "pam_unix.so"))))))
+ (session (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (lightdm-pam-services config)
(list (lightdm-pam-service config)
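Review bot: most of this hunk is re-indentation of `pam-entry` forms onto multiple lines, which buries the one substantive change (the `file-append` module paths) and makes the diff hard to audit; splitting the reformat into its own commit would help, or keep the one-line form where it still fits. While touching `lightdm-autologin-pam-service`, the docstring's `@command{lightdm-autologin}}` has a stray closing brace that could be fixed in passing.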
diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm
index 9e02f1cc81..6138a31f0d 100644
--- a/gnu/services/sddm.scm
+++ b/gnu/services/sddm.scm
@@ -23,6 +23,7 @@ (define-module (gnu services sddm)
#:use-module (gnu packages admin)
#:use-module (gnu packages display-managers)
#:use-module (gnu packages freedesktop)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages xorg)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
@@ -185,32 +186,32 @@ (define (sddm-pam-service config)
(list
(pam-entry
(control "requisite")
- (module "pam_nologin.so"))
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
(pam-entry
(control "required")
- (module "pam_env.so"))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
(pam-entry
(control "required")
- (module "pam_succeed_if.so")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
(arguments (list (string-append "uid >= "
(number->string (sddm-configuration-minimum-uid config)))
"quiet")))
;; should be factored out into system-auth
(pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(account
(list
;; should be factored out into system-account
(pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(password
(list
;; should be factored out into system-password
(pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
(arguments (list "sha512" "shadow" "try_first_pass")))))
(session
(list
@@ -218,7 +219,7 @@ (module "pam_unix.so")
;; should be factored out into system-session
(pam-entry
(control "required")
- (module "pam_unix.so"))))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (sddm-greeter-pam-service)
"Return a PAM service for @command{sddm-greeter}."
@@ -229,29 +230,29 @@ (define (sddm-greeter-pam-service)
;; Load environment from /etc/environment and ~/.pam_environment
(pam-entry
(control "required")
- (module "pam_env.so"))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
;; Always let the greeter start without authentication
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(account
(list
;; No action required for account management
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(password
(list
;; Can't change password
(pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(session
(list
;; Setup session
(pam-entry
(control "required")
- (module "pam_unix.so"))))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (sddm-autologin-pam-service config)
"Return a PAM service for @command{sddm-autologin}"
@@ -261,16 +262,16 @@ (define (sddm-autologin-pam-service config)
(list
(pam-entry
(control "requisite")
- (module "pam_nologin.so"))
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
(pam-entry
(control "required")
- (module "pam_succeed_if.so")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
(arguments (list (string-append "uid >= "
(number->string (sddm-configuration-minimum-uid config)))
"quiet")))
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(account
(list
(pam-entry
@@ -280,7 +281,7 @@ (module "sddm"))))
(list
(pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(session
(list
(pam-entry
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 7295a45b59..878a336d0d 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -50,6 +50,7 @@ (define-module (gnu services xorg)
#:use-module (gnu packages freedesktop)
#:use-module (gnu packages gnustep)
#:use-module (gnu packages gnome)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages admin)
#:use-module (gnu packages bash)
#:use-module (gnu system shadow)
@@ -1101,12 +1102,12 @@ (module (file-append (gdm-configuration-gdm config)
"/lib/security/pam_gdm.so")))
(pam-entry
(control "sufficient")
- (module "pam_permit.so")))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so"))))))
(pam-service
(inherit (unix-pam-service "gdm-launch-environment"))
(auth (list (pam-entry
(control "required")
- (module "pam_permit.so")))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so"))))))
(unix-pam-service "gdm-password"
#:login-uid? #t
#:allow-empty-passwords?
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index b635681642..5e6a209caf 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -194,7 +194,7 @@ (define %pam-other-services
;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.)
(let ((deny (pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(pam-service
(name "other")
(account (list deny))
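Review bot: this file gets no `#:use-module` hunk, so the new `linux-pam` references in `%pam-other-services` and below depend on (gnu system pam) already importing that binding; the diffstat (20 lines, all module-path changes) is consistent with that, but please confirm the module compiles without an unbound-variable warning. For the `other` service in particular, a store-path `pam_deny.so` pins the default-deny fallback to a known binary, which is worth a sentence in the commit message.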
@@ -205,10 +205,10 @@ (module "pam_deny.so"))))
(define unix-pam-service
(let ((unix (pam-entry
(control "required")
- (module "pam_unix.so")))
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))))
(env (pam-entry ; to honor /etc/environment.
(control "required")
- (module "pam_env.so"))))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))))
(lambda* (name #:key allow-empty-passwords? allow-root? motd
login-uid? gnupg?)
"Return a standard Unix-style PAM service for NAME. When
@@ -226,12 +226,12 @@ (module "pam_env.so"))))
(auth (append (if allow-root?
(list (pam-entry
(control "sufficient")
- (module "pam_rootok.so")))
+ (module (file-append linux-pam "/lib/security/pam_rootok.so"))))
'())
(list (if allow-empty-passwords?
(pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
(arguments '("nullok")))
unix))
(if gnupg?
@@ -241,20 +241,20 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
'())))
(password (list (pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
;; Store SHA-512 encrypted passwords in /etc/shadow.
(arguments '("sha512" "shadow")))))
(session `(,@(if motd
(list (pam-entry
(control "optional")
- (module "pam_motd.so")
+ (module (file-append linux-pam "/lib/security/pam_motd.so"))
(arguments
(list #~(string-append "motd=" #$motd)))))
'())
,@(if login-uid?
(list (pam-entry ;to fill in /proc/self/loginuid
(control "required")
- (module "pam_loginuid.so")))
+ (module (file-append linux-pam "/lib/security/pam_loginuid.so"))))
'())
,@(if gnupg?
(list (pam-entry
@@ -268,13 +268,13 @@ (define (rootok-pam-service command)
authenticate to run COMMAND."
(let ((unix (pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(pam-service
(name command)
(account (list unix))
(auth (list (pam-entry
(control "sufficient")
- (module "pam_rootok.so"))))
+ (module (file-append linux-pam "/lib/security/pam_rootok.so")))))
(password (list unix))
(session (list unix)))))
--
2.39.2
Felix Lechner wrote on 9 May 2023 02:58
[PATCH 4/4] Use more file-append.
(address . 63383@debbugs.gnu.org)(name . Felix Lechner)(address . felix.lechner@lease-up.com)
da0f14cc9e3e7645873e89d4e439e8da84504ea0.1683593547.git.felix.lechner@lease-up.com
Based on the author's review of the code base as well as past commits, similar
invocations are in the process of being changed over from string-append to
file-append.

* gnu/services/authentication.scm
* gnu/services/base.scm
* gnu/services/kerberos.scm
* gnu/services/pam-mount.scm: Use more file-append instead of string-append.
---
gnu/services/authentication.scm | 2 +-
gnu/services/base.scm | 2 +-
gnu/services/kerberos.scm | 2 +-
gnu/services/pam-mount.scm | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm
index f7becdfafb..7c8900a280 100644
--- a/gnu/services/authentication.scm
+++ b/gnu/services/authentication.scm
@@ -504,7 +504,7 @@ (define (nslcd-shepherd-service config)
(define (pam-ldap-pam-service config)
"Return a PAM service for LDAP authentication."
(define pam-ldap-module
- #~(string-append #$(nslcd-configuration-nss-pam-ldapd config)
+ (file-append (nslcd-configuration-nss-pam-ldapd config)
"/lib/security/pam_ldap.so"))
(lambda (pam)
(if (member (pam-service-name pam)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 9f1671e142..9555dc3a46 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -3256,7 +3256,7 @@ (define (greetd-pam-service config)
(define optional-pam-mount
(pam-entry
(control "optional")
- (module #~(string-append #$greetd-pam-mount "/lib/security/pam_mount.so"))
+ (module (file-append greetd-pam-mount "/lib/security/pam_mount.so"))
(arguments '("disable_interactive"))))
(list
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index c3c7872734..38e78a8014 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -430,7 +430,7 @@ (define (pam-krb5-pam-service config)
"Return a PAM service for Kerberos authentication."
(lambda (pam)
(define pam-krb5-module
- #~(string-append #$(pam-krb5-configuration-pam-krb5 config)
+ (file-append (pam-krb5-configuration-pam-krb5 config)
"/lib/security/pam_krb5.so"))
(let ((pam-krb5-sufficient
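Review bot: `pam-krb5-module` is defined inside the `(lambda (pam) ...)`, so the `file-append` is rebuilt for every PAM service the extension visits, whereas the authentication.scm hunk in this patch defines `pam-ldap-module` once outside the lambda. Hoisting it the same way keeps the two files parallel and avoids the redundant allocation.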
diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm
index e60781d05b..1be209dff5 100644
--- a/gnu/services/pam-mount.scm
+++ b/gnu/services/pam-mount.scm
@@ -87,7 +87,7 @@ (define (pam-mount-pam-service config)
(define optional-pam-mount
(pam-entry
(control "optional")
- (module #~(string-append #$pam-mount "/lib/security/pam_mount.so"))))
+ (module (file-append pam-mount "/lib/security/pam_mount.so"))))
(list (lambda (pam)
(if (member (pam-service-name pam)
'("login" "greetd" "su" "slim" "gdm-password" "sddm"))
--
2.39.2
Felix Lechner wrote on 12 May 2023 20:51
rebased
(address . 63383@debbugs.gnu.org)
87a5y9v0vk.fsf@lease-up.com
This patch series was rebased due to changes on the 'master' branch.
Felix Lechner wrote on 12 May 2023 20:52
[PATCH v2 1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files.
(address . 63383@debbugs.gnu.org)(name . Felix Lechner)(address . felix.lechner@lease-up.com)
1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com
This revised system test is superior to the one accepted when Bug#61744 was
closed because it confirms whether the configured limits are actually being
enforced upon login.

The previous test merely validated the serialization of one particular config
in the config file.

* gnu/tests/pam.scm (pam-limits-service): Revise test to confirm limits on
login.
---
gnu/tests/pam.scm | 70 +++++++++++++++++++++++++----------------------
1 file changed, 38 insertions(+), 32 deletions(-)

diff --git a/gnu/tests/pam.scm b/gnu/tests/pam.scm
index 1654396e42..fa480e69ff 100644
--- a/gnu/tests/pam.scm
+++ b/gnu/tests/pam.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2023 Bruno Victal <mirai@makinata.eu>
+;;; Copyright © 2023 Felix Lechner <felix.lechner@lease-up.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -25,8 +26,7 @@ (define-module (gnu tests pam)
#:use-module (gnu system vm)
#:use-module (guix gexp)
#:use-module (ice-9 format)
- #:export (%test-pam-limits
- %test-pam-limits-deprecated))
+ #:export (%test-pam-limits))
;;;
@@ -35,26 +35,29 @@ (define-module (gnu tests pam)
(define pam-limit-entries
(list
- (pam-limits-entry "@realtime" 'both 'rtprio 99)
- (pam-limits-entry "@realtime" 'both 'memlock 'unlimited)))
+ ;; make sure the limits apply to root (uid 0)
+ (pam-limits-entry ":0" 'both 'rtprio 99) ;default is 0
+ (pam-limits-entry ":0" 'both 'memlock 'unlimited))) ;default is 8192 kbytes
(define (run-test-pam-limits config)
"Run tests in a os with pam-limits-service-type configured."
(define os
(marionette-operating-system
(simple-operating-system
- (service pam-limits-service-type config))))
+ (service pam-limits-service-type config))
+ #:imported-modules '((gnu services herd))))
(define vm
(virtual-machine os))
- (define name (format #f "pam-limit-service~:[~;-deprecated~]"
- (file-like? config)))
+ (define name "pam-limits-service")
(define test
- (with-imported-modules '((gnu build marionette))
+ (with-imported-modules '((gnu build marionette)
+ (guix build syscalls))
#~(begin
(use-modules (gnu build marionette)
+ (guix build syscalls)
(srfi srfi-64))
(let ((marionette (make-marionette (list #$vm))))
@@ -63,18 +66,32 @@ (define test
(test-begin #$name)
- (test-assert "/etc/security/limits.conf ready"
- (wait-for-file "/etc/security/limits.conf" marionette))
+ (test-equal "log in on tty1 and read limits"
+ '(("99") ;real-time priority
+ ("unlimited")) ;max locked memory
- (test-equal "/etc/security/limits.conf content matches"
- #$(string-join (map pam-limits-entry->string pam-limit-entries)
- "\n" 'suffix)
- (marionette-eval
- '(begin
- (use-modules (rnrs io ports))
- (call-with-input-file "/etc/security/limits.conf"
- get-string-all))
- marionette))
+ (begin
+ ;; Wait for tty1.
+ (marionette-eval '(begin
+ (use-modules (gnu services herd))
+ (start-service 'term-tty1))
+ marionette)
+
+ (marionette-control "sendkey ctrl-alt-f1" marionette)
+
+ ;; Now we can type.
+ (marionette-type "root\n" marionette)
+ (marionette-type "ulimit -r > real-time-priority\n" marionette)
+ (marionette-type "ulimit -l > max-locked-memory\n" marionette)
+
+ ;; Read the two files.
+ (marionette-eval '(use-modules (rnrs io ports)) marionette)
+ (let ((guest-file (lambda (file)
+ (string-tokenize
+ (wait-for-file file marionette
+ #:read 'get-string-all)))))
+ (list (guest-file "/root/real-time-priority")
+ (guest-file "/root/max-locked-memory")))))
(test-end)))))
@@ -83,17 +100,6 @@ (define test
(define %test-pam-limits
(system-test
(name "pam-limits-service")
- (description "Test that pam-limits-service can serialize its config
-(as a list) to @file{limits.conf}.")
+ (description "Test that pam-limits-service actually sets the limits as
+configured.")
(value (run-test-pam-limits pam-limit-entries))))
-
-(define %test-pam-limits-deprecated
- (system-test
- (name "pam-limits-service-deprecated")
- (description "Test that pam-limits-service can serialize its config
-(as a file-like object) to @file{limits.conf}.")
- (value (run-test-pam-limits
- (plain-file "limits.conf"
- (string-join (map pam-limits-entry->string
- pam-limit-entries)
- "\n" 'suffix))))))
--
2.40.1
Felix Lechner wrote on 12 May 2023 20:52
[PATCH v2 2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type.
(address . 63383@debbugs.gnu.org)(name . Felix Lechner)(address . felix.lechner@lease-up.com)
664a326ae17afabd71301893f1c56ff4e9d01c68.1683917556.git.felix.lechner@lease-up.com
This commit was tested and is already deployed in production.

* gnu/services/base.scm: Drop config file limits.conf from /etc; use absolute
path in store instead.
---
gnu/services/base.scm | 63 +++++++++++++++++++++----------------------
1 file changed, 30 insertions(+), 33 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index fdc2c8c764..4bef781977 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1603,38 +1603,36 @@ (define-deprecated (syslog-service #:optional (config (syslog-configuration)))
(define pam-limits-service-type
(let ((pam-extension
- (pam-extension
- (transformer
- (lambda (pam)
- (let ((pam-limits (pam-entry
- (control "required")
- (module "pam_limits.so")
- (arguments
- '("conf=/etc/security/limits.conf")))))
- (if (member (pam-service-name pam)
- '("login" "greetd" "su" "slim" "gdm-password"
- "sddm" "sudo" "sshd"))
- (pam-service
- (inherit pam)
- (session (cons pam-limits
- (pam-service-session pam))))
- pam))))))
-
- ;; XXX: Using file-like objects is deprecated, use lists instead.
- ;; This is to be reduced into the list? case when the deprecated
- ;; code gets removed.
- ;; Create /etc/security containing the provided "limits.conf" file.
- (security-limits
+ (lambda (limits-file)
+ (pam-extension
+ (transformer
+ (lambda (pam)
+ (let ((pam-limits (pam-entry
+ (control "required")
+ (module "pam_limits.so")
+ (arguments
+ (list #~(string-append "conf=" #$limits-file))))))
+ (if (member (pam-service-name pam)
+ '("login" "greetd" "su" "slim" "gdm-password" "sddm"
+ "sudo" "sshd"))
+ (pam-service
+ (inherit pam)
+ (session (cons pam-limits
+ (pam-service-session pam))))
+ pam)))))))
+ (make-limits-file
(match-lambda
+ ;; XXX: Using file-like objects is deprecated, use lists instead.
+ ;; This is to be reduced into the list? case when the deprecated
+ ;; code gets removed.
((? file-like? obj)
(warning (G_ "Using file-like value for \
'pam-limits-service-type' is deprecated~%"))
- `(("security/limits.conf" ,obj)))
+ obj)
((? list? lst)
- `(("security/limits.conf"
- ,(plain-file "limits.conf"
- (string-join (map pam-limits-entry->string lst)
- "\n" 'suffix)))))
+ (plain-file "limits.conf"
+ (string-join (map pam-limits-entry->string lst)
+ "\n" 'suffix)))
(_ (raise
(formatted-message
(G_ "invalid input for 'pam-limits-service-type'~%")))))))
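Review bot: the `conf=` argument now points at a store file, so this hunk stops anything from being written to `/etc/security/limits.conf`; the commit message should say so explicitly (and a NEWS entry would help), because administrators who audit or hand-edit that path will find it absent and `pam_limits.so` lines in any service outside the hard-coded list (`login`, `greetd`, `su`, ...) will no longer pick up the configured limits from the old location. Also, the deprecated `(? file-like? obj)` branch now passes the object straight through as the `conf=` target; the `pam-limits-entry->string` validation of the list branch does not apply to it, which is worth a sentence in the deprecation warning.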
@@ -1642,13 +1640,12 @@ (module "pam_limits.so")
(service-type
(name 'limits)
(extensions
- (list (service-extension etc-service-type security-limits)
- (service-extension pam-root-service-type
- (lambda _ (list pam-extension)))))
+ (list (service-extension pam-root-service-type
+ (lambda (config)
+ (list (pam-extension (make-limits-file config)))))))
(description
- "Install the specified resource usage limits by populating
-@file{/etc/security/limits.conf} and using the @code{pam_limits}
-authentication module.")
+ "Use the @code{pam_limits} authentication module to set the specified
+resource usage limits.")
(default-value '()))))
(define-deprecated (pam-limits-service #:optional (limits '()))
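Review bot: the removed description string was the only user-facing text naming `@file{/etc/security/limits.conf}`, and the diffstat touches only `gnu/services/base.scm`; if the manual entry for `pam-limits-service-type` also describes that file, update it in the same commit so documentation and behaviour do not diverge.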
--
2.40.1
Felix Lechner wrote on 12 May 2023 20:52
[PATCH v2 3/4] Refer to the built-in Linux-PAM modules by their absolute paths.
(address . 63383@debbugs.gnu.org)(name . Felix Lechner)(address . felix.lechner@lease-up.com)
f3be0c6f9f71c103772fe6f24d83fbf1f7593283.1683917556.git.felix.lechner@lease-up.com
In the complex world that is Guix, this commit allows the processing of PAM
stacks by means other than the official libpam.so.

An assumption was voiced that absolute paths here might be unfavorable for
upgrades [1] but the author of this commit is not sure about that.


This commit was tested and is already being deployed in production.

* gnu/services/base.scm
* gnu/services/lightdm.scm
* gnu/services/sddm.scm
* gnu/services/xorg.scm
* gnu/system/pam.scm: Refer to the built-in PAM modules, which are shipped
with Linux-PAM, by their absolute paths in the store.
---
gnu/services/base.scm | 6 ++--
gnu/services/lightdm.scm | 60 +++++++++++++++++++++++++++++-----------
gnu/services/sddm.scm | 33 +++++++++++-----------
gnu/services/xorg.scm | 5 ++--
gnu/system/pam.scm | 20 +++++++-------
5 files changed, 77 insertions(+), 47 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4bef781977..5d0542b39d 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -58,8 +58,8 @@ (define-module (gnu services base)
#:use-module (gnu packages admin)
#:use-module ((gnu packages linux)
#:select (alsa-utils btrfs-progs crda eudev
- e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools
- util-linux xfsprogs))
+ e2fsprogs f2fs-tools fuse gpm kbd linux-pam lvm2
+ rng-tools util-linux xfsprogs))
#:use-module (gnu packages bash)
#:use-module ((gnu packages base)
#:select (coreutils glibc glibc-utf8-locales tar
@@ -1609,7 +1609,7 @@ (define pam-limits-service-type
(lambda (pam)
(let ((pam-limits (pam-entry
(control "required")
- (module "pam_limits.so")
+ (module (file-append linux-pam "/lib/security/pam_limits.so"))
(arguments
(list #~(string-append "conf=" #$limits-file))))))
(if (member (pam-service-name pam)
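Review bot: the commit message cites the upgrade concern as `[1]` but no footnote follows, so a reviewer cannot weigh it; add the reference. The concern applies directly to this hunk: the generated PAM configuration now names one specific `linux-pam` store item, so after a reconfigure that rebuilds `linux-pam`, a long-running daemon that already has the previous `libpam` loaded will `dlopen` a module from the new build at the next login. Stating in the commit message why that is acceptable, or how it was tested across such an upgrade, would make the "deployed in production" claim verifiable.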
diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm
index b966f402d6..9927e8769b 100644
--- a/gnu/services/lightdm.scm
+++ b/gnu/services/lightdm.scm
@@ -24,6 +24,7 @@ (define-module (gnu services lightdm)
#:use-module (gnu packages display-managers)
#:use-module (gnu packages freedesktop)
#:use-module (gnu packages gnome)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages vnc)
#:use-module (gnu packages xorg)
#:use-module (gnu services configuration)
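Review bot: this imports all of `(gnu packages linux)` whereas the `base.scm` hunk above pulls in only `linux-pam` through `#:select`; prefer `#:use-module ((gnu packages linux) #:select (linux-pam))` here to avoid importing the whole package namespace into a service module (the same applies to the `sddm.scm` and `xorg.scm` import hunks in this patch).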
@@ -546,34 +547,61 @@ (define (lightdm-greeter-pam-service)
(name "lightdm-greeter")
(auth (list
;; Load environment from /etc/environment and ~/.pam_environment.
- (pam-entry (control "required") (module "pam_env.so"))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
;; Always let the greeter start without authentication.
- (pam-entry (control "required") (module "pam_permit.so"))))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; No action required for account management
- (account (list (pam-entry (control "required") (module "pam_permit.so"))))
+ (account (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; Prohibit changing password.
- (password (list (pam-entry (control "required") (module "pam_deny.so"))))
+ (password (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
;; Setup session.
- (session (list (pam-entry (control "required") (module "pam_unix.so"))))))
+ (session (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (lightdm-autologin-pam-service)
"Return a PAM service for @command{lightdm-autologin}}."
(pam-service
(name "lightdm-autologin")
- (auth
- (list
- ;; Block login if user is globally disabled.
- (pam-entry (control "required") (module "pam_nologin.so"))
- (pam-entry (control "required") (module "pam_succeed_if.so")
- (arguments (list "uid >= 1000")))
- ;; Allow access without authentication.
- (pam-entry (control "required") (module "pam_permit.so"))))
+ (auth (list
+ ;; Block login if user is globally disabled.
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
+ (arguments (list "uid >= 1000")))
+ ;; Allow access without authentication.
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
;; Stop autologin if account requires action.
- (account (list (pam-entry (control "required") (module "pam_unix.so"))))
+ (account (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
;; Prohibit changing password.
- (password (list (pam-entry (control "required") (module "pam_deny.so"))))
+ (password (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
;; Setup session.
- (session (list (pam-entry (control "required") (module "pam_unix.so"))))))
+ (session (list
+ (pam-entry
+ (control "required")
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (lightdm-pam-services config)
(list (lightdm-pam-service config)
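Review bot: this hunk mixes a reflow of every `pam-entry` onto multiple lines with the actual change to the `module` field, so the diff is mostly whitespace; splitting the reformatting into its own commit would let a reviewer confirm at a glance that only the module paths changed. While touching `lightdm-autologin-pam-service`, the context line `"Return a PAM service for @command{lightdm-autologin}}."` carries a stray closing brace that could be fixed in the same pass.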
diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm
index c9a7ba96f4..9cd4d23bdb 100644
--- a/gnu/services/sddm.scm
+++ b/gnu/services/sddm.scm
@@ -23,6 +23,7 @@ (define-module (gnu services sddm)
#:use-module (gnu packages admin)
#:use-module (gnu packages display-managers)
#:use-module (gnu packages freedesktop)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages xorg)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
@@ -185,32 +186,32 @@ (define (sddm-pam-service config)
(list
(pam-entry
(control "requisite")
- (module "pam_nologin.so"))
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
(pam-entry
(control "required")
- (module "pam_env.so"))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
(pam-entry
(control "required")
- (module "pam_succeed_if.so")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
(arguments (list (string-append "uid >= "
(number->string (sddm-configuration-minimum-uid config)))
"quiet")))
;; should be factored out into system-auth
(pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(account
(list
;; should be factored out into system-account
(pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(password
(list
;; should be factored out into system-password
(pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
(arguments (list "sha512" "shadow" "try_first_pass")))))
(session
(list
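Review bot: at this nesting depth `(module (file-append linux-pam "/lib/security/pam_succeed_if.so"))` runs past the usual 80-column limit, and the same literal prefix is repeated in every hunk of this patch. Defining a single helper in `(gnu system pam)`, for example `(define (linux-pam-module name) (file-append linux-pam (string-append "/lib/security/" name)))`, and writing `(module (linux-pam-module "pam_succeed_if.so"))` would shorten every entry and keep the module directory in one place should it ever change.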
@@ -218,7 +219,7 @@ (module "pam_unix.so")
;; should be factored out into system-session
(pam-entry
(control "required")
- (module "pam_unix.so"))))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (sddm-greeter-pam-service)
"Return a PAM service for @command{sddm-greeter}."
@@ -229,29 +230,29 @@ (define (sddm-greeter-pam-service)
;; Load environment from /etc/environment and ~/.pam_environment
(pam-entry
(control "required")
- (module "pam_env.so"))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))
;; Always let the greeter start without authentication
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(account
(list
;; No action required for account management
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(password
(list
;; Can't change password
(pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(session
(list
;; Setup session
(pam-entry
(control "required")
- (module "pam_unix.so"))))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))))
(define (sddm-autologin-pam-service config)
"Return a PAM service for @command{sddm-autologin}"
@@ -261,16 +262,16 @@ (define (sddm-autologin-pam-service config)
(list
(pam-entry
(control "requisite")
- (module "pam_nologin.so"))
+ (module (file-append linux-pam "/lib/security/pam_nologin.so")))
(pam-entry
(control "required")
- (module "pam_succeed_if.so")
+ (module (file-append linux-pam "/lib/security/pam_succeed_if.so"))
(arguments (list (string-append "uid >= "
(number->string (sddm-configuration-minimum-uid config)))
"quiet")))
(pam-entry
(control "required")
- (module "pam_permit.so"))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so")))))
(account
(list
(pam-entry
@@ -280,7 +281,7 @@ (module "sddm"))))
(list
(pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(session
(list
(pam-entry
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 8b6080fd26..97fbde3511 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -50,6 +50,7 @@ (define-module (gnu services xorg)
#:use-module (gnu packages freedesktop)
#:use-module (gnu packages gnustep)
#:use-module (gnu packages gnome)
+ #:use-module (gnu packages linux)
#:use-module (gnu packages admin)
#:use-module (gnu packages bash)
#:use-module (gnu system shadow)
@@ -1101,12 +1102,12 @@ (module (file-append (gdm-configuration-gdm config)
"/lib/security/pam_gdm.so")))
(pam-entry
(control "sufficient")
- (module "pam_permit.so")))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so"))))))
(pam-service
(inherit (unix-pam-service "gdm-launch-environment"))
(auth (list (pam-entry
(control "required")
- (module "pam_permit.so")))))
+ (module (file-append linux-pam "/lib/security/pam_permit.so"))))))
(unix-pam-service "gdm-password"
#:login-uid? #t
#:allow-empty-passwords?
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index adc40c975f..e3711e2b1e 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -202,7 +202,7 @@ (define %pam-other-services
;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.)
(let ((deny (pam-entry
(control "required")
- (module "pam_deny.so"))))
+ (module (file-append linux-pam "/lib/security/pam_deny.so")))))
(pam-service
(name "other")
(account (list deny))
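Review bot: this hunk references `linux-pam` in `gnu/system/pam.scm`, yet unlike `lightdm.scm`, `sddm.scm` and `xorg.scm` in this same patch, no hunk adds an import of `(gnu packages linux)` to this file; unless the module already imports it, compilation will fail with an unbound variable. Please confirm the import exists or add it.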
@@ -213,10 +213,10 @@ (module "pam_deny.so"))))
(define unix-pam-service
(let ((unix (pam-entry
(control "required")
- (module "pam_unix.so")))
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))))
(env (pam-entry ; to honor /etc/environment.
(control "required")
- (module "pam_env.so"))))
+ (module (file-append linux-pam "/lib/security/pam_env.so")))))
(lambda* (name #:key allow-empty-passwords? allow-root? motd
login-uid? gnupg?)
"Return a standard Unix-style PAM service for NAME. When
@@ -234,12 +234,12 @@ (module "pam_env.so"))))
(auth (append (if allow-root?
(list (pam-entry
(control "sufficient")
- (module "pam_rootok.so")))
+ (module (file-append linux-pam "/lib/security/pam_rootok.so"))))
'())
(list (if allow-empty-passwords?
(pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
(arguments '("nullok")))
unix))
(if gnupg?
@@ -249,20 +249,20 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
'())))
(password (list (pam-entry
(control "required")
- (module "pam_unix.so")
+ (module (file-append linux-pam "/lib/security/pam_unix.so"))
;; Store SHA-512 encrypted passwords in /etc/shadow.
(arguments '("sha512" "shadow")))))
(session `(,@(if motd
(list (pam-entry
(control "optional")
- (module "pam_motd.so")
+ (module (file-append linux-pam "/lib/security/pam_motd.so"))
(arguments
(list #~(string-append "motd=" #$motd)))))
'())
,@(if login-uid?
(list (pam-entry ;to fill in /proc/self/loginuid
(control "required")
- (module "pam_loginuid.so")))
+ (module (file-append linux-pam "/lib/security/pam_loginuid.so"))))
'())
,@(if gnupg?
(list (pam-entry
@@ -276,13 +276,13 @@ (define (rootok-pam-service command)
authenticate to run COMMAND."
(let ((unix (pam-entry
(control "required")
- (module "pam_unix.so"))))
+ (module (file-append linux-pam "/lib/security/pam_unix.so")))))
(pam-service
(name command)
(account (list unix))
(auth (list (pam-entry
(control "sufficient")
- (module "pam_rootok.so"))))
+ (module (file-append linux-pam "/lib/security/pam_rootok.so")))))
(password (list unix))
(session (list unix)))))
--
2.40.1
Felix Lechner wrote on 12 May 2023 20:52
[PATCH v2 4/4] Use more file-append.
(address . 63383@debbugs.gnu.org)(name . Felix Lechner)(address . felix.lechner@lease-up.com)
c496e154f52cc97eb786efefce7f3470596229b8.1683917556.git.felix.lechner@lease-up.com
Based on the author's review of the code base as well as past commits, similar
invocations are in the process of being changed over from string-append to
file-append.

* gnu/services/authentication.scm
* gnu/services/base.scm
* gnu/services/kerberos.scm
* gnu/services/pam-mount.scm: Use more file-append instead of string-append.
---
gnu/services/authentication.scm | 2 +-
gnu/services/base.scm | 2 +-
gnu/services/kerberos.scm | 4 ++--
gnu/services/pam-mount.scm | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm
index f1ad1b1afe..fbfef2d3d0 100644
--- a/gnu/services/authentication.scm
+++ b/gnu/services/authentication.scm
@@ -504,7 +504,7 @@ (define (nslcd-shepherd-service config)
(define (pam-ldap-pam-service config)
"Return a PAM service for LDAP authentication."
(define pam-ldap-module
- #~(string-append #$(nslcd-configuration-nss-pam-ldapd config)
+ (file-append (nslcd-configuration-nss-pam-ldapd config)
"/lib/security/pam_ldap.so"))
(pam-extension
(transformer
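Review bot: only the first line of the form is changed here, so the continuation line `"/lib/security/pam_ldap.so"` keeps the indentation that lined it up with the old `#$(` argument; the `kerberos.scm` hunk in this same patch re-indents both lines, and this one should do the same so the second argument aligns with `(nslcd-configuration-nss-pam-ldapd config)`.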
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 5d0542b39d..a6c501e2c2 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -3253,7 +3253,7 @@ (define (greetd-pam-service config)
(define optional-pam-mount
(pam-entry
(control "optional")
- (module #~(string-append #$greetd-pam-mount "/lib/security/pam_mount.so"))
+ (module (file-append greetd-pam-mount "/lib/security/pam_mount.so"))
(arguments '("disable_interactive"))))
(list
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index 1a1b37f890..a6f540a9b6 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -432,8 +432,8 @@ (define (pam-krb5-pam-service config)
(transformer
(lambda (pam)
(define pam-krb5-module
- #~(string-append #$(pam-krb5-configuration-pam-krb5 config)
- "/lib/security/pam_krb5.so"))
+ (file-append (pam-krb5-configuration-pam-krb5 config)
+ "/lib/security/pam_krb5.so"))
(let ((pam-krb5-sufficient
(pam-entry
diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm
index 21c34ddd61..afaa2704cd 100644
--- a/gnu/services/pam-mount.scm
+++ b/gnu/services/pam-mount.scm
@@ -87,7 +87,7 @@ (define (pam-mount-pam-service config)
(define optional-pam-mount
(pam-entry
(control "optional")
- (module #~(string-append #$pam-mount "/lib/security/pam_mount.so"))))
+ (module (file-append pam-mount "/lib/security/pam_mount.so"))))
(list
(pam-extension
(transformer
--
2.40.1
Felix Lechner wrote on 28 Jun 2023 20:44
Fwd: PAM may cause issues on system updates
(address . 63383@debbugs.gnu.org)
CAFHYt56SpBw71_kNVcx-Jrjvn9PES3yn+L6CLt3o-ywcEnVJTw@mail.gmail.com
[an earlier version was sent to the wrong bug]

Hi,

There is another bug that was probably a reason why some folks
hesitated to accept this patch:


In that bug, Ludo' proposed to refer from Shepherd services to PAM
services by absolute paths. I believe it is a viable and worthy
solution.

(By contrast, this bug makes PAM services refer to PAM modules by
absolute paths.)

Another solution could be to make all PAM modules and services Guile
scripts. While admittedly a more comprehensive effort, I believe such
an upgrade might be popular in the broader community, which is
generally tired of PAM. The only prerequisite to execute those scripts
would be a working copy of GNU Guile (i.e. no libpam or libc).

Kind regards
Felix
Ludovic Courtès wrote on 15 Aug 2023 22:19
Re: bug#63383: [PATCH 0/4] Various PAM improvements
(name . Felix Lechner)(address . felix.lechner@lease-up.com)
87cyzo83e1.fsf_-_@gnu.org
Hi,

Sorry for the long delay!

Felix Lechner <felix.lechner@lease-up.com> wrote:

> There is another bug that was probably a reason why some folks
> hesitated to accept this patch:
>
> https://issues.guix.gnu.org/32182
>
> In that bug, Ludo' proposed to refer from Shepherd services to PAM
> services by absolute paths. I believe it is a viable and worthy
> solution.
>
> (By contrast, this bug makes PAM services refer to PAM modules by
> absolute paths.)

Right. For this reason, I’m dropping the patch that adds more absolute
file names for all modules shipped with ‘linux-pam’ but keeping the rest.

> Another solution could be to make all PAM modules and services Guile
> scripts. While admittedly a more comprehensive effort, I believe such
> an upgrade might be popular in the broader community, which is
> generally tired of PAM. The only prerequisite to execute those scripts
> would be a working copy of GNU Guile (i.e. no libpam or libc).

Hmm are you suggesting a PAM rewrite in Guile?

Thanks,
Ludo’.
Closed
Felix Lechner wrote on 16 Aug 2023 20:21
(name . Ludovic Courtès)(address . ludo@gnu.org)
CAFHYt55cjoEfaoQCcyoxd+GzmQQWA0Fno4mv3+A9Dmjgc2qNLw@mail.gmail.com
Hi Ludo'

On Tue, Aug 15, 2023 at 1:19 PM Ludovic Courtès <ludo@gnu.org> wrote:
>
> I’m dropping the patch that adds more absolute
> file names for all modules shipped with ‘linux-pam’ but keeping the rest.

Thanks for doing that. It was the right thing to do.

> Hmm are you suggesting a PAM rewrite in Guile?

Thanks for asking! I rewrote PAM in Guile some time ago [1] but it
still uses a shared library to start Guile via the good old "tortoise"
interface. [2] Upon reflection, I am not sure it would shelter us from
all potential compatibility issues on upgrades, including upgrades of
Guile.

Perhaps it would be best for Guix to adopt a fully script-driven
approach similar to OpenBSD. [3] Maxim may have alluded to it in a
correspondence on this topic elsewhere.

Kind regards
Felix
