[bug#63383,3/4] Refer to the built-in Linux-PAM modules by their absolute paths.

Message ID	1642be1ee49d66939d092d80289518ed6ed578e2.1683593547.git.felix.lechner@lease-up.com
State	New
Headers	show Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> Subject: [bug#63383] [PATCH 3/4] Refer to the built-in Linux-PAM modules by their absolute paths. Resent-From: Felix Lechner <felix.lechner@lease-up.com> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 09 May 2023 00:59:02 +0000 Resent-Message-ID: <handler.63383.B63383.168359390423326@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org To: 63383@debbugs.gnu.org Cc: Felix Lechner <felix.lechner@lease-up.com> Date: Mon, 8 May 2023 17:58:08 -0700 Message-Id: <1642be1ee49d66939d092d80289518ed6ed578e2.1683593547.git.felix.lechner@lease-up.com> In-Reply-To: <cover.1683593547.git.felix.lechner@lease-up.com> References: <cover.1683593547.git.felix.lechner@lease-up.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Reply-to: Felix Lechner <felix.lechner@lease-up.com> From: Felix Lechner via Guix-patches via <guix-patches@gnu.org> Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches
Series	Various PAM improvements \| expand [bug#63383,0/4] Various PAM improvements [bug#63383,1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files. [bug#63383,2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type. [bug#63383,3/4] Refer to the built-in Linux-PAM modules by their absolute paths. [bug#63383,4/4] Use more file-append.

diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 16dcc55483..9f1671e142 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -58,8 +58,8 @@ (define-module (gnu services base) #:use-module (gnu packages admin) #:use-module ((gnu packages linux) #:select (alsa-utils btrfs-progs crda eudev - e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools - util-linux xfsprogs)) + e2fsprogs f2fs-tools fuse gpm kbd linux-pam lvm2 + rng-tools util-linux xfsprogs)) #:use-module (gnu packages bash) #:use-module ((gnu packages base) #:select (coreutils glibc glibc-utf8-locales tar @@ -1612,7 +1612,7 @@ (define pam-limits-service-type (lambda (pam) (let ((pam-limits (pam-entry (control "required") - (module "pam_limits.so") + (module (file-append linux-pam "/lib/security/pam_limits.so")) (arguments (list #~(string-append "conf=" #$limits-file)))))) (if (member (pam-service-name pam) diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm index 0b9094cda1..b820c7dcf3 100644 --- a/gnu/services/lightdm.scm +++ b/gnu/services/lightdm.scm @@ -24,6 +24,7 @@ (define-module (gnu services lightdm) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnome) + #:use-module (gnu packages linux) #:use-module (gnu packages vnc) #:use-module (gnu packages xorg) #:use-module (gnu services configuration) @@ -546,34 +547,61 @@ (define (lightdm-greeter-pam-service) (name "lightdm-greeter") (auth (list ;; Load environment from /etc/environment and ~/.pam_environment. - (pam-entry (control "required") (module "pam_env.so")) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_env.so"))) ;; Always let the greeter start without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; No action required for account management - (account (list (pam-entry (control "required") (module "pam_permit.so")))) + (account (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (lightdm-autologin-pam-service) "Return a PAM service for @command{lightdm-autologin}}." (pam-service (name "lightdm-autologin") - (auth - (list - ;; Block login if user is globally disabled. - (pam-entry (control "required") (module "pam_nologin.so")) - (pam-entry (control "required") (module "pam_succeed_if.so") - (arguments (list "uid >= 1000"))) - ;; Allow access without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (auth (list + ;; Block login if user is globally disabled. + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) + (arguments (list "uid >= 1000"))) + ;; Allow access without authentication. + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; Stop autologin if account requires action. - (account (list (pam-entry (control "required") (module "pam_unix.so")))) + (account (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (lightdm-pam-services config) (list (lightdm-pam-service config) diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm index 9e02f1cc81..6138a31f0d 100644 --- a/gnu/services/sddm.scm +++ b/gnu/services/sddm.scm @@ -23,6 +23,7 @@ (define-module (gnu services sddm) #:use-module (gnu packages admin) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) + #:use-module (gnu packages linux) #:use-module (gnu packages xorg) #:use-module (gnu services) #:use-module (gnu services shepherd) @@ -185,32 +186,32 @@ (define (sddm-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) (pam-entry (control "required") - (module "pam_env.so")) + (module (file-append linux-pam "/lib/security/pam_env.so"))) (pam-entry (control "required") - (module "pam_succeed_if.so") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) "quiet"))) ;; should be factored out into system-auth (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (account (list ;; should be factored out into system-account (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (password (list ;; should be factored out into system-password (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) (arguments (list "sha512" "shadow" "try_first_pass"))))) (session (list @@ -218,7 +219,7 @@ (module "pam_unix.so") ;; should be factored out into system-session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (sddm-greeter-pam-service) "Return a PAM service for @command{sddm-greeter}." @@ -229,29 +230,29 @@ (define (sddm-greeter-pam-service) ;; Load environment from /etc/environment and ~/.pam_environment (pam-entry (control "required") - (module "pam_env.so")) + (module (file-append linux-pam "/lib/security/pam_env.so"))) ;; Always let the greeter start without authentication (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (account (list ;; No action required for account management (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (password (list ;; Can't change password (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (session (list ;; Setup session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (sddm-autologin-pam-service config) "Return a PAM service for @command{sddm-autologin}" @@ -261,16 +262,16 @@ (define (sddm-autologin-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) (pam-entry (control "required") - (module "pam_succeed_if.so") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) "quiet"))) (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (account (list (pam-entry @@ -280,7 +281,7 @@ (module "sddm")))) (list (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (session (list (pam-entry diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 7295a45b59..878a336d0d 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -50,6 +50,7 @@ (define-module (gnu services xorg) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnustep) #:use-module (gnu packages gnome) + #:use-module (gnu packages linux) #:use-module (gnu packages admin) #:use-module (gnu packages bash) #:use-module (gnu system shadow) @@ -1101,12 +1102,12 @@ (module (file-append (gdm-configuration-gdm config) "/lib/security/pam_gdm.so"))) (pam-entry (control "sufficient") - (module "pam_permit.so"))))) + (module (file-append linux-pam "/lib/security/pam_permit.so")))))) (pam-service (inherit (unix-pam-service "gdm-launch-environment")) (auth (list (pam-entry (control "required") - (module "pam_permit.so"))))) + (module (file-append linux-pam "/lib/security/pam_permit.so")))))) (unix-pam-service "gdm-password" #:login-uid? #t #:allow-empty-passwords? diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index b635681642..5e6a209caf 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -194,7 +194,7 @@ (define %pam-other-services ;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.) (let ((deny (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (pam-service (name "other") (account (list deny)) @@ -205,10 +205,10 @@ (module "pam_deny.so")))) (define unix-pam-service (let ((unix (pam-entry (control "required") - (module "pam_unix.so"))) + (module (file-append linux-pam "/lib/security/pam_unix.so")))) (env (pam-entry ; to honor /etc/environment. (control "required") - (module "pam_env.so")))) + (module (file-append linux-pam "/lib/security/pam_env.so"))))) (lambda* (name #:key allow-empty-passwords? allow-root? motd login-uid? gnupg?) "Return a standard Unix-style PAM service for NAME. When @@ -226,12 +226,12 @@ (module "pam_env.so")))) (auth (append (if allow-root? (list (pam-entry (control "sufficient") - (module "pam_rootok.so"))) + (module (file-append linux-pam "/lib/security/pam_rootok.so")))) '()) (list (if allow-empty-passwords? (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) (arguments '("nullok"))) unix)) (if gnupg? @@ -241,20 +241,20 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) '()))) (password (list (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) ;; Store SHA-512 encrypted passwords in /etc/shadow. (arguments '("sha512" "shadow"))))) (session `(,@(if motd (list (pam-entry (control "optional") - (module "pam_motd.so") + (module (file-append linux-pam "/lib/security/pam_motd.so")) (arguments (list #~(string-append "motd=" #$motd))))) '()) ,@(if login-uid? (list (pam-entry ;to fill in /proc/self/loginuid (control "required") - (module "pam_loginuid.so"))) + (module (file-append linux-pam "/lib/security/pam_loginuid.so")))) '()) ,@(if gnupg? (list (pam-entry @@ -268,13 +268,13 @@ (define (rootok-pam-service command) authenticate to run COMMAND." (let ((unix (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (pam-service (name command) (account (list unix)) (auth (list (pam-entry (control "sufficient") - (module "pam_rootok.so")))) + (module (file-append linux-pam "/lib/security/pam_rootok.so"))))) (password (list unix)) (session (list unix)))))

[bug#63383,3/4] Refer to the built-in Linux-PAM modules by their absolute paths.

Commit Message

Patch