diff mbox series

[bug#47364,2/2] services: slim: Add pam-gnupg support.

Message ID 20210324165233.28428-2-go.wigust@gmail.com
State Accepted
Headers show
Series Add pam-gnupg and PAM rules for SLiM | expand

Checks

Context Check Description
cbaines/submitting builds success
cbaines/comparison success View comparision
cbaines/git branch success View Git branch
cbaines/applying patch success View Laminar job
cbaines/issue success View issue

Commit Message

Oleg Pykhalov March 24, 2021, 4:52 p.m. UTC 
* gnu/system/pam.scm (unix-pam-service): Add account and session PAM entries
for pam-gnupg.
* doc/guix.texi (X Window): Document this.
* gnu/services/xorg.scm (<slim-configuration>)[gnupg?]: New record field.
(slim-pam-service): Pass "#:gnupg?" argument to "unix-pam-service".
---
 doc/guix.texi         |  8 ++++++++
 gnu/services/xorg.scm |  7 ++++++-
 gnu/system/pam.scm    | 15 +++++++++++++--
 3 files changed, 27 insertions(+), 3 deletions(-)

Comments

M March 24, 2021, 7:22 p.m. UTC | #1 
Hi,

I'm not familiar with PAM, so I can't do much reviewing about that
(seems ok, though I'm no expert).  Some nitpicks:

On Wed, 2021-03-24 at 19:52 +0300, Oleg Pykhalov wrote:
> [...]
> 
> diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
> index ad02586be8..75edd01908 100644
> --- a/gnu/system/pam.scm
> +++ b/gnu/system/pam.scm
> [...]
>     (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
> -                   login-uid?)
> +                   login-uid? (gnupg? #f))

Nitpick: keyword variables have #f as default by default, so you could just write ...

     (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
> -                   login-uid?)
> +                   login-uid? gnupg?)

... here.  As a minimal example, you could run the following code in a Guile REPL:

> ;; These both evaluate to (#f #f)!
> ((lambda* (#:key login-uid? gnupg?) (list login-uid? gnupg?)))
> ((lambda* (#:key login-uid? (gnupg? #f)) (list login-uid? gnupg?)))

Hmm, maybe (allow-root? #f) could be replaced with simply allow-root? here ...

>        "Return a standard Unix-style PAM service for NAME.  When
>  ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords.  When ALLOW-ROOT? is
>  true, allow root to run the command without authentication.  When MOTD is

It would be nice if this docstring documents GNUPG? as well.

Greetings,
Maxime.
diff mbox series

Patch

diff --git a/doc/guix.texi b/doc/guix.texi
index 94ecd2c247..f549930c63 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17765,6 +17765,14 @@  Data type representing the configuration of @code{slim-service-type}.
 @item @code{allow-empty-passwords?} (default: @code{#t})
 Whether to allow logins with empty passwords.
 
+@item @code{gnupg?} (default: @code{#f})
+If enabled, @code{pam-gnupg} will attempt to automatically unlock the
+user's GPG keys with the login password via @code{gpg-agent}.  The
+keygrips of all keys to be unlocked should be written to
+@file{~/.pam-gnupg}, and can be queried with @code{gpg -K
+--with-keygrip}.  Presetting passphrases must be enabled by adding
+@code{allow-preset-passphrase} in @file{~/.gnupg/gpg-agent.conf}.
+
 @item @code{auto-login?} (default: @code{#f})
 @itemx @code{default-user} (default: @code{""})
 When @code{auto-login?} is false, SLiM presents a log-in screen.
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 60611dc77d..65b138b4f4 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -8,6 +8,7 @@ 
 ;;; Copyright © 2020 shtwzrd <shtwzrd@protonmail.com>
 ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
 ;;; Copyright © 2020 Alex Griffin <a@ajgrf.com>
+;;; Copyright © 2021 Oleg Pykhalov <go.wigust@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -541,6 +542,8 @@  a `service-extension', as used by `set-xorg-configuration'."
         (default slim))
   (allow-empty-passwords? slim-configuration-allow-empty-passwords?
                           (default #t))
+  (gnupg? slim-configuration-gnupg?
+          (default #f))
   (auto-login? slim-configuration-auto-login?
                (default #f))
   (default-user slim-configuration-default-user
@@ -570,7 +573,9 @@  a `service-extension', as used by `set-xorg-configuration'."
          "slim"
          #:login-uid? #t
          #:allow-empty-passwords?
-         (slim-configuration-allow-empty-passwords? config))))
+         (slim-configuration-allow-empty-passwords? config)
+         #:gnupg?
+         (slim-configuration-gnupg? config))))
 
 (define (slim-shepherd-service config)
   (let* ((xinitrc (xinitrc #:fallback-session
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index ad02586be8..75edd01908 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -27,6 +27,7 @@ 
   #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-26)
   #:use-module ((guix utils) #:select (%current-system))
+  #:use-module (gnu packages linux)
   #:export (pam-service
             pam-service-name
             pam-service-account
@@ -208,7 +209,7 @@  dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
                (control "required")
                (module "pam_env.so"))))
     (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
-                   login-uid?)
+                   login-uid? (gnupg? #f))
       "Return a standard Unix-style PAM service for NAME.  When
 ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords.  When ALLOW-ROOT? is
 true, allow root to run the command without authentication.  When MOTD is
@@ -229,7 +230,12 @@  When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
                                 (control "required")
                                 (module "pam_unix.so")
                                 (arguments '("nullok")))
-                               unix))))
+                               unix))
+                     (if gnupg?
+                         (list (pam-entry
+                                (control "required")
+                                (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+                         '())))
        (password (list (pam-entry
                         (control "required")
                         (module "pam_unix.so")
@@ -247,6 +253,11 @@  When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
                                (control "required")
                                (module "pam_loginuid.so")))
                         '())
+                  ,@(if gnupg?
+                        (list (pam-entry
+                               (control "required")
+                               (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+                        '())
                   ,env ,unix))))))
 
 (define (rootok-pam-service command)