Subject: [bug#58014] [PATCH 07/15] services: gdm: Add a configuration field to enable XDMCP.
From: Maxim Cournoyer
Date: Fri, 23 Sep 2022 01:00:34 -0400

* gnu/services/xorg.scm ()[xdmcp?]: New field.
* gnu/services/xorg.scm (gdm-configuration-file): Use it. Use (ice-9 format) to serialize boolean.
(gdm-polkit-rules): New variable.
(gdm-service-type): Use it to extend polkit.
* doc/guix.texi (X Window): Document it.
--- doc/guix.texi | 6 +++++ gnu/services/xorg.scm | 56 +++++++++++++++++++++++++++++++++++++------ 2 files changed, 55 insertions(+), 7 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index eb12efa85e..be1f2e0063 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -21062,6 +21062,12 @@ Configuration of the Xorg graphical server. @item @code{x-session} (default: @code{(xinitrc)}) Script to run before starting a X session. +@item @code{xdmcp?} (default: @code{#f}) +When true, enable the X Display Manager Control Protocol (XDMCP). This +should only be enabled in trusted environments, as the protocol is not +secure. When enabled, GDM listens for XDMCP queries on the UDP port +177. + @item @code{dbus-daemon} (default: @code{dbus-daemon-wrapper}) File name of the @code{dbus-daemon} executable. diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 3ff290c197..eb77822741 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm 
@@ -63,6 +63,7 @@ (define-module (gnu services xorg) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) #:use-module (srfi srfi-26) + #:use-module (ice-9 format) #:use-module (ice-9 match) #:export (xorg-configuration xorg-configuration? @@ -885,6 +886,8 @@ (define-record-type* (default (xorg-configuration))) (x-session gdm-configuration-x-session (default (xinitrc))) + (xdmcp? gdm-configuration-xdmcp? + (default #f)) (wayland? gdm-configuration-wayland? (default #f)) (wayland-session gdm-configuration-wayland-session (default gdm-wayland-session-wrapper))) @@ -913,18 +916,20 @@ (define (gdm-configuration-file config) ;; See also ;; . "InitialSetupEnable=false\n" - "WaylandEnable=" (if (gdm-configuration-wayland? config) - "true" - "false") "\n" + (format #f "WaylandEnable=~:[false~;true~]~%" + (gdm-configuration-wayland? config)) "\n" "[debug]\n" - "Enable=" (if (gdm-configuration-debug? config) - "true" - "false") "\n" + (format #f "Enable=~:[false~;true~]~%" + (gdm-configuration-debug? config)) "\n" "[security]\n" "#DisallowTCP=true\n" - "#AllowRemoteAutoLogin=false\n")) + "#AllowRemoteAutoLogin=false\n" + "\n" + "[xdmcp]\n" + (format #f "Enable=~:[false~;true~]~%" + (gdm-configuration-xdmcp? config)))) (define (gdm-pam-service config) "Return a PAM service for @command{gdm}." 
@@ -995,6 +1000,41 @@ (define (gdm-shepherd-service config) (stop #~(make-kill-destructor)) (respawn? #t)))) +(define gdm-polkit-rules + (lambda (config) + (if (gdm-configuration-xdmcp? config) + ;; Allow remote (XDMCP) users to use colord; otherwise an + ;; authentication dialog would appear on the GDM screen (see the + ;; upstream bug: + ;; https://gitlab.gnome.org/GNOME/gnome-settings-daemon/-/issues/273). + (list (computed-file + "02-allow-colord.rules" + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + + (let* ((rules.d + (string-append #$output + "/share/polkit-1" + "/rules.d")) + (allow-colord.rules (string-append + rules.d + "/02-allow-colord.rules"))) + (mkdir-p rules.d) + (call-with-output-file allow-colord.rules + (lambda (port) + ;; This workaround enables any local or remote in + ;; the "users" group to use colord (see: + ;; https://c-nergy.be/blog/?p=12073). + (format port "\ +polkit.addRule(function(action, subject) { + if (action.id.match(\"org.freedesktop.color-manager\")) { + polkit.log(\"POLKIT DEBUG returning YES for action: \" + action); + return polkit.Result.YES; + } +});~%")))))))) + '()))) + (define gdm-service-type (handle-xorg-configuration gdm-configuration (service-type (name 'gdm) @@ -1005,6 +1045,8 @@ (define gdm-service-type (const %gdm-accounts)) (service-extension pam-root-service-type gdm-pam-service) + (service-extension polkit-service-type + gdm-polkit-rules) (service-extension profile-service-type gdm-configuration-gnome-shell-assets) (service-extension dbus-root-service-type
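Review bot: The new @item for xdmcp? in the doc/guix.texi hunk documents the UDP port 177 listener but not the field's second effect: in gnu/services/xorg.scm, gdm-polkit-rules installs 02-allow-colord.rules whenever xdmcp? is true, and that rule returns polkit.Result.YES for color-manager actions. The entry already warns that the protocol is not secure, so it should also state that enabling the field relaxes polkit authorization for colord; an administrator reading only the manual would otherwise miss part of the change in exposure. Minor wording: "on the UDP port 177" reads better as "on UDP port 177".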
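Review bot: In the gdm-configuration-file hunk, the directive ~:[false~;true~] is now written out three times (WaylandEnable, the [debug] Enable, and the new [xdmcp] Enable); a small local helper taking the key and the value would keep the boolean serialization in one place. Note also that ~:[ selects the "true" clause for any argument other than #f, as did the if it replaces, so a mistaken non-boolean such as (xdmcp? 'no) is serialized as Enable=true. Since this field turns on a network listener, a boolean check on the field or in the serializer would be worth adding in the same patch.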
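Review bot: The rule written by gdm-polkit-rules returns polkit.Result.YES without ever inspecting subject, while the comment just above it says the workaround is for users in the "users" group; as written, every subject is authorized for the matching actions. If the group restriction is intended, add a subject.isInGroup("users") condition to the if. The test action.id.match("org.freedesktop.color-manager") treats its argument as an unanchored regular expression in which each "." matches any character, so it accepts more action ids than the color-manager prefix; action.id.indexOf("org.freedesktop.color-manager.") == 0 is the stricter form. The polkit.log("POLKIT DEBUG ...") call looks like leftover debugging and will log on every matching request. Style: (define gdm-polkit-rules (lambda (config) ...)) can be written (define (gdm-polkit-rules config) ...), and the comment "any local or remote in the" is missing the noun "user".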