From patchwork Mon May 22 19:06:51 2023
X-Patchwork-Submitter: muradm
X-Patchwork-Id: 50238
Subject: [bug#63652] [PATCH] services: screen-locker-service-type: Configurable PAM and setuid.
Resent-From: muradm
Resent-Date: Mon, 22 May 2023 19:08:01 +0000
To: 63652@debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
From: muradm
Date: Mon, 22 May 2023 22:06:51 +0300
Message-Id: <84127ca20c41459b18200f39356f7964fa75f943.1684782409.git.mail@muradm.net>
X-Mailer: git-send-email 2.40.1

screen-locker-service-type by default both defines a PAM entry and makes the program a setuid binary. Normally both methods are mutually exclusive: if the binary has setuid set it does not really need PAM, and the other way around is similar; if PAM is enabled the binary should not rely on setuid. The recent swaylock package is now compiled with PAM support. When PAM support is compiled in, swaylock refuses to execute if the binary is also a setuid program. This change turns screen-locker-configuration from strict PAM AND setuid to the more flexible PAM AND/OR setuid, allowing swaylock to be configured properly while supporting other screen locker preferences.

* gnu/services/xorg.scm (screen-locker-configuration): Switch from define-record-type to define-configuration.
[using-pam?]: New field to control PAM entry existence.
[using-setuid?]: New field to control setuid binary existence.
(screen-locker-pam-services): Should not make unix-pam-service if using-pam? is set to #f.
(screen-locker-setuid-programs): Should not make the program a setuid program if using-setuid? is set to #f.
(screen-locker-generate-doc): Internal function to generate configuration documentation.
(screen-locker-service): Adapt to new screen-locker-configuration.
* gnu/services/desktop.scm (desktop-services-for-system): Adapt to new screen-locker-configuration.
* doc/guix.texi: Reflect new changes to screen-locker-configuration.
--- doc/guix.texi | 32 +++++++++++++++++++---- gnu/services/desktop.scm | 8 ++++-- gnu/services/xorg.scm | 55 ++++++++++++++++++++++++++++------------ 3 files changed, 72 insertions(+), 23 deletions(-) base-commit: dff1689bb37e5303868584d3f1d7a33cbcb7f51e diff --git a/doc/guix.texi b/doc/guix.texi index f4cca66d76..079afaeba5 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -22474,9 +22474,14 @@ X Window @defvar screen-locker-service-type Type for a service that adds a package for a screen locker or screen -saver to the set of setuid programs and add a PAM entry for it. The +saver to the set of setuid programs and/or add a PAM entry for it. The value for this service is a @code{} object. +While default behavior is to setup both setuid program and PAM entry, +they are effectively mutually exclusive. Screen locker programs may +prevent executing when PAM is configured, and @code{setuid} is set on +executable. Then @code{using-setuid?} can be set to @code{#f}. + For example, to make XlockMore usable: @lisp 
@@ -22486,25 +22491,42 @@ X Window @end lisp makes the good ol' XlockMore usable. + +For example, swaylock fails to execute when compiled with PAM support +and setuid enabled, then one can disable setuid: + +@lisp +(service screen-locker-service-type + (screen-locker-configuration + "swaylock" (file-append xlockmore "/bin/xlock") #f #t #f)) +@end lisp + @end defvar @deftp {Data Type} screen-locker-configuration -Data type representing the configuration of -@code{screen-locker-service-type}. +Available @code{screen-locker-configuration} fields are: @table @asis @item @code{name} (type: string) Name of the screen locker. -@item @code{program} (type: gexp) +@item @code{program} (type: file-like) Path to the executable for the screen locker as a G-Expression. -@item @code{allow-empty-password?} (type: boolean) +@item @code{allow-empty-password?} (default: @code{#f}) (type: boolean) Whether to allow empty passwords. +@item @code{using-pam?} (default: @code{#t}) (type: boolean) +Whether to setup PAM entry. + +@item @code{using-setuid?} (default: @code{#t}) (type: boolean) +Whether to setup program as setuid binary. + @end table + @end deftp + @node Printing Services @subsection Printing Services diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 64eac1117d..639e99ff79 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm 
@@ -1839,10 +1839,14 @@ (define* (desktop-services-for-system #:optional ;; Screen lockers are a pretty useful thing and these are small. (service screen-locker-service-type (screen-locker-configuration - "slock" (file-append slock "/bin/slock") #f)) + (name "slock") + (program (file-append slock "/bin/slock")) + (allow-empty-password? #f))) (service screen-locker-service-type (screen-locker-configuration - "xlock" (file-append xlockmore "/bin/xlock") #f)) + (name "xlock") + (program (file-append xlock "/bin/xlock")) + (allow-empty-password? #f))) ;; Add udev rules for MTP devices so that non-root users can access ;; them. diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 8b6080fd26..b6c1636660 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -13,6 +13,7 @@ ;;; Copyright © 2021 Josselin Poiret ;;; Copyright © 2022 Chris Marusich ;;; Copyright © 2022 Maxim Cournoyer +;;; Copyright © 2023 muradm ;;; ;;; This file is part of GNU Guix. ;;; @@ -112,6 +113,8 @@ (define-module (gnu services xorg) screen-locker-configuration-name screen-locker-configuration-program screen-locker-configuration-allow-empty-password? + screen-locker-configuration-using-pam? + screen-locker-configuration-using-setuid? screen-locker-service-type screen-locker-service ; deprecated 
@@ -703,13 +706,22 @@ (define slim-service-type ;;; Screen lockers & co. ;;; -(define-record-type - (screen-locker-configuration name program allow-empty-password?) - screen-locker-configuration? - (name screen-locker-configuration-name) ;string - (program screen-locker-configuration-program) ;gexp +(define-configuration/no-serialization screen-locker-configuration + (name + string + "Name of the screen locker.") + (program + file-like + "Path to the executable for the screen locker as a G-Expression.") (allow-empty-password? - screen-locker-configuration-allow-empty-password?)) ;Boolean + (boolean #f) + "Whether to allow empty passwords.") + (using-pam? + (boolean #t) + "Whether to setup PAM entry.") + (using-setuid? + (boolean #t) + "Whether to setup program as setuid binary.")) (define-deprecated/public-alias screen-locker @@ -719,14 +731,21 @@ (define-deprecated/public-alias screen-locker? screen-locker-configuration?) -(define screen-locker-pam-services - (match-lambda - (($ name _ empty?) - (list (unix-pam-service name - #:allow-empty-passwords? empty?))))) +(define (screen-locker-pam-services config) + (match-record config + (name allow-empty-password? using-pam?) + (if using-pam? + (list (unix-pam-service name + #:allow-empty-passwords? + allow-empty-password?)) + '()))) -(define screen-locker-setuid-programs - (compose list file-like->setuid-program screen-locker-configuration-program)) +(define (screen-locker-setuid-programs config) + (match-record config + (name program using-setuid?) + (if using-setuid? + (list (file-like->setuid-program program)) + '()))) (define screen-locker-service-type (service-type (name 'screen-locker) 
@@ -740,6 +759,9 @@ (define screen-locker-service-type the graphical server by making it setuid-root, so it can authenticate users, and by creating a PAM service for it."))) +(define (screen-locker-generate-doc) + (configuration->documentation 'screen-locker-configuration)) + (define-deprecated (screen-locker-service package #:optional (program (package-name package)) @@ -755,9 +777,10 @@ (define-deprecated (screen-locker-service package makes the good ol' XlockMore usable." (service screen-locker-service-type - (screen-locker-configuration program - (file-append package "/bin/" program) - allow-empty-passwords?))) + (screen-locker-configuration + (name program) + (program (file-append package "/bin/" program)) + (allow-empty-password? allow-empty-passwords?)))) ;;;
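Review bot: the new paragraph in the first doc/guix.texi hunk ("While default behavior is to setup both setuid program and PAM entry, they are effectively mutually exclusive...") contradicts itself: it says the two mechanisms are mutually exclusive while the record's own defaults (`using-pam?` #t, `using-setuid?` #t) turn both on, which is also what slock and xlock have always run with. Reword it to what the change actually addresses, e.g. "Some lockers, such as swaylock when built with PAM support, refuse to run if they are also installed setuid; for those set @code{using-setuid?} to @code{#f}", and change "setup" to "set up" (verb) here and in the field descriptions.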
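Review bot: the swaylock example added in the second doc/guix.texi hunk cannot work as written: `(screen-locker-configuration "swaylock" (file-append xlockmore "/bin/xlock") #f #t #f)` uses the positional constructor of the old define-record-type, but this same patch switches the record to define-configuration, whose constructor takes `(field value)` forms (see the desktop.scm hunk, which does that conversion). It also points `program` at xlockmore's xlock binary while claiming to configure swaylock. It should read along the lines of `(name "swaylock")`, a `program` pointing at the swaylock package, and `(using-setuid? #f)`, leaving the other fields at their defaults. In the same hunk the table entry for `program` now says "(type: file-like)" but still describes it as "a G-Expression"; pick one.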
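Review bot: in the gnu/services/desktop.scm hunk the xlock entry changes `(file-append xlockmore "/bin/xlock")` to `(file-append xlock "/bin/xlock")`. The removed line bound the package as `xlockmore`, and nothing in the hunk introduces an `xlock` variable, so this will fail with an unbound variable when the module is loaded and break `%desktop-services` for every user. Keep `xlockmore` here; only the record syntax needed to change.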
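Review bot: in the define-configuration hunk of gnu/services/xorg.scm the `program` field gets the type `file-like` but its docstring still says "as a G-Expression"; the removed code commented the slot as `;gexp`, so this is a genuine narrowing, not just a doc mismatch: a configuration that previously passed an arbitrary gexp or a plain string for `program` will now be rejected by the field type check. Either document the narrowing (it is arguably the right thing, since `file-like->setuid-program` needs a file-like) or widen the type, and fix the docstring either way. Making `allow-empty-password?` default to `#f` is the safe default and worth a line in the commit message, since the old constructor required the value explicitly.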
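Review bot: the rewritten `screen-locker-pam-services` and `screen-locker-setuid-programs` each independently return `'()` when their flag is `#f`, so a configuration with both `(using-pam? #f)` and `(using-setuid? #f)` is accepted silently and yields a locker that is neither setuid nor has a PAM service, i.e. one that has no way to verify a password and whose behaviour on the lock screen then depends entirely on the program's fallback. Reject that combination, for instance by raising a configuration error in `screen-locker-pam-services` (or a field sanitizer) when both flags are `#f`. Minor: `screen-locker-setuid-programs` destructures `(name program using-setuid?)` but never uses `name`.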
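Review bot: the service-type description in the `@@ -740,6 +759,9 @@` hunk still reads "by making it setuid-root, so it can authenticate users, and by creating a PAM service for it", which no longer matches a service that may do either one; update it to say the locker is made setuid-root and/or given a PAM service as configured. `screen-locker-generate-doc` is defined right below it but neither exported nor called; if it is meant to regenerate the manual's field table (which this patch hand-edits), say so in a comment, otherwise drop it.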
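The patch discussion turns on which of two authentication wirings a locker ends up with: setuid-root binary, PAM service, both (which PAM-enabled swaylock refuses to start under), or neither (which can authenticate nobody). Below is an added audit script, written for this review and not part of the patch or of Guix, that reports that state for an installed locker. It assumes the PAM service file lives at `PAM_DIR/NAME` (on Guix System `unix-pam-service` writes `/etc/pam.d/<name>`, and setuid copies are installed under `/run/setuid-programs`); the fixture built by `demo_fixture` uses constructed placeholder files, not real packages.

```shell
#!/bin/sh
# Added example for this review (not code from the patch or from Guix):
# report how a screen locker is wired for authentication.
# Assumptions: PAM service files are PAM_DIR/NAME (default /etc/pam.d),
# and PROGRAM is the path users actually execute (on Guix System the
# setuid copy under /run/setuid-programs, not the store path).

# locker_auth_mode NAME PROGRAM [PAM_DIR]
# Prints exactly one of: setuid-only, pam-only, both, neither.
locker_auth_mode() {
  name=$1
  program=$2
  pam_dir=${3:-/etc/pam.d}
  mode=neither
  # `test -u` is POSIX: true when the file exists and has the setuid bit.
  if [ -u "$program" ] && [ -f "$pam_dir/$name" ]; then
    mode=both
  elif [ -u "$program" ]; then
    mode=setuid-only
  elif [ -f "$pam_dir/$name" ]; then
    mode=pam-only
  fi
  printf '%s\n' "$mode"
}

# locker_auth_ok NAME PROGRAM [PAM_DIR]
# Returns 0 when exactly one mechanism is configured, 1 otherwise,
# with a diagnostic on stderr naming the combination to fix.
locker_auth_ok() {
  mode=$(locker_auth_mode "$@")
  case $mode in
    setuid-only|pam-only)
      return 0 ;;
    both)
      echo "$1: setuid bit AND PAM entry; PAM-enabled lockers such as swaylock refuse to run like this" >&2
      return 1 ;;
    *)
      echo "$1: no setuid bit and no PAM entry; the locker cannot authenticate anyone" >&2
      return 1 ;;
  esac
}

# demo_fixture builds a constructed tree under a temp dir (placeholder
# names, not real packages) and prints "name=mode" pairs on one line, so
# the script runs offline without touching /etc/pam.d.
demo_fixture() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/pam.d" "$tmp/bin"
  for l in slock swaylock xlock broken; do
    : > "$tmp/bin/$l"
    chmod 755 "$tmp/bin/$l"
  done
  chmod u+s "$tmp/bin/slock"      # setuid, no PAM: classic slock wiring
  chmod u+s "$tmp/bin/swaylock"   # setuid AND PAM: what swaylock rejects
  : > "$tmp/pam.d/swaylock"
  : > "$tmp/pam.d/xlock"          # PAM only: the using-setuid? #f case
                                  # "broken" gets neither: both flags #f
  out=
  for l in slock swaylock xlock broken; do
    out="$out${out:+ }$l=$(locker_auth_mode "$l" "$tmp/bin/$l" "$tmp/pam.d")"
  done
  rm -rf "$tmp"
  printf '%s\n' "$out"
}

demo_fixture
```

Running the file prints `slock=setuid-only swaylock=both xlock=pam-only broken=neither`; on a real system, source it and call `locker_auth_ok swaylock /run/setuid-programs/swaylock` (or the path the locker is actually started from) after `guix system reconfigure` to confirm the configuration produced the wiring you intended.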