diff mbox series

[bug#53468,RFC] gnu: linux-pam: Change path to unix_chkpwd helper.

Message ID 87tudu38yz.fsf@trop.in
State Accepted
Headers show
Series [bug#53468,RFC] gnu: linux-pam: Change path to unix_chkpwd helper. | expand

Checks

Context Check Description
cbaines/comparison success View comparision
cbaines/git branch success View Git branch
cbaines/applying patch success View Laminar job
cbaines/issue success View issue

Commit Message

Andrew Tropin Jan. 13, 2022, 6:41 p.m. UTC 
* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
binaries.
---
The quote from unix_chkpwd.c:
> * This program is designed to run setuid(root) or with sufficient
> * privilege to read all of the unix password databases. It is designed
> * to provide a mechanism for the current user (defined by this
> * process's uid) to verify their own password.

Without suid bit it will fail in various use cases: for example utilities like
xlock or swaylock compiled with pam support won't be able to unlock the
screen.  To fix it I added unix_chkpwd binary to list of Guix System's setuid
programs and added a patch, which hardcodes /run/setuid-programs/unix_chkpwd
path in pam_unix module source code of linux-pam package.  However, I'm not
sure if it's a proper solution, please share your thoughts and conserns.

 gnu/packages/linux.scm                        |  3 +-
 .../patches/change-path-to-unix_chkpwd.patch  | 54 +++++++++++++++++++
 gnu/system/pam.scm                            |  8 ++-
 3 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch

Comments

Tomas Volf March 3, 2023, 11:33 p.m. UTC | #1 
Hello,

I would like to ask when this could be available on master? It seems it was
added into core-updates more then a year ago. As far as I understand this is the
only blocker preventing me from using xscreensaver. Last update under the bug
is:

> It’s not scheduled, but it’s likely several months from now…

So I would like to ask if there is any update on this. No pressure, just asking.

Thanks and have a nice day,

W.
Leo Famulari March 7, 2023, 5:57 p.m. UTC | #2 
On Sat, Mar 04, 2023 at 12:33:56AM +0100, wolf wrote:
> So I would like to ask if there is any update on this. No pressure, just asking.

The core-updates branch is now actively being prepared for the merge
into master. It's probably still at least one month away, if not several
months. Unfortunately we can't predict the timeframe.
diff mbox series

Patch

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 7b12cb8ec1..ee0df3c625 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1590,7 +1590,8 @@  (define-public linux-pam
        (sha256
         (base32
          "1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
-       (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+       (patches (search-patches "change-path-to-unix_chkpwd.patch"
+                                "linux-pam-no-setfsuid.patch"))))
 
     (build-system gnu-build-system)
     (native-inputs
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..90a8b639f6
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
@@ -0,0 +1,54 @@ 
+From f314ab148b488e23a2e48e7222964e46d0d03447 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin <andrew@trop.in>
+Date: Wed, 12 Jan 2022 17:17:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+---
+ modules/pam_unix/pam_unix_acct.c | 4 ++--
+ modules/pam_unix/support.c       | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0..2fdec6c7 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -122,12 +122,12 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+     }
+ 
+     /* exec binary helper */
+-    args[0] = CHKPWD_HELPER;
++    args[0] = "/run/setuid-programs/unix_chkpwd";
+     args[1] = user;
+     args[2] = "chkexpiry";
+ 
+     DIAG_PUSH_IGNORE_CAST_QUAL;
+-    execve(CHKPWD_HELPER, (char *const *) args, envp);
++    execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+     DIAG_POP_IGNORE_CAST_QUAL;
+ 
+     pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 27ca7127..d02f394e 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -523,7 +523,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ 	}
+ 
+ 	/* exec binary helper */
+-	args[0] = CHKPWD_HELPER;
++	args[0] = "/run/setuid-programs/unix_chkpwd";
+ 	args[1] = user;
+ 	if (off(UNIX__NONULL, ctrl)) {	/* this means we've succeeded */
+ 	  args[2]="nullok";
+@@ -532,7 +532,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ 	}
+ 
+ 	DIAG_PUSH_IGNORE_CAST_QUAL;
+-	execve(CHKPWD_HELPER, (char *const *) args, envp);
++	execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+ 	DIAG_POP_IGNORE_CAST_QUAL;
+ 
+ 	/* should not get here: exit with error */
+-- 
+2.34.0
+
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..48cd2ebf2c 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -375,8 +375,12 @@  (define (extend-configuration initial extensions)
 
 (define pam-root-service-type
   (service-type (name 'pam)
-                (extensions (list (service-extension etc-service-type
-                                                     /etc-entry)))
+                (extensions
+                 (list (service-extension etc-service-type /etc-entry)
+                       (service-extension
+                        setuid-program-service-type
+                        (list (file-like->setuid-program
+                               (file-append linux-pam "/sbin/unix_chkpwd"))))))
 
                 ;; Arguments include <pam-service> as well as procedures.
                 (compose concatenate)