From patchwork Thu May 1 13:42:36 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Felix Lechner X-Patchwork-Id: 42212 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id D352827BC49; Thu, 1 May 2025 14:44:24 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id AD71B27BC4A for ; Thu, 1 May 2025 14:44:22 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1uAUD1-0007Q0-Qt; Thu, 01 May 2025 09:44:16 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1uAUCp-0007KM-Q2 for guix-patches@gnu.org; Thu, 01 May 2025 09:44:04 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1uAUCp-0002DA-2G; Thu, 01 May 2025 09:44:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=n18ziyKLmau3VOeoR1nnaB+UBbKcX91Hv5RGl2U9hAQ=; b=bhuck1LZgpMJSo12z+E4sSJNG4P9HRQ1pHYQtoomgvOKB2QwzYK1IjweyiLapsVCYPflMK5P8PL+8Qp9tlvEyHMqszjkLVTTODsMQxBlwu6SS/3lRraGFxKkMmO9DIJvt58ElcvfT72xZPqMjp8CguyZ+88jCpN0bprssu92pJu0gqgWiHW2tmivyUvY/H5Be2ugy/ZYt93RNuMjPHhhOzkoY14MLAevLy1oMVe/Ofu2mB0kcDGYzH6/Kg65WB7c6TJIorKMMbnE6v8AwOYeb2vtpbYsJ8UzMrYpf/dvvFH6iNjpGd6GON8izGiQo6y3ltbvwrCrzJu7MD0BaqFCXg==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1uAUCo-0001Lg-2P; Thu, 01 May 2025 09:44:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#72316] [PATCH v2 2/3] Add a guile-pam-module service. Resent-From: Felix Lechner Original-Sender: "Debbugs-submit" Resent-CC: gabriel@erlikon.ch, ludo@gnu.org, maxim.cournoyer@gmail.com, guix-patches@gnu.org Resent-Date: Thu, 01 May 2025 13:44:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 72316 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 72316@debbugs.gnu.org Cc: Maxim Cournoyer , Ludovic =?utf-8?q?Court?= =?utf-8?q?=C3=A8s?= , Z572 , Florian Pelz , Felix Lechner , Matthew Trzcinski , Gabriel Wicki , Ludovic =?utf-8?q?Court=C3=A8s?= , Maxim Cournoyer X-Debbugs-Original-Xcc: Gabriel Wicki , Ludovic =?utf-8?q?Court=C3=A8s?= , Maxim Cournoyer Received: via spool by 72316-submit@debbugs.gnu.org id=B72316.17461069865064 (code B ref 72316); Thu, 01 May 2025 13:44:02 +0000 Received: (at 72316) by debbugs.gnu.org; 1 May 2025 13:43:06 +0000 Received: from localhost ([127.0.0.1]:49851 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1uAUBt-0001JW-Nh for submit@debbugs.gnu.org; Thu, 01 May 2025 09:43:06 -0400 Received: from sail-ipv4.us-core.com ([208.82.101.137]:33450) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1uAUBq-0001I8-8h for 72316@debbugs.gnu.org; Thu, 01 May 2025 09:43:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=2017; bh=CSG8A4aL5+qEagR 8kBnXJg9L659smKP4AlYG2eoUdAo=; h=references:in-reply-to:date:subject: cc:to:from; d=lease-up.com; b=AkzpUp5F1SZNdzJmLU34QDGJ9vWmpsV5KMFh9CkB cPurd0jCzO71TNkQyMcSVYiueo4f4mc5NQW9RkjwMQj99NGdikhFHWCflaZre2/LttEx7x qtG5tJayA6o7CZtgYmHGwm3AjDv/uKpSaswTpWRR+ynQA/0YujsejgMfrIdOA= Received: by sail-ipv4.us-core.com (OpenSMTPD) with ESMTPSA id b103aa7b (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Thu, 1 May 2025 13:43:01 +0000 (UTC) Received: from localhost (localhost [local]) by localhost (OpenSMTPD) with ESMTPA id eb4d078c; Thu, 1 May 2025 13:43:00 +0000 (UTC) Date: Thu, 1 May 2025 06:42:36 -0700 Message-ID: X-Mailer: git-send-email 2.49.0 In-Reply-To: <878qnj80pt.fsf@iscas.ac.cn> References: <878qnj80pt.fsf@iscas.ac.cn> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Felix Lechner X-ACL-Warn: , Felix Lechner via Guix-patches X-Patchwork-Original-From: Felix Lechner via Guix-patches via From: Felix Lechner Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches Change-Id: I1da0fe25f542cf9d8c22d26a7434f952585119e6 --- doc/guix.texi | 89 ++++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/pam.scm | 105 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 195 insertions(+) create mode 100644 gnu/services/pam.scm diff --git a/doc/guix.texi b/doc/guix.texi index 90d90b2e1eb..11480cb0ae5 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -412,6 +412,7 @@ Top * Telephony Services:: Telephony services. * File-Sharing Services:: File-sharing services. * Monitoring Services:: Monitoring services. +* Guile-PAM Services:: Guile-PAM services. * Kerberos Services:: Kerberos services. * LDAP Services:: LDAP services. * Web Services:: Web servers. @@ -19437,6 +19438,7 @@ Services * Telephony Services:: Telephony services. * File-Sharing Services:: File-sharing services. * Monitoring Services:: Monitoring services. +* Guile-PAM Services:: Guile-PAM services. * Kerberos Services:: Kerberos services. * LDAP Services:: LDAP services. * Web Services:: Web servers. @@ -33149,6 +33151,93 @@ Monitoring Services @end deftp +@c %end of fragment + +@node Guile-PAM Services +@subsection Guile-PAM Services +@cindex Guile-PAM + +The @code{(gnu services pam)} module provides services related to the +authentication mechanism @dfn{Guile-PAM}. + +Guile-PAM is a reimplementation in GNU Guile of the venerable Linux-PAM +authentication system. For details, please have a look at the Texinfo +manual in the @code{guile-pam} package. + +@defvar guile-pam-module-service-type +A service type for Guile-PAM modules. +@end defvar + +@noindent +Here is an example of its use: +@lisp +(define welcome-pamda-file + (scheme-file + "welcome-pamda-file" + #~(begin + (use-modules (ice-9 format)) + + (lambda (action handle flags options) + (case action + ;; authentication management + ((pam_sm_authenticate) + (format #t "In a working module, we would now identify you.~%")) + ((pam_sm_setcred) + (format #t "In a working module, we would now help you manage additional credentials.~%")) + ;; account management + ((pam_sm_acct_mgmt) + (format #t "In a working module, we would now confirm your access rights.~%")) + ;; password management + ((pam_sm_chauthtok) + (format #t "In a working module, we would now change your password.~%")) + ;; session management + ((pam_sm_open_session) + (format #t "In a working module, we would now open a session for you.~%")) + ((pam_sm_close_session) + (format #t "In a working module, we would now close your session.~%")) + (else + (format #t "In a working module, we would not know what to do about action '~s'.~%" + action))) + 'PAM_SUCCESS)))) + +(service guile-pam-module-service-type + (guile-pam-module-configuration + (rules "optional") + (module welcome-pamda-file) + (services '("login" + "greetd" + "su" + "slim" + "gdm-password" + "sddm")))) +@end lisp + +@c %start of fragment + +@deftp {Data Type} guile-pam-module-configuration +Available @code{guile-pam-module-configuration} fields are: + +@table @asis +@item @code{rules} (type: maybe-string) +Determines how the module's return value is evaluated. + +@item @code{module} (type: maybe-file-like) +A Guile-PAM pamda file or a classical PAM module. + +@item @code{services} (type: maybe-list-of-strings) +List of PAM service names for which to install the module. + +@item @code{guile-inputs} (type: maybe-list-of-packages) +Guile inputs available in the PAM module + +@item @code{foreign-library-path} (type: maybe-list-of-packages) +Search path for shared objects and libraries. + +@end table + +@end deftp + + @c %end of fragment @node Kerberos Services diff --git a/gnu/local.mk b/gnu/local.mk index f6f95bbf10b..3d3da58d659 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -764,6 +764,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/networking.scm \ %D%/services/nix.scm \ %D%/services/nfs.scm \ + %D%/services/pam.scm \ %D%/services/pam-mount.scm \ %D%/services/power.scm \ %D%/services/science.scm \ diff --git a/gnu/services/pam.scm b/gnu/services/pam.scm new file mode 100644 index 00000000000..a242067e380 --- /dev/null +++ b/gnu/services/pam.scm @@ -0,0 +1,105 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Felix Lechner +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services pam) + #:use-module (gnu packages guile) + #:use-module (gnu packages guile-xyz) + #:use-module (gnu packages linux) + #:use-module (gnu packages mes) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (gnu system pam) + #:use-module (guix gexp) + #:use-module (guix packages) + #:use-module (guix records) + #:use-module (guix utils) + #:use-module (srfi srfi-1) + #:export (guile-pam-module-configuration)) + +(define-maybe string) +(define-maybe list-of-strings) +(define-maybe file-like) + +(define-maybe string-or-file-like) +(define (string-or-file-like? val) + (or (string? val) (file-like? val))) + +(define-maybe list-of-packages) +(define (list-of-packages? val) + (and (list? val) (map package? val))) + +(define-configuration/no-serialization guile-pam-module-configuration + (rules + maybe-string + "Determines how the module's return value is evaluated.") + (module + maybe-file-like + "A Guile-PAM pamda file or a classical PAM module.") + (services + maybe-list-of-strings + "List of PAM service names for which to install the module.") + (guile-inputs + maybe-list-of-packages + "Guile inputs available in the PAM module") + (foreign-library-path + maybe-list-of-packages + "Search path for shared objects and libraries.") ) + +(define (guile-pam-module-service config) + "Return a list of for guile-pam-module for CONFIG." + (match-record + config (foreign-library-path + guile-inputs + module + rules + services) + (list + (pam-extension + (transformer + (lambda (pam) + (if (member (pam-service-name pam) services) + (let* ((new-entry + (pam-entry + (control rules) + (module module) + (guile-inputs (if (eq? %unset-value guile-inputs) + '() + guile-inputs)) + (foreign-library-path (if (eq? %unset-value foreign-library-path) + '() + foreign-library-path))))) + (pam-service + (inherit pam) + (auth (append (pam-service-auth pam) + (list new-entry))) + (account (append (pam-service-account pam) + (list new-entry))) + (session (append (pam-service-session pam) + (list new-entry))) + (password (append (pam-service-password pam) + (list new-entry))))) + pam))))))) + +(define-public guile-pam-module-service-type + (service-type + (name 'guile-pam-module) + (extensions (list (service-extension pam-root-service-type + guile-pam-module-service))) + (compose concatenate) + (default-value (guile-pam-module-configuration)) + (description "Load Guile code as part of Linux-PAM.")))