[bug#63383,v2,3/4] Refer to the built-in Linux-PAM modules by their absolute paths.

Message ID	f3be0c6f9f71c103772fe6f24d83fbf1f7593283.1683917556.git.felix.lechner@lease-up.com
State	New
Headers	show Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> Subject: [bug#63383] [PATCH v2 3/4] Refer to the built-in Linux-PAM modules by their absolute paths. Resent-From: Felix Lechner <felix.lechner@lease-up.com> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 12 May 2023 18:53:04 +0000 Resent-Message-ID: <handler.63383.B63383.168391758313808@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org To: 63383@debbugs.gnu.org Cc: Felix Lechner <felix.lechner@lease-up.com> Date: Fri, 12 May 2023 11:52:49 -0700 Message-Id: <f3be0c6f9f71c103772fe6f24d83fbf1f7593283.1683917556.git.felix.lechner@lease-up.com> In-Reply-To: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com> References: <1d5c51bdf283c808ff65a3cedbdd1078fb45a05b.1683917556.git.felix.lechner@lease-up.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Reply-to: Felix Lechner <felix.lechner@lease-up.com> From: Felix Lechner via Guix-patches via <guix-patches@gnu.org> Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches
Series	[bug#63383,v2,1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files. \| expand [bug#63383,v2,1/4] In PAM test, confirm ulimits actually imposed instead of comparing config files. [bug#63383,v2,2/4] Drop limits.conf from /etc/security; use directly in pam-limits-service-type. [bug#63383,v2,3/4] Refer to the built-in Linux-PAM modules by their absolute paths. [bug#63383,v2,4/4] Use more file-append.

diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 4bef781977..5d0542b39d 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -58,8 +58,8 @@ (define-module (gnu services base) #:use-module (gnu packages admin) #:use-module ((gnu packages linux) #:select (alsa-utils btrfs-progs crda eudev - e2fsprogs f2fs-tools fuse gpm kbd lvm2 rng-tools - util-linux xfsprogs)) + e2fsprogs f2fs-tools fuse gpm kbd linux-pam lvm2 + rng-tools util-linux xfsprogs)) #:use-module (gnu packages bash) #:use-module ((gnu packages base) #:select (coreutils glibc glibc-utf8-locales tar @@ -1609,7 +1609,7 @@ (define pam-limits-service-type (lambda (pam) (let ((pam-limits (pam-entry (control "required") - (module "pam_limits.so") + (module (file-append linux-pam "/lib/security/pam_limits.so")) (arguments (list #~(string-append "conf=" #$limits-file)))))) (if (member (pam-service-name pam) diff --git a/gnu/services/lightdm.scm b/gnu/services/lightdm.scm index b966f402d6..9927e8769b 100644 --- a/gnu/services/lightdm.scm +++ b/gnu/services/lightdm.scm @@ -24,6 +24,7 @@ (define-module (gnu services lightdm) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnome) + #:use-module (gnu packages linux) #:use-module (gnu packages vnc) #:use-module (gnu packages xorg) #:use-module (gnu services configuration) @@ -546,34 +547,61 @@ (define (lightdm-greeter-pam-service) (name "lightdm-greeter") (auth (list ;; Load environment from /etc/environment and ~/.pam_environment. - (pam-entry (control "required") (module "pam_env.so")) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_env.so"))) ;; Always let the greeter start without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; No action required for account management - (account (list (pam-entry (control "required") (module "pam_permit.so")))) + (account (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (lightdm-autologin-pam-service) "Return a PAM service for @command{lightdm-autologin}}." (pam-service (name "lightdm-autologin") - (auth - (list - ;; Block login if user is globally disabled. - (pam-entry (control "required") (module "pam_nologin.so")) - (pam-entry (control "required") (module "pam_succeed_if.so") - (arguments (list "uid >= 1000"))) - ;; Allow access without authentication. - (pam-entry (control "required") (module "pam_permit.so")))) + (auth (list + ;; Block login if user is globally disabled. + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) + (arguments (list "uid >= 1000"))) + ;; Allow access without authentication. + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) ;; Stop autologin if account requires action. - (account (list (pam-entry (control "required") (module "pam_unix.so")))) + (account (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) ;; Prohibit changing password. - (password (list (pam-entry (control "required") (module "pam_deny.so")))) + (password (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) ;; Setup session. - (session (list (pam-entry (control "required") (module "pam_unix.so")))))) + (session (list + (pam-entry + (control "required") + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (lightdm-pam-services config) (list (lightdm-pam-service config) diff --git a/gnu/services/sddm.scm b/gnu/services/sddm.scm index c9a7ba96f4..9cd4d23bdb 100644 --- a/gnu/services/sddm.scm +++ b/gnu/services/sddm.scm @@ -23,6 +23,7 @@ (define-module (gnu services sddm) #:use-module (gnu packages admin) #:use-module (gnu packages display-managers) #:use-module (gnu packages freedesktop) + #:use-module (gnu packages linux) #:use-module (gnu packages xorg) #:use-module (gnu services) #:use-module (gnu services shepherd) @@ -185,32 +186,32 @@ (define (sddm-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) (pam-entry (control "required") - (module "pam_env.so")) + (module (file-append linux-pam "/lib/security/pam_env.so"))) (pam-entry (control "required") - (module "pam_succeed_if.so") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) "quiet"))) ;; should be factored out into system-auth (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (account (list ;; should be factored out into system-account (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (password (list ;; should be factored out into system-password (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) (arguments (list "sha512" "shadow" "try_first_pass"))))) (session (list @@ -218,7 +219,7 @@ (module "pam_unix.so") ;; should be factored out into system-session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (sddm-greeter-pam-service) "Return a PAM service for @command{sddm-greeter}." @@ -229,29 +230,29 @@ (define (sddm-greeter-pam-service) ;; Load environment from /etc/environment and ~/.pam_environment (pam-entry (control "required") - (module "pam_env.so")) + (module (file-append linux-pam "/lib/security/pam_env.so"))) ;; Always let the greeter start without authentication (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (account (list ;; No action required for account management (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (password (list ;; Can't change password (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (session (list ;; Setup session (pam-entry (control "required") - (module "pam_unix.so")))))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))))) (define (sddm-autologin-pam-service config) "Return a PAM service for @command{sddm-autologin}" @@ -261,16 +262,16 @@ (define (sddm-autologin-pam-service config) (list (pam-entry (control "requisite") - (module "pam_nologin.so")) + (module (file-append linux-pam "/lib/security/pam_nologin.so"))) (pam-entry (control "required") - (module "pam_succeed_if.so") + (module (file-append linux-pam "/lib/security/pam_succeed_if.so")) (arguments (list (string-append "uid >= " (number->string (sddm-configuration-minimum-uid config))) "quiet"))) (pam-entry (control "required") - (module "pam_permit.so")))) + (module (file-append linux-pam "/lib/security/pam_permit.so"))))) (account (list (pam-entry @@ -280,7 +281,7 @@ (module "sddm")))) (list (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (session (list (pam-entry diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 8b6080fd26..97fbde3511 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -50,6 +50,7 @@ (define-module (gnu services xorg) #:use-module (gnu packages freedesktop) #:use-module (gnu packages gnustep) #:use-module (gnu packages gnome) + #:use-module (gnu packages linux) #:use-module (gnu packages admin) #:use-module (gnu packages bash) #:use-module (gnu system shadow) @@ -1101,12 +1102,12 @@ (module (file-append (gdm-configuration-gdm config) "/lib/security/pam_gdm.so"))) (pam-entry (control "sufficient") - (module "pam_permit.so"))))) + (module (file-append linux-pam "/lib/security/pam_permit.so")))))) (pam-service (inherit (unix-pam-service "gdm-launch-environment")) (auth (list (pam-entry (control "required") - (module "pam_permit.so"))))) + (module (file-append linux-pam "/lib/security/pam_permit.so")))))) (unix-pam-service "gdm-password" #:login-uid? #t #:allow-empty-passwords? diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index adc40c975f..e3711e2b1e 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -202,7 +202,7 @@ (define %pam-other-services ;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.) (let ((deny (pam-entry (control "required") - (module "pam_deny.so")))) + (module (file-append linux-pam "/lib/security/pam_deny.so"))))) (pam-service (name "other") (account (list deny)) @@ -213,10 +213,10 @@ (module "pam_deny.so")))) (define unix-pam-service (let ((unix (pam-entry (control "required") - (module "pam_unix.so"))) + (module (file-append linux-pam "/lib/security/pam_unix.so")))) (env (pam-entry ; to honor /etc/environment. (control "required") - (module "pam_env.so")))) + (module (file-append linux-pam "/lib/security/pam_env.so"))))) (lambda* (name #:key allow-empty-passwords? allow-root? motd login-uid? gnupg?) "Return a standard Unix-style PAM service for NAME. When @@ -234,12 +234,12 @@ (module "pam_env.so")))) (auth (append (if allow-root? (list (pam-entry (control "sufficient") - (module "pam_rootok.so"))) + (module (file-append linux-pam "/lib/security/pam_rootok.so")))) '()) (list (if allow-empty-passwords? (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) (arguments '("nullok"))) unix)) (if gnupg? @@ -249,20 +249,20 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) '()))) (password (list (pam-entry (control "required") - (module "pam_unix.so") + (module (file-append linux-pam "/lib/security/pam_unix.so")) ;; Store SHA-512 encrypted passwords in /etc/shadow. (arguments '("sha512" "shadow"))))) (session `(,@(if motd (list (pam-entry (control "optional") - (module "pam_motd.so") + (module (file-append linux-pam "/lib/security/pam_motd.so")) (arguments (list #~(string-append "motd=" #$motd))))) '()) ,@(if login-uid? (list (pam-entry ;to fill in /proc/self/loginuid (control "required") - (module "pam_loginuid.so"))) + (module (file-append linux-pam "/lib/security/pam_loginuid.so")))) '()) ,@(if gnupg? (list (pam-entry @@ -276,13 +276,13 @@ (define (rootok-pam-service command) authenticate to run COMMAND." (let ((unix (pam-entry (control "required") - (module "pam_unix.so")))) + (module (file-append linux-pam "/lib/security/pam_unix.so"))))) (pam-service (name command) (account (list unix)) (auth (list (pam-entry (control "sufficient") - (module "pam_rootok.so")))) + (module (file-append linux-pam "/lib/security/pam_rootok.so"))))) (password (list unix)) (session (list unix)))))

[bug#63383,v2,3/4] Refer to the built-in Linux-PAM modules by their absolute paths.

Commit Message

Patch