From patchwork Sat Nov 13 20:11:58 2021
X-Patchwork-Submitter: Nicolas Graves
X-Patchwork-Id: 34452
Subject: [bug#51785] pam-gnupg
References: <87czn53ijd.fsf@ngraves.fr>
In-Reply-To: <87czn53ijd.fsf@ngraves.fr>
To: 51785@debbugs.gnu.org
Cc: Josselin Poiret, Tobias Geerinckx-Rice
Date: Sat, 13 Nov 2021 21:11:58 +0100
Message-ID: <87tugfdax1.fsf@ngraves.fr>
From: Nicolas Graves

Thanks for your answers Josselin and Tobias,

(For the record, I just pinned all the commits from other channels in my channels.scm and pulled guix with `guix pull --allow-downgrades --disable-authentication`.)

I finally managed to get the pam module to work, but it eventually raised more questions than expected. Basically, now the module starts well, but my shepherd service gpg-agent doesn't (I guess because pam starts it, and shepherd can't take over). It's fine for the purpose I was installing pam-gnupg for (having direct access to password-store passwords after login), but it hinders the rest of the related activities (e.g. signing commits).

Above this question, I was wondering about the order of pam-module startup. A look at the manual pages and the examples for modules shows a clear hierarchy for at least a few modules (pam_unix > pam_loginuid > pam_elogind > pam_gnupg, for instance), which is not respected in guix's implementation (pam_elogind > pam_loginuid > pam_gnupg > pam_unix). Although it seems to work, is it normal / purposeful / without consequences? If not, as a solution, maybe implementing a hierarchy might help. For instance, something like:

1) Base modules (pam_unix, pam_env, pam_loginuid)
2) Modules added elsewhere with pam-root-service (pam_elogind, graphical login manager modules)
3) Other modules (pam_gnupg, pam_motd...)

The last question I have is about the configuration of pam_gnupg. On the official repo (https://github.com/cruegge/pam-gnupg), it seems that there is a recommended configuration (e.g. setting the priority as optional), which is once again not respected in the actual configuration. I did add the few lines to address this (but is there a reason why that is not the case?).

I'm willing to help make these changes if useful and on the right track, but I don't have much experience with Guile.

Cheers,
Nicolas

From 9bb9620620d4e132d0d422bda7a57d2c0dfee28c Mon Sep 17 00:00:00 2001
From: Nicolas Graves Date: Sat, 13 Nov 2021 21:48:16 +0100 Subject: [PATCH 3/3] Moving parts of pam configuration for better compliance. --- gnu/system/pam.scm | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index d6d02e59f5..0f0b09e347 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -244,19 +244,19 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")) (module "pam_unix.so") ;; Store SHA-512 encrypted passwords in /etc/shadow. (arguments '("sha512" "shadow"))))) - (session `(,@(if motd + (session `(,env ,unix + ,@(if login-uid? + (list (pam-entry ;to fill in /proc/self/loginuid + (control "required") + (module "pam_loginuid.so"))) + '()) + ,@(if motd (list (pam-entry (control "optional") (module "pam_motd.so") (arguments (list #~(string-append "motd=" #$motd))))) '()) - ,@(if login-uid? - (list (pam-entry ;to fill in /proc/self/loginuid - (control "required") - (module "pam_loginuid.so"))) - '()) - ,env ,unix ,@(if gnupg? (list (pam-entry (control "optional") -- 2.33.1
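Review bot: the commit message ("Moving parts of pam configuration for better compliance.") does not say what the new order complies with; the hunk moves `,env ,unix` from the end of the session list to its head and puts the `pam_loginuid.so` entry ahead of the `pam_motd.so` one, so it should state the target ordering (the pam_unix > pam_loginuid ordering from the manual pages cited in the cover mail) in ChangeLog style, naming gnu/system/pam.scm and the affected variable, so a reviewer can judge that running `pam_unix.so` before the `required` `pam_loginuid.so` session entry is intentional. Note also that this hunk only reorders the session stack of this one service list: the auth stack is untouched, and `pam_elogind.so` is added elsewhere via pam-root-service as the mail itself notes, so the commit message should not claim the full pam_unix > pam_loginuid > pam_elogind > pam_gnupg hierarchy is achieved by this change alone.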
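The ordering question in the mail above (pam_unix before pam_loginuid before pam_elogind before pam_gnupg, and pam_gnupg with `optional` control) can be checked mechanically against a generated `/etc/pam.d` file. The following is an added example written for this page, not code from the thread, from Guix or from pam-gnupg: it parses PAM configuration lines, reports module pairs whose relative order in the `session` stack contradicts the hierarchy Nicolas describes, and flags any `pam_gnupg.so` entry whose control is not `optional`. The expected order is taken from the mail; the two sample stacks are constructed to mirror the "current" and "proposed" orderings it gives and are not real Guix output.

```python
"""Lint a PAM stack for module ordering and control-flag expectations.

Added example for the pam-gnupg ordering discussion; the expected hierarchy
below is the one stated in the mail, not an authoritative PAM rule set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PamLine:
    stack: str      # auth / account / password / session
    control: str    # required / optional / [success=1 default=ignore] ...
    module: str     # basename only, so /gnu/store/.../pam_gnupg.so == pam_gnupg.so
    args: tuple


def parse_pam_config(text: str) -> list:
    """Parse pam.d-style lines, tolerating comments, '-' prefixed stacks and
    bracketed control fields that contain spaces."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@"):      # blank or @include: skipped here
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        stack = parts[0].lstrip("-")
        if parts[1].startswith("["):
            end = next((i for i, p in enumerate(parts) if p.endswith("]")), None)
            if end is None:
                raise ValueError(f"unterminated control field: {raw!r}")
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        if not rest:
            raise ValueError(f"missing module in PAM line: {raw!r}")
        module, *args = rest
        entries.append(PamLine(stack, control, module.rsplit("/", 1)[-1], tuple(args)))
    return entries


# Hierarchy as described in the mail (earlier must precede later).
EXPECTED_ORDER = ("pam_unix.so", "pam_loginuid.so", "pam_elogind.so", "pam_gnupg.so")


def ordering_violations(entries, stack="session", expected=EXPECTED_ORDER):
    """Return (should_be_first, but_came_after) pairs for modules of `expected`
    that appear in `stack` in the wrong relative order. Only the first
    occurrence of each module is considered."""
    first_pos = {}
    for idx, e in enumerate(entries):
        if e.stack == stack and e.module in expected and e.module not in first_pos:
            first_pos[e.module] = idx
    rank = {m: i for i, m in enumerate(expected)}
    in_config_order = sorted(first_pos, key=first_pos.get)
    violations = []
    for i, earlier in enumerate(in_config_order):
        for later in in_config_order[i + 1:]:
            if rank[earlier] > rank[later]:
                violations.append((later, earlier))
    return violations


def control_violations(entries, module="pam_gnupg.so", expected_control="optional"):
    """Return (stack, control) for entries of `module` not using the expected control."""
    return [(e.stack, e.control) for e in entries
            if e.module == module and e.control != expected_control]


# Constructed sample: the ordering the mail reports as generated today.
CURRENT_STACK = """\
# constructed sample, not real Guix output
session  required  pam_elogind.so
session  required  pam_loginuid.so
session  required  /gnu/store/example-pam-gnupg/lib/security/pam_gnupg.so
session  required  pam_unix.so sha512 shadow
"""

# Constructed sample following the hierarchy from the manual pages.
PROPOSED_STACK = """\
session  required  pam_unix.so sha512 shadow
session  required  pam_loginuid.so
session  required  pam_elogind.so
session  optional  /gnu/store/example-pam-gnupg/lib/security/pam_gnupg.so
"""


def lint(text: str) -> dict:
    entries = parse_pam_config(text)
    return {"order": ordering_violations(entries), "control": control_violations(entries)}


if __name__ == "__main__":
    for name, text in (("current", CURRENT_STACK), ("proposed", PROPOSED_STACK)):
        print(name, lint(text))
```

Running the block reports four mis-ordered pairs and a non-optional `pam_gnupg.so` control for the constructed "current" stack, and nothing for the "proposed" one; point `lint` at a real `/etc/pam.d/<service>` file to check what a system actually generated.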