From patchwork Tue Mar 21 21:06:22 2023
X-Patchwork-Submitter: Brian Cully
X-Patchwork-Id: 48550
Subject: [bug#62357] [PATCH] services: base: add pam-mount-volume support for greetd
From: Brian Cully
To: 62357@debbugs.gnu.org
Cc: Brian Cully, ludo@gnu.org
Date: Tue, 21 Mar 2023 17:06:22 -0400
Message-Id: <3dc92c40bf6940f2453d1912af08c47771dfa42b.1679432782.git.bjc@spork.org>
X-Mailer: git-send-email 2.39.2

This patch lets users create mounts automatically on login with the
greetd service by adding `pam-mount-volume' records via the
`extra-pam-mount-volumes' field of `greetd-configuration'.

The existing rules for XDG_RUNTIME_DIR have been migrated to
`%base-pam-mount-volumes' and are installed by default.

* gnu/services/base.scm (): new record
(pam-mount-volume->sxml): new procedure
(%base-pam-mount-volumes): new variable
(greetd-pam-mount-rules): new function
(%greetd-pam-mount-rules): removed variable
(): new field `extra-pam-mount-volumes'
---
 gnu/services/base.scm | 114 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 107 insertions(+), 7 deletions(-)

base-commit: 306bd7b8b952b1e721fd36a9d69b3373862e8087

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 2c984a0747..4da2090141 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -248,6 +248,27 @@ (define-module (gnu services base) pam-limits-service-type pam-limits-service + pam-mount-volume + pam-mount-volume-user + pam-mount-volume-uid + pam-mount-volume-pgrp + pam-mount-volume-gid + pam-mount-volume-sgrp + pam-mount-volume-fstype + pam-mount-volume-noroot + pam-mount-volume-server + pam-mount-volume-path + pam-mount-volume-path + pam-mount-volume-mountpoint + pam-mount-volume-header + pam-mount-volume-options + pam-mount-volume-ssh + pam-mount-volume-cipher + pam-mount-volume-fskeycipher + pam-mount-volume-fskeyhash + pam-mount-volume-fskeypath + %base-pam-mount-volumes + greetd-service-type greetd-configuration greetd-terminal-configuration 
@@ -3170,6 +3191,82 @@ (define (make-greetd-terminal-configuration-file config) "user = " default-session-user "\n" "command = " default-session-command "\n"))) +(define-record-type* + pam-mount-volume make-pam-mount-volume + pam-mount-volume? + (user pam-mount-volume-user (default #f)) ; string + (uid pam-mount-volume-uid (default #f)) ; number or (number . number) + (pgrp pam-mount-volume-pgrp (default #f)) ; string + (gid pam-mount-volume-gid (default #f)) ; number or (number . number) + (sgrp pam-mount-volume-sgrp (default #f)) ; string + (fstype pam-mount-volume-fstype (default #f)) ; string + (noroot pam-mount-volume-noroot (default #f)) ; bool + (server pam-mount-volume-server (default #f)) ; string + (path pam-mount-volume-path (default #f)) ; string + (mountpoint pam-mount-volume-mountpoint (default #f)) ; string + (header pam-mount-volume-header (default #f)) ; string + (options pam-mount-volume-options (default #f)) ; string + (ssh pam-mount-volume-ssh (default #f)) ; bool + (cipher pam-mount-volume-cipher (default #f)) ; string + (fskeycipher pam-mount-volume-fskeycipher (default #f)) ; string + (fskeyhash pam-mount-volume-fskeyhash (default #f)) ; string + (fskeypath pam-mount-volume-fskeypath (default #f))) ; string + +(define (pam-mount-volume->sxml volume) + "Return SXML formatted VOLUME, suitable for pam_mount configuration." + (define (string-for value) + (and value (format #f "~a" value))) + + (define (bool-for value) + (if value + "1" + "0")) + + (define (number-or-range-for value) + (match value + (#f #f) + ((start . end) + (format #f "~a-~a" start end)) + (number + (format #f "~a" number)))) + + (define attrs + (filter + (cut cadr <>) + (map (lambda (field-desc) + (let* ((field-name (car field-desc)) + (field-formatter (cdr field-desc)) + (field-accessor (record-accessor field-name))) + (list field-name (field-formatter (field-accessor volume))))) + `((user . ,string-for) + (uid . ,number-or-range-for) + (pgrp . ,string-for) + (gid . 
,number-or-range-for) + (sgrp . ,string-for) + (fstype . ,string-for) + (noroot . ,bool-for) + (server . ,string-for) + (path . ,string-for) + (mountpoint . ,string-for) + (header . ,string-for) + (options . ,string-for) + (ssh . ,bool-for) + (cipher . ,string-for) + (fskeycipher . ,string-for) + (fskeyhash . ,string-for) + (fskeypath . ,string-for))))) + + `(volume (@ ,@attrs))) + +(define %base-pam-mount-volumes + (list + (pam-mount-volume->sxml + (pam-mount-volume + (sgrp "users") + (fstype "tmpfs") + (mountpoint "/run/user/%(USERUID)") + (options "noexec,nosuid,nodev,size=1g,mode=0700,uid=%(USERUID),gid=%(USERGID)"))))) + (define %greetd-file-systems (list (file-system (device "none") @@ -3180,12 +3277,14 @@ (define %greetd-file-systems (options "mode=0755") (create-mount-point? #t)))) -(define %greetd-pam-mount-rules +(define (greetd-pam-mount-rules config) + (define volumes + (append (map pam-mount-volume->sxml + (greetd-extra-pam-mount-volumes config)) + %base-pam-mount-volumes)) + `((debug (@ (enable "0"))) - (volume (@ (sgrp "users") - (fstype "tmpfs") - (mountpoint "/run/user/%(USERUID)") - (options "noexec,nosuid,nodev,size=1g,mode=0700,uid=%(USERUID),gid=%(USERGID)"))) + ,@volumes (logout (@ (wait "0") (hup "0") (term "yes") @@ -3198,7 +3297,8 @@ (define-record-type* (motd greetd-motd (default %default-motd)) (allow-empty-passwords? greetd-allow-empty-passwords? (default #t)) (terminals greetd-terminals (default '())) - (greeter-supplementary-groups greetd-greeter-supplementary-groups (default '()))) + (greeter-supplementary-groups greetd-greeter-supplementary-groups (default '())) + (extra-pam-mount-volumes greetd-extra-pam-mount-volumes (default '()))) (define (greetd-accounts config) (list (user-group (name "greeter") (system? #t)) 
@@ -3219,7 +3319,7 @@ (define (make-greetd-pam-mount-conf-file config) '(*TOP* (*PI* xml "version='1.0' encoding='utf-8'") (pam_mount - #$@%greetd-pam-mount-rules + #$@(greetd-pam-mount-rules config) (pmvarrun #$(file-append greetd-pam-mount "/sbin/pmvarrun -u '%(USER)' -o '%(OPERATION)'"))))
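Review bot: in the export-list hunk (@@ -248,6 +248,27 @@), `+ pam-mount-volume-path` appears twice on consecutive lines; drop one of the two. While touching that list, consider also exporting `pam-mount-volume?`, since every field accessor is exported but callers have no exported way to check that an element of `extra-pam-mount-volumes` is actually a `pam-mount-volume` record.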
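Review bot: in the hunk introducing `pam-mount-volume->sxml` (@@ -3170,6 +3191,82 @@), `bool-for` returns "0" for an unset field, so the `(filter (cut cadr <>) ...)` step that is meant to drop unset attributes never drops `noroot` or `ssh`: every generated volume element carries `noroot="0" ssh="0"` even though both fields default to `#f` like all the others. Returning `#f` for an unset boolean, e.g. `(define (bool-for value) (and value "1"))`, would make those two attributes optional like the rest and keep the generated configuration identical to the removed `%greetd-pam-mount-rules` for the base volume. Separately, `%base-pam-mount-volumes` already stores the output of `pam-mount-volume->sxml` while `extra-pam-mount-volumes` stores records; since the variable is exported and named like a list of volumes, keeping it as `pam-mount-volume` records and converting all volumes to SXML in one place would let users inspect, filter or reuse the base volume with the same API they use for their own.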
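Review bot: in `greetd-pam-mount-rules` (@@ -3180,12 +3277,14 @@), `(append (map pam-mount-volume->sxml (greetd-extra-pam-mount-volumes config)) %base-pam-mount-volumes)` puts the user-supplied volumes before the base tmpfs on /run/user/%(USERUID). pam_mount handles volumes in configuration order, so an extra volume whose mountpoint lies below /run/user/%(USERUID) would be mounted first and then hidden by the tmpfs mounted over it; putting `%base-pam-mount-volumes` first in the `append` makes the runtime directory available before any extra volume is processed, and it is worth stating the chosen order in the docstring or commit message either way.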
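Review bot: the new `extra-pam-mount-volumes` field of `greetd-configuration` (@@ -3198,7 +3297,8 @@) and the `pam-mount-volume` record it takes are not documented; the diffstat touches only gnu/services/base.scm, so doc/guix.texi should gain a description of the field and of each `pam-mount-volume` field next to the existing greetd-configuration entry, including the `%(USERUID)`-style placeholders that the base volume relies on. The field also accepts any list; a sanitizer that checks each element with `pam-mount-volume?` would report a wrong value at configuration time instead of failing later inside `pam-mount-volume->sxml`.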