From patchwork Sun Jun 4 09:42:18 2023
X-Patchwork-Submitter: Josselin Poiret
X-Patchwork-Id: 50592
Subject: bug#63652: [PATCH] services: screen-locker-service-type: Configurable PAM and setuid.
To: muradm, 63652-done@debbugs.gnu.org
X-GNU-PR-Message: cc-closed 63652
In-Reply-To: <84127ca20c41459b18200f39356f7964fa75f943.1684782409.git.mail@muradm.net>
Date: Sun, 04 Jun 2023 11:42:18 +0200
Message-ID: <87a5xfef7p.fsf@jpoiret.xyz>
From: Josselin Poiret

Hi muradm,

muradm writes:

> screen-locker-service-type by default both defines a PAM entry
> and makes the program a setuid binary. Normally both methods are
> mutually exclusive: if the binary has setuid set it does not really
> need PAM, and the other way around is similar: if PAM is enabled
> the binary should not rely on setuid.
>
> The recent swaylock package is now compiled with PAM support. When PAM
> support is compiled in, swaylock refuses to execute if the binary is
> also a setuid program.
>
> This change turns screen-locker-configuration from strict
> PAM AND setuid to the more flexible PAM AND/OR setuid, allowing
> swaylock to be configured properly while supporting other
> screen locker preferences.
>
> * gnu/services/xorg.scm (screen-locker-configuration): Switch from
> define-record-type to define-configuration.
> [using-pam?]: New field to control PAM entry existence.
> [using-setuid?]: New field to control setuid binary existence.
> (screen-locker-pam-services): Should not make unix-pam-service if
> using-pam? is set to #f.
> (screen-locker-setuid-programs): Should not make the program a setuid
> program if using-setuid? is set to #f.
> (screen-locker-generate-doc): Internal function to generate
> configuration documentation.
> (screen-locker-service): Adapt to new screen-locker-configuration.
> * gnu/services/desktop.scm (desktop-services-for-system): Adapt to
> new screen-locker-configuration.
> * doc/guix.texi: Reflect new changes to screen-locker-configuration.

Thanks! Tested and pushed as f4f5ee6ad6e2432f52e37c549211df8f1cdbb571 with the following changes:

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index b1ffa72c0e..b9f5f6b6a9 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -2147,7 +2147,10 @@ Xorg can be achieved by adding the following service to your @file{config.scm}: @lisp -(screen-locker-service slock) +(service screen-locker-services-type + (screen-locker-configuration + (name "slock") + (program (file-append slock "/bin/slock")))) @end lisp If you manually lock your screen, e.g. by directly calling slock when you want to lock diff --git a/doc/guix.texi b/doc/guix.texi index 704bbd39d2..db37676e12 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -97,7 +97,7 @@ Copyright @copyright{} 2021 pukkamustard@* Copyright @copyright{} 2021 Alice Brenon@* Copyright @copyright{} 2021, 2022 Josselin Poiret@* -Copyright @copyright{} 2021 muradm@* +Copyright @copyright{} 2021, 2023 muradm@* Copyright @copyright{} 2021, 2022 Andrew Tropin@* Copyright @copyright{} 2021 Sarah Morgensen@* Copyright @copyright{} 2022 Remco van 't Veer@* 
@@ -22533,28 +22533,32 @@ X Window saver to the set of setuid programs and/or add a PAM entry for it. The value for this service is a @code{} object. -While default behavior is to setup both setuid program and PAM entry, -they are effectively mutually exclusive. Screen locker programs may -prevent executing when PAM is configured, and @code{setuid} is set on -executable. Then @code{using-setuid?} can be set to @code{#f}. +While the default behavior is to setup both a setuid program and PAM +entry, these two methods are redundant. Screen locker programs may not +execute when PAM is configured and @code{setuid} is set on their +executable. In this case, @code{using-setuid?} can be set to @code{#f}. For example, to make XlockMore usable: @lisp (service screen-locker-service-type (screen-locker-configuration - "xlock" (file-append xlockmore "/bin/xlock") #f)) + (name "xlock") + (program (file-append xlockmore "/bin/xlock")))) @end lisp makes the good ol' XlockMore usable. For example, swaylock fails to execute when compiled with PAM support -and setuid enabled, then one can disable setuid: +and setuid enabled. One can thus disable setuid: @lisp (service screen-locker-service-type (screen-locker-configuration - "swaylock" (file-append xlockmore "/bin/xlock") #f #t #f)) + (name "swaylock") + (program (file-append xlockmore "/bin/xlock")) + (using-pam? #t) + (using-setuid? #f))) @end lisp @end defvar diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 639e99ff79..a63748b652 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm 
@@ -1840,13 +1840,11 @@ (define* (desktop-services-for-system #:optional (service screen-locker-service-type (screen-locker-configuration (name "slock") - (program (file-append slock "/bin/slock")) - (allow-empty-password? #f))) + (program (file-append slock "/bin/slock")))) (service screen-locker-service-type (screen-locker-configuration (name "xlock") - (program (file-append xlock "/bin/xlock")) - (allow-empty-password? #f))) + (program (file-append xlockmore "/bin/xlock")))) ;; Add udev rules for MTP devices so that non-root users can access ;; them. diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index b6c1636660..f8cf9f25b6 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -723,14 +723,6 @@ (define-configuration/no-serialization screen-locker-configuration (boolean #t) "Whether to setup program as setuid binary.")) -(define-deprecated/public-alias - screen-locker - screen-locker-configuration) - -(define-deprecated/public-alias - screen-locker? - screen-locker-configuration?) - (define (screen-locker-pam-services config) (match-record config (name allow-empty-password? using-pam?)
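Review bot: in the doc/guix-cookbook.texi hunk, the replacement example reads `(service screen-locker-services-type`, but every other hunk in this patch (guix.texi and desktop.scm) uses `screen-locker-service-type`; a user copying the snippet into `config.scm` will hit an unbound-variable error. Change that line to `(service screen-locker-service-type`.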
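Review bot: in the doc/guix.texi hunk at line 22533, the swaylock example still sets `(program (file-append xlockmore "/bin/xlock"))`, carried over from the XlockMore example above it, so a reader following it ends up running xlock under the `swaylock` PAM name with setuid disabled; `program` should reference the swaylock package's own binary. Two smaller points in the same hunk: the sentence "makes the good ol' XlockMore usable." left after the first `@lisp` block now just repeats the "For example, to make XlockMore usable:" lead-in and can go, and "to setup both" should read "to set up both".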
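Review bot: in the gnu/services/desktop.scm hunk, both stock configurations drop the explicit `(allow-empty-password? #f)`, so the slock and xlock lockers now depend on that field's default in `define-configuration`, which is not visible in this patch (the xorg.scm hunk only shows the field still being matched in `screen-locker-pam-services`). Please confirm the default is `#f`; a default of `#t` would silently make the default desktop lock screens unlockable with an empty password. The `xlock` to `xlockmore` package variable change matches the guix.texi example and looks right.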
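Review bot: in the gnu/services/xorg.scm hunk, deleting the `define-deprecated/public-alias` forms for `screen-locker` and `screen-locker?` means any configuration still constructing the record under its old name gets an unbound-variable error instead of a deprecation warning, which matters because the commit message says the type moved from `define-record-type` to `define-configuration`; either keep the aliases for a cycle or state in the commit message that the old names are removed. Also, the context line "Whether to setup program as setuid binary." should read "Whether to set up the program as a setuid binary."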