nixo
/
guix-devel
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

system: pam: Add #:login-uid? parameter to 'unix-pam-service'. 

* gnu/system/pam.scm (unix-pam-service): Add #:login-uid? parameter.  In
then 'session' field, add "pam_loginuid.so" as required when LOGIN-UID?
is true.
master
Ludovic Courtès 2019-05-09 11:42:03 +02:00
parent 56038bac60
commit af55ca481d
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
1 changed files with 38 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
gnu/system/pam.scm
View File

@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019 Ludovic Courtès <ludo@gnu.org>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -207,40 +207,47 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
(env (pam-entry ; to honor /etc/environment. (env (pam-entry ; to honor /etc/environment.
(control "required") (control "required")
(module "pam_env.so")))) (module "pam_env.so"))))
(lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd) (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
login-uid?)
"Return a standard Unix-style PAM service for NAME. When "Return a standard Unix-style PAM service for NAME. When
ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is
true, allow root to run the command without authentication. When MOTD is true, allow root to run the command without authentication. When MOTD is
true, it should be a file-like object used as the message-of-the-day." true, it should be a file-like object used as the message-of-the-day.
When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
/proc/self/loginuid, which the libc 'getlogin' function relies on."
;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>. ;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
(let ((name* name)) (pam-service
(pam-service (name name)
(name name*) (account (list unix))
(account (list unix)) (auth (append (if allow-root?
(auth (append (if allow-root? (list (pam-entry
(list (pam-entry (control "sufficient")
(control "sufficient") (module "pam_rootok.so")))
(module "pam_rootok.so"))) '())
'()) (list (if allow-empty-passwords?
(list (if allow-empty-passwords? (pam-entry
(pam-entry (control "required")
(control "required") (module "pam_unix.so")
(module "pam_unix.so") (arguments '("nullok")))
(arguments '("nullok"))) unix))))
unix)))) (password (list (pam-entry
(password (list (pam-entry (control "required")
(control "required") (module "pam_unix.so")
(module "pam_unix.so") ;; Store SHA-512 encrypted passwords in /etc/shadow.
;; Store SHA-512 encrypted passwords in /etc/shadow. (arguments '("sha512" "shadow")))))
(arguments '("sha512" "shadow"))))) (session `(,@(if motd
(session (if motd (list (pam-entry
(list env unix (control "optional")
(pam-entry (module "pam_motd.so")
(control "optional") (arguments
(module "pam_motd.so") (list #~(string-append "motd=" #$motd)))))
(arguments '())
(list #~(string-append "motd=" #$motd))))) ,@(if login-uid?
(list env unix)))))))) (list (pam-entry ;to fill in /proc/self/loginuid
(control "required")
(module "pam_loginuid.so")))
'())
,env ,unix))))))
(define (rootok-pam-service command) (define (rootok-pam-service command)
"Return a PAM service for COMMAND such that 'root' does not need to "Return a PAM service for COMMAND such that 'root' does not need to