system: Allow root to use 'groupadd' & co. without authenticating.
This fixes a bug whereby, if #:allow-root-passwords was #f, 'groupadd' would ask for a password. This is particularly problematic during activation. * gnu/system/linux.scm (rootok-pam-service): New procedure. (base-pam-services): Use it for all the user* and group* commands.master
Ludovic Courtès
parent
f109696473
commit
da417ffe3b
|
|
@ -152,15 +152,36 @@ should be the name of a file used as the message-of-the-day."
|
||||||
(list #~(string-append "motd=" #$motd)))))
|
(list #~(string-append "motd=" #$motd)))))
|
||||||
(list unix))))))))
|
(list unix))))))))
|
||||||
|
|
||||||
|
(define (rootok-pam-service command)
|
||||||
|
"Return a PAM service for COMMAND such that 'root' does not need to
|
||||||
|
authenticate to run COMMAND."
|
||||||
|
(let ((unix (pam-entry
|
||||||
|
(control "required")
|
||||||
|
(module "pam_unix.so"))))
|
||||||
|
(pam-service
|
||||||
|
(name command)
|
||||||
|
(account (list unix))
|
||||||
|
(auth (list (pam-entry
|
||||||
|
(control "sufficient")
|
||||||
|
(module "pam_rootok.so"))))
|
||||||
|
(password (list unix))
|
||||||
|
(session (list unix)))))
|
||||||
|
|
||||||
(define* (base-pam-services #:key allow-empty-passwords?)
|
(define* (base-pam-services #:key allow-empty-passwords?)
|
||||||
"Return the list of basic PAM services everyone would want."
|
"Return the list of basic PAM services everyone would want."
|
||||||
(cons %pam-other-services
|
;; TODO: Add other Shadow programs?
|
||||||
(map (cut unix-pam-service <>
|
(append (list %pam-other-services)
|
||||||
#:allow-empty-passwords? allow-empty-passwords?)
|
|
||||||
'("su" "passwd" "sudo"
|
;; These programs are setuid-root.
|
||||||
"useradd" "userdel" "usermod"
|
(map (cut unix-pam-service <>
|
||||||
"groupadd" "groupdel" "groupmod"
|
#:allow-empty-passwords? allow-empty-passwords?)
|
||||||
;; TODO: Add other Shadow programs?
|
'("su" "passwd" "sudo"))
|
||||||
))))
|
|
||||||
|
;; These programs are not setuid-root, and we want root to be able
|
||||||
|
;; to run them without having to authenticate (notably because
|
||||||
|
;; 'useradd' and 'groupadd' are run during system activation.)
|
||||||
|
(map rootok-pam-service
|
||||||
|
'("useradd" "userdel" "usermod"
|
||||||
|
"groupadd" "groupdel" "groupmod"))))
|
||||||
|
|
||||||
;;; linux.scm ends here
|
;;; linux.scm ends here
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue