nixo
/
guix-devel
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

system: Allow root to run "su" without password. 

* gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
auth field when ALLOW-ROOT? is #T.
(base-pam-services): Allow root to run "su" without authentication.
This commit is contained in:
Ricardo Wurmus 2017-05-08 12:21:02 +02:00
parent f000828575
commit e586257b55
No known key found for this signature in database
GPG Key ID: 197A5888235FACAC
1 changed files with 21 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
gnu/system/pam.scm
View File

@ -204,21 +204,27 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
(env (pam-entry ; to honor /etc/environment. (env (pam-entry ; to honor /etc/environment.
(control "required") (control "required")
(module "pam_env.so")))) (module "pam_env.so"))))
(lambda* (name #:key allow-empty-passwords? motd) (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd)
"Return a standard Unix-style PAM service for NAME. When "Return a standard Unix-style PAM service for NAME. When
ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When MOTD is true, it ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is
should be a file-like object used as the message-of-the-day." true, allow root to run the command without authentication. When MOTD is
true, it should be a file-like object used as the message-of-the-day."
;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>. ;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
(let ((name* name)) (let ((name* name))
(pam-service (pam-service
(name name*) (name name*)
(account (list unix)) (account (list unix))
(auth (list (if allow-empty-passwords? (auth (append (if allow-root?
(pam-entry (list (pam-entry
(control "required") (control "sufficient")
(module "pam_unix.so") (module "pam_rootok.so")))
(arguments '("nullok"))) '())
unix))) (list (if allow-empty-passwords?
(pam-entry
(control "required")
(module "pam_unix.so")
(arguments '("nullok")))
unix))))
(password (list (pam-entry (password (list (pam-entry
(control "required") (control "required")
(module "pam_unix.so") (module "pam_unix.so")
@ -256,7 +262,12 @@ authenticate to run COMMAND."
;; These programs are setuid-root. ;; These programs are setuid-root.
(map (cut unix-pam-service <> (map (cut unix-pam-service <>
#:allow-empty-passwords? allow-empty-passwords?) #:allow-empty-passwords? allow-empty-passwords?)
'("su" "passwd" "sudo")) '("passwd" "sudo"))
;; This is setuid-root, as well. Allow root to run "su" without
;; authenticating.
(list (unix-pam-service "su"
#:allow-empty-passwords? allow-empty-passwords?
#:allow-root? #t))
;; These programs are not setuid-root, and we want root to be able ;; These programs are not setuid-root, and we want root to be able
;; to run them without having to authenticate (notably because ;; to run them without having to authenticate (notably because