05/07: system: pam: Add #:login-uid? parameter to 'unix-pam-service'.
From: guix-commits
Subject: 05/07: system: pam: Add #:login-uid? parameter to 'unix-pam-service'.
Date: Thu, 9 May 2019 06:11:47 -0400 (EDT)
civodul pushed a commit to branch master
in repository guix.
commit af55ca481d9e6c1d1e06632f96d550b42f33210f
Author: Ludovic Courtès <address@hidden>
Date: Thu May 9 11:42:03 2019 +0200
system: pam: Add #:login-uid? parameter to 'unix-pam-service'.
* gnu/system/pam.scm (unix-pam-service): Add #:login-uid? parameter. In
the 'session' field, add "pam_loginuid.so" as required when LOGIN-UID?
is true.
---
gnu/system/pam.scm | 69 ++++++++++++++++++++++++++++++------------------------
1 file changed, 38 insertions(+), 31 deletions(-)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 13f76a5..85f7551 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <address@hidden>
+;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019 Ludovic Courtès
<address@hidden>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -207,40 +207,47 @@ dumped in /etc/pam.d/NAME, where NAME is the name of
SERVICE."
(env (pam-entry ; to honor /etc/environment.
(control "required")
(module "pam_env.so"))))
- (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd)
+ (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
+ login-uid?)
"Return a standard Unix-style PAM service for NAME. When
ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is
true, allow root to run the command without authentication. When MOTD is
-true, it should be a file-like object used as the message-of-the-day."
+true, it should be a file-like object used as the message-of-the-day.
+When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
+/proc/self/loginuid, which the libc 'getlogin' function relies on."
;; See
<http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
- (let ((name* name))
- (pam-service
- (name name*)
- (account (list unix))
- (auth (append (if allow-root?
- (list (pam-entry
- (control "sufficient")
- (module "pam_rootok.so")))
- '())
- (list (if allow-empty-passwords?
- (pam-entry
- (control "required")
- (module "pam_unix.so")
- (arguments '("nullok")))
- unix))))
- (password (list (pam-entry
- (control "required")
- (module "pam_unix.so")
- ;; Store SHA-512 encrypted passwords in /etc/shadow.
- (arguments '("sha512" "shadow")))))
- (session (if motd
- (list env unix
- (pam-entry
- (control "optional")
- (module "pam_motd.so")
- (arguments
- (list #~(string-append "motd=" #$motd)))))
- (list env unix))))))))
+ (pam-service
+ (name name)
+ (account (list unix))
+ (auth (append (if allow-root?
+ (list (pam-entry
+ (control "sufficient")
+ (module "pam_rootok.so")))
+ '())
+ (list (if allow-empty-passwords?
+ (pam-entry
+ (control "required")
+ (module "pam_unix.so")
+ (arguments '("nullok")))
+ unix))))
+ (password (list (pam-entry
+ (control "required")
+ (module "pam_unix.so")
+ ;; Store SHA-512 encrypted passwords in /etc/shadow.
+ (arguments '("sha512" "shadow")))))
+ (session `(,@(if motd
+ (list (pam-entry
+ (control "optional")
+ (module "pam_motd.so")
+ (arguments
+ (list #~(string-append "motd=" #$motd)))))
+ '())
+ ,@(if login-uid?
+ (list (pam-entry ;to fill in /proc/self/loginuid
+ (control "required")
+ (module "pam_loginuid.so")))
+ '())
+ ,env ,unix))))))
(define (rootok-pam-service command)
"Return a PAM service for COMMAND such that 'root' does not need to
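Review bot: the rewritten 'session' field reorders the existing entries as well as adding pam_loginuid.so, and the commit log does not mention it. The old code built (list env unix <pam_motd entry>), so pam_motd.so ran last; the new quasiquoted list ends in ",env ,unix", so the optional pam_motd.so entry and the new pam_loginuid.so entry now both run before pam_env.so and pam_unix.so. If only the loginuid addition is intended, splice the motd entry after ",env ,unix" to keep the previous order, or state the reordering in the log. Two smaller points in the same hunk: pam_loginuid.so is added with control "required", so a failure in that module fails the session stack for every service that passes #:login-uid? #t, which the docstring could say; and login-uid? relies on the implicit #f default while the neighbouring keyword is written (allow-root? #f), so an explicit (login-uid? #f) would be more consistent.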