me
/
guix
Archived
1
0
Fork 0
Code

gnu: linux-pam: Change path to unix_chkpwd helper. 

* gnu/packages/patches/linux-pam-unix_chkpwd.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/linux.scm (linux-pam): Use it.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid.

Co-authored-by: Ludovic Courtès <ludo@gnu.org>
master
Andrew Tropin 2022-02-06 08:16:54 +03:00 committed by Ludovic Courtès
parent b31ef5638b
commit f172118ca4
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
4 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
gnu/local.mk
View File

@ -1433,6 +1433,7 @@ dist_patch_DATA = \
%D%/packages/patches/linux-libre-support-for-Pinebook-Pro.patch \ %D%/packages/patches/linux-libre-support-for-Pinebook-Pro.patch \
%D%/packages/patches/linux-libre-arm64-generic-pinebook-lcd.patch \ %D%/packages/patches/linux-libre-arm64-generic-pinebook-lcd.patch \
%D%/packages/patches/linux-pam-no-setfsuid.patch \ %D%/packages/patches/linux-pam-no-setfsuid.patch \
%D%/packages/patches/linux-pam-unix_chkpwd.patch \
%D%/packages/patches/linuxdcpp-openssl-1.1.patch \ %D%/packages/patches/linuxdcpp-openssl-1.1.patch \
%D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/lirc-localstatedir.patch \
%D%/packages/patches/lirc-reproducible-build.patch \ %D%/packages/patches/lirc-reproducible-build.patch \

3
gnu/packages/linux.scm
View File

@ -1596,7 +1596,8 @@ which need to be installed separately.")
(sha256 (sha256
(base32 (base32
"1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790")) "1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
(patches (search-patches "linux-pam-no-setfsuid.patch")))) (patches (search-patches "linux-pam-unix_chkpwd.patch"
"linux-pam-no-setfsuid.patch"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(native-inputs (native-inputs

9
gnu/packages/patches/linux-pam-unix_chkpwd.patch 100644
View File

@ -0,0 +1,9 @@
unix_chkpwd is designed to have a suid bit, but it's not possible to set it
for files in the store. This patch tells unix_pam.so to look for
unix_chkpwd in setuid program directory on Guix System.
--- a/modules/pam_unix/Makefile.in
+++ b/modules/pam_unix/Makefile.in
@@ -651,1 +651,1 @@
- -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
+ -DCHKPWD_HELPER=\"/run/setuid-programs/unix_chkpwd\" \

10
gnu/system/pam.scm
View File

@ -21,6 +21,7 @@
#:use-module (guix derivations) #:use-module (guix derivations)
#:use-module (guix gexp) #:use-module (guix gexp)
#:use-module (gnu services) #:use-module (gnu services)
#:use-module (gnu system setuid)
#:use-module (ice-9 match) #:use-module (ice-9 match)
#:use-module (srfi srfi-1) #:use-module (srfi srfi-1)
#:use-module (srfi srfi-9) #:use-module (srfi srfi-9)
@ -375,8 +376,13 @@ strings or string-valued gexps."
(define pam-root-service-type (define pam-root-service-type
(service-type (name 'pam) (service-type (name 'pam)
(extensions (list (service-extension etc-service-type (extensions
/etc-entry))) (list (service-extension
setuid-program-service-type
(lambda (_)
(list (file-like->setuid-program
(file-append linux-pam "/sbin/unix_chkpwd")))))
(service-extension etc-service-type /etc-entry)))
;; Arguments include <pam-service> as well as procedures. ;; Arguments include <pam-service> as well as procedures.
(compose concatenate) (compose concatenate)