services: screen-locker-service-type: Configurable PAM and setuid.
screen-locker-service-type by default does both define PAM entry and make program setuid binary. Normally both methods are mutually exclusive, if binary has setuid set it does not really needs PAM, otherway around also similar, if PAM is enabled binary should not relay on setuid. Recent swaylock package now compiled with PAM support. When PAM support is compiled in, swaylock rejects executing if binary is also setuid program. This change turns screen-locker-configuration from strict PAM AND setuid to more flexible PAM AND/OR setuid. Allowing swaylock to be configured properly while supporting other screen locker preferences. * gnu/services/xorg.scm (screen-locker-configuration): Switch from define-record-type to define-configuration. [using-pam?]: New field to control PAM entry existence. [using-setuid?]: New field to control setuid binary existence. (screen-locker-pam-services): Should not make unix-pam-service if using-pam? is set to #f. (screen-locker-setuid-programs): Should not make program setuid program if using-setuid? is set to #f. (screen-locker-generate-doc): Internal function to generate configuration documentation. (screen-locker-service): Adapt to new screen-locker-configuration. * gnu/services/desktop.scm (desktop-services-for-system): Adapt to new screen-locker-configuration. * doc/guix.texi: Reflect new changes to screen-locker-configuration. Signed-off-by: Josselin Poiret <dev@jpoiret.xyz>master
parent
65bce4d9f9
commit
f4f5ee6ad6
|
@ -2147,7 +2147,10 @@ be made setuid-root so it can authenticate users, and it needs a PAM service. Th
|
||||||
can be achieved by adding the following service to your @file{config.scm}:
|
can be achieved by adding the following service to your @file{config.scm}:
|
||||||
|
|
||||||
@lisp
|
@lisp
|
||||||
(screen-locker-service slock)
|
(service screen-locker-services-type
|
||||||
|
(screen-locker-configuration
|
||||||
|
(name "slock")
|
||||||
|
(program (file-append slock "/bin/slock"))))
|
||||||
@end lisp
|
@end lisp
|
||||||
|
|
||||||
If you manually lock your screen, e.g. by directly calling slock when you want to lock
|
If you manually lock your screen, e.g. by directly calling slock when you want to lock
|
||||||
|
|
|
@ -97,7 +97,7 @@ Copyright @copyright{} 2021 Hui Lu@*
|
||||||
Copyright @copyright{} 2021 pukkamustard@*
|
Copyright @copyright{} 2021 pukkamustard@*
|
||||||
Copyright @copyright{} 2021 Alice Brenon@*
|
Copyright @copyright{} 2021 Alice Brenon@*
|
||||||
Copyright @copyright{} 2021, 2022 Josselin Poiret@*
|
Copyright @copyright{} 2021, 2022 Josselin Poiret@*
|
||||||
Copyright @copyright{} 2021 muradm@*
|
Copyright @copyright{} 2021, 2023 muradm@*
|
||||||
Copyright @copyright{} 2021, 2022 Andrew Tropin@*
|
Copyright @copyright{} 2021, 2022 Andrew Tropin@*
|
||||||
Copyright @copyright{} 2021 Sarah Morgensen@*
|
Copyright @copyright{} 2021 Sarah Morgensen@*
|
||||||
Copyright @copyright{} 2022 Remco van 't Veer@*
|
Copyright @copyright{} 2022 Remco van 't Veer@*
|
||||||
|
@ -22530,37 +22530,63 @@ Usually the X server is started by a login manager.
|
||||||
|
|
||||||
@defvar screen-locker-service-type
|
@defvar screen-locker-service-type
|
||||||
Type for a service that adds a package for a screen locker or screen
|
Type for a service that adds a package for a screen locker or screen
|
||||||
saver to the set of setuid programs and add a PAM entry for it. The
|
saver to the set of setuid programs and/or add a PAM entry for it. The
|
||||||
value for this service is a @code{<screen-locker-configuration>} object.
|
value for this service is a @code{<screen-locker-configuration>} object.
|
||||||
|
|
||||||
|
While the default behavior is to setup both a setuid program and PAM
|
||||||
|
entry, these two methods are redundant. Screen locker programs may not
|
||||||
|
execute when PAM is configured and @code{setuid} is set on their
|
||||||
|
executable. In this case, @code{using-setuid?} can be set to @code{#f}.
|
||||||
|
|
||||||
For example, to make XlockMore usable:
|
For example, to make XlockMore usable:
|
||||||
|
|
||||||
@lisp
|
@lisp
|
||||||
(service screen-locker-service-type
|
(service screen-locker-service-type
|
||||||
(screen-locker-configuration
|
(screen-locker-configuration
|
||||||
"xlock" (file-append xlockmore "/bin/xlock") #f))
|
(name "xlock")
|
||||||
|
(program (file-append xlockmore "/bin/xlock"))))
|
||||||
@end lisp
|
@end lisp
|
||||||
|
|
||||||
makes the good ol' XlockMore usable.
|
makes the good ol' XlockMore usable.
|
||||||
|
|
||||||
|
For example, swaylock fails to execute when compiled with PAM support
|
||||||
|
and setuid enabled. One can thus disable setuid:
|
||||||
|
|
||||||
|
@lisp
|
||||||
|
(service screen-locker-service-type
|
||||||
|
(screen-locker-configuration
|
||||||
|
(name "swaylock")
|
||||||
|
(program (file-append xlockmore "/bin/xlock"))
|
||||||
|
(using-pam? #t)
|
||||||
|
(using-setuid? #f)))
|
||||||
|
@end lisp
|
||||||
|
|
||||||
@end defvar
|
@end defvar
|
||||||
|
|
||||||
@deftp {Data Type} screen-locker-configuration
|
@deftp {Data Type} screen-locker-configuration
|
||||||
Data type representing the configuration of
|
Available @code{screen-locker-configuration} fields are:
|
||||||
@code{screen-locker-service-type}.
|
|
||||||
|
|
||||||
@table @asis
|
@table @asis
|
||||||
@item @code{name} (type: string)
|
@item @code{name} (type: string)
|
||||||
Name of the screen locker.
|
Name of the screen locker.
|
||||||
|
|
||||||
@item @code{program} (type: gexp)
|
@item @code{program} (type: file-like)
|
||||||
Path to the executable for the screen locker as a G-Expression.
|
Path to the executable for the screen locker as a G-Expression.
|
||||||
|
|
||||||
@item @code{allow-empty-password?} (type: boolean)
|
@item @code{allow-empty-password?} (default: @code{#f}) (type: boolean)
|
||||||
Whether to allow empty passwords.
|
Whether to allow empty passwords.
|
||||||
|
|
||||||
|
@item @code{using-pam?} (default: @code{#t}) (type: boolean)
|
||||||
|
Whether to setup PAM entry.
|
||||||
|
|
||||||
|
@item @code{using-setuid?} (default: @code{#t}) (type: boolean)
|
||||||
|
Whether to setup program as setuid binary.
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
@end deftp
|
@end deftp
|
||||||
|
|
||||||
|
|
||||||
@node Printing Services
|
@node Printing Services
|
||||||
@subsection Printing Services
|
@subsection Printing Services
|
||||||
|
|
||||||
|
|
|
@ -1839,10 +1839,12 @@ applications needing access to be root.")
|
||||||
;; Screen lockers are a pretty useful thing and these are small.
|
;; Screen lockers are a pretty useful thing and these are small.
|
||||||
(service screen-locker-service-type
|
(service screen-locker-service-type
|
||||||
(screen-locker-configuration
|
(screen-locker-configuration
|
||||||
"slock" (file-append slock "/bin/slock") #f))
|
(name "slock")
|
||||||
|
(program (file-append slock "/bin/slock"))))
|
||||||
(service screen-locker-service-type
|
(service screen-locker-service-type
|
||||||
(screen-locker-configuration
|
(screen-locker-configuration
|
||||||
"xlock" (file-append xlockmore "/bin/xlock") #f))
|
(name "xlock")
|
||||||
|
(program (file-append xlockmore "/bin/xlock"))))
|
||||||
|
|
||||||
;; Add udev rules for MTP devices so that non-root users can access
|
;; Add udev rules for MTP devices so that non-root users can access
|
||||||
;; them.
|
;; them.
|
||||||
|
|
|
@ -13,6 +13,7 @@
|
||||||
;;; Copyright © 2021 Josselin Poiret <josselin.poiret@protonmail.ch>
|
;;; Copyright © 2021 Josselin Poiret <josselin.poiret@protonmail.ch>
|
||||||
;;; Copyright © 2022 Chris Marusich <cmmarusich@gmail.com>
|
;;; Copyright © 2022 Chris Marusich <cmmarusich@gmail.com>
|
||||||
;;; Copyright © 2022 Maxim Cournoyer <maxim.cournoyer@gmail.com>
|
;;; Copyright © 2022 Maxim Cournoyer <maxim.cournoyer@gmail.com>
|
||||||
|
;;; Copyright © 2023 muradm <mail@muradm.net>
|
||||||
;;;
|
;;;
|
||||||
;;; This file is part of GNU Guix.
|
;;; This file is part of GNU Guix.
|
||||||
;;;
|
;;;
|
||||||
|
@ -112,6 +113,8 @@
|
||||||
screen-locker-configuration-name
|
screen-locker-configuration-name
|
||||||
screen-locker-configuration-program
|
screen-locker-configuration-program
|
||||||
screen-locker-configuration-allow-empty-password?
|
screen-locker-configuration-allow-empty-password?
|
||||||
|
screen-locker-configuration-using-pam?
|
||||||
|
screen-locker-configuration-using-setuid?
|
||||||
screen-locker-service-type
|
screen-locker-service-type
|
||||||
screen-locker-service ; deprecated
|
screen-locker-service ; deprecated
|
||||||
|
|
||||||
|
@ -703,30 +706,38 @@ reboot_cmd " shepherd "/sbin/reboot\n"
|
||||||
;;; Screen lockers & co.
|
;;; Screen lockers & co.
|
||||||
;;;
|
;;;
|
||||||
|
|
||||||
(define-record-type <screen-locker-configuration>
|
(define-configuration/no-serialization screen-locker-configuration
|
||||||
(screen-locker-configuration name program allow-empty-password?)
|
(name
|
||||||
screen-locker-configuration?
|
string
|
||||||
(name screen-locker-configuration-name) ;string
|
"Name of the screen locker.")
|
||||||
(program screen-locker-configuration-program) ;gexp
|
(program
|
||||||
|
file-like
|
||||||
|
"Path to the executable for the screen locker as a G-Expression.")
|
||||||
(allow-empty-password?
|
(allow-empty-password?
|
||||||
screen-locker-configuration-allow-empty-password?)) ;Boolean
|
(boolean #f)
|
||||||
|
"Whether to allow empty passwords.")
|
||||||
|
(using-pam?
|
||||||
|
(boolean #t)
|
||||||
|
"Whether to setup PAM entry.")
|
||||||
|
(using-setuid?
|
||||||
|
(boolean #t)
|
||||||
|
"Whether to setup program as setuid binary."))
|
||||||
|
|
||||||
(define-deprecated/public-alias
|
(define (screen-locker-pam-services config)
|
||||||
screen-locker
|
(match-record config <screen-locker-configuration>
|
||||||
screen-locker-configuration)
|
(name allow-empty-password? using-pam?)
|
||||||
|
(if using-pam?
|
||||||
(define-deprecated/public-alias
|
|
||||||
screen-locker?
|
|
||||||
screen-locker-configuration?)
|
|
||||||
|
|
||||||
(define screen-locker-pam-services
|
|
||||||
(match-lambda
|
|
||||||
(($ <screen-locker-configuration> name _ empty?)
|
|
||||||
(list (unix-pam-service name
|
(list (unix-pam-service name
|
||||||
#:allow-empty-passwords? empty?)))))
|
#:allow-empty-passwords?
|
||||||
|
allow-empty-password?))
|
||||||
|
'())))
|
||||||
|
|
||||||
(define screen-locker-setuid-programs
|
(define (screen-locker-setuid-programs config)
|
||||||
(compose list file-like->setuid-program screen-locker-configuration-program))
|
(match-record config <screen-locker-configuration>
|
||||||
|
(name program using-setuid?)
|
||||||
|
(if using-setuid?
|
||||||
|
(list (file-like->setuid-program program))
|
||||||
|
'())))
|
||||||
|
|
||||||
(define screen-locker-service-type
|
(define screen-locker-service-type
|
||||||
(service-type (name 'screen-locker)
|
(service-type (name 'screen-locker)
|
||||||
|
@ -740,6 +751,9 @@ reboot_cmd " shepherd "/sbin/reboot\n"
|
||||||
the graphical server by making it setuid-root, so it can authenticate users,
|
the graphical server by making it setuid-root, so it can authenticate users,
|
||||||
and by creating a PAM service for it.")))
|
and by creating a PAM service for it.")))
|
||||||
|
|
||||||
|
(define (screen-locker-generate-doc)
|
||||||
|
(configuration->documentation 'screen-locker-configuration))
|
||||||
|
|
||||||
(define-deprecated (screen-locker-service package
|
(define-deprecated (screen-locker-service package
|
||||||
#:optional
|
#:optional
|
||||||
(program (package-name package))
|
(program (package-name package))
|
||||||
|
@ -755,9 +769,10 @@ for it. For example:
|
||||||
|
|
||||||
makes the good ol' XlockMore usable."
|
makes the good ol' XlockMore usable."
|
||||||
(service screen-locker-service-type
|
(service screen-locker-service-type
|
||||||
(screen-locker-configuration program
|
(screen-locker-configuration
|
||||||
(file-append package "/bin/" program)
|
(name program)
|
||||||
allow-empty-passwords?)))
|
(program (file-append package "/bin/" program))
|
||||||
|
(allow-empty-password? allow-empty-passwords?))))
|
||||||
|
|
||||||
|
|
||||||
;;;
|
;;;
|
||||||
|
|
Reference in New Issue