services: screen-locker-service-type: Configurable PAM and setuid.

screen-locker-service-type by default both defines a PAM entry
and makes the program a setuid binary. Normally both methods are
mutually exclusive: if the binary has setuid set, it does not really
need PAM, and the other way around is similar: if PAM is enabled,
the binary should not rely on setuid.

The recent swaylock package is now compiled with PAM support. When PAM
support is compiled in, swaylock refuses to execute if the binary is
also a setuid program.

This change turns screen-locker-configuration from a strict
PAM AND setuid into a more flexible PAM AND/OR setuid, allowing
swaylock to be configured properly while supporting other
screen locker preferences.

* gnu/services/xorg.scm (screen-locker-configuration): Switch from
define-record-type to define-configuration.
[using-pam?]: New field to control PAM entry existence.
[using-setuid?]: New field to control setuid binary existence.
(screen-locker-pam-services): Should not make unix-pam-service if
using-pam? is set to #f.
(screen-locker-setuid-programs): Should not make the program setuid
if using-setuid? is set to #f.
(screen-locker-generate-doc): Internal function to generate
configuration documentation.
(screen-locker-service): Adapt to new screen-locker-configuration.
* gnu/services/desktop.scm (desktop-services-for-system): Adapt to
new screen-locker-configuration.
* doc/guix.texi: Reflect new changes to screen-locker-configuration.

Signed-off-by: Josselin Poiret <dev@jpoiret.xyz>
master
muradm 2023-05-22 22:06:51 +03:00 committed by Josselin Poiret
parent 65bce4d9f9
commit f4f5ee6ad6
No known key found for this signature in database
GPG Key ID: 505E40B916171A8A
4 changed files with 80 additions and 34 deletions

View File

@ -2147,7 +2147,10 @@ be made setuid-root so it can authenticate users, and it needs a PAM service. Th
can be achieved by adding the following service to your @file{config.scm}: can be achieved by adding the following service to your @file{config.scm}:
@lisp @lisp
(screen-locker-service slock) (service screen-locker-services-type
(screen-locker-configuration
(name "slock")
(program (file-append slock "/bin/slock"))))
@end lisp @end lisp
If you manually lock your screen, e.g. by directly calling slock when you want to lock If you manually lock your screen, e.g. by directly calling slock when you want to lock
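Review bot: the added example in the 2147 hunk of doc/guix.texi references `screen-locker-services-type`, which does not match `screen-locker-service-type` as defined in gnu/services/xorg.scm and used in every other hunk of this patch; a reader pasting this into config.scm gets an unbound-variable error. Suggest `(service screen-locker-service-type`.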

View File

@ -97,7 +97,7 @@ Copyright @copyright{} 2021 Hui Lu@*
Copyright @copyright{} 2021 pukkamustard@* Copyright @copyright{} 2021 pukkamustard@*
Copyright @copyright{} 2021 Alice Brenon@* Copyright @copyright{} 2021 Alice Brenon@*
Copyright @copyright{} 2021, 2022 Josselin Poiret@* Copyright @copyright{} 2021, 2022 Josselin Poiret@*
Copyright @copyright{} 2021 muradm@* Copyright @copyright{} 2021, 2023 muradm@*
Copyright @copyright{} 2021, 2022 Andrew Tropin@* Copyright @copyright{} 2021, 2022 Andrew Tropin@*
Copyright @copyright{} 2021 Sarah Morgensen@* Copyright @copyright{} 2021 Sarah Morgensen@*
Copyright @copyright{} 2022 Remco van 't Veer@* Copyright @copyright{} 2022 Remco van 't Veer@*
@ -22530,37 +22530,63 @@ Usually the X server is started by a login manager.
@defvar screen-locker-service-type @defvar screen-locker-service-type
Type for a service that adds a package for a screen locker or screen Type for a service that adds a package for a screen locker or screen
saver to the set of setuid programs and add a PAM entry for it. The saver to the set of setuid programs and/or add a PAM entry for it. The
value for this service is a @code{<screen-locker-configuration>} object. value for this service is a @code{<screen-locker-configuration>} object.
While the default behavior is to setup both a setuid program and PAM
entry, these two methods are redundant. Screen locker programs may not
execute when PAM is configured and @code{setuid} is set on their
executable. In this case, @code{using-setuid?} can be set to @code{#f}.
For example, to make XlockMore usable: For example, to make XlockMore usable:
@lisp @lisp
(service screen-locker-service-type (service screen-locker-service-type
(screen-locker-configuration (screen-locker-configuration
"xlock" (file-append xlockmore "/bin/xlock") #f)) (name "xlock")
(program (file-append xlockmore "/bin/xlock"))))
@end lisp @end lisp
makes the good ol' XlockMore usable. makes the good ol' XlockMore usable.
For example, swaylock fails to execute when compiled with PAM support
and setuid enabled. One can thus disable setuid:
@lisp
(service screen-locker-service-type
(screen-locker-configuration
(name "swaylock")
(program (file-append xlockmore "/bin/xlock"))
(using-pam? #t)
(using-setuid? #f)))
@end lisp
@end defvar @end defvar
@deftp {Data Type} screen-locker-configuration @deftp {Data Type} screen-locker-configuration
Data type representing the configuration of Available @code{screen-locker-configuration} fields are:
@code{screen-locker-service-type}.
@table @asis @table @asis
@item @code{name} (type: string) @item @code{name} (type: string)
Name of the screen locker. Name of the screen locker.
@item @code{program} (type: gexp) @item @code{program} (type: file-like)
Path to the executable for the screen locker as a G-Expression. Path to the executable for the screen locker as a G-Expression.
@item @code{allow-empty-password?} (type: boolean) @item @code{allow-empty-password?} (default: @code{#f}) (type: boolean)
Whether to allow empty passwords. Whether to allow empty passwords.
@item @code{using-pam?} (default: @code{#t}) (type: boolean)
Whether to setup PAM entry.
@item @code{using-setuid?} (default: @code{#t}) (type: boolean)
Whether to setup program as setuid binary.
@end table @end table
@end deftp @end deftp
@node Printing Services @node Printing Services
@subsection Printing Services @subsection Printing Services
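Review bot: the new swaylock example in the 22530 hunk sets `(name "swaylock")` but keeps `(program (file-append xlockmore "/bin/xlock"))`, so the PAM service name and the locker binary would disagree; the `program` field should point at swaylock's own executable (presumably `(file-append swaylock "/bin/swaylock")`, assuming the package variable is named `swaylock`). Two wording points in the same hunk: `program` is now documented as `(type: file-like)` while its description still says "as a G-Expression", and "Whether to setup PAM entry" / "Whether to setup program as setuid binary" should read "Whether to set up a PAM entry" / "Whether to set up the program as a setuid binary" (the same strings appear in the define-configuration docstrings in xorg.scm, so fix both places). Finally, "For example, to make XlockMore usable:" before the lisp block and "makes the good ol' XlockMore usable." after it now say the same thing twice; one of them can go.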

View File

@ -1839,10 +1839,12 @@ applications needing access to be root.")
;; Screen lockers are a pretty useful thing and these are small. ;; Screen lockers are a pretty useful thing and these are small.
(service screen-locker-service-type (service screen-locker-service-type
(screen-locker-configuration (screen-locker-configuration
"slock" (file-append slock "/bin/slock") #f)) (name "slock")
(program (file-append slock "/bin/slock"))))
(service screen-locker-service-type (service screen-locker-service-type
(screen-locker-configuration (screen-locker-configuration
"xlock" (file-append xlockmore "/bin/xlock") #f)) (name "xlock")
(program (file-append xlockmore "/bin/xlock"))))
;; Add udev rules for MTP devices so that non-root users can access ;; Add udev rules for MTP devices so that non-root users can access
;; them. ;; them.

View File

@ -13,6 +13,7 @@
;;; Copyright © 2021 Josselin Poiret <josselin.poiret@protonmail.ch> ;;; Copyright © 2021 Josselin Poiret <josselin.poiret@protonmail.ch>
;;; Copyright © 2022 Chris Marusich <cmmarusich@gmail.com> ;;; Copyright © 2022 Chris Marusich <cmmarusich@gmail.com>
;;; Copyright © 2022 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; Copyright © 2022 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2023 muradm <mail@muradm.net>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -112,6 +113,8 @@
screen-locker-configuration-name screen-locker-configuration-name
screen-locker-configuration-program screen-locker-configuration-program
screen-locker-configuration-allow-empty-password? screen-locker-configuration-allow-empty-password?
screen-locker-configuration-using-pam?
screen-locker-configuration-using-setuid?
screen-locker-service-type screen-locker-service-type
screen-locker-service ; deprecated screen-locker-service ; deprecated
@ -703,30 +706,38 @@ reboot_cmd " shepherd "/sbin/reboot\n"
;;; Screen lockers & co. ;;; Screen lockers & co.
;;; ;;;
(define-record-type <screen-locker-configuration> (define-configuration/no-serialization screen-locker-configuration
(screen-locker-configuration name program allow-empty-password?) (name
screen-locker-configuration? string
(name screen-locker-configuration-name) ;string "Name of the screen locker.")
(program screen-locker-configuration-program) ;gexp (program
file-like
"Path to the executable for the screen locker as a G-Expression.")
(allow-empty-password? (allow-empty-password?
screen-locker-configuration-allow-empty-password?)) ;Boolean (boolean #f)
"Whether to allow empty passwords.")
(using-pam?
(boolean #t)
"Whether to setup PAM entry.")
(using-setuid?
(boolean #t)
"Whether to setup program as setuid binary."))
(define-deprecated/public-alias (define (screen-locker-pam-services config)
screen-locker (match-record config <screen-locker-configuration>
screen-locker-configuration) (name allow-empty-password? using-pam?)
(if using-pam?
(define-deprecated/public-alias
screen-locker?
screen-locker-configuration?)
(define screen-locker-pam-services
(match-lambda
(($ <screen-locker-configuration> name _ empty?)
(list (unix-pam-service name (list (unix-pam-service name
#:allow-empty-passwords? empty?))))) #:allow-empty-passwords?
allow-empty-password?))
'())))
(define screen-locker-setuid-programs (define (screen-locker-setuid-programs config)
(compose list file-like->setuid-program screen-locker-configuration-program)) (match-record config <screen-locker-configuration>
(name program using-setuid?)
(if using-setuid?
(list (file-like->setuid-program program))
'())))
(define screen-locker-service-type (define screen-locker-service-type
(service-type (name 'screen-locker) (service-type (name 'screen-locker)
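Review bot: the replacement of the record type in the 703 hunk also drops the two `define-deprecated/public-alias` definitions of `screen-locker` and `screen-locker?` (left-hand lines), which removes public deprecated names that existing user configurations may still reference, yet the commit message's ChangeLog does not record this. Either keep the aliases next to the new `define-configuration/no-serialization` form (they can still point at `screen-locker-configuration` and `screen-locker-configuration?`) or mention the removal explicitly. Minor: in `screen-locker-setuid-programs` the `match-record` binds `name`, which is unused there; `(program using-setuid?)` suffices.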
@ -740,6 +751,9 @@ reboot_cmd " shepherd "/sbin/reboot\n"
the graphical server by making it setuid-root, so it can authenticate users, the graphical server by making it setuid-root, so it can authenticate users,
and by creating a PAM service for it."))) and by creating a PAM service for it.")))
(define (screen-locker-generate-doc)
(configuration->documentation 'screen-locker-configuration))
(define-deprecated (screen-locker-service package (define-deprecated (screen-locker-service package
#:optional #:optional
(program (package-name package)) (program (package-name package))
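Review bot: the service-type description kept as context at the top of the 740 hunk still says the locker is made "setuid-root, so it can authenticate users, and by creating a PAM service for it", which no longer matches the either/or behaviour that the texinfo text in this patch describes; update it to "and/or" the same way the @defvar text was. Also, `screen-locker-generate-doc` is added without an export (it is absent from the export hunk at line 112) and is not called anywhere in the patch, so it is an unused definition; a short comment stating that it is a developer helper for regenerating the manual text, or dropping it, would make the intent clear.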
@ -755,9 +769,10 @@ for it. For example:
makes the good ol' XlockMore usable." makes the good ol' XlockMore usable."
(service screen-locker-service-type (service screen-locker-service-type
(screen-locker-configuration program (screen-locker-configuration
(file-append package "/bin/" program) (name program)
allow-empty-passwords?))) (program (file-append package "/bin/" program))
(allow-empty-password? allow-empty-passwords?))))
;;; ;;;