
branch core-updates updated: gnu: linux-pam: Change path to unix_chkpwd


From: guix-commits
Subject: branch core-updates updated: gnu: linux-pam: Change path to unix_chkpwd helper.
Date: Thu, 10 Feb 2022 17:41:03 -0500

This is an automated email from the git hooks/post-receive script.

civodul pushed a commit to branch core-updates
in repository guix.

The following commit(s) were added to refs/heads/core-updates by this push:
     new f172118ca4 gnu: linux-pam: Change path to unix_chkpwd helper.
f172118ca4 is described below

commit f172118ca43369af548af2d4edecb07890f917e8
Author: Andrew Tropin <andrew@trop.in>
AuthorDate: Sun Feb 6 08:16:54 2022 +0300

    gnu: linux-pam: Change path to unix_chkpwd helper.
    
    * gnu/packages/patches/linux-pam-unix_chkpwd.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
    * gnu/packages/linux.scm (linux-pam): Use it.
    * gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid.
    
    Co-authored-by: Ludovic Courtès <ludo@gnu.org>
---
 gnu/local.mk                                     |  1 +
 gnu/packages/linux.scm                           |  3 ++-
 gnu/packages/patches/linux-pam-unix_chkpwd.patch |  9 +++++++++
 gnu/system/pam.scm                               | 10 ++++++++--
 4 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index dceaa53145..59c1b21cd6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1433,6 +1433,7 @@ dist_patch_DATA =                                         \
   %D%/packages/patches/linux-libre-support-for-Pinebook-Pro.patch \
   %D%/packages/patches/linux-libre-arm64-generic-pinebook-lcd.patch \
   %D%/packages/patches/linux-pam-no-setfsuid.patch             \
+  %D%/packages/patches/linux-pam-unix_chkpwd.patch             \
   %D%/packages/patches/linuxdcpp-openssl-1.1.patch             \
   %D%/packages/patches/lirc-localstatedir.patch                        \
   %D%/packages/patches/lirc-reproducible-build.patch           \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 94eff5d5c8..c9e6ab12c2 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1596,7 +1596,8 @@ which need to be installed separately.")
        (sha256
         (base32
          "1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
-       (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+       (patches (search-patches "linux-pam-unix_chkpwd.patch"
+                                "linux-pam-no-setfsuid.patch"))))
 
     (build-system gnu-build-system)
     (native-inputs
diff --git a/gnu/packages/patches/linux-pam-unix_chkpwd.patch b/gnu/packages/patches/linux-pam-unix_chkpwd.patch
new file mode 100644
index 0000000000..0e865ff18c
--- /dev/null
+++ b/gnu/packages/patches/linux-pam-unix_chkpwd.patch
@@ -0,0 +1,9 @@
+unix_chkpwd is designed to have a suid bit, but it's not possible to set it
+for files in the store.  This patch tells unix_pam.so to look for
+unix_chkpwd in setuid program directory on Guix System.
+
+--- a/modules/pam_unix/Makefile.in
++++ b/modules/pam_unix/Makefile.in
+@@ -651,1 +651,1 @@
+-      -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
++      -DCHKPWD_HELPER=\"/run/setuid-programs/unix_chkpwd\" \
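Review bot: The explanatory header of the new patch file names the module `unix_pam.so`, but the file it patches is under `modules/pam_unix`, so the text should read `pam_unix.so`. The header should also say that the hard-coded `/run/setuid-programs/unix_chkpwd` has to match the directory where Guix System installs setuid programs, since nothing in the build ties the two together. Because the module now executes a helper that lives outside the store, it relies on that directory being writable by root only; one sentence recording this trust assumption would help later reviewers. Outside Guix System the path is presumably absent, so the header could note that the helper will not be found there.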
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..b635681642 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -21,6 +21,7 @@
   #:use-module (guix derivations)
   #:use-module (guix gexp)
   #:use-module (gnu services)
+  #:use-module (gnu system setuid)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
@@ -375,8 +376,13 @@ strings or string-valued gexps."
 
 (define pam-root-service-type
   (service-type (name 'pam)
-                (extensions (list (service-extension etc-service-type
-                                                     /etc-entry)))
+                (extensions
+                 (list (service-extension
+                        setuid-program-service-type
+                        (lambda (_)
+                          (list (file-like->setuid-program
+                                 (file-append linux-pam "/sbin/unix_chkpwd")))))
+                       (service-extension etc-service-type /etc-entry)))
 
                 ;; Arguments include <pam-service> as well as procedures.
                 (compose concatenate)
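Review bot: The new `setuid-program-service-type` extension adds a setuid-root binary to every system that includes the PAM root service, yet carries no comment saying why. I would put `;; pam_unix.so runs this helper to verify passwords for non-root callers; it must be setuid root, and its path is fixed by linux-pam-unix_chkpwd.patch.` above the `service-extension` form, so the link between the service and the patched path is visible from here. The helper is taken from the `linux-pam` variable while the module that calls it may come from whichever PAM package a service references, so it is worth confirming that the two cannot drift apart. The hunks do not show where `linux-pam` is bound in this module; check that it is imported. The `service-type` form continues past the end of the hunk.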


