
[bug#53468] [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.


From: Andrew Tropin
Subject: [bug#53468] [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper.
Date: Sun, 23 Jan 2022 17:08:43 +0300

Attaching a second version of the patch; it adds the missing import and
lambda.

From ad876e5b134072601fa97d82a39b320a269f34a5 Mon Sep 17 00:00:00 2001
From: Andrew Tropin <andrew@trop.in>
Date: Thu, 13 Jan 2022 21:41:58 +0300
Subject: [RFC PATCH v2] gnu: linux-pam: Change path to unix_chkpwd helper.

* gnu/packages/patches/change-path-to-unix_chkpwd.patch: New file
* gnu/packages/linux.scm (linux-pam): Add patch.
* gnu/system/pam.scm (pam-root-service-type): Add unix_chkpwd to setuid
binaries.
---
 gnu/packages/linux.scm                        |  3 +-
 .../patches/change-path-to-unix_chkpwd.patch  | 54 +++++++++++++++++++
 gnu/system/pam.scm                            | 10 +++-
 3 files changed, 64 insertions(+), 3 deletions(-)
 create mode 100644 gnu/packages/patches/change-path-to-unix_chkpwd.patch

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 7b12cb8ec1..ee0df3c625 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1590,7 +1590,8 @@ (define-public linux-pam
        (sha256
         (base32
          "1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
-       (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+       (patches (search-patches "change-path-to-unix_chkpwd.patch"
+                                "linux-pam-no-setfsuid.patch"))))
 
     (build-system gnu-build-system)
     (native-inputs
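Review bot: The new patch name `change-path-to-unix_chkpwd.patch` does not follow the convention the sibling entry on the same line shows (`linux-pam-no-setfsuid.patch`), where the package name prefixes the file; a name such as `linux-pam-unix-chkpwd-path.patch` would keep the patches directory browsable by package. The diffstat lists only three files, so the new patch does not appear to be registered in gnu/local.mk, which new patch files normally need so that they are shipped with the source distribution. The enclosing linux-pam package definition starts before and continues after this hunk.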
diff --git a/gnu/packages/patches/change-path-to-unix_chkpwd.patch 
b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
new file mode 100644
index 0000000000..90a8b639f6
--- /dev/null
+++ b/gnu/packages/patches/change-path-to-unix_chkpwd.patch
@@ -0,0 +1,54 @@
+From f314ab148b488e23a2e48e7222964e46d0d03447 Mon Sep 17 00:00:00 2001
+From: Andrew Tropin <andrew@trop.in>
+Date: Wed, 12 Jan 2022 17:17:42 +0300
+Subject: [PATCH] Change path to unix_chkpwd.
+
+---
+ modules/pam_unix/pam_unix_acct.c | 4 ++--
+ modules/pam_unix/support.c       | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c 
b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0..2fdec6c7 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -122,12 +122,12 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned 
long long ctrl,
+     }
+ 
+     /* exec binary helper */
+-    args[0] = CHKPWD_HELPER;
++    args[0] = "/run/setuid-programs/unix_chkpwd";
+     args[1] = user;
+     args[2] = "chkexpiry";
+ 
+     DIAG_PUSH_IGNORE_CAST_QUAL;
+-    execve(CHKPWD_HELPER, (char *const *) args, envp);
++    execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+     DIAG_POP_IGNORE_CAST_QUAL;
+ 
+     pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 27ca7127..d02f394e 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -523,7 +523,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, 
const char *passwd,
+       }
+ 
+       /* exec binary helper */
+-      args[0] = CHKPWD_HELPER;
++      args[0] = "/run/setuid-programs/unix_chkpwd";
+       args[1] = user;
+       if (off(UNIX__NONULL, ctrl)) {  /* this means we've succeeded */
+         args[2]="nullok";
+@@ -532,7 +532,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, 
const char *passwd,
+       }
+ 
+       DIAG_PUSH_IGNORE_CAST_QUAL;
+-      execve(CHKPWD_HELPER, (char *const *) args, envp);
++      execve("/run/setuid-programs/unix_chkpwd", (char *const *) args, envp);
+       DIAG_POP_IGNORE_CAST_QUAL;
+ 
+       /* should not get here: exit with error */
+-- 
+2.34.0
+
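Review bot: The helper path is spelled out as a literal four times across pam_unix_acct.c and support.c (the `args[0]` assignment and the `execve` call in each file), which invites the two call sites drifting apart; since both functions already take the path from `CHKPWD_HELPER`, redefining that macro once for the Guix build (for instance a single `#define CHKPWD_HELPER "/run/setuid-programs/unix_chkpwd"` or the equivalent compile flag, if the build defines it that way) would give the same behaviour with no source edits to keep in sync. It is also worth stating in the patch header that the fixed path only resolves on systems where the setuid-program service actually installs unix_chkpwd there; elsewhere `execve` fails and the unchanged context shows the module logging `helper binary execve failed`, so verification fails closed rather than falling back to the store copy. Both patched functions, `_unix_run_verify_binary` and `_unix_run_helper_binary`, start and end outside the hunks.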
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 2574e019f1..b635681642 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -21,6 +21,7 @@ (define-module (gnu system pam)
   #:use-module (guix derivations)
   #:use-module (guix gexp)
   #:use-module (gnu services)
+  #:use-module (gnu system setuid)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
@@ -375,8 +376,13 @@ (define (extend-configuration initial extensions)
 
 (define pam-root-service-type
   (service-type (name 'pam)
-                (extensions (list (service-extension etc-service-type
-                                                     /etc-entry)))
+                (extensions
+                 (list (service-extension
+                        setuid-program-service-type
+                        (lambda (_)
+                          (list (file-like->setuid-program
+                                 (file-append linux-pam 
"/sbin/unix_chkpwd")))))
+                       (service-extension etc-service-type /etc-entry)))
 
                 ;; Arguments include <pam-service> as well as procedures.
                 (compose concatenate)
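Review bot: The new setuid-program extension carries no comment, although the surrounding definition annotates its other fields (`;; Arguments include <pam-service> as well as procedures.`), so a reader of pam.scm cannot see why a setuid-root binary is registered unconditionally for every system using this service type. A comment above the `service-extension` along the lines of `;; pam_unix is patched to exec unix_chkpwd from /run/setuid-programs; install it setuid root so unprivileged PAM clients can verify passwords.` would record the link to the linux-pam patch. It would also be worth confirming that `linux-pam` is bound in this module: the first hunk only adds `(gnu system setuid)`, and the rest of the define-module form is outside the diff. The `pam-root-service-type` definition continues past the hunk.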
-- 
2.34.0


Reconfigured my system with the patch above.

I tested it with swaylock built with PAM support:

--8<---------------cut here---------------start------------->8---
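;; swaylock built against linux-pam, used here to exercise the unix_chkpwd
;; change: its PAM service verifies the password through pam_unix, which
;; execs the setuid helper.  The stray ";" the list archive printed after
;; each URL string has been dropped: in Scheme it would comment out the
;; closing parenthesis and unbalance the form.
(define-public swaylock
  (package
    (name "swaylock")
    (version "1.6")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/swaywm/swaylock")
             (commit "5150d3869cd801cb2badb3c645fa41c01bbfbbbf")))
       (file-name (git-file-name name version))
       (sha256
        (base32 "16n389w5hx8f8dqnhzjgimxmaw648cnnmifazx6zwx2v5vhxa38r"))))
    (build-system meson-build-system)
    ;; linux-pam is listed as an input so the build picks up PAM support.
    (inputs (list cairo gdk-pixbuf libxkbcommon linux-pam wayland))
    (native-inputs (list pango pkg-config scdoc wayland-protocols))
    (home-page "https://github.com/swaywm/sway")
    (synopsis "Screen locking utility for Wayland compositors")
    (description "Swaylock is a screen locking utility for Wayland 
compositors.")
    (license license:expat)))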
--8<---------------cut here---------------end--------------->8---

and the following system service:
--8<---------------cut here---------------start------------->8---
;; Register a PAM service named "swaylock", built by unix-pam-service,
;; with pam-root-service-type.
(simple-service 'sway-add-swaylock-pam pam-root-service-type
                (list (unix-pam-service "swaylock")))
--8<---------------cut here---------------end--------------->8---

I'll make a separate patch for swaylock once this ticket is resolved.

-- 
Best regards,
Andrew Tropin

Attachment: signature.asc
Description: PGP signature

