From: Carlos Durán Domínguez <wurt@HIDDEN>
To: 65538 <at> debbugs.gnu.org
Subject: [bug#65538] [PATCH v2] services: greetd: Add pam-gnupg support.
Date: Fri, 25 Aug 2023 16:48:03 +0200
Message-ID: <20230825144806.6315-1-wurt@HIDDEN>

I retry to implement the pam-gnupg module for the greetd system service. It is a PAM module that hands over your login password to gpg-agent. I added the documentation and the insert-before procedure (maybe it needs a better name), to ensure that the pam-gnupg module will be loaded at the end.

* doc/guix.texi: documentation about #:gnupg? option on (greetd-configuration).
* gnu/services.scm (insert-before): new procedure.
* gnu/services/base.scm (greetd-configuration): new option #:gnupg?.
* gnu/services/pam-mount.scm: ensure that pam mount module goes before pam gnupg module.
* gnu/system/pam.scm (pam-gnupg-module?): new procedure and ensure that pam gnupg module is at the end of (unix-pam-service).
--- doc/guix.texi | 9 +++++++++ gnu/services.scm | 11 ++++++++++- gnu/services/base.scm | 28 ++++++++++++++++++---------- gnu/services/pam-mount.scm | 14 +++++++++----- gnu/system/pam.scm | 13 ++++++++++--- 5 files changed, 56 insertions(+), 19 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index e8c67b0cd8..1fe38bd971 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -119,6 +119,7 @@ Copyright @copyright{} 2023 Tanguy Le Carrour@* Copyright @copyright{} 2023 Zheng Junjie@* Copyright @copyright{} 2023 Brian Cully@* Copyright @copyright{} 2023 Felix Lechner@* +Copyright @copyright{} 2023 Carlos Durán Domínguez@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -19666,6 +19667,14 @@ A file-like object containing the ``message of the day''. Allow empty passwords by default so that first-time users can log in when the 'root' account has just been created. +@item @code{gnupg?} (default: @code{#f}) +If enabled, @code{pam-gnupg} will attempt to automatically unlock the +user's GPG keys with the login password via @code{gpg-agent}. The +keygrips of all keys to be unlocked should be written to +@file{~/.pam-gnupg}, and can be queried with @code{gpg -K +--with-keygrip}. Presetting passphrases must be enabled by adding +@code{allow-preset-passphrase} in @file{~/.gnupg/gpg-agent.conf}. + @item @code{terminals} (default: @code{'()}) List of @code{greetd-terminal-configuration} per terminal for which @code{greetd} should be started. diff --git a/gnu/services.scm b/gnu/services.scm index eb9258977e..118b8973ff 100644 --- a/gnu/services.scm +++ b/gnu/services.scm @@ -129,7 +129,8 @@ (define-module (gnu services) %boot-service %activation-service - etc-service) ; deprecated + etc-service ; deprecated + insert-before) #:re-export (;; Note: Re-export 'delete' to allow for proper syntax matching ;; in 'modify-services' forms. See ;; <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=26805#16>. 
@@ -1248,4 +1249,12 @@ (define-syntax-rule (for-home exp ...) (syntax-parameterize ((for-home? (identifier-syntax #t))) exp ...)) +(define (insert-before pred lst1 lst2) + "Return a list appending LST2 just before the first element on LST1 that + satisfy the predicate PRED." + (cond + ((null? lst1) lst2) + ((pred (car lst1)) (append lst2 lst1)) + (else (cons (car lst1) (insert-before pred (cdr lst1) lst2))))) + ;;; services.scm ends here. diff --git a/gnu/services/base.scm b/gnu/services/base.scm index b3f2d2e8b8..34aeb4f7d2 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -21,6 +21,7 @@ ;;; Copyright © 2022 Justin Veilleux <terramorpha@HIDDEN> ;;; Copyright © 2022 ( <paren@HIDDEN> ;;; Copyright © 2023 Bruno Victal <mirai@HIDDEN> +;;; Copyright © 2023 Carlos Durán Domínguez <wurt@HIDDEN> ;;; ;;; This file is part of GNU Guix. ;;; @@ -3227,6 +3228,7 @@ (define-record-type* <greetd-configuration> greetd-configuration? (motd greetd-motd (default %default-motd)) (allow-empty-passwords? greetd-allow-empty-passwords? (default #t)) + (gnupg? greetd-gnupg? (default #f)) (terminals greetd-terminals (default '())) (greeter-supplementary-groups greetd-greeter-supplementary-groups (default '()))) 
@@ -3266,25 +3268,31 @@ (define optional-pam-mount (module (file-append greetd-pam-mount "/lib/security/pam_mount.so")) (arguments '("disable_interactive")))) + (define (optional-pam-mount-transformer pam) + (if (member (pam-service-name pam) + '("login" "greetd" "su" "slim" "gdm-password")) + (pam-service + (inherit pam) + ;; SLiM could have pam-gnupg module, and pam-mount must be before it. + (auth (insert-before pam-gnupg-module? + (pam-service-auth pam) + (list optional-pam-mount))) + (session (insert-before pam-gnupg-module? + (pam-service-session pam) + (list optional-pam-mount)))) + pam)) (list (unix-pam-service "greetd" #:login-uid? #t #:allow-empty-passwords? (greetd-allow-empty-passwords? config) + #:gnupg? + (greetd-gnupg? config) #:motd (greetd-motd config)) (pam-extension (transformer - (lambda (pam) - (if (member (pam-service-name pam) - '("login" "greetd" "su" "slim" "gdm-password")) - (pam-service - (inherit pam) - (auth (append (pam-service-auth pam) - (list optional-pam-mount))) - (session (append (pam-service-session pam) - (list optional-pam-mount)))) - pam)))))) + optional-pam-mount-transformer)))) (define (greetd-shepherd-services config) (map diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm index b3a02e82e9..a7470e1fcb 100644 --- a/gnu/services/pam-mount.scm +++ b/gnu/services/pam-mount.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019 Guillaume Le Vaillant <glv@HIDDEN> ;;; Copyright © 2023 Brian Cully <bjc@HIDDEN> +;;; Copyright © 2023 Carlos Durán Domínguez <wurt@HIDDEN> ;;; ;;; This file is part of GNU Guix. ;;; @@ -94,7 +95,8 @@ (define (pam-mount-pam-service config) (define optional-pam-mount (pam-entry (control "optional") - (module (file-append pam-mount "/lib/security/pam_mount.so")))) + (module #~(string-append #$pam-mount "/lib/security/pam_mount.so")))) + (list (pam-extension (transformer 
@@ -103,10 +105,12 @@ (module (file-append pam-mount "/lib/security/pam_mount.so")))) '("login" "greetd" "su" "slim" "gdm-password" "sddm")) (pam-service (inherit pam) - (auth (append (pam-service-auth pam) - (list optional-pam-mount))) - (session (append (pam-service-session pam) - (list optional-pam-mount)))) + (auth (insert-before pam-gnupg-module? + (pam-service-auth pam) + (list optional-pam-mount))) + (session (insert-before pam-gnupg-module? + (pam-service-session pam) + (list optional-pam-mount)))) pam)))))) (define (extend-pam-mount-configuration initial extensions) diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index a035a92e25..445e45c5ef 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013-2017, 2019-2021 Ludovic Courtès <ludo@HIDDEN> ;;; Copyright © 2023 Josselin Poiret <dev@HIDDEN> +;;; Copyright © 2023 Carlos Durán Domínguez <wurt@HIDDEN> ;;; ;;; This file is part of GNU Guix. ;;; @@ -64,7 +65,9 @@ (define-module (gnu system pam) pam-extension-shepherd-requirements pam-root-service-type - pam-root-service)) + pam-root-service + + pam-gnupg-module?)) ;;; Commentary: ;;; @@ -264,12 +267,12 @@ (module "pam_motd.so") (control "required") (module "pam_loginuid.so"))) '()) + ,env ,unix ,@(if gnupg? (list (pam-entry (control "required") (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) - '()) - ,env ,unix)))))) + '()))))))) (define (rootok-pam-service command) "Return a PAM service for COMMAND such that 'root' does not need to @@ -454,4 +457,8 @@ (define* (pam-root-service base #:key (transformers '()) (shepherd-requirements (transformers transformers) (shepherd-requirements shepherd-requirements)))) +(define (pam-gnupg-module? name) + "Return `#t' if NAME is the path to the pam-gnupg module, `#f' otherwise." + (equal? (pam-entry-module name) + (file-append pam-gnupg "/lib/security/pam_gnupg.so"))) -- 2.41.0
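Review bot: The docstring of insert-before in the gnu/services.scm hunk does not cover the case its callers depend on. When no element of LST1 satisfies PRED, the ((null? lst1) lst2) clause ends up appending LST2 at the end, which is what keeps pam_mount in the stack when pam-gnupg is not configured. Please state that fallback in the docstring, change "satisfy" to "satisfies", and reconsider exporting a generic list helper from (gnu services) instead of placing it in a utility module.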
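Review bot: optional-pam-mount-transformer in the @@ -3266 hunk of gnu/services/base.scm duplicates the auth/session rewrite that the gnu/services/pam-mount.scm hunk also carries, so the ordering rule now has to be kept in sync in two places. The two service-name lists already differ: this one has no "sddm". The comment mentions only SLiM, although this same service passes #:gnupg? to unix-pam-service for "greetd", and it says pam-mount "must be before" pam-gnupg without giving the reason. Please state why the order matters and consider sharing one transformer between the two files.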
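Review bot: The @@ -94 hunk of gnu/services/pam-mount.scm replaces (file-append pam-mount "/lib/security/pam_mount.so") with #~(string-append #$pam-mount "/lib/security/pam_mount.so") in the module field. That change has nothing to do with ordering and is not mentioned in the commit log, and the greetd copy of the same entry in base.scm still uses file-append. Either drop it from this patch or explain it in the log. The added blank line after the entry can go as well.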
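Review bot: In the @@ -264 hunk of gnu/system/pam.scm the pam_gnupg.so entry moves behind ,env ,unix but keeps (control "required"), while the new text in doc/guix.texi describes the option as one that "will attempt" to unlock keys. With "required", any failure returned by the module fails the whole stack, so enabling gnupg? ties login to the module succeeding. Please confirm whether "optional" is what is intended, and add a comment here saying why the entry has to come last.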
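Review bot: pam-gnupg-module? in the last hunk of gnu/system/pam.scm names its parameter NAME and documents it as "the path to the pam-gnupg module", but the body calls (pam-entry-module name), so the argument is a pam-entry; please rename it and correct the docstring. The test also compares against a freshly built (file-append pam-gnupg "/lib/security/pam_gnupg.so") with equal?, so it depends on structural equality of an object wrapping a package. It will not match an entry built from another pam-gnupg variant, or one whose module is not a file-append at all, such as the #~(string-append ...) form introduced in the pam-mount.scm hunk. When the predicate misses, insert-before falls back to appending and pam-mount lands after pam-gnupg without any error, which is the ordering this patch is meant to prevent.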
From: Ludovic Courtès <ludo@HIDDEN>
To: Carlos Durán Domínguez <wurt@HIDDEN>
Subject: [bug#65538] [PATCH v2] services: greetd: Add pam-gnupg support.
Date: Thu, 05 Oct 2023 14:57:09 +0200
Message-ID: <87il7l6xcq.fsf@HIDDEN>
In-Reply-To: <20230825144806.6315-1-wurt@HIDDEN>

Hello,

Carlos Durán Domínguez <wurt@HIDDEN> skribis:

> I retry to implement the pam-gnupg module for the greetd system service. It is a PAM module that hands over your login password to gpg-agent. I added the documentation and the insert-before procedure (maybe it needs a better name), to ensure that the pam-gnupg module will be loaded at the end.
>
> * doc/guix.texi: documentation about #:gnupg? option on (greetd-configuration).
> * gnu/services.scm (insert-before): new procedure.
> * gnu/services/base.scm (greetd-configuration): new option #:gnupg?.
> * gnu/services/pam-mount.scm: ensure that pam mount module goes before pam gnupg module.
> * gnu/system/pam.scm (pam-gnupg-module?): new procedure and ensure that pam gnupg module is at the end of (unix-pam-service).

Nice work! A minor point: the commit log should normally list all changed/added/removed entities. You can use ‘git log’ to see examples, but the committer will tweak it for you if needed (no big deal).

[...]

> +@item @code{gnupg?} (default: @code{#f}) > +If enabled, @code{pam-gnupg} will attempt to automatically unlock the > +user's GPG keys with the login password via @code{gpg-agent}. The > +keygrips of all keys to be unlocked should be written to > +@file{~/.pam-gnupg}, and can be queried with @code{gpg -K > +--with-keygrip}. Presetting passphrases must be enabled by adding > +@code{allow-preset-passphrase} in @file{~/.gnupg/gpg-agent.conf}.

Perhaps you can add a cross-reference to the relevant part of the GnuPG manual? (With @pxref or similar.)

> +(define (insert-before pred lst1 lst2) > + "Return a list appending LST2 just before the first element on LST1 = that > + satisfy the predicate PRED." > + (cond > + ((null? lst1) lst2) > + ((pred (car lst1)) (append lst2 lst1)) > + (else (cons (car lst1) (insert-before pred (cdr lst1) lst2)))))

I’d rather have it in (guix utils). Also, please use ‘match’ and avoid car/cdr as per <https://guix.gnu.org/manual/devel/en/html_node/Data-Types-and-Pattern-Matching.html>.

> (pam-service > (inherit pam) > - (auth (append (pam-service-auth pam) > - (list optional-pam-mount))) > - (session (append (pam-service-session pam) > - (list optional-pam-mount)))) > + (auth (insert-before pam-gnupg-module? 
> + (pam-service-auth pam) > + (list optional-pam-mount))) > + (session (insert-before pam-gnupg-module? > + (pam-service-session pam) > + (list optional-pam-mount))))

Could you add a comment explaining why this ordering is important?

> +(define (pam-gnupg-module? name) > + "Return `#t' if NAME is the path to the pam-gnupg module, `#f' otherwi= se." > + (equal? (pam-entry-module name) > + (file-append pam-gnupg "/lib/security/pam_gnupg.so")))

<package> records in general cannot be compared with ‘equal?’, so the above procedure won’t work in the general case. (It wouldn’t work with custom variants of the ‘pam-gnupg’ package, too.)

Can you think of another way we could check whether a <pam-entry> corresponds to ‘pam-gnupg’?

Thanks,
Ludo’.