GNU bug report logs - #33916
[PATCH 0/4] Make GDM usable


Package: guix-patches;

Reported by: Timothy Sample <samplet <at> ngyro.com>

Date: Sun, 30 Dec 2018 02:38:02 UTC

Severity: normal

Tags: patch

Done: Danny Milosavljevic <dannym <at> scratchpost.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 33916 in the body.
You can then email your comments to 33916 AT debbugs.gnu.org in the normal way.



Report forwarded to guix-patches <at> gnu.org:
bug#33916; Package guix-patches. (Sun, 30 Dec 2018 02:38:02 GMT)

Acknowledgement sent to Timothy Sample <samplet <at> ngyro.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 30 Dec 2018 02:38:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Timothy Sample <samplet <at> ngyro.com>
To: guix-patches <at> gnu.org
Subject: [PATCH 0/4] Make GDM usable
Date: Sat, 29 Dec 2018 21:37:29 -0500
Hi Guix,

This patch series tweaks a few things in the GDM package and service so
that it kinda works.  That is to say, I have started using it as my DM,
and I have not pulled all of my hair out yet.  :)

I will start a different thread on guix-devel about what problems there
are and what is left to be done.  These patches are simple, and I want
to avoid complicating their review with open-ended questions.

The only tricky patch is the third one that deletes the “allow-root?”
configuration option.  When set, this option allows logging in to any
account *without* a password.  I don't think that was the intention, and
I don't think that feature is useful, so I removed it.  I couldn’t find
a similar setup in the example PAM config files shipped with GDM,
either.  My guess is that the option was intended to allow or disallow
root logins, but that is definitely not what it does.


-- Tim




Information forwarded to guix-patches <at> gnu.org:
bug#33916; Package guix-patches. (Sun, 30 Dec 2018 02:43:01 GMT)

Message #8 received at 33916 <at> debbugs.gnu.org:

From: Timothy Sample <samplet <at> ngyro.com>
To: 33916 <at> debbugs.gnu.org
Cc: Timothy Sample <samplet <at> ngyro.com>
Subject: [PATCH 1/4] gnu: gdm: Pass XDG_DATA_DIRS into session environment.
Date: Sat, 29 Dec 2018 21:42:01 -0500
* gnu/packages/gnome.scm (gdm)[arguments]: Update the pre-configure
phase so that GDM preserves the XDG_DATA_DIRS variable when setting up
the session environment.
---
 gnu/packages/gnome.scm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 415398eee..da12a2987 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -32,6 +32,7 @@
 ;;; Copyright © 2018 Jovany Leandro G.C <bit4bit <at> riseup.net>
 ;;; Copyright © 2018 Vasile Dumitrascu <va511e <at> yahoo.com>
 ;;; Copyright © 2018 Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
+;;; Copyright © 2018 Timothy Sample <samplet <at> ngyro.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -5399,6 +5400,11 @@ libxml2.")
                 ;; are met (provided GNOME is installed of course).
                 "gdm_session_set_environment_variable (self, \"XDG_CONFIG_DIRS\",\n"
                 "    \"/run/current-system/profile/etc/xdg\");\n"
+                ;; The session bus (which GDM will initialize from the this
+                ;; session environment) needs to know where to find the system
+                ;; service files.
+                "gdm_session_set_environment_variable (self, \"XDG_DATA_DIRS\",\n"
+                "    \"/run/current-system/profile/share\");\n"
                 )))
             ;; Look for custom GDM conf in /run/current-system.
             (substitute* '("common/gdm-settings-desktop-backend.c")
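Review bot: the log says GDM "preserves" XDG_DATA_DIRS, but the added gdm_session_set_environment_variable call assigns the fixed value "/run/current-system/profile/share", the same way the XDG_CONFIG_DIRS call above it does; reword the log to say the variable is set, and say in the comment that only the system profile's share directory ends up on the list. The new comment also has a doubled article ("from the this session environment").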
-- 
2.20.1





Information forwarded to guix-patches <at> gnu.org:
bug#33916; Package guix-patches. (Sun, 30 Dec 2018 02:43:02 GMT)

Message #11 received at 33916 <at> debbugs.gnu.org:

From: Timothy Sample <samplet <at> ngyro.com>
To: 33916 <at> debbugs.gnu.org
Cc: Timothy Sample <samplet <at> ngyro.com>
Subject: [PATCH 2/4] gnu: gdm: Change locale settings file.
Date: Sat, 29 Dec 2018 21:42:02 -0500
* gnu/packages/gnome.scm (gdm)[arguments]: Set the '--with-lang-file'
configure flag to '/etc/environment'.
---
 gnu/packages/gnome.scm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index da12a2987..5fec15b5d 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -5338,6 +5338,10 @@ libxml2.")
          ;; script. It provides a generic one if --enable-gdm-xsession is set.
          "--enable-gdm-xsession"
 
+         ;; Use '/etc/environment' for locale settings instead of the
+         ;; systemd-specific '/etc/locale.conf'.
+         "--with-lang-file=/etc/environment"
+
          "--localstatedir=/var"
          ,(string-append "--with-default-path="
                          (string-join '("/run/setuid-programs"
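Review bot: the comment above "--with-lang-file=/etc/environment" names the file being replaced but not what GDM is expected to read from the new one; add a line naming the locale variables the file has to define, since '/etc/environment' is a general-purpose environment file rather than a locale-only one like '/etc/locale.conf'.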
-- 
2.20.1





Information forwarded to guix-patches <at> gnu.org:
bug#33916; Package guix-patches. (Sun, 30 Dec 2018 02:43:02 GMT)

Message #14 received at 33916 <at> debbugs.gnu.org:

From: Timothy Sample <samplet <at> ngyro.com>
To: 33916 <at> debbugs.gnu.org
Cc: Timothy Sample <samplet <at> ngyro.com>
Subject: [PATCH 3/4] services: gdm: Remove 'allow-root?' option.
Date: Sat, 29 Dec 2018 21:42:03 -0500
This option results in allowing all login attempts without asking for
credentials.  The name is confusing, but rather than rename it, we will
remove it, since it seems like a feature that no one would want.

* gnu/services/xorg.scm (<gdm-configuration>): Remove 'allow-root?'.
(gdm-pam-service): Do not use 'gdm-configuration-allow-root?'.
---
 gnu/services/xorg.scm | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index ea8433af3..48aa8f68c 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2017 Andy Wingo <wingo <at> igalia.com>
 ;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo <at> gnu.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong <at> gmail.com>
+;;; Copyright © 2018 Timothy Sample <samplet <at> ngyro.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -625,7 +626,6 @@ makes the good ol' XlockMore usable."
   gdm-configuration?
   (gdm gdm-configuration-gdm (default gdm))
   (allow-empty-passwords? gdm-configuration-allow-empty-passwords? (default #t))
-  (allow-root? gdm-configuration-allow-root? (default #t))
   (auto-login? gdm-configuration-auto-login? (default #f))
   (default-user gdm-configuration-default-user (default #f))
   (x-server gdm-configuration-x-server))
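Review bot: deleting the 'allow-root?' field from the record makes any existing configuration that sets it fail to build, and the diffstat shows only gnu/services/xorg.scm changed; if the option is described in the manual, that entry should go in the same commit, and the log should tell users to drop the field. The 'allow-empty-passwords?' field on the line above still defaults to #t, which deserves a second look in a change motivated by passwordless logins.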
@@ -680,10 +680,9 @@ makes the good ol' XlockMore usable."
     (auth (list (pam-entry
                  (control "required")
                  (module "pam_permit.so")))))
-   (unix-pam-service
-    "gdm-password"
-    #:allow-empty-passwords? (gdm-configuration-allow-empty-passwords? config)
-    #:allow-root? (gdm-configuration-allow-root? config))))
+   (unix-pam-service "gdm-password"
+                     #:allow-empty-passwords?
+                     (gdm-configuration-allow-empty-passwords? config))))
 
 (define (gdm-shepherd-service config)
   (list (shepherd-service
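Review bot: the new unix-pam-service call omits #:allow-root? and therefore takes that keyword's default, which is not visible in this diff; if the default is true, the generated "gdm-password" stack is unchanged, so either pass "#:allow-root? #f" explicitly or state the default in the log. The context lines just above also show an auth entry with control "required" and module "pam_permit.so"; a comment naming the PAM service it belongs to and why it needs no credentials would help the next reader.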
-- 
2.20.1





Information forwarded to guix-patches <at> gnu.org:
bug#33916; Package guix-patches. (Sun, 30 Dec 2018 02:43:03 GMT)

Message #17 received at 33916 <at> debbugs.gnu.org:

From: Timothy Sample <samplet <at> ngyro.com>
To: 33916 <at> debbugs.gnu.org
Cc: Timothy Sample <samplet <at> ngyro.com>
Subject: [PATCH 4/4] services: gdm: Enable auto-start.
Date: Sat, 29 Dec 2018 21:42:04 -0500
GDM is now reliable enough to run automatically.

* gnu/services/xorg.scm (gdm-shepherd-service): Do not set 'auto-start?'
to '#f'.
---
 gnu/services/xorg.scm | 2 --
 1 file changed, 2 deletions(-)

diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 48aa8f68c..b3c24746d 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -689,8 +689,6 @@ makes the good ol' XlockMore usable."
          (documentation "Xorg display server (GDM)")
          (provision '(xorg-server))
          (requirement '(dbus-system user-processes host-name udev))
-         ;; While this service isn't working properly, turn off auto-start.
-         (auto-start? #f)
          (start #~(lambda ()
                     (fork+exec-command
                      (list #$(file-append (gdm-configuration-gdm config)
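Review bot: with "(auto-start? #f)" removed, every system that already lists this service starts GDM at boot once it is reconfigured, and the log only says GDM is "reliable enough"; state the behaviour change in the log so users who relied on starting it by hand are not surprised. Since the service provisions 'xorg-server, it is also worth saying how this interacts with another display manager service using the same provision.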
-- 
2.20.1





Reply sent to Danny Milosavljevic <dannym <at> scratchpost.org>:
You have taken responsibility. (Sun, 30 Dec 2018 09:31:01 GMT)

Notification sent to Timothy Sample <samplet <at> ngyro.com>:
bug acknowledged by developer. (Sun, 30 Dec 2018 09:31:02 GMT)

Message #22 received at 33916-done <at> debbugs.gnu.org:

From: Danny Milosavljevic <dannym <at> scratchpost.org>
To: Timothy Sample <samplet <at> ngyro.com>
Cc: 33916-done <at> debbugs.gnu.org
Subject: Re: [bug#33916] [PATCH 0/4] Make GDM usable
Date: Sun, 30 Dec 2018 10:30:46 +0100
Hi Timothy,

thanks!

I've pushed this series to master as:

92deb5cc920fcc7617302986180f1abee5fd2b26
89c8656200a21485fd50fe4d277792d7d56c63e0
de409e82261eb147b6614aef8731d795ca664ef0
48c8d067d4ded776939cda6f9c63c25b38ba77fc

I've taken a look at gnu/system/pam.scm where unix-pam-service is defined,
and it just does "auth sufficient pam_rootok.so".  This means that root
will be allowed to log in without password (which is what is documented
there, too).

But how come it (or gdm) then allows any user?

Fedora does it differently:

See https://fedoraproject.org/wiki/Enabling_Root_User_For_GNOME_Display_Manager

> auth required pam_succeed_if.so user != root quiet

Information forwarded to guix-patches <at> gnu.org:
bug#33916; Package guix-patches. (Sun, 30 Dec 2018 14:43:01 GMT)

Message #25 received at 33916-done <at> debbugs.gnu.org:

From: Timothy Sample <samplet <at> ngyro.com>
To: Danny Milosavljevic <dannym <at> scratchpost.org>
Cc: 33916-done <at> debbugs.gnu.org
Subject: Re: [bug#33916] [PATCH 0/4] Make GDM usable
Date: Sun, 30 Dec 2018 09:42:23 -0500
Hi Danny,

Danny Milosavljevic <dannym <at> scratchpost.org> writes:

> Hi Timothy,
>
> thanks!
>
> I've pushed this series to master as:
>
> 92deb5cc920fcc7617302986180f1abee5fd2b26
> 89c8656200a21485fd50fe4d277792d7d56c63e0
> de409e82261eb147b6614aef8731d795ca664ef0
> 48c8d067d4ded776939cda6f9c63c25b38ba77fc

Thank you!

> I've taken a look at gnu/system/pam.scm where unix-pam-service is defined,
> and it just does "auth sufficient pam_rootok.so".  This means that root
> will be allowed to log in without password (which is what is documented
> there, too).
>
> But how come it (or gdm) then allows any user?

More specifically, it means that root is authorized to perform whatever
action PAM is being asked about without providing a password.  In this
case, “root” is GDM itself, and the action is “log in as so-and-so”.
Hence, PAM says, “sure thing, root, log in as whoever you like!”

The part I’m not certain about is why GDM is running as root.  My
current understanding is that it is running with effective UID gdm and
real UID root.  I remember reading in the docs that “pam_rootok.so” only
cares about real UID [1].

> Fedora does it differently:
>
> See https://fedoraproject.org/wiki/Enabling_Root_User_For_GNOME_Display_Manager
>
>> auth required pam_succeed_if.so user != root quiet

That looks better.  That would be easy to add if people find it useful.
(I wouldn’t bother with it, but if Fedora does it, then it must be
popular enough.)


[1] http://www.linux-pam.org/Linux-PAM-html/sag-pam_rootok.html


-- Tim
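
The behaviour discussed in this thread, as an added example that is not part of any message here and is not Guix or Linux-PAM code: a toy model of an "auth" stack showing why "auth sufficient pam_rootok.so" lets a caller whose real UID is 0 log in as any account, and how the stack behaves without it or with the Fedora-style pam_succeed_if line. Module behaviour is simplified to one boolean each, and the users, passwords and stack names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    caller_real_uid: int        # real UID of the process calling PAM (the display manager)
    target_user: str            # account the caller asks to log in as
    password: Optional[str]     # what was typed at the greeter, if anything

# Constructed sample accounts (plain text only to keep the model short).
PASSWORDS = {"root": "r00t-secret", "alice": "correct horse"}

def pam_rootok(req):
    # Decides on the *caller*, never on the target user.
    return req.caller_real_uid == 0

def pam_unix(req):
    return req.password is not None and PASSWORDS.get(req.target_user) == req.password

def pam_succeed_if_not_root(req):
    # Models "pam_succeed_if.so user != root quiet".
    return req.target_user != "root"

def authenticate(stack, req):
    """Evaluate (control, module) pairs with 'required' / 'sufficient' semantics."""
    required_ok = required_failed = False
    for control, module in stack:
        ok = module(req)
        if control == "sufficient":
            if ok and not required_failed:
                return True            # short-circuit: later modules never run
        elif control == "required":
            if ok:
                required_ok = True
            else:
                required_failed = True # keep going, but the outcome is failure
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return required_ok and not required_failed

# Stack with the rootok line, the stack without it, and the Fedora-style variant.
WITH_ROOTOK = [("sufficient", pam_rootok), ("required", pam_unix)]
WITHOUT_ROOTOK = [("required", pam_unix)]
FEDORA_STYLE = [("required", pam_succeed_if_not_root), ("required", pam_unix)]

if __name__ == "__main__":
    greeter = Request(caller_real_uid=0, target_user="alice", password=None)
    for name, stack in [("with rootok", WITH_ROOTOK), ("without rootok", WITHOUT_ROOTOK)]:
        print(name, "->", "login allowed" if authenticate(stack, greeter) else "login denied")
```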




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 28 Jan 2019 12:24:04 GMT)

This bug report was last modified 5 years and 89 days ago.
