GNU logs - #51785, boring messages

Message sent to guix-patches@HIDDEN:

Subject: [bug#51785] pam-gnupg
Resent-From: Nicolas Graves <ngraves@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Fri, 12 Nov 2021 09:17:01 +0000
Resent-Message-ID: <handler.51785.B.163670857821786 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: 51785 <at> debbugs.gnu.org
User-agent: mu4e 1.6.9; emacs 28.0.50
From: Nicolas Graves <ngraves@HIDDEN>
Date: Fri, 12 Nov 2021 08:45:09 +0100
Message-ID: <87czn53ijd.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Received-SPF: pass client-ip=178.33.111.247; envelope-from=ngraves@HIDDEN;
 helo=4.mo583.mail-out.ovh.net
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001,
 RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Mailman-Approved-At: Fri, 12 Nov 2021 04:16:15 -0500
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

--=-=-=
Content-Type: text/plain


Hi !

I'm still discovering / experimenting with guix thanks to the videos of
David Wilson. Sorry if it's not the appropriate place to discuss this.

I'm trying to add pam-gnupg without having a graphical login manager.
I figured out it should really be as simple as the few lines I added in
the attached patch, since the feature has already been implemented for a
few graphical login managers.

It has been done here : https://issues.guix.gnu.org/47364

So I'm trying to test the patch, have downloaded guix source code, added
it in a new branch, updated my channels, used guix shell for setting the
environment, but now I get the following error when I try to pull to
test my version :

guix pull: erreur : Erreur Git : cannot locate remote-tracking branch
'origin/keyring'

The patch is straightforward, might not need much testing, but if
needed, I would be glad to received some smart advice :)

Thanks in advance, thanks for the outstanding work on Guix !

Nicolas


--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment;
 filename=0001-Adding-gnupg-to-pam-login-service.patch

From d8d3d8d7614d443dea805b46589f9b16f8558de2 Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@HIDDEN>
Date: Fri, 12 Nov 2021 00:39:13 +0100
Subject: [PATCH] Adding gnupg to pam-login-service.

---
 gnu/services/base.scm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 50865055fe..887213c52e 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -743,7 +743,9 @@ (define-record-type* <login-configuration>
   ;; Allow empty passwords by default so that first-time users can log in when
   ;; the 'root' account has just been created.
   (allow-empty-passwords? login-configuration-allow-empty-passwords?
-                          (default #t)))               ;Boolean
+                          (default #t)) ;Boolean
+  (gnupg? login-configuration-gnupg?
+          (default #f))) ;Boolean
 
 (define (login-pam-service config)
   "Return the list of PAM service needed for CONF."
@@ -753,7 +755,8 @@ (define (login-pam-service config)
                           #:allow-empty-passwords?
                           (login-configuration-allow-empty-passwords? config)
                           #:motd
-                          (login-configuration-motd config))))
+                          (login-configuration-motd config)
+                          #:gnupg? (login-configuration-gnupg? config))))
 
 (define login-service-type
   (service-type (name 'login)
-- 
2.33.1


--=-=-=--

Message sent:

Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Nicolas Graves <ngraves@HIDDEN>
Subject: bug#51785: Acknowledgement (pam-gnupg)
Message-ID: <handler.51785.B.163670857821786.ack <at> debbugs.gnu.org>
References: <87czn53ijd.fsf@HIDDEN>
X-Gnu-PR-Message: ack 51785
X-Gnu-PR-Package: guix-patches
Reply-To: 51785 <at> debbugs.gnu.org
Date: Fri, 12 Nov 2021 09:17:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 guix-patches@HIDDEN

If you wish to submit further information on this problem, please
send it to 51785 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

--=20
51785: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D51785
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems

Message sent to guix-patches@HIDDEN:

Subject: [bug#51785] pam-gnupg
Resent-From: Tobias Geerinckx-Rice <me@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Fri, 12 Nov 2021 12:53:02 +0000
Resent-Message-ID: <handler.51785.B51785.163672152828587 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: Nicolas Graves <ngraves@HIDDEN>
Cc: 51785 <at> debbugs.gnu.org
MIME-Version: 1.0
Date: Fri, 12 Nov 2021 13:51:59 +0100
From: Tobias Geerinckx-Rice <me@HIDDEN>
In-Reply-To: <87czn53ijd.fsf@HIDDEN>
References: <87czn53ijd.fsf@HIDDEN>
Message-ID: <35313aaf61a42f0c333cab6b300e6bc0@HIDDEN>
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Precedence: list
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>

Nicolas,

On 2021-11-12 8:45, Nicolas Graves via Guix-patches via wrote:
> So I'm trying to test the patch, have downloaded guix source code, 
> added
> it in a new branch, updated my channels, used guix shell for setting 
> the
> environment, but now I get the following error when I try to pull to
> test my version :
> 
> guix pull: erreur : Erreur Git : cannot locate remote-tracking branch
> 'origin/keyring'

Guix authentication code expects a local 'keyring' branch, similar to 
how you currently have a local 'master' branch tracking the upstream 
'master' branch (which by default is called 'origin/master').

If you haven't changed the default 'origin' name you should be able to 
simply

   $ git checkout origin/keyring # creates local tracking branch as side 
effect
   $ git checkout master # to 'switch back'

and be on your merry way.  Replace 'origin/' if you have.

(This is from memory; apologies for possible typos/thinkos.)

Kind regards,

T G-R

Sent from a Web browser.  Excuse or enjoy my brevity.

Message sent to guix-patches@HIDDEN:

Subject: [bug#51785] pam-gnupg
References: <87czn53ijd.fsf@HIDDEN>
In-Reply-To: <87czn53ijd.fsf@HIDDEN>
Resent-From: Nicolas Graves <ngraves@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Sat, 13 Nov 2021 22:50:02 +0000
Resent-Message-ID: <handler.51785.B51785.163684376222017 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: 51785 <at> debbugs.gnu.org
Cc: Josselin Poiret <dev@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>
User-agent: mu4e 1.6.9; emacs 28.0.50
From: Nicolas Graves <ngraves@HIDDEN>
Date: Sat, 13 Nov 2021 21:11:58 +0100
Message-ID: <87tugfdax1.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Precedence: list
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>

--=-=-=
Content-Type: text/plain


Thanks for your answers Josselin and Tobias,

(For the record, I just pinned all the commits from other channels in my
channels.scm and pulled guix with guix pull --allow-downgrades
--disable-authentication)

I finally managed to get the pam module to work but it eventually raised
more questions than expected.

Basically now the module starts well, but my shepherd service gpg-agent
doesn't (I guess because pam starts it, and that shepherd can't take
over). It's fine for the purpose I was installing pam-gnupg for (having
direct access to password-store passwords after login), but hinders the
rest of related activities (e.g. signing commits).

Above this question, I was wondering about the order of pam-modules
startup. A look at the manual pages and the examples for modules show a
clear hierarchy for at least a few modules (pam_unix > pam_loginuid >
pam_elogind > pam_gnupg for instance), which is not respected in guix's
implementation (pam_elogind > pam_loginuid > pam_gnupg > pam_unix).

Although it seems to work, is it normal / purposeful / without
consequences ?

If no, as a solution, maybe implementing a hierarchy might help. For
instance, something like :
1) Base modules (pam_unix, pam_env, pam_loginuid)
2) Modules added elsewhere with pam-root-service (pam_elogind, graphical
login managers modules)
3) Other modules (pam_gnupg, pam_motd...)

The last question I have is about the configuration of pam_gnupg. On the
official repo (https://github.com/cruegge/pam-gnupg), it seems that
there is a recommended configuration (e.g. setting the priority as
optional), which is once again not respected in the actual
configuration. I did add the few lines to address this (but is there a
reason why that is not the case ?)

I'm willing to help make these changes if useful and on the right track,
but I don't have much experience with guile.
Cheers,

Nicolas



--=-=-=
Content-Type: text/x-patch; charset=utf-8
Content-Disposition: inline;
 filename=0001-PATCH-gnu-add-pam-gnupg-to-login-service.patch
Content-Transfer-Encoding: quoted-printable
Content-Description: pam-gnupg-1

From dce83f5aeb2e7468a3d457f3d59c8851ac11a897 Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@HIDDEN>
Date: Sat, 13 Nov 2021 13:11:54 +0100
Subject: [PATCH 1/3] [PATCH] gnu : add pam-gnupg to login service

---
 gnu/services/base.scm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 50865055fe..b95fd9a4ff 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -16,6 +16,7 @@
 ;;; Copyright =C2=A9 2021 qblade <qblade@HIDDEN>
 ;;; Copyright =C2=A9 2021 Hui Lu <luhuins@HIDDEN>
 ;;; Copyright =C2=A9 2021 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
+;;; Copyright =C2=A9 2021 Nicolas Graves <ngraves@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -743,7 +744,9 @@ (define-record-type* <login-configuration>
   ;; Allow empty passwords by default so that first-time users can log in =
when
   ;; the 'root' account has just been created.
   (allow-empty-passwords? login-configuration-allow-empty-passwords?
-                          (default #t)))               ;Boolean
+                          (default #t)) ;Boolean
+  (gnupg? login-configuration-gnupg?
+          (default #f))) ;Boolean
=20
 (define (login-pam-service config)
   "Return the list of PAM service needed for CONF."
@@ -753,7 +756,8 @@ (define (login-pam-service config)
                           #:allow-empty-passwords?
                           (login-configuration-allow-empty-passwords? conf=
ig)
                           #:motd
-                          (login-configuration-motd config))))
+                          (login-configuration-motd config)
+                          #:gnupg? (login-configuration-gnupg? config))))
=20
 (define login-service-type
   (service-type (name 'login)
--=20
2.33.1


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline;
 filename=0002-Trying-to-fix-pam-gnupg-configuration.patch
Content-Description: pam-gnupg-2

From 525d70b93b6c6b78a3ced92f72e264b4be1ed3de Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@HIDDEN>
Date: Sat, 13 Nov 2021 20:09:02 +0100
Subject: [PATCH 2/3] Trying to fix pam-gnupg configuration.

---
 gnu/system/pam.scm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index a31daada59..d6d02e59f5 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -235,8 +235,9 @@ (module "pam_unix.so")
                                unix))
                      (if gnupg?
                          (list (pam-entry
-                                (control "required")
-                                (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+                                (control "optional")
+                                (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))
+                                (arguments '("store-only"))))
                          '())))
        (password (list (pam-entry
                         (control "required")
@@ -255,12 +256,13 @@ (module "pam_motd.so")
                                (control "required")
                                (module "pam_loginuid.so")))
                         '())
+                  ,env ,unix
                   ,@(if gnupg?
                         (list (pam-entry
-                               (control "required")
+                               (control "optional")
                                (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
                         '())
-                  ,env ,unix))))))
+                  ))))))
 
 (define (rootok-pam-service command)
   "Return a PAM service for COMMAND such that 'root' does not need to
-- 
2.33.1


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline;
 filename=0003-Moving-parts-of-pam-configuration-for-better-complia.patch
Content-Description: pam-gnupg-3

From 9bb9620620d4e132d0d422bda7a57d2c0dfee28c Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@HIDDEN>
Date: Sat, 13 Nov 2021 21:48:16 +0100
Subject: [PATCH 3/3] Moving parts of pam configuration for better compliance.

---
 gnu/system/pam.scm | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index d6d02e59f5..0f0b09e347 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -244,19 +244,19 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))
                         (module "pam_unix.so")
                         ;; Store SHA-512 encrypted passwords in /etc/shadow.
                         (arguments '("sha512" "shadow")))))
-       (session `(,@(if motd
+       (session `(,env ,unix
+                  ,@(if login-uid?
+                        (list (pam-entry       ;to fill in /proc/self/loginuid
+                               (control "required")
+                               (module "pam_loginuid.so")))
+                        '())
+                  ,@(if motd
                         (list (pam-entry
                                (control "optional")
                                (module "pam_motd.so")
                                (arguments
                                 (list #~(string-append "motd=" #$motd)))))
                         '())
-                  ,@(if login-uid?
-                        (list (pam-entry       ;to fill in /proc/self/loginuid
-                               (control "required")
-                               (module "pam_loginuid.so")))
-                        '())
-                  ,env ,unix
                   ,@(if gnupg?
                         (list (pam-entry
                                (control "optional")
-- 
2.33.1


--=-=-=--

Message received at control <at> debbugs.gnu.org:

Received: (at control) by debbugs.gnu.org; 14 Apr 2024 19:37:24 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Apr 14 15:37:24 2024
Received: from localhost ([127.0.0.1]:36194 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rw5fH-0006js-Jj
	for submit <at> debbugs.gnu.org; Sun, 14 Apr 2024 15:37:24 -0400
Received: from 10.mo582.mail-out.ovh.net ([87.98.157.236]:41191)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ngraves@HIDDEN>) id 1rw5fD-0006ih-Pw
 for control <at> debbugs.gnu.org; Sun, 14 Apr 2024 15:37:21 -0400
Received: from director2.ghost.mail-out.ovh.net (unknown [10.108.17.189])
 by mo582.mail-out.ovh.net (Postfix) with ESMTP id 4VHgYG2PMyz1Frx
 for <control <at> debbugs.gnu.org>; Sun, 14 Apr 2024 19:37:06 +0000 (UTC)
Received: from ghost-submission-6684bf9d7b-sjjzp (unknown [10.110.96.188])
 by director2.ghost.mail-out.ovh.net (Postfix) with ESMTPS id 26E191FD63
 for <control <at> debbugs.gnu.org>; Sun, 14 Apr 2024 19:37:06 +0000 (UTC)
Received: from ngraves.fr ([37.59.142.97])
 by ghost-submission-6684bf9d7b-sjjzp with ESMTPSA
 id axH4BmIwHGZtYAMAhv0MgA (envelope-from <ngraves@HIDDEN>)
 for <control <at> debbugs.gnu.org>; Sun, 14 Apr 2024 19:37:06 +0000
Authentication-Results: garm.ovh; auth=pass
 (GARM-97G002fb49a640-f5c0-442b-b033-e37ef4d7440b,
 82F3351341C811DE7EAC1B0F473E4B8A459F10AD) smtp.auth=ngraves@HIDDEN
X-OVh-ClientIp: 81.67.146.208
From: Nicolas Graves <ngraves@HIDDEN>
To: control <at> debbugs.gnu.org
Subject: control message for bug #51785
Date: Sun, 14 Apr 2024 21:37:05 +0200
Message-ID: <87h6g3hh26.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Ovh-Tracer-Id: 3486349062269887077
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedvledrudeiledgudegudcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecunecujfgurhephffvufffkfggtgesthdtredttddttdenucfhrhhomheppfhitgholhgrshcuifhrrghvvghsuceonhhgrhgrvhgvshesnhhgrhgrvhgvshdrfhhrqeenucggtffrrghtthgvrhhnpeeujeelieeljeffhfelteejtdeljeehveduffelvefgudefkeehgfdvvdevgeevfeenucfkphepuddvjedrtddrtddruddpkedurdeijedrudegiedrvddtkedpfeejrdehledrudegvddrleejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepuddvjedrtddrtddruddpmhgrihhlfhhrohhmpehnghhrrghvvghssehnghhrrghvvghsrdhfrhdpnhgspghrtghpthhtohepuddprhgtphhtthhopegtohhnthhrohhlseguvggssghughhsrdhgnhhurdhorhhgpdfovfetjfhoshhtpehmohehkedvpdhmohguvgepshhmthhpohhuth
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

close 51785 
quit

Last modified: Sun, 14 Apr 2024 19:45:03 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.