From: Josselin Poiret <dev@HIDDEN>
To: muradm <mail@HIDDEN>, 63652-done <at> debbugs.gnu.org
Subject: Re: [bug#63652] [PATCH] services: screen-locker-service-type: Configurable PAM and setuid.
Date: Sun, 04 Jun 2023 11:42:18 +0200
Message-ID: <87a5xfef7p.fsf@HIDDEN>

Hi muradm,

muradm <mail@HIDDEN> writes:

> screen-locker-service-type by default both defines a PAM entry
> and makes the program a setuid binary. Normally both methods are
> mutually exclusive: if the binary has setuid set it does not really
> need PAM; the other way around is similar, if PAM is enabled the
> binary should not rely on setuid.
>
> The recent swaylock package is now compiled with PAM support. When PAM
> support is compiled in, swaylock rejects executing if the binary is
> also a setuid program.
>
> This change turns screen-locker-configuration from strict
> PAM AND setuid to more flexible PAM AND/OR setuid, allowing
> swaylock to be configured properly while supporting other
> screen locker preferences.
>
> * gnu/services/xorg.scm (screen-locker-configuration): Switch from
> define-record-type to define-configuration.
> [using-pam?]: New field to control PAM entry existence.
> [using-setuid?]: New field to control setuid binary existence.
> (screen-locker-pam-services): Should not make unix-pam-service if
> using-pam? is set to #f.
> (screen-locker-setuid-programs): Should not make program setuid
> program if using-setuid? is set to #f.
> (screen-locker-generate-doc): Internal function to generate
> configuration documentation.
> (screen-locker-service): Adapt to new screen-locker-configuration.
> * gnu/services/desktop.scm (desktop-services-for-system): Adapt to
> new screen-locker-configuration.
> * doc/guix.texi: Reflect new changes to screen-locker-configuration.

Thanks! Tested and pushed as f4f5ee6ad6e2432f52e37c549211df8f1cdbb571 with the following changes:

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi index b1ffa72c0e..b9f5f6b6a9 100644 =2D-- a/doc/guix-cookbook.texi +++ b/doc/guix-cookbook.texi @@ -2147,7 +2147,10 @@ Xorg can be achieved by adding the following service to your @file{config.scm}: =20 @lisp =2D(screen-locker-service slock) +(service screen-locker-services-type + (screen-locker-configuration + (name "slock") + (program (file-append slock "/bin/slock")))) @end lisp =20 If you manually lock your screen, e.g. by directly calling slock when you = want to lock diff --git a/doc/guix.texi b/doc/guix.texi index 704bbd39d2..db37676e12 100644 =2D-- a/doc/guix.texi +++ b/doc/guix.texi
@@ -97,7 +97,7 @@ Copyright @copyright{} 2021 pukkamustard@* Copyright @copyright{} 2021 Alice Brenon@* Copyright @copyright{} 2021, 2022 Josselin Poiret@* =2DCopyright @copyright{} 2021 muradm@* +Copyright @copyright{} 2021, 2023 muradm@* Copyright @copyright{} 2021, 2022 Andrew Tropin@* Copyright @copyright{} 2021 Sarah Morgensen@* Copyright @copyright{} 2022 Remco van 't Veer@* @@ -22533,28 +22533,32 @@ X Window saver to the set of setuid programs and/or add a PAM entry for it. The value for this service is a @code{<screen-locker-configuration>} object. =20 =2DWhile default behavior is to setup both setuid program and PAM entry, =2Dthey are effectively mutually exclusive. Screen locker programs may =2Dprevent executing when PAM is configured, and @code{setuid} is set on =2Dexecutable. Then @code{using-setuid?} can be set to @code{#f}. +While the default behavior is to setup both a setuid program and PAM +entry, these two methods are redundant. Screen locker programs may not +execute when PAM is configured and @code{setuid} is set on their +executable. In this case, @code{using-setuid?} can be set to @code{#f}. =20 For example, to make XlockMore usable: =20 @lisp (service screen-locker-service-type (screen-locker-configuration =2D "xlock" (file-append xlockmore "/bin/xlock") #f)) + (name "xlock") + (program (file-append xlockmore "/bin/xlock")))) @end lisp =20 makes the good ol' XlockMore usable. =20 For example, swaylock fails to execute when compiled with PAM support =2Dand setuid enabled, then one can disable setuid: +and setuid enabled. One can thus disable setuid: =20 @lisp (service screen-locker-service-type (screen-locker-configuration =2D "swaylock" (file-append xlockmore "/bin/xlock") #f #t #f)) + (name "swaylock") + (program (file-append xlockmore "/bin/xlock")) + (using-pam? #t) + (using-setuid? #f))) @end lisp =20 @end defvar 
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 639e99ff79..a63748b652 100644 =2D-- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -1840,13 +1840,11 @@ (define* (desktop-services-for-system #:optional (service screen-locker-service-type (screen-locker-configuration (name "slock") =2D (program (file-append slock "/bin/slock")) =2D (allow-empty-password? #f))) + (program (file-append slock "/bin/slock")))) (service screen-locker-service-type (screen-locker-configuration (name "xlock") =2D (program (file-append xlock "/bin/xlock")) =2D (allow-empty-password? #f))) + (program (file-append xlockmore "/bin/xlock")))) =20 ;; Add udev rules for MTP devices so that non-root users can acce= ss ;; them. diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index b6c1636660..f8cf9f25b6 100644 =2D-- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm 
@@ -723,14 +723,6 @@ (define-configuration/no-serialization screen-locker-c= onfiguration (boolean #t) "Whether to setup program as setuid binary.")) =20 =2D(define-deprecated/public-alias =2D screen-locker =2D screen-locker-configuration) =2D =2D(define-deprecated/public-alias =2D screen-locker? =2D screen-locker-configuration?) =2D (define (screen-locker-pam-services config) (match-record config <screen-locker-configuration> (name allow-empty-password? using-pam?)

-- 
Josselin Poiret
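Review bot: the guix-cookbook.texi hunk introduces a typo in the service name: `+(service screen-locker-services-type` should be `screen-locker-service-type`, the variable every other hunk in this mail and in xorg.scm uses. As written the cookbook example is a copy-paste trap, since anyone following it gets an unbound-variable error at `guix system reconfigure` time. Suggest `(service screen-locker-service-type`.

Review bot: the swaylock example in the guix.texi hunk (`@@ -22533`) still points `program` at xlockmore's binary, `(program (file-append xlockmore "/bin/xlock"))`, while `name` is "swaylock" and the surrounding paragraph is about swaylock; a reader copying it ends up with a PAM service named swaylock for a locker that is actually xlock. Point the example at the swaylock binary, or mark the path as a placeholder. On the wording, 'these two methods are redundant' is closer to the truth than the previous 'mutually exclusive', but it would help to say why: per the service description in xorg.scm, setuid-root is there so the locker can authenticate users itself, while a PAM entry lets the PAM stack do it, so `using-setuid? #f` is the least-privilege choice for any locker that supports PAM, not only a workaround for swaylock.

Review bot: the xorg.scm hunk (`@@ -723`) deletes the deprecated public aliases `screen-locker` and `screen-locker?` without a mention in the commit message. Dropping them is reasonable, because after the switch to `define-configuration` the constructor takes `(field value)` forms and a positional `(screen-locker name program allow-empty?)` call could not work anyway, but they were exported through `define-deprecated/public-alias`, so users still calling `screen-locker` now get an unbound variable instead of a deprecation warning. Note the removal in the commit message and in the release notes.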
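A check worth running after `guix system reconfigure`, added here as an example and not part of the patch or of Guix: it reports which of the two privilege paths a locker actually ended up with, so a swaylock that has to be PAM-only can be verified before you rely on it to lock a session. It assumes the layout Guix used when this patch was written (setuid wrappers in /run/setuid-programs, PAM service files in /etc/pam.d); both directories are parameters, and the fixture builder constructs a fake layout so the script also runs offline.

```shell
#!/bin/sh
# Added example: a post-reconfigure check for screen-locker-service-type.
# Not code from the patch or from Guix. Assumes the layout Guix used when
# this patch was written: setuid wrappers under /run/setuid-programs and
# PAM service files under /etc/pam.d. Both directories are parameters so
# the same functions run against the constructed fixtures below.

# locker_mode NAME [SETUID_DIR] [PAM_DIR]
# Prints which privilege path the locker called NAME actually has.
locker_mode() {
    name=$1
    setuid_dir=${2:-/run/setuid-programs}
    pam_dir=${3:-/etc/pam.d}

    # using-setuid? #t installs a setuid-root wrapper named after the locker;
    # a wrapper that exists without the setuid bit does not count.
    if [ -u "$setuid_dir/$name" ]; then s=1; else s=0; fi
    # using-pam? #t installs a PAM service whose file name is the
    # configuration's `name' field.
    if [ -f "$pam_dir/$name" ]; then p=1; else p=0; fi

    case "$s$p" in
        11) echo both ;;         # the default; a PAM-built swaylock refuses this
        10) echo setuid-only ;;  # the locker authenticates with root privileges
        01) echo pam-only ;;     # what swaylock built with PAM needs
        00) echo none ;;         # no way to verify a password at all
    esac
}

# check_locker EXPECTED NAME [SETUID_DIR] [PAM_DIR]
# Exit status 0 when the observed mode matches EXPECTED, 1 otherwise, so it
# can gate a post-reconfigure script.
check_locker() {
    expected=$1
    shift
    actual=$(locker_mode "$@")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf '%s: expected %s, found %s\n' "$1" "$expected" "$actual" >&2
    return 1
}

# make_fixture MODE ROOT
# Builds a fake layout under ROOT (constructed test data, not a real system):
# ROOT/setuid plays /run/setuid-programs, ROOT/pam plays /etc/pam.d.
make_fixture() {
    mode=$1
    root=$2
    mkdir -p "$root/setuid" "$root/pam"
    case "$mode" in
        both|setuid-only)
            : > "$root/setuid/swaylock"
            chmod 4755 "$root/setuid/swaylock" ;;
    esac
    case "$mode" in
        both|pam-only)
            : > "$root/pam/swaylock" ;;
    esac
}

# Stand-alone demo on a constructed fixture; nothing on the live system is read.
demo=$(mktemp -d)
make_fixture both "$demo"
printf 'constructed default layout for swaylock reports: %s\n' \
    "$(locker_mode swaylock "$demo/setuid" "$demo/pam")"
rm -rf "$demo"
```

On a live system, `check_locker pam-only swaylock` exits non-zero if the wrapper is still setuid, which is the state in which a PAM-built swaylock refuses to start, or if neither mechanism is present, in which case nothing will authenticate the unlock.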
From: Jonathan Brielmaier <jonathan.brielmaier@HIDDEN>
To: 63652 <at> debbugs.gnu.org
Subject: [PATCH] services: screen-locker-service-type: Configurable PAM and setuid.
Date: Sun, 28 May 2023 14:21:14 +0200
Message-ID: <11f660b7-afff-99de-f11d-f6d9cae2342b@HIDDEN>

Hi muradm,

thanks for the patch, it sounds like a good idea to get swaylock working again :)

https://issues.guix.gnu.org/63652#0-lineno47
While [the] default behaviour

I find the service definition a bit hard to read. I would recommend something like:

  (service screen-locker-service-type
           (screen-locker-configuration
            (name "swaylock")
            ;; `program' is the field name defined by the patch; the
            ;; swaylock package provides the binary being configured.
            (program (file-append swaylock "/bin/swaylock"))
            (allow-empty-password? #f)
            (using-pam? #t)
            (using-setuid? #f)))

~Jonathan
From: muradm <mail@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] services: screen-locker-service-type: Configurable PAM and setuid.
Date: Mon, 22 May 2023 22:06:51 +0300
Message-Id: <84127ca20c41459b18200f39356f7964fa75f943.1684782409.git.mail@HIDDEN>

screen-locker-service-type by default both defines a PAM entry
and makes the program a setuid binary. Normally both methods are
mutually exclusive: if the binary has setuid set it does not really
need PAM; the other way around is similar, if PAM is enabled the
binary should not rely on setuid.

The recent swaylock package is now compiled with PAM support. When PAM
support is compiled in, swaylock rejects executing if the binary is
also a setuid program.

This change turns screen-locker-configuration from strict
PAM AND setuid to more flexible PAM AND/OR setuid, allowing
swaylock to be configured properly while supporting other
screen locker preferences.

* gnu/services/xorg.scm (screen-locker-configuration): Switch from
define-record-type to define-configuration.
[using-pam?]: New field to control PAM entry existence.
[using-setuid?]: New field to control setuid binary existence.
(screen-locker-pam-services): Should not make unix-pam-service if
using-pam? is set to #f.
(screen-locker-setuid-programs): Should not make program setuid
program if using-setuid? is set to #f.
(screen-locker-generate-doc): Internal function to generate
configuration documentation.
(screen-locker-service): Adapt to new screen-locker-configuration.
* gnu/services/desktop.scm (desktop-services-for-system): Adapt to
new screen-locker-configuration.
* doc/guix.texi: Reflect new changes to screen-locker-configuration.
---
 doc/guix.texi            | 32 +++++++++++++++++++----
 gnu/services/desktop.scm |  8 ++++--
 gnu/services/xorg.scm    | 55 ++++++++++++++++++++++++++++------------
 3 files changed, 72 insertions(+), 23 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index f4cca66d76..079afaeba5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -22474,9 +22474,14 @@ X Window @defvar screen-locker-service-type Type for a service that adds a package for a screen locker or screen -saver to the set of setuid programs and add a PAM entry for it. The +saver to the set of setuid programs and/or add a PAM entry for it. The value for this service is a @code{<screen-locker-configuration>} object. +While default behavior is to setup both setuid program and PAM entry, +they are effectively mutually exclusive. Screen locker programs may +prevent executing when PAM is configured, and @code{setuid} is set on +executable. Then @code{using-setuid?} can be set to @code{#f}. + For example, to make XlockMore usable: @lisp @@ -22486,25 +22491,42 @@ X Window @end lisp makes the good ol' XlockMore usable. + +For example, swaylock fails to execute when compiled with PAM support +and setuid enabled, then one can disable setuid: + +@lisp +(service screen-locker-service-type + (screen-locker-configuration + "swaylock" (file-append xlockmore "/bin/xlock") #f #t #f)) +@end lisp + @end defvar @deftp {Data Type} screen-locker-configuration -Data type representing the configuration of -@code{screen-locker-service-type}. +Available @code{screen-locker-configuration} fields are: @table @asis @item @code{name} (type: string) Name of the screen locker. -@item @code{program} (type: gexp) +@item @code{program} (type: file-like) Path to the executable for the screen locker as a G-Expression. -@item @code{allow-empty-password?} (type: boolean) +@item @code{allow-empty-password?} (default: @code{#f}) (type: boolean) Whether to allow empty passwords. +@item @code{using-pam?} (default: @code{#t}) (type: boolean) +Whether to setup PAM entry. + +@item @code{using-setuid?} (default: @code{#t}) (type: boolean) +Whether to setup program as setuid binary. + @end table + @end deftp + @node Printing Services @subsection Printing Services diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 64eac1117d..639e99ff79 100644 
--- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -1839,10 +1839,14 @@ (define* (desktop-services-for-system #:optional ;; Screen lockers are a pretty useful thing and these are small. (service screen-locker-service-type (screen-locker-configuration - "slock" (file-append slock "/bin/slock") #f)) + (name "slock") + (program (file-append slock "/bin/slock")) + (allow-empty-password? #f))) (service screen-locker-service-type (screen-locker-configuration - "xlock" (file-append xlockmore "/bin/xlock") #f)) + (name "xlock") + (program (file-append xlock "/bin/xlock")) + (allow-empty-password? #f))) ;; Add udev rules for MTP devices so that non-root users can access ;; them. diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 8b6080fd26..b6c1636660 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -13,6 +13,7 @@ ;;; Copyright © 2021 Josselin Poiret <josselin.poiret@HIDDEN> ;;; Copyright © 2022 Chris Marusich <cmmarusich@HIDDEN> ;;; Copyright © 2022 Maxim Cournoyer <maxim.cournoyer@HIDDEN> +;;; Copyright © 2023 muradm <mail@HIDDEN> ;;; ;;; This file is part of GNU Guix. ;;; @@ -112,6 +113,8 @@ (define-module (gnu services xorg) screen-locker-configuration-name screen-locker-configuration-program screen-locker-configuration-allow-empty-password? + screen-locker-configuration-using-pam? + screen-locker-configuration-using-setuid? screen-locker-service-type screen-locker-service ; deprecated 
@@ -703,13 +706,22 @@ (define slim-service-type ;;; Screen lockers & co. ;;; -(define-record-type <screen-locker-configuration> - (screen-locker-configuration name program allow-empty-password?) - screen-locker-configuration? - (name screen-locker-configuration-name) ;string - (program screen-locker-configuration-program) ;gexp +(define-configuration/no-serialization screen-locker-configuration + (name + string + "Name of the screen locker.") + (program + file-like + "Path to the executable for the screen locker as a G-Expression.") (allow-empty-password? - screen-locker-configuration-allow-empty-password?)) ;Boolean + (boolean #f) + "Whether to allow empty passwords.") + (using-pam? + (boolean #t) + "Whether to setup PAM entry.") + (using-setuid? + (boolean #t) + "Whether to setup program as setuid binary.")) (define-deprecated/public-alias screen-locker @@ -719,14 +731,21 @@ (define-deprecated/public-alias screen-locker? screen-locker-configuration?) -(define screen-locker-pam-services - (match-lambda - (($ <screen-locker-configuration> name _ empty?) - (list (unix-pam-service name - #:allow-empty-passwords? empty?))))) +(define (screen-locker-pam-services config) + (match-record config <screen-locker-configuration> + (name allow-empty-password? using-pam?) + (if using-pam? + (list (unix-pam-service name + #:allow-empty-passwords? + allow-empty-password?)) + '()))) -(define screen-locker-setuid-programs - (compose list file-like->setuid-program screen-locker-configuration-program)) +(define (screen-locker-setuid-programs config) + (match-record config <screen-locker-configuration> + (name program using-setuid?) + (if using-setuid? + (list (file-like->setuid-program program)) + '()))) (define screen-locker-service-type (service-type (name 'screen-locker) 
@@ -740,6 +759,9 @@ (define screen-locker-service-type the graphical server by making it setuid-root, so it can authenticate users, and by creating a PAM service for it."))) +(define (screen-locker-generate-doc) + (configuration->documentation 'screen-locker-configuration)) + (define-deprecated (screen-locker-service package #:optional (program (package-name package)) @@ -755,9 +777,10 @@ (define-deprecated (screen-locker-service package makes the good ol' XlockMore usable." (service screen-locker-service-type - (screen-locker-configuration program - (file-append package "/bin/" program) - allow-empty-passwords?))) + (screen-locker-configuration + (name program) + (program (file-append package "/bin/" program)) + (allow-empty-password? allow-empty-passwords?)))) ;;; base-commit: dff1689bb37e5303868584d3f1d7a33cbcb7f51e -- 2.40.1
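Review bot: the new paragraph in the first guix.texi hunk (`@@ -22474`) says the setuid program and the PAM entry 'are effectively mutually exclusive', yet the same hunk keeps both enabled by default and the slock and xlock services in the desktop.scm hunk rely on that default, so they cannot be mutually exclusive in general. What the patch actually supports is narrower: either mechanism alone is enough to authenticate, and some lockers (swaylock built with PAM) refuse to start when their binary is setuid. Suggest saying that, and that `using-setuid? #f` is the fix for those lockers.

Review bot: the swaylock example in the second guix.texi hunk (`@@ -22486`) cannot work as written: `(screen-locker-configuration "swaylock" (file-append xlockmore "/bin/xlock") #f #t #f)` uses the positional constructor that the xorg.scm hunk removes by switching to `define-configuration`, which expects `(name ...)`, `(program ...)`, `(using-setuid? #f)` forms, exactly as the desktop.scm hunk of this same patch writes them; it also points a locker named swaylock at xlockmore's `xlock`. The XlockMore example just above it is left in the old positional form and has the same problem. In the field table, `@item @code{program} (type: file-like)` is still described as 'as a G-Expression'; update the description to match the new type.

Review bot: in the desktop.scm hunk the xlock service changes `(file-append xlockmore "/bin/xlock")` to `(file-append xlock "/bin/xlock")`: the removed line used the `xlockmore` package and nothing in the patch introduces an `xlock` binding, so evaluating `desktop-services-for-system` would fail on an unbound variable. Restore `xlockmore`.

Review bot: in the xorg.scm hunk that replaces `define-record-type` with `define-configuration/no-serialization` (`@@ -703`), the `define-deprecated/public-alias screen-locker screen-locker-configuration` kept in the trailing context now aliases a constructor with a different calling convention. It previously stood for the positional `(screen-locker-configuration name program allow-empty-password?)`; after this change `screen-locker-configuration` takes `(field value)` forms, so any remaining `(screen-locker "name" prog #f)` caller breaks with a confusing error rather than the deprecation warning the alias was meant to give. Either remove both aliases (with a note in the commit message) or keep a positional shim that builds the new record.

Review bot: `screen-locker-pam-services` and `screen-locker-setuid-programs` in the `@@ -719` hunk each return `'()` when their flag is `#f`, but nothing rejects the combination `using-pam? #f` with `using-setuid? #f`. That configuration yields a service that contributes nothing, so the locker is installed with no way to check a password at unlock time; consider raising an error from the configuration (a field sanitizer or a check in the service) or at least documenting the combination. Minor: `name` is bound in the `match-record` of `screen-locker-setuid-programs` but unused.

Review bot: `screen-locker-generate-doc` is added in the `@@ -740` hunk but is neither exported in the `@@ -112` export hunk nor called anywhere in the patch, and the ChangeLog itself calls it internal; either drop it or export it so it can be used. The service-type `description` visible in the same hunk's context still reads 'by making it setuid-root, so it can authenticate users, and by creating a PAM service for it'; now that each mechanism is optional it should say 'and/or', matching the guix.texi wording.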
GNU bug tracking system