GNU bug report logs - #63955
[PATCH 0/5] Add pam-gnupg support for Greetd
Reported by: wurt <at> wurtshell.com
Date: Thu, 8 Jun 2023 04:31:03 UTC
Severity: normal
Tags: patch
Done: Carlos Durán Domínguez <wurt <at> wurtshell.com>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#63955; Package guix-patches. (Thu, 08 Jun 2023 04:31:03 GMT)
Acknowledgement sent to wurt <at> wurtshell.com: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 08 Jun 2023 04:31:03 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi!
This series of patches makes it possible to pass your login password to gpg-agent, starting the daemon at login. The needed PAM modules need to come after all PAM modules, including pam-mount. So I changed gnu/services/pam-mount.scm to ensure this requirement. Maybe pam-gnupg should be an independent service that transforms all PAM login files (greetd, slim, login, gdm, etc.) at the end, but I think that unix-pam-service has the #:gnupg? argument for a reason, so I did not change it.
I created a new function in guix/utils.scm that inserts a list right before the first element that verifies a predicate. Maybe it is wrong to create a new utility procedure, or to name it insert-before instead of append-before. I am a newbie using Guile and Guix, so I am probably making mistakes.
Carlos Durán Domínguez (5):
utils: Add insert-before.
system: pam: Add pam-gnupg-module?.
services: pam-mount: Fix pam-gnupg incompatibility.
services: greetd: Add pam-gnupg support.
system: pam: Fix unix pam module order.
doc/guix.texi | 9 +++++++
gnu/services/base.scm | 48 ++++++++++++++++++++++----------------
gnu/services/pam-mount.scm | 12 ++++++----
gnu/system/pam.scm | 14 ++++++++---
guix/utils.scm | 18 +++++++++++++-
5 files changed, 73 insertions(+), 28 deletions(-)
base-commit: e8f9fb3e03ea8fee0e13f13706a6b16414f74a7b
--
2.40.1
Information forwarded to guix-patches <at> gnu.org: bug#63955; Package guix-patches. (Thu, 08 Jun 2023 15:18:01 GMT)
Message #8 received at 63955 <at> debbugs.gnu.org (full text, mbox):
From: Carlos Durán Domínguez <wurt <at> wurtshell.com>
---
gnu/system/pam.scm | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index a035a92e25..7198815ad6 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013-2017, 2019-2021 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2023 Josselin Poiret <dev <at> jpoiret.xyz>
+;;; Copyright © 2023 Carlos Durán Domínguez <wurt <at> wurtshell.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -64,7 +65,9 @@ (define-module (gnu system pam)
pam-extension-shepherd-requirements
pam-root-service-type
- pam-root-service))
+ pam-root-service
+
+ pam-gnupg-module?))
;;; Commentary:
;;;
@@ -454,4 +457,9 @@ (define* (pam-root-service base #:key (transformers '()) (shepherd-requirements
(transformers transformers)
(shepherd-requirements shepherd-requirements))))
+(define (pam-gnupg-module? name)
+ "Return `#t' if NAME is the path to the pam-gnupg module, `#f' otherwise."
+ (equal? (pam-entry-module name)
+ (file-append pam-gnupg "/lib/security/pam_gnupg.so")))
+
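Review bot: In pam-gnupg-module? the parameter is called NAME and the docstring describes it as "the path to the pam-gnupg module", but the body calls (pam-entry-module name), so the argument has to be a pam-entry record, not a path. Rename the parameter to ENTRY and reword the docstring to match. The equal? test against (file-append pam-gnupg "/lib/security/pam_gnupg.so") also only matches entries whose module was built that same way from this pam-gnupg package; an entry whose module is a plain string, or a gexp like the #~(string-append ...) form used for pam_mount.so elsewhere in this series, would not compare equal, and the docstring should say which forms are recognised.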
--
2.40.1
Information forwarded to guix-patches <at> gnu.org: bug#63955; Package guix-patches. (Thu, 08 Jun 2023 15:18:02 GMT)
Message #11 received at 63955 <at> debbugs.gnu.org (full text, mbox):
From: Carlos Durán Domínguez <wurt <at> wurtshell.com>
---
guix/utils.scm | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/guix/utils.scm b/guix/utils.scm
index b9657df292..5773b55116 100644
--- a/guix/utils.scm
+++ b/guix/utils.scm
@@ -17,6 +17,7 @@
;;; Copyright © 2022 Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
;;; Copyright © 2022 Antero Mejr <antero <at> mailbox.org>
;;; Copyright © 2023 Philip McGrath <philip <at> philipmcgrath.com>
+;;; Copyright © 2023 Carlos Durán Domínguez <wurt <at> wurtshell.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -149,7 +150,9 @@ (define-module (guix utils)
string-distance
string-closest
- pretty-print-table))
+ pretty-print-table
+
+ insert-before))
;;;
@@ -1128,6 +1131,19 @@ (define* (string-closest trial tests #:key (threshold 3))
#f +inf.0
tests)))
+
+;;;
+;;; List modification.
+;;;
+
+(define (insert-before pred lst1 lst2)
+ "Return a list appending LST2 just before the first element on LST1 that
+ satisfy the predicate PRED."
+ (cond
+ ((null? lst1) lst2)
+ ((pred (car lst1)) (append lst2 lst1))
+ (else (cons (car lst1) (insert-before pred (cdr lst1) lst2)))))
+
;;;
;;; Prettified output.
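Review bot: insert-before has an undocumented fallback: when no element of LST1 satisfies PRED, the (null? lst1) clause returns LST2, so LST2 ends up appended at the end of the list. The pam-mount callers elsewhere in this series need that behaviour, so the docstring should state it, for example "... or at the end of LST1 if no element satisfies PRED". In the same docstring, "satisfy" should be "satisfies" and "on LST1" reads better as "of LST1".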
--
2.40.1
Information forwarded to guix-patches <at> gnu.org: bug#63955; Package guix-patches. (Thu, 08 Jun 2023 15:18:02 GMT)
Message #14 received at 63955 <at> debbugs.gnu.org (full text, mbox):
From: Carlos Durán Domínguez <wurt <at> wurtshell.com>
---
gnu/services/pam-mount.scm | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/gnu/services/pam-mount.scm b/gnu/services/pam-mount.scm
index 21c34ddd61..1900c44a86 100644
--- a/gnu/services/pam-mount.scm
+++ b/gnu/services/pam-mount.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2019 Guillaume Le Vaillant <glv <at> posteo.net>
+;;; Copyright © 2023 Carlos Durán Domínguez <wurt <at> wurtshell.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -17,6 +18,7 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu services pam-mount)
+ #:use-module (guix utils)
#:use-module (gnu packages admin)
#:use-module (gnu services)
#:use-module (gnu services configuration)
@@ -96,10 +98,12 @@ (module #~(string-append #$pam-mount "/lib/security/pam_mount.so"))))
'("login" "greetd" "su" "slim" "gdm-password" "sddm"))
(pam-service
(inherit pam)
- (auth (append (pam-service-auth pam)
- (list optional-pam-mount)))
- (session (append (pam-service-session pam)
- (list optional-pam-mount))))
+ (auth (insert-before pam-gnupg-module?
+ (pam-service-auth pam)
+ (list optional-pam-mount)))
+ (session (insert-before pam-gnupg-module?
+ (pam-service-session pam)
+ (list optional-pam-mount))))
pam))))))
(define pam-mount-service-type
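Review bot: The switch from append to insert-before in the auth and session fields has no comment saying why pam-mount must now be placed before the pam-gnupg entry; the equivalent greetd code in gnu/services/base.scm carries one, and this file should too. The ordering also holds only if the pam-gnupg entry is already present in (pam-service-auth pam) and (pam-service-session pam) when this transformer runs; when it is not found, insert-before falls back to appending optional-pam-mount at the end, as the old code did.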
--
2.40.1
Information forwarded to guix-patches <at> gnu.org: bug#63955; Package guix-patches. (Thu, 08 Jun 2023 15:18:02 GMT)
Message #17 received at 63955 <at> debbugs.gnu.org (full text, mbox):
From: Carlos Durán Domínguez <wurt <at> wurtshell.com>
---
doc/guix.texi | 9 ++++++++
gnu/services/base.scm | 48 +++++++++++++++++++++++++------------------
2 files changed, 37 insertions(+), 20 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 01f4e0105f..fe3ae7f2df 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -116,6 +116,7 @@ Copyright @copyright{} 2022 Antero Mejr@*
Copyright @copyright{} 2023 Karl Hallsby@*
Copyright @copyright{} 2023 Nathaniel Nicandro@*
Copyright @copyright{} 2023 Tanguy Le Carrour@*
+Copyright @copyright{} 2023 Carlos Durán Domínguez@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -19373,6 +19374,14 @@ A file-like object containing the ``message of the day''.
Allow empty passwords by default so that first-time users can log in when
the 'root' account has just been created.
+@item @code{gnupg?} (default: @code{#f})
+If enabled, @code{pam-gnupg} will attempt to automatically unlock the
+user's GPG keys with the login password via @code{gpg-agent}. The
+keygrips of all keys to be unlocked should be written to
+@file{~/.pam-gnupg}, and can be queried with @code{gpg -K
+--with-keygrip}. Presetting passphrases must be enabled by adding
+@code{allow-preset-passphrase} in @file{~/.gnupg/gpg-agent.conf}.
+
@item @code{terminals} (default: @code{'()})
List of @code{greetd-terminal-configuration} per terminal for which
@code{greetd} should be started.
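Review bot: The new gnupg? item says the keys are unlocked "with the login password" but never states the precondition that follows from it: a key is only unlocked if its passphrase is the same as the login password. Add a sentence saying so, so that users are not left wondering why a key listed in ~/.pam-gnupg stays locked after login.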
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index c5b06b57e8..4e93ee4991 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -21,6 +21,7 @@
;;; Copyright © 2022 Justin Veilleux <terramorpha <at> cock.li>
;;; Copyright © 2022 ( <paren <at> disroot.org>
;;; Copyright © 2023 Bruno Victal <mirai <at> makinata.eu>
+;;; Copyright © 2023 Carlos Durán Domínguez <wurt <at> wurtshell.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -38,6 +39,7 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu services base)
+ #:use-module (guix utils)
#:use-module (guix store)
#:use-module (guix deprecation)
#:autoload (guix diagnostics) (warning formatted-message &fix-hint)
@@ -3221,6 +3223,7 @@ (define-record-type* <greetd-configuration>
greetd-configuration?
(motd greetd-motd (default %default-motd))
(allow-empty-passwords? greetd-allow-empty-passwords? (default #t))
+ (gnupg? greetd-gnupg? (default #f))
(terminals greetd-terminals (default '()))
(greeter-supplementary-groups greetd-greeter-supplementary-groups (default '())))
@@ -3259,26 +3262,31 @@ (define optional-pam-mount
(control "optional")
(module #~(string-append #$greetd-pam-mount "/lib/security/pam_mount.so"))
(arguments '("disable_interactive"))))
-
- (list
- (unix-pam-service "greetd"
- #:login-uid? #t
- #:allow-empty-passwords?
- (greetd-allow-empty-passwords? config)
- #:motd
- (greetd-motd config))
- (pam-extension
- (transformer
- (lambda (pam)
- (if (member (pam-service-name pam)
- '("login" "greetd" "su" "slim" "gdm-password"))
- (pam-service
- (inherit pam)
- (auth (append (pam-service-auth pam)
- (list optional-pam-mount)))
- (session (append (pam-service-session pam)
- (list optional-pam-mount))))
- pam))))))
+ (define (optional-pam-mount-transformer pam)
+ (if (member (pam-service-name pam)
+ '("login" "greetd" "su" "slim" "gdm-password"))
+ (pam-service
+ (inherit pam)
+ ;; SLiM could have pam-gnupg module, and pam-mount must be before it.
+ (auth (insert-before pam-gnupg-module?
+ (pam-service-auth pam)
+ (list optional-pam-mount)))
+ (session (insert-before pam-gnupg-module?
+ (pam-service-session pam)
+ (list optional-pam-mount))))
+ pam))
+
+ (list (unix-pam-service "greetd"
+ #:login-uid? #t
+ #:allow-empty-passwords?
+ (greetd-allow-empty-passwords? config)
+ #:gnupg?
+ (greetd-gnupg? config)
+ #:motd
+ (greetd-motd config))
+ (pam-extension
+ (transformer
+ optional-pam-mount-transformer))))
(define (greetd-shepherd-services config)
(map
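Review bot: The comment in optional-pam-mount-transformer, ";; SLiM could have pam-gnupg module, and pam-mount must be before it.", is out of date within this same hunk: the greetd service now passes #:gnupg? (greetd-gnupg? config) itself, so greetd's own stack can contain pam-gnupg. Reword it to state the general rule (pam-mount goes before pam-gnupg in any listed service) rather than naming SLiM. The service-name list here also lacks "sddm", which the otherwise identical transformer in gnu/services/pam-mount.scm includes (this was already the case before the change); if the two are meant to stay in sync, consider sharing one definition.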
--
2.40.1
Information forwarded to guix-patches <at> gnu.org: bug#63955; Package guix-patches. (Thu, 08 Jun 2023 15:18:03 GMT)
Message #20 received at 63955 <at> debbugs.gnu.org (full text, mbox):
From: Carlos Durán Domínguez <wurt <at> wurtshell.com>
---
gnu/system/pam.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 7198815ad6..5db195b72e 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -267,12 +267,12 @@ (module "pam_motd.so")
(control "required")
(module "pam_loginuid.so")))
'())
+ ,env ,unix
,@(if gnupg?
(list (pam-entry
(control "required")
(module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
- '())
- ,env ,unix))))))
+ '())))))))
(define (rootok-pam-service command)
"Return a PAM service for COMMAND such that 'root' does not need to
--
2.40.1
Reply sent to Carlos Durán Domínguez <wurt <at> wurtshell.com>: You have taken responsibility. (Thu, 31 Aug 2023 07:45:02 GMT)
Notification sent to wurt <at> wurtshell.com: bug acknowledged by developer. (Thu, 31 Aug 2023 07:45:02 GMT)
Message #25 received at 63955-done <at> debbugs.gnu.org (full text, mbox):
Continue on https://issues.guix.gnu.org/65538. I sent a second version
of this patch, but not on this thread… sorry.
--
Carlos Durán Domínguez
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 28 Sep 2023 11:24:13 GMT)