;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; ;;; GNU Guix is free software; you can redistribute it and/or modify it ;;; under the terms of the GNU General Public License as published by ;;; the Free Software Foundation; either version 3 of the License, or (at ;;; your option) any later version. ;;; ;;; GNU Guix is distributed in the hope that it will be useful, but ;;; WITHOUT ANY WARRANTY; without even the implied warranty of ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;;; GNU General Public License for more details. ;;; ;;; You should have received a copy of the GNU General Public License ;;; along with GNU Guix. If not, see . (define-module (gnu system pam) #:use-module (guix records) #:use-module (guix derivations) #:use-module (guix gexp) #:use-module (gnu services) #:use-module (ice-9 match) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) #:use-module
aboutsummaryrefslogtreecommitdiff
path: root/gnu/build/shepherd.scm
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2020-06-24 10:47:23 +0200
committerLudovic Courtès <ludo@gnu.org>2020-06-25 01:20:31 +0200
commitdb170ee9210431cdbb3716a6b9a26ca5b6d931ee (patch)
tree2a7c74ed55c44432e5f8efa977c37ab9f155ed3c /gnu/build/shepherd.scm
parent5adaf17bb0511ca6c65b81c714d14c40b70f1db9 (diff)
downloadguix-db170ee9210431cdbb3716a6b9a26ca5b6d931ee.tar.gz
guix-db170ee9210431cdbb3716a6b9a26ca5b6d931ee.zip
services: Add missing (ice-9 format) import.
These issues were reported by -Wformat, though they were harmless in practice because importing (ice-9 format) changes the global 'format' binding currently. * gnu/services/nix.scm: Import (ice-9 format). * gnu/services/web.scm: Likewise. * gnu/system/mapped-devices.scm: Likewise.
Diffstat (limited to 'gnu/build/shepherd.scm')
0 files changed, 0 insertions, 0 deletions
generated by cgit
ring-append #$output "/" name)))) ;; Since objects cannot be compared with ;; 'equal?' since they contain gexps, which contain ;; closures, use 'delete-duplicates' on the build-side ;; instead. See . (delete-duplicates '#$(zip names files))))) (computed-file "pam.d" builder))) (define %pam-other-services ;; The "other" PAM configuration, which denies everything (see ;; .) (let ((deny (pam-entry (control "required") (module "pam_deny.so")))) (pam-service (name "other") (account (list deny)) (auth (list deny)) (password (list deny)) (session (list deny))))) (define unix-pam-service (let ((unix (pam-entry (control "required") (module "pam_unix.so"))) (env (pam-entry ; to honor /etc/environment. (control "required") (module "pam_env.so")))) (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd) "Return a standard Unix-style PAM service for NAME. When ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is true, allow root to run the command without authentication. When MOTD is true, it should be a file-like object used as the message-of-the-day." ;; See . (let ((name* name)) (pam-service (name name*) (account (list unix)) (auth (append (if allow-root? (list (pam-entry (control "sufficient") (module "pam_rootok.so"))) '()) (list (if allow-empty-passwords? (pam-entry (control "required") (module "pam_unix.so") (arguments '("nullok"))) unix)))) (password (list (pam-entry (control "required") (module "pam_unix.so") ;; Store SHA-512 encrypted passwords in /etc/shadow. (arguments '("sha512" "shadow"))))) (session (if motd (list env unix (pam-entry (control "optional") (module "pam_motd.so") (arguments (list #~(string-append "motd=" #$motd))))) (list env unix)))))))) (define (rootok-pam-service command) "Return a PAM service for COMMAND such that 'root' does not need to authenticate to run COMMAND." (let ((unix (pam-entry (control "required") (module "pam_unix.so")))) (pam-service (name command) (account (list unix)) (auth (list (pam-entry (control "sufficient") (module "pam_rootok.so")))) (password (list unix)) (session (list unix))))) (define* (base-pam-services #:key allow-empty-passwords?) "Return the list of basic PAM services everyone would want." ;; TODO: Add other Shadow programs? (append (list %pam-other-services) ;; These programs are setuid-root. (map (cut unix-pam-service <> #:allow-empty-passwords? allow-empty-passwords?) '("passwd" "sudo")) ;; This is setuid-root, as well. Allow root to run "su" without ;; authenticating. (list (unix-pam-service "su" #:allow-empty-passwords? allow-empty-passwords? #:allow-root? #t)) ;; These programs are not setuid-root, and we want root to be able ;; to run them without having to authenticate (notably because ;; 'useradd' and 'groupadd' are run during system activation.) (map rootok-pam-service '("useradd" "userdel" "usermod" "groupadd" "groupdel" "groupmod")))) ;;; ;;; System-wide environment variables. ;;; (define (environment-variables->environment-file vars) "Return a file for pam_env(8) that contains environment variables VARS." (apply mixed-text-file "environment" (append-map (match-lambda ((key . value) (list key "=" value "\n"))) vars))) (define session-environment-service-type (service-type (name 'session-environment) (extensions (list (service-extension etc-service-type (lambda (vars) (list `("environment" ,(environment-variables->environment-file vars))))))) (compose concatenate) (extend append) (description "Populate @file{/etc/environment}, which is honored by @code{pam_env}, with the specified environment variables. The value of this service is a list of name/value pairs for environments variables, such as: @example '((\"TZ\" . \"Canada/Pacific\")) @end example\n"))) (define (session-environment-service vars) "Return a service that builds the @file{/etc/environment}, which can be read by PAM-aware applications to set environment variables for sessions. VARS should be an association list in which both the keys and the values are strings or string-valued gexps." (service session-environment-service-type vars)) ;;; ;;; PAM root service. ;;; ;; Overall PAM configuration: a list of services, plus a procedure that takes ;; one and returns a . The procedure is used to ;; implement cross-cutting concerns such as the use of the 'elogind.so' ;; session module that keeps track of logged-in users. (define-record-type* pam-configuration make-pam-configuration? pam-configuration? (services pam-configuration-services) ;list of (transform pam-configuration-transform)) ;procedure (define (/etc-entry config) "Return the /etc/pam.d entry corresponding to CONFIG." (match config (($ services transform) (let ((services (map transform services))) `(("pam.d" ,(pam-services->directory services))))))) (define (extend-configuration initial extensions) "Extend INITIAL with NEW." (let-values (((services procs) (partition pam-service? extensions))) (pam-configuration (services (append (pam-configuration-services initial) services)) (transform (apply compose (pam-configuration-transform initial) procs))))) (define pam-root-service-type (service-type (name 'pam) (extensions (list (service-extension etc-service-type /etc-entry))) ;; Arguments include as well as procedures. (compose concatenate) (extend extend-configuration))) (define* (pam-root-service base #:key (transform identity)) "The \"root\" PAM service, which collects instance and turns them into a /etc/pam.d directory, including the listed in BASE. TRANSFORM is a procedure that takes a and returns a . It can be used to implement cross-cutting concerns that affect all the PAM services." (service pam-root-service-type (pam-configuration (services base) (transform transform))))