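;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013-2017, 2019-2021 Ludovic Courtès
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu system pam)
  #:use-module (guix records)
  #:use-module (guix derivations)
  #:use-module (guix gexp)
  #:use-module (gnu services)
  #:use-module (ice-9 match)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-9)
  #:use-module (srfi srfi-11)
  #:use-module (srfi srfi-26)
  #:use-module ((guix utils) #:select (%current-system))
  #:use-module (gnu packages linux)
  #:export (pam-service
            pam-service-name
            pam-service-account
            pam-service-auth
            pam-service-password
            pam-service-session

            pam-entry
            pam-entry-control
            pam-entry-module
            pam-entry-arguments

            pam-limits-entry
            pam-limits-entry-domain
            pam-limits-entry-type
            pam-limits-entry-item
            pam-limits-entry-value
            pam-limits-entry->string

            pam-services->directory
            unix-pam-service
            base-pam-services

            session-environment-service
            session-environment-service-type

            pam-root-service-type
            pam-root-service))

;;; Commentary:
;;;
;;; Configuration of the pluggable authentication modules (PAM).
;;;
;;; Code:

;; PAM services (see
;; <http://linux-pam.org/Linux-PAM-html/sag-configuration-file.html>.)
;;
;; A <pam-service> describes one PAM service file: its NAME and, for each of
;; the four management groups, the list of <pam-entry> records that make up
;; that group's module stack.
(define-record-type* <pam-service> pam-service
  make-pam-service
  pam-service?
  (name       pam-service-name)         ; string

  ;; The four "management groups".  Each is a list of <pam-entry>, empty by
  ;; default, so a service that configures none of them is still valid.
  (account    pam-service-account       ; list of <pam-entry>
              (default '()))
  (auth       pam-service-auth          ; list of <pam-entry>
              (default '()))
  (password   pam-service-password      ; list of <pam-entry>
              (default '()))
  (session    pam-service-session       ; list of <pam-entry>
              (default '())))

;; One line of a PAM service file: the CONTROL flag (a string such as
;; "required"), the MODULE to load (a file name) and its ARGUMENTS.
(define-record-type* <pam-entry> pam-entry
  make-pam-entry
  pam-entry?
  (control    pam-entry-control)        ; string
  (module     pam-entry-module)         ; file name
  (arguments  pam-entry-arguments       ; list of string-valued g-expressions
              (default '())))

;; PAM limits entries are used by the pam_limits PAM module to set or override
;; limits on system resources for user sessions.  The format is specified
;; here: http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html
;;
;; Use the 'pam-limits-entry' procedure below rather than the raw
;; constructor: it validates TYPE, ITEM and VALUE before building the record.
(define-record-type <pam-limits-entry>
  (make-pam-limits-entry domain type item value)
  pam-limits-entry?
  (domain     pam-limits-entry-domain)  ; string
  (type       pam-limits-entry-type)    ; symbol
  (item       pam-limits-entry-item)    ; symbol
  (value      pam-limits-entry-value))  ; symbol or number

(define (pam-limits-entry domain type item value)
  "Construct a pam-limits-entry ensuring that the provided values are valid.

DOMAIN is a string (a pam_limits domain; see the URL above).  It is not
validated here and is emitted verbatim by 'pam-limits-entry->string', so it
should come from trusted configuration rather than user-controlled data.
TYPE is one of the symbols 'hard, 'soft or 'both.  ITEM is one of the
pam_limits item symbols listed in ITEMS below.  VALUE is a number, or one of
the symbols 'unlimited or 'infinity where the item allows it: 'priority
accepts any number, 'nice accepts a number in [-20, 19], and every other
item accepts a number no smaller than -1 or one of the two symbols.

Raise an error when TYPE, ITEM or VALUE is invalid."
  (define items
    '(core data fsize memlock nofile rss stack cpu nproc as maxlogins
      maxsyslogins priority locks sigpending msgqueue nice rtprio))

  ;; Whether VALUE is acceptable for ITEM.  The per-item rules follow the
  ;; pam_limits ranges: 'nice is bounded, 'priority is any number, and the
  ;; remaining items take a number >= -1 or an explicit "no limit" symbol.
  (define (valid? value)
    (case item
      ((priority)
       (number? value))
      ((nice)
       (and (number? value) (>= value -20) (<= value 19)))
      (else
       (or (and (number? value) (>= value -1))
           (member value '(unlimited infinity))))))

  ;; Validate in the same order as the record fields so the first error
  ;; reported is the leftmost invalid argument.
  (unless (memq type '(hard soft both))
    (error "invalid limit type" type))
  (unless (memq item items)
    (error "invalid limit item" item))
  (unless (valid? value)
    (error "invalid limit value" value))
  (make-pam-limits-entry domain type item value))

(define (pam-limits-entry->string entry)
  "Convert ENTRY, a <pam-limits-entry> record, to a string: the four fields
DOMAIN, TYPE, ITEM and VALUE joined by single spaces, forming one pam_limits
line.  A TYPE of 'both is spelled \"-\", as pam_limits expects."
  (match entry
    (($ <pam-limits-entry> domain type item value)
     (let ((type-string (if (eq? type 'both)
                            "-"
                            (symbol->string type)))
           (value-string (if (symbol? value)
                             (symbol->string value)
                             (number->string value))))
       (string-join (list domain type-string (symbol->string item)
                          value-string)
                    " ")))))

(define (p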