-rw-r--r--doc/guix-cookbook.texi5
-rw-r--r--doc/guix.texi40
-rw-r--r--gnu/services/desktop.scm6
-rw-r--r--gnu/services/xorg.scm65
4 files changed, 81 insertions, 35 deletions
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index b1ffa72c0e..b9f5f6b6a9 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -2147,7 +2147,10 @@ be made setuid-root so it can authenticate users, and it needs a PAM service. Th
can be achieved by adding the following service to your @file{config.scm}:
@lisp
-(screen-locker-service slock)
+(service screen-locker-services-type
+ (screen-locker-configuration
+ (name "slock")
+ (program (file-append slock "/bin/slock"))))
@end lisp
If you manually lock your screen, e.g. by directly calling slock when you want to lock
diff --git a/doc/guix.texi b/doc/guix.texi
index 7f8d8d66e9..db37676e12 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -97,7 +97,7 @@ Copyright @copyright{} 2021 Hui Lu@*
Copyright @copyright{} 2021 pukkamustard@*
Copyright @copyright{} 2021 Alice Brenon@*
Copyright @copyright{} 2021, 2022 Josselin Poiret@*
-Copyright @copyright{} 2021 muradm@*
+Copyright @copyright{} 2021, 2023 muradm@*
Copyright @copyright{} 2021, 2022 Andrew Tropin@*
Copyright @copyright{} 2021 Sarah Morgensen@*
Copyright @copyright{} 2022 Remco van 't Veer@*
@@ -22530,37 +22530,63 @@ Usually the X server is started by a login manager.
@defvar screen-locker-service-type
Type for a service that adds a package for a screen locker or screen
-saver to the set of setuid programs and add a PAM entry for it. The
+saver to the set of setuid programs and/or add a PAM entry for it. The
value for this service is a @code{<screen-locker-configuration>} object.
+While the default behavior is to setup both a setuid program and PAM
+entry, these two methods are redundant. Screen locker programs may not
+execute when PAM is configured and @code{setuid} is set on their
+executable. In this case, @code{using-setuid?} can be set to @code{#f}.
+
For example, to make XlockMore usable:
@lisp
(service screen-locker-service-type
(screen-locker-configuration
- "xlock" (file-append xlockmore "/bin/xlock") #f))
+ (name "xlock")
+ (program (file-append xlockmore "/bin/xlock"))))
@end lisp
makes the good ol' XlockMore usable.
+
+For example, swaylock fails to execute when compiled with PAM support
+and setuid enabled. One can thus disable setuid:
+
+@lisp
+(service screen-locker-service-type
+ (screen-locker-configuration
+ (name "swaylock")
+ (program (file-append xlockmore "/bin/xlock"))
+ (using-pam? #t)
+ (using-setuid? #f)))
+@end lisp
+
@end defvar
@deftp {Data Type} screen-locker-configuration
-Data type representing the configuration of
-@code{screen-locker-service-type}.
+Available @code{screen-locker-configuration} fields are:
@table @asis
@item @code{name} (type: string)
Name of the screen locker.
-@item @code{program} (type: gexp)
+@item @code{program} (type: file-like)
Path to the executable for the screen locker as a G-Expression.
-@item @code{allow-empty-password?} (type: boolean)
+@item @code{allow-empty-password?} (default: @code{#f}) (type: boolean)
Whether to allow empty passwords.
+@item @code{using-pam?} (default: @code{#t}) (type: boolean)
+Whether to setup PAM entry.
+
+@item @code{using-setuid?} (default: @code{#t}) (type: boolean)
+Whether to setup program as setuid binary.
+
@end table
+
@end deftp
+
@node Printing Services
@subsection Printing Services
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index 64eac1117d..a63748b652 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -1839,10 +1839,12 @@ applications needing access to be root.")
;; Screen lockers are a pretty useful thing and these are small.
(service screen-locker-service-type
(screen-locker-configuration
- "slock" (file-append slock "/bin/slock") #f))
+ (name "slock")
+ (program (file-append slock "/bin/slock"))))
(service screen-locker-service-type
(screen-locker-configuration
- "xlock" (file-append xlockmore "/bin/xlock") #f))
+ (name "xlock")
+ (program (file-append xlockmore "/bin/xlock"))))
;; Add udev rules for MTP devices so that non-root users can access
;; them.
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 8b6080fd26..f8cf9f25b6 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -13,6 +13,7 @@
;;; Copyright © 2021 Josselin Poiret <josselin.poiret@protonmail.ch>
;;; Copyright © 2022 Chris Marusich <cmmarusich@gmail.com>
;;; Copyright © 2022 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2023 muradm <mail@muradm.net>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -112,6 +113,8 @@
screen-locker-configuration-name
screen-locker-configuration-program
screen-locker-configuration-allow-empty-password?
+ screen-locker-configuration-using-pam?
+ screen-locker-configuration-using-setuid?
screen-locker-service-type
screen-locker-service ; deprecated
@@ -703,30 +706,38 @@ reboot_cmd " shepherd "/sbin/reboot\n"
;;; Screen lockers & co.
;;;
-(define-record-type <screen-locker-configuration>
- (screen-locker-configuration name program allow-empty-password?)
- screen-locker-configuration?
- (name screen-locker-configuration-name) ;string
- (program screen-locker-configuration-program) ;gexp
+(define-configuration/no-serialization screen-locker-configuration
+ (name
+ string
+ "Name of the screen locker.")
+ (program
+ file-like
+ "Path to the executable for the screen locker as a G-Expression.")
(allow-empty-password?
- screen-locker-configuration-allow-empty-password?)) ;Boolean
-
-(define-deprecated/public-alias
- screen-locker
- screen-locker-configuration)
-
-(define-deprecated/public-alias
- screen-locker?
- screen-locker-configuration?)
-
-(define screen-locker-pam-services
- (match-lambda
- (($ <screen-locker-configuration> name _ empty?)
- (list (unix-pam-service name
- #:allow-empty-passwords? empty?)))))
+ (boolean #f)
+ "Whether to allow empty passwords.")
+ (using-pam?
+ (boolean #t)
+ "Whether to setup PAM entry.")
+ (using-setuid?
+ (boolean #t)
+ "Whether to setup program as setuid binary."))
+
+(define (screen-locker-pam-services config)
+ (match-record config <screen-locker-configuration>
+ (name allow-empty-password? using-pam?)
+ (if using-pam?
+ (list (unix-pam-service name
+ #:allow-empty-passwords?
+ allow-empty-password?))
+ '())))
-(define screen-locker-setuid-programs
- (compose list file-like->setuid-program screen-locker-configuration-program))
+(define (screen-locker-setuid-programs config)
+ (match-record config <screen-locker-configuration>
+ (name program using-setuid?)
+ (if using-setuid?
+ (list (file-like->setuid-program program))
+ '())))
(define screen-locker-service-type
(service-type (name 'screen-locker)
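Review bot: Nothing in `screen-locker-pam-services` or `screen-locker-setuid-programs` handles a configuration where both `using-pam?` and `using-setuid?` are `#f`: each procedure returns `'()`, so the service is accepted but sets up nothing, and the locker is presumably left unable to authenticate. The field docstrings should state the dependency, for example `"Whether to setup program as setuid binary.  When #f, the locker must be able to authenticate through its PAM entry without root privileges."`. In `screen-locker-setuid-programs` the `match-record` field list binds `name` without using it and can be `(program using-setuid?)`. The `program` docstring still says "as a G-Expression" although the declared type is now `file-like`. The `screen-locker-service-type` definition that consumes these procedures continues outside the hunk.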
@@ -740,6 +751,9 @@ reboot_cmd " shepherd "/sbin/reboot\n"
the graphical server by making it setuid-root, so it can authenticate users,
and by creating a PAM service for it.")))
+(define (screen-locker-generate-doc)
+ (configuration->documentation 'screen-locker-configuration))
+
(define-deprecated (screen-locker-service package
#:optional
(program (package-name package))
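Review bot: `screen-locker-generate-doc` is added without a docstring or comment, and the export hunk of this commit does not add it, so its purpose is not evident from the file. A one-line comment above it would do, e.g. `;; Maintainer helper: generates the documentation of the screen-locker-configuration fields.`, assuming that is what `configuration->documentation` is used for here. The `define-deprecated` form that follows starts in this hunk and continues outside it.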
@@ -755,9 +769,10 @@ for it. For example:
makes the good ol' XlockMore usable."
(service screen-locker-service-type
- (screen-locker-configuration program
- (file-append package "/bin/" program)
- allow-empty-passwords?)))
+ (screen-locker-configuration
+ (name program)
+ (program (file-append package "/bin/" program))
+ (allow-empty-password? allow-empty-passwords?))))
;;;