diff options
author | Ricardo Wurmus <rekado@elephly.net> | 2017-05-08 12:21:02 +0200 |
---|---|---|
committer | Ricardo Wurmus <rekado@elephly.net> | 2017-05-08 23:11:01 +0200 |
commit | e586257b550918fefaab3970f2c314d6285f54ab (patch) | |
tree | df99895dcb045694c197ad623e0077c9c0f3a030 | |
parent | f000828575d6fe16e774162051d29b9ed025414d (diff) | |
download | guix-e586257b550918fefaab3970f2c314d6285f54ab.tar guix-e586257b550918fefaab3970f2c314d6285f54ab.tar.gz |
system: Allow root to run "su" without password.
* gnu/system/pam.scm (unix-pam-service): Add pam-entry for "pam_rootok.so" to
auth field when ALLOW-ROOT? is #T.
(base-pam-services): Allow root to run "su" without authentication.
-rw-r--r-- | gnu/system/pam.scm | 31 |
1 files changed, 21 insertions, 10 deletions
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index 4546c1a73a..eedf933946 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -204,21 +204,27 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE." (env (pam-entry ; to honor /etc/environment. (control "required") (module "pam_env.so")))) - (lambda* (name #:key allow-empty-passwords? motd) + (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd) "Return a standard Unix-style PAM service for NAME. When -ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When MOTD is true, it -should be a file-like object used as the message-of-the-day." +ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is +true, allow root to run the command without authentication. When MOTD is +true, it should be a file-like object used as the message-of-the-day." ;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>. (let ((name* name)) (pam-service (name name*) (account (list unix)) - (auth (list (if allow-empty-passwords? - (pam-entry - (control "required") - (module "pam_unix.so") - (arguments '("nullok"))) - unix))) + (auth (append (if allow-root? + (list (pam-entry + (control "sufficient") + (module "pam_rootok.so"))) + '()) + (list (if allow-empty-passwords? + (pam-entry + (control "required") + (module "pam_unix.so") + (arguments '("nullok"))) + unix)))) (password (list (pam-entry (control "required") (module "pam_unix.so") @@ -256,7 +262,12 @@ authenticate to run COMMAND." ;; These programs are setuid-root. (map (cut unix-pam-service <> #:allow-empty-passwords? allow-empty-passwords?) - '("su" "passwd" "sudo")) + '("passwd" "sudo")) + ;; This is setuid-root, as well. Allow root to run "su" without + ;; authenticating. + (list (unix-pam-service "su" + #:allow-empty-passwords? allow-empty-passwords? + #:allow-root? #t)) ;; These programs are not setuid-root, and we want root to be able ;; to run them without having to authenticate (notably because |