diff options
author | Ludovic Courtès <ludo@gnu.org> | 2014-07-11 14:02:44 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2014-07-11 23:20:48 +0200 |
commit | da417ffe3b3e06f1e1d8b0217b4b780026d7e3b9 (patch) | |
tree | e7c8360d74dbbb559c81641c2915c071cbc38319 /gnu | |
parent | f1096964735512beacde6ff178a6ada1a14b91d3 (diff) | |
download | guix-da417ffe3b3e06f1e1d8b0217b4b780026d7e3b9.tar guix-da417ffe3b3e06f1e1d8b0217b4b780026d7e3b9.tar.gz |
system: Allow root to use 'groupadd' & co. without authenticating.
This fixes a bug whereby, if #:allow-root-passwords was #f, 'groupadd'
would ask for a password. This is particularly problematic during
activation.
* gnu/system/linux.scm (rootok-pam-service): New procedure.
(base-pam-services): Use it for all the user* and group* commands.
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/system/linux.scm | 37 |
1 files changed, 29 insertions, 8 deletions
diff --git a/gnu/system/linux.scm b/gnu/system/linux.scm index 5440f5852f..524ad01261 100644 --- a/gnu/system/linux.scm +++ b/gnu/system/linux.scm @@ -152,15 +152,36 @@ should be the name of a file used as the message-of-the-day." (list #~(string-append "motd=" #$motd))))) (list unix)))))))) +(define (rootok-pam-service command) + "Return a PAM service for COMMAND such that 'root' does not need to +authenticate to run COMMAND." + (let ((unix (pam-entry + (control "required") + (module "pam_unix.so")))) + (pam-service + (name command) + (account (list unix)) + (auth (list (pam-entry + (control "sufficient") + (module "pam_rootok.so")))) + (password (list unix)) + (session (list unix))))) + (define* (base-pam-services #:key allow-empty-passwords?) "Return the list of basic PAM services everyone would want." - (cons %pam-other-services - (map (cut unix-pam-service <> - #:allow-empty-passwords? allow-empty-passwords?) - '("su" "passwd" "sudo" - "useradd" "userdel" "usermod" - "groupadd" "groupdel" "groupmod" - ;; TODO: Add other Shadow programs? - )))) + ;; TODO: Add other Shadow programs? + (append (list %pam-other-services) + + ;; These programs are setuid-root. + (map (cut unix-pam-service <> + #:allow-empty-passwords? allow-empty-passwords?) + '("su" "passwd" "sudo")) + + ;; These programs are not setuid-root, and we want root to be able + ;; to run them without having to authenticate (notably because + ;; 'useradd' and 'groupadd' are run during system activation.) + (map rootok-pam-service + '("useradd" "userdel" "usermod" + "groupadd" "groupdel" "groupmod")))) ;;; linux.scm ends here |