diff options
| -rw-r--r-- | gnu/local.mk | 1 | ||||
| -rw-r--r-- | gnu/packages/linux.scm | 3 | ||||
| -rw-r--r-- | gnu/packages/patches/linux-pam-unix_chkpwd.patch | 9 | ||||
| -rw-r--r-- | gnu/system/pam.scm | 10 |
4 files changed, 20 insertions, 3 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index dceaa53145..59c1b21cd6 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1433,6 +1433,7 @@ dist_patch_DATA = \ %D%/packages/patches/linux-libre-support-for-Pinebook-Pro.patch \ %D%/packages/patches/linux-libre-arm64-generic-pinebook-lcd.patch \ %D%/packages/patches/linux-pam-no-setfsuid.patch \ + %D%/packages/patches/linux-pam-unix_chkpwd.patch \ %D%/packages/patches/linuxdcpp-openssl-1.1.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/lirc-reproducible-build.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 94eff5d5c8..c9e6ab12c2 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -1596,7 +1596,8 @@ which need to be installed separately.") (sha256 (base32 "1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790")) - (patches (search-patches "linux-pam-no-setfsuid.patch")))) + (patches (search-patches "linux-pam-unix_chkpwd.patch" + "linux-pam-no-setfsuid.patch")))) (build-system gnu-build-system) (native-inputs diff --git a/gnu/packages/patches/linux-pam-unix_chkpwd.patch b/gnu/packages/patches/linux-pam-unix_chkpwd.patch new file mode 100644 index 0000000000..0e865ff18c --- /dev/null +++ b/gnu/packages/patches/linux-pam-unix_chkpwd.patch @@ -0,0 +1,9 @@ +unix_chkpwd is designed to have a suid bit, but it's not possible to set it +for files in the store. This patch tells unix_pam.so to look for +unix_chkpwd in setuid program directory on Guix System. + +--- a/modules/pam_unix/Makefile.in ++++ b/modules/pam_unix/Makefile.in +@@ -651,1 +651,1 @@ +- -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \ ++ -DCHKPWD_HELPER=\"/run/setuid-programs/unix_chkpwd\" \ diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index 2574e019f1..b635681642 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -21,6 +21,7 @@ #:use-module (guix derivations) #:use-module (guix gexp) #:use-module (gnu services) + #:use-module (gnu system setuid) #:use-module (ice-9 match) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) @@ -375,8 +376,13 @@ strings or string-valued gexps." (define pam-root-service-type (service-type (name 'pam) - (extensions (list (service-extension etc-service-type - /etc-entry))) + (extensions + (list (service-extension + setuid-program-service-type + (lambda (_) + (list (file-like->setuid-program + (file-append linux-pam "/sbin/unix_chkpwd"))))) + (service-extension etc-service-type /etc-entry))) ;; Arguments include <pam-service> as well as procedures. (compose concatenate) |