aboutsummaryrefslogtreecommitdiff
path: root/gnu/system/linux.scm
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/system/linux.scm')
-rw-r--r--gnu/system/linux.scm214
1 files changed, 0 insertions, 214 deletions
diff --git a/gnu/system/linux.scm b/gnu/system/linux.scm
deleted file mode 100644
index 487d379e65..0000000000
--- a/gnu/system/linux.scm
+++ /dev/null
@@ -1,214 +0,0 @@
-;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
-;;;
-;;; This file is part of GNU Guix.
-;;;
-;;; GNU Guix is free software; you can redistribute it and/or modify it
-;;; under the terms of the GNU General Public License as published by
-;;; the Free Software Foundation; either version 3 of the License, or (at
-;;; your option) any later version.
-;;;
-;;; GNU Guix is distributed in the hope that it will be useful, but
-;;; WITHOUT ANY WARRANTY; without even the implied warranty of
-;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-;;; GNU General Public License for more details.
-;;;
-;;; You should have received a copy of the GNU General Public License
-;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
-
-(define-module (gnu system linux)
- #:use-module (guix records)
- #:use-module (guix derivations)
- #:use-module (guix gexp)
- #:use-module (gnu services)
- #:use-module (ice-9 match)
- #:use-module (srfi srfi-1)
- #:use-module (srfi srfi-26)
- #:use-module ((guix utils) #:select (%current-system))
- #:export (pam-service
- pam-entry
- pam-services->directory
- unix-pam-service
- base-pam-services
-
- pam-root-service-type
- pam-root-service))
-
-;;; Commentary:
-;;;
-;;; Configuration of Linux-related things, including pluggable authentication
-;;; modules (PAM).
-;;;
-;;; Code:
-
-;; PAM services (see
-;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html>.)
-(define-record-type* <pam-service> pam-service
- make-pam-service
- pam-service?
- (name pam-service-name) ; string
-
- ;; The four "management groups".
- (account pam-service-account ; list of <pam-entry>
- (default '()))
- (auth pam-service-auth
- (default '()))
- (password pam-service-password
- (default '()))
- (session pam-service-session
- (default '())))
-
-(define-record-type* <pam-entry> pam-entry
- make-pam-entry
- pam-entry?
- (control pam-entry-control) ; string
- (module pam-entry-module) ; file name
- (arguments pam-entry-arguments ; list of string-valued g-expressions
- (default '())))
-
-(define (pam-service->configuration service)
- "Return the derivation building the configuration file for SERVICE, to be
-dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
- (define (entry->gexp type entry)
- (match entry
- (($ <pam-entry> control module (arguments ...))
- #~(format #t "~a ~a ~a ~a~%"
- #$type #$control #$module
- (string-join (list #$@arguments))))))
-
- (match service
- (($ <pam-service> name account auth password session)
- (define builder
- #~(begin
- (with-output-to-file #$output
- (lambda ()
- #$@(append (map (cut entry->gexp "account" <>) account)
- (map (cut entry->gexp "auth" <>) auth)
- (map (cut entry->gexp "password" <>) password)
- (map (cut entry->gexp "session" <>) session))
- #t))))
-
- (computed-file name builder))))
-
-(define (pam-services->directory services)
- "Return the derivation to build the configuration directory to be used as
-/etc/pam.d for SERVICES."
- (let ((names (map pam-service-name services))
- (files (map pam-service->configuration services)))
- (define builder
- #~(begin
- (use-modules (ice-9 match)
- (srfi srfi-1))
-
- (mkdir #$output)
- (for-each (match-lambda
- ((name file)
- (symlink file (string-append #$output "/" name))))
-
- ;; Since <pam-service> objects cannot be compared with
- ;; 'equal?' since they contain gexps, which contain
- ;; closures, use 'delete-duplicates' on the build-side
- ;; instead. See <http://bugs.gnu.org/20037>.
- (delete-duplicates '#$(zip names files)))))
-
- (computed-file "pam.d" builder)))
-
-(define %pam-other-services
- ;; The "other" PAM configuration, which denies everything (see
- ;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.)
- (let ((deny (pam-entry
- (control "required")
- (module "pam_deny.so"))))
- (pam-service
- (name "other")
- (account (list deny))
- (auth (list deny))
- (password (list deny))
- (session (list deny)))))
-
-(define unix-pam-service
- (let ((unix (pam-entry
- (control "required")
- (module "pam_unix.so"))))
- (lambda* (name #:key allow-empty-passwords? motd)
- "Return a standard Unix-style PAM service for NAME. When
-ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When MOTD is true, it
-should be a file-like object used as the message-of-the-day."
- ;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
- (let ((name* name))
- (pam-service
- (name name*)
- (account (list unix))
- (auth (list (if allow-empty-passwords?
- (pam-entry
- (control "required")
- (module "pam_unix.so")
- (arguments '("nullok")))
- unix)))
- (password (list (pam-entry
- (control "required")
- (module "pam_unix.so")
- ;; Store SHA-512 encrypted passwords in /etc/shadow.
- (arguments '("sha512" "shadow")))))
- (session (if motd
- (list unix
- (pam-entry
- (control "optional")
- (module "pam_motd.so")
- (arguments
- (list #~(string-append "motd=" #$motd)))))
- (list unix))))))))
-
-(define (rootok-pam-service command)
- "Return a PAM service for COMMAND such that 'root' does not need to
-authenticate to run COMMAND."
- (let ((unix (pam-entry
- (control "required")
- (module "pam_unix.so"))))
- (pam-service
- (name command)
- (account (list unix))
- (auth (list (pam-entry
- (control "sufficient")
- (module "pam_rootok.so"))))
- (password (list unix))
- (session (list unix)))))
-
-(define* (base-pam-services #:key allow-empty-passwords?)
- "Return the list of basic PAM services everyone would want."
- ;; TODO: Add other Shadow programs?
- (append (list %pam-other-services)
-
- ;; These programs are setuid-root.
- (map (cut unix-pam-service <>
- #:allow-empty-passwords? allow-empty-passwords?)
- '("su" "passwd" "sudo"))
-
- ;; These programs are not setuid-root, and we want root to be able
- ;; to run them without having to authenticate (notably because
- ;; 'useradd' and 'groupadd' are run during system activation.)
- (map rootok-pam-service
- '("useradd" "userdel" "usermod"
- "groupadd" "groupdel" "groupmod"))))
-
-
-;;;
-;;; PAM root service.
-;;;
-
-(define (/etc-entry services)
- `(("pam.d" ,(pam-services->directory services))))
-
-(define pam-root-service-type
- (service-type (name 'pam)
- (extensions (list (service-extension etc-service-type
- /etc-entry)))
- (compose concatenate)
- (extend append)))
-
-(define (pam-root-service base)
- "The \"root\" PAM service, which collects <pam-service> instance and turns
-them into a /etc/pam.d directory, including the <pam-service> listed in BASE."
- (service pam-root-service-type base))
-
-;;; linux.scm ends here