From 671e6a81804f264ddcdd6fe7579644404da079b8 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Fri, 31 Dec 2021 17:45:12 +0100 Subject: system: Allow 'chfn' to change the user's full name. Fixes . Reported by Jacob First . * gnu/build/accounts.scm (allocate-passwd): Add comment as to why 'real-name' is taken from PREVIOUS. Add (not system?) to the condition. * gnu/system.scm (operating-system-etc-service) : Add "CHFN_RESTRICT". * gnu/system.scm (%setuid-programs): Add "chfn". * gnu/system/pam.scm (base-pam-services): Add "chfn". * doc/guix.texi (User Accounts): Document it. --- gnu/build/accounts.scm | 8 ++++++-- gnu/system.scm | 8 +++++++- gnu/system/pam.scm | 4 ++-- 3 files changed, 15 insertions(+), 5 deletions(-) (limited to 'gnu') diff --git a/gnu/build/accounts.scm b/gnu/build/accounts.scm index f60d68d9b3..1247fc640c 100644 --- a/gnu/build/accounts.scm +++ b/gnu/build/accounts.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2019 Ludovic Courtès +;;; Copyright © 2019, 2021 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -490,7 +490,11 @@ (define (group-id name) (uid id) (directory directory) (gid (if (number? group) group (group-id group))) - (real-name (if previous + + ;; Users might change their name to something + ;; other than what the sysadmin chose, with + ;; 'chfn'. Thus consider it "stateful". + (real-name (if (and previous (not system?)) (password-entry-real-name previous) real-name)) diff --git a/gnu/system.scm b/gnu/system.scm index 088c62ddde..cc925de16f 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -913,7 +913,12 @@ (define* (operating-system-etc-service os) "/run/current-system/profile/sbin\n" "ENV_SUPATH /run/setuid-programs:" "/run/current-system/profile/bin:" - "/run/current-system/profile/sbin\n"))) + "/run/current-system/profile/sbin\n" + + "\n" + "# Allow 'chfn' to change the full name,\n" + "# room number, and so on.\n" + "CHFN_RESTRICT frwh\n"))) (hurd (operating-system-hurd os)) (issue (plain-file "issue" (operating-system-issue os))) @@ -1158,6 +1163,7 @@ (define %setuid-programs (let ((shadow (@ (gnu packages admin) shadow))) (map file-like->setuid-program (list (file-append shadow "/bin/passwd") + (file-append shadow "/bin/chfn") (file-append shadow "/bin/sg") (file-append shadow "/bin/su") (file-append shadow "/bin/newgrp") diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index a31daada59..2574e019f1 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès +;;; Copyright © 2013-2017, 2019-2021 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -285,7 +285,7 @@ (define* (base-pam-services #:key allow-empty-passwords?) ;; These programs are setuid-root. (map (cut unix-pam-service <> #:allow-empty-passwords? allow-empty-passwords?) - '("passwd" "sudo")) + '("passwd" "chfn" "sudo")) ;; This is setuid-root, as well. Allow root to run "su" without ;; authenticating. (list (unix-pam-service "su" -- cgit v1.2.3