From da417ffe3b3e06f1e1d8b0217b4b780026d7e3b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Fri, 11 Jul 2014 14:02:44 +0200
Subject: system: Allow root to use 'groupadd' & co. without authenticating.
This fixes a bug whereby, if #:allow-root-passwords was #f, 'groupadd' would ask for a password. This is particularly problematic during activation.
* gnu/system/linux.scm (rootok-pam-service): New procedure. (base-pam-services): Use it for all the user* and group* commands.
---
gnu/system/linux.scm | 37 +++++++++++++++++++++++++++++--------
1 file changed, 29 insertions(+), 8 deletions(-)
(limited to 'gnu')
diff --git a/gnu/system/linux.scm b/gnu/system/linux.scm
index 5440f5852f..524ad01261 100644
--- a/gnu/system/linux.scm
+++ b/gnu/system/linux.scm
@@ -152,15 +152,36 @@ should be the name of a file used as the message-of-the-day."
 (list #~(string-append "motd=" #$motd)))))
 (list unix))))))))
 
+(define (rootok-pam-service command)
+ "Return a PAM service for COMMAND such that 'root' does not need to
+authenticate to run COMMAND."
+ (let ((unix (pam-entry
+ (control "required")
+ (module "pam_unix.so"))))
+ (pam-service
+ (name command)
+ (account (list unix))
+ (auth (list (pam-entry
+ (control "sufficient")
+ (module "pam_rootok.so"))))
+ (password (list unix))
+ (session (list unix)))))
+
 (define* (base-pam-services #:key allow-empty-passwords?)
 "Return the list of basic PAM services everyone would want."
- (cons %pam-other-services
- (map (cut unix-pam-service <>
- #:allow-empty-passwords? allow-empty-passwords?)
- '("su" "passwd" "sudo"
- "useradd" "userdel" "usermod"
- "groupadd" "groupdel" "groupmod"
- ;; TODO: Add other Shadow programs?
- ))))
+ ;; TODO: Add other Shadow programs?
+ (append (list %pam-other-services)
+
+ ;; These programs are setuid-root.
+ (map (cut unix-pam-service <>
+ #:allow-empty-passwords? allow-empty-passwords?)
+ '("su" "passwd" "sudo"))
+
+ ;; These programs are not setuid-root, and we want root to be able
+ ;; to run them without having to authenticate (notably because
+ ;; 'useradd' and 'groupadd' are run during system activation.)
+ (map rootok-pam-service
+ '("useradd" "userdel" "usermod"
+ "groupadd" "groupdel" "groupmod"))))
 
 ;;; linux.scm ends here
-- cgit v1.2.3
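Review bot: The `auth` stack built by `rootok-pam-service` contains only the `sufficient` `pam_rootok.so` entry and no `pam_unix.so` fallback, so a non-root caller of these six commands is refused by PAM outright rather than prompted for a password; the docstring should say so, or a later reader may take the missing fallback for an oversight and "fix" it. Suggested addition to the docstring: `Callers other than root are denied by PAM instead of being prompted; this is acceptable only because COMMAND is not setuid-root, so an unprivileged caller could not have succeeded anyway.` That precondition currently lives only in the comment inside `base-pam-services`, while the procedure that encodes it says nothing about it; since `pam_rootok.so` succeeds solely on the caller's uid being 0, the procedure is the natural place to state what it assumes. The `unix` `pam-entry` duplicates the one presumably built in `unix-pam-service` (outside this hunk); a shared private constant would keep the two from drifting apart.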