| | | |
|---|---|---|
| author | muradm <mail@muradm.net> | 2023-05-22 22:06:51 +0300 |
| committer | Josselin Poiret <dev@jpoiret.xyz> | 2023-06-04 10:33:55 +0200 |
| commit | f4f5ee6ad6e2432f52e37c549211df8f1cdbb571 (patch) | |
| tree | baf0dbfeb3ec16e4001ad8001dc190ebd42b0e0d /doc/guix.texi | |
| parent | 65bce4d9f9302bc798717d73548bbe5ceb802151 (diff) | |
| download | guix-f4f5ee6ad6e2432f52e37c549211df8f1cdbb571.tar.gz | |
services: screen-locker-service-type: Configurable PAM and setuid.
screen-locker-service-type by default both defines a PAM entry and makes the program a setuid binary. Normally both methods are mutually exclusive: if the binary has setuid set, it does not really need PAM; the other way around is similar, if PAM is enabled the binary should not rely on setuid. The recent swaylock package is now compiled with PAM support. When PAM support is compiled in, swaylock refuses to execute if the binary is also a setuid program. This change turns screen-locker-configuration from strict PAM AND setuid to a more flexible PAM AND/OR setuid, allowing swaylock to be configured properly while supporting other screen locker preferences.

* gnu/services/xorg.scm (screen-locker-configuration): Switch from define-record-type to define-configuration.
[using-pam?]: New field to control PAM entry existence.
[using-setuid?]: New field to control setuid binary existence.
(screen-locker-pam-services): Should not make unix-pam-service if using-pam? is set to #f.
(screen-locker-setuid-programs): Should not make the program setuid if using-setuid? is set to #f.
(screen-locker-generate-doc): Internal function to generate configuration documentation.
(screen-locker-service): Adapt to new screen-locker-configuration.
* gnu/services/desktop.scm (desktop-services-for-system): Adapt to new screen-locker-configuration.
* doc/guix.texi: Reflect new changes to screen-locker-configuration.

Signed-off-by: Josselin Poiret <dev@jpoiret.xyz>
Diffstat (limited to 'doc/guix.texi')
-rw-r--r-- | doc/guix.texi | 40 |
1 files changed, 33 insertions, 7 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index 7f8d8d66e9..db37676e12 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -97,7 +97,7 @@ Copyright @copyright{} 2021 Hui Lu@* Copyright @copyright{} 2021 pukkamustard@* Copyright @copyright{} 2021 Alice Brenon@* Copyright @copyright{} 2021, 2022 Josselin Poiret@* -Copyright @copyright{} 2021 muradm@* +Copyright @copyright{} 2021, 2023 muradm@* Copyright @copyright{} 2021, 2022 Andrew Tropin@* Copyright @copyright{} 2021 Sarah Morgensen@* Copyright @copyright{} 2022 Remco van 't Veer@* 
@@ -22530,37 +22530,63 @@ Usually the X server is started by a login manager. @defvar screen-locker-service-type Type for a service that adds a package for a screen locker or screen -saver to the set of setuid programs and add a PAM entry for it. The +saver to the set of setuid programs and/or add a PAM entry for it. The value for this service is a @code{<screen-locker-configuration>} object. +While the default behavior is to setup both a setuid program and PAM +entry, these two methods are redundant. Screen locker programs may not +execute when PAM is configured and @code{setuid} is set on their +executable. In this case, @code{using-setuid?} can be set to @code{#f}. + For example, to make XlockMore usable: @lisp (service screen-locker-service-type (screen-locker-configuration - "xlock" (file-append xlockmore "/bin/xlock") #f)) + (name "xlock") + (program (file-append xlockmore "/bin/xlock")))) @end lisp makes the good ol' XlockMore usable. + +For example, swaylock fails to execute when compiled with PAM support +and setuid enabled. One can thus disable setuid: + +@lisp +(service screen-locker-service-type + (screen-locker-configuration + (name "swaylock") + (program (file-append xlockmore "/bin/xlock")) + (using-pam? #t) + (using-setuid? #f))) +@end lisp + @end defvar @deftp {Data Type} screen-locker-configuration -Data type representing the configuration of -@code{screen-locker-service-type}. +Available @code{screen-locker-configuration} fields are: @table @asis @item @code{name} (type: string) Name of the screen locker. -@item @code{program} (type: gexp) +@item @code{program} (type: file-like) Path to the executable for the screen locker as a G-Expression. -@item @code{allow-empty-password?} (type: boolean) +@item @code{allow-empty-password?} (default: @code{#f}) (type: boolean) Whether to allow empty passwords. +@item @code{using-pam?} (default: @code{#t}) (type: boolean) +Whether to setup PAM entry. 
+ +@item @code{using-setuid?} (default: @code{#t}) (type: boolean) +Whether to setup program as setuid binary. + @end table + @end deftp + @node Printing Services @subsection Printing Services |
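Review bot: the new swaylock example in the second hunk (the @lisp block after "For example, swaylock fails to execute when compiled with PAM support and setuid enabled") still sets `(program (file-append xlockmore "/bin/xlock"))`, copied from the XlockMore example just above it, so a user who pastes it gets a locker named "swaylock" that actually runs xlock, with PAM configured for the wrong program; it should point at the swaylock package's own executable, something like `(program (file-append swaylock "/bin/swaylock"))`. In the same example `(using-pam? #t)` only restates the documented default and can be dropped to keep the point (`using-setuid? #f`) visible. Smaller doc nits in the same hunk: the `program` field is now typed `file-like` but its description still says "as a G-Expression"; "Whether to setup PAM entry" and "Whether to setup program as setuid binary" should read "Whether to set up a PAM entry" and "Whether to set up the program as a setuid binary"; and two consecutive paragraphs begin with "For example", the second of which would read better as "Conversely, swaylock fails to execute ...".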