authorLudovic Courtès <ludo@gnu.org>2014-07-11 14:02:44 +0200
committerLudovic Courtès <ludo@gnu.org>2014-07-11 23:20:48 +0200
commitda417ffe3b3e06f1e1d8b0217b4b780026d7e3b9 (patch)
treee7c8360d74dbbb559c81641c2915c071cbc38319 /gnu/system/linux.scm
parentf1096964735512beacde6ff178a6ada1a14b91d3 (diff)
system: Allow root to use 'groupadd' & co. without authenticating.
This fixes a bug whereby, if #:allow-root-passwords was #f, 'groupadd'
would ask for a password.  This is particularly problematic during
activation.

* gnu/system/linux.scm (rootok-pam-service): New procedure.
  (base-pam-services): Use it for all the user* and group* commands.
Diffstat (limited to 'gnu/system/linux.scm')
-rw-r--r--gnu/system/linux.scm37
1 files changed, 29 insertions, 8 deletions
diff --git a/gnu/system/linux.scm b/gnu/system/linux.scm
index 5440f5852f..524ad01261 100644
--- a/gnu/system/linux.scm
+++ b/gnu/system/linux.scm
@@ -152,15 +152,36 @@ should be the name of a file used as the message-of-the-day."
                               (list #~(string-append "motd=" #$motd)))))
                       (list unix))))))))
 
+(define (rootok-pam-service command)
+  "Return a PAM service for COMMAND such that 'root' does not need to
+authenticate to run COMMAND."
+  (let ((unix (pam-entry
+               (control "required")
+               (module "pam_unix.so"))))
+    (pam-service
+     (name command)
+     (account (list unix))
+     (auth (list (pam-entry
+                  (control "sufficient")
+                  (module "pam_rootok.so"))))
+     (password (list unix))
+     (session (list unix)))))
+
 (define* (base-pam-services #:key allow-empty-passwords?)
   "Return the list of basic PAM services everyone would want."
-  (cons %pam-other-services
-        (map (cut unix-pam-service <>
-                  #:allow-empty-passwords? allow-empty-passwords?)
-             '("su" "passwd" "sudo"
-               "useradd" "userdel" "usermod"
-               "groupadd" "groupdel" "groupmod"
-               ;; TODO: Add other Shadow programs?
-               ))))
+  ;; TODO: Add other Shadow programs?
+  (append (list %pam-other-services)
+
+          ;; These programs are setuid-root.
+          (map (cut unix-pam-service <>
+                    #:allow-empty-passwords? allow-empty-passwords?)
+               '("su" "passwd" "sudo"))
+
+          ;; These programs are not setuid-root, and we want root to be able
+          ;; to run them without having to authenticate (notably because
+          ;; 'useradd' and 'groupadd' are run during system activation.)
+          (map rootok-pam-service
+               '("useradd" "userdel" "usermod"
+                 "groupadd" "groupdel" "groupmod"))))
 
 ;;; linux.scm ends here
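Review bot: The `auth` stack in `rootok-pam-service` holds only a `sufficient` pam_rootok.so entry, so refusing a non-root caller depends on how the PAM library resolves a stack in which no module succeeded, not on an explicit rule. Consider ending the `auth` list with a deny entry, `(pam-entry (control "required") (module "pam_deny.so"))`, so the fail-closed outcome is stated in the service definition itself. The docstring could also say that callers other than root are refused. It is worth noting there too that `#:allow-empty-passwords?` no longer affects the user* and group* services, because `base-pam-services` now passes it only for "su", "passwd" and "sudo".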