summary refs log tree commit diff
path: root/gnu/system/pam.scm
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2015-12-12 11:42:12 +0100
committerLudovic Courtès <ludo@gnu.org>2015-12-12 11:48:46 +0100
commite82e55e58c67b0215e768c4612ca542bc670f633 (patch)
tree856c4512fa1fbde59c1d9845c5a763ef8c4a14b4 /gnu/system/pam.scm
parent98bd851ee891ca4a84e061fe1e78ba78c292b096 (diff)
parente35dff973375266db253747140ddf25084ecddc2 (diff)
downloadguix-e82e55e58c67b0215e768c4612ca542bc670f633.tar.gz
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/system/pam.scm')
-rw-r--r--gnu/system/pam.scm216
1 files changed, 216 insertions, 0 deletions
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
new file mode 100644
index 0000000000..99d94a1a81
--- /dev/null
+++ b/gnu/system/pam.scm
@@ -0,0 +1,216 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu system pam)
+  #:use-module (guix records)
+  #:use-module (guix derivations)
+  #:use-module (guix gexp)
+  #:use-module (gnu services)
+  #:use-module (ice-9 match)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-26)
+  #:use-module ((guix utils) #:select (%current-system))
+  #:export (pam-service
+            pam-entry
+            pam-services->directory
+            unix-pam-service
+            base-pam-services
+
+            pam-root-service-type
+            pam-root-service))
+
+;;; Commentary:
+;;;
+;;; Configuration of the pluggable authentication modules (PAM).
+;;;
+;;; Code:
+
+;; PAM services (see
+;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html>.)
+(define-record-type* <pam-service> pam-service
+  make-pam-service
+  pam-service?
+  (name       pam-service-name)                   ; string
+
+  ;; The four "management groups".
+  (account    pam-service-account                 ; list of <pam-entry>
+              (default '()))
+  (auth       pam-service-auth
+              (default '()))
+  (password   pam-service-password
+              (default '()))
+  (session    pam-service-session
+              (default '())))
+
+(define-record-type* <pam-entry> pam-entry
+  make-pam-entry
+  pam-entry?
+  (control    pam-entry-control)         ; string
+  (module     pam-entry-module)          ; file name
+  (arguments  pam-entry-arguments        ; list of string-valued g-expressions
+              (default '())))
+
+(define (pam-service->configuration service)
+  "Return the derivation building the configuration file for SERVICE, to be
+dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
+  (define (entry->gexp type entry)
+    (match entry
+      (($ <pam-entry> control module (arguments ...))
+       #~(format #t "~a ~a ~a ~a~%"
+                 #$type #$control #$module
+                 (string-join (list #$@arguments))))))
+
+  (match service
+    (($ <pam-service> name account auth password session)
+     (define builder
+       #~(begin
+           (with-output-to-file #$output
+             (lambda ()
+               #$@(append (map (cut entry->gexp "account" <>) account)
+                          (map (cut entry->gexp "auth" <>) auth)
+                          (map (cut entry->gexp "password" <>) password)
+                          (map (cut entry->gexp "session" <>) session))
+               #t))))
+
+     (computed-file name builder))))
+
+(define (pam-services->directory services)
+  "Return the derivation to build the configuration directory to be used as
+/etc/pam.d for SERVICES."
+  (let ((names (map pam-service-name services))
+        (files (map pam-service->configuration services)))
+    (define builder
+      #~(begin
+          (use-modules (ice-9 match)
+                       (srfi srfi-1))
+
+          (mkdir #$output)
+          (for-each (match-lambda
+                      ((name file)
+                       (symlink file (string-append #$output "/" name))))
+
+                    ;; Since <pam-service> objects cannot be compared with
+                    ;; 'equal?' since they contain gexps, which contain
+                    ;; closures, use 'delete-duplicates' on the build-side
+                    ;; instead.  See <http://bugs.gnu.org/20037>.
+                    (delete-duplicates '#$(zip names files)))))
+
+    (computed-file "pam.d" builder)))
+
+(define %pam-other-services
+  ;; The "other" PAM configuration, which denies everything (see
+  ;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.)
+  (let ((deny (pam-entry
+               (control "required")
+               (module "pam_deny.so"))))
+    (pam-service
+     (name "other")
+     (account (list deny))
+     (auth (list deny))
+     (password (list deny))
+     (session (list deny)))))
+
+(define unix-pam-service
+  (let ((unix (pam-entry
+               (control "required")
+               (module "pam_unix.so")))
+        (env  (pam-entry ; to honor /etc/environment.
+               (control "required")
+               (module "pam_env.so"))))
+    (lambda* (name #:key allow-empty-passwords? motd)
+      "Return a standard Unix-style PAM service for NAME.  When
+ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords.  When MOTD is true, it
+should be a file-like object used as the message-of-the-day."
+      ;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
+      (let ((name* name))
+        (pam-service
+         (name name*)
+         (account (list unix))
+         (auth (list (if allow-empty-passwords?
+                         (pam-entry
+                          (control "required")
+                          (module "pam_unix.so")
+                          (arguments '("nullok")))
+                         unix)))
+         (password (list (pam-entry
+                          (control "required")
+                          (module "pam_unix.so")
+                          ;; Store SHA-512 encrypted passwords in /etc/shadow.
+                          (arguments '("sha512" "shadow")))))
+         (session (if motd
+                      (list env unix
+                            (pam-entry
+                             (control "optional")
+                             (module "pam_motd.so")
+                             (arguments
+                              (list #~(string-append "motd=" #$motd)))))
+                      (list env unix))))))))
+
+(define (rootok-pam-service command)
+  "Return a PAM service for COMMAND such that 'root' does not need to
+authenticate to run COMMAND."
+  (let ((unix (pam-entry
+               (control "required")
+               (module "pam_unix.so"))))
+    (pam-service
+     (name command)
+     (account (list unix))
+     (auth (list (pam-entry
+                  (control "sufficient")
+                  (module "pam_rootok.so"))))
+     (password (list unix))
+     (session (list unix)))))
+
+(define* (base-pam-services #:key allow-empty-passwords?)
+  "Return the list of basic PAM services everyone would want."
+  ;; TODO: Add other Shadow programs?
+  (append (list %pam-other-services)
+
+          ;; These programs are setuid-root.
+          (map (cut unix-pam-service <>
+                    #:allow-empty-passwords? allow-empty-passwords?)
+               '("su" "passwd" "sudo"))
+
+          ;; These programs are not setuid-root, and we want root to be able
+          ;; to run them without having to authenticate (notably because
+          ;; 'useradd' and 'groupadd' are run during system activation.)
+          (map rootok-pam-service
+               '("useradd" "userdel" "usermod"
+                 "groupadd" "groupdel" "groupmod"))))
+
+
+;;;
+;;; PAM root service.
+;;;
+
+(define (/etc-entry services)
+  `(("pam.d" ,(pam-services->directory services))))
+
+(define pam-root-service-type
+  (service-type (name 'pam)
+                (extensions (list (service-extension etc-service-type
+                                                     /etc-entry)))
+                (compose concatenate)
+                (extend append)))
+
+(define (pam-root-service base)
+  "The \"root\" PAM service, which collects <pam-service> instance and turns
+them into a /etc/pam.d directory, including the <pam-service> listed in BASE."
+  (service pam-root-service-type base))
+
+;;; linux.scm ends here