-rw-r--r--doc/guix.texi5
-rw-r--r--gnu/build/accounts.scm8
-rw-r--r--gnu/system.scm8
-rw-r--r--gnu/system/pam.scm4
4 files changed, 20 insertions, 5 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index ebfcfee7f7..354eead02b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -15387,6 +15387,11 @@ account is created.
 @item @code{comment} (default: @code{""})
 A comment about the account, such as the account owner's full name.
 
+Note that, for non-system accounts, users are free to change their real
+name as it appears in @file{/etc/passwd} using the @command{chfn}
+command.  When they do, their choice prevails over the system
+administrator's choice; reconfiguring does @emph{not} change their name.
+
 @item @code{home-directory}
 This is the name of the home directory for the account.
 
diff --git a/gnu/build/accounts.scm b/gnu/build/accounts.scm
index f60d68d9b3..1247fc640c 100644
--- a/gnu/build/accounts.scm
+++ b/gnu/build/accounts.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2019, 2021 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -490,7 +490,11 @@ new UIDs."
                                (uid id)
                                (directory directory)
                                (gid (if (number? group) group (group-id group)))
-                               (real-name (if previous
+
+                               ;; Users might change their name to something
+                               ;; other than what the sysadmin chose, with
+                               ;; 'chfn'.  Thus consider it "stateful".
+                               (real-name (if (and previous (not system?))
                                               (password-entry-real-name previous)
                                               real-name))
 
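Review bot: The new comment speaks of the user's "name", but the value kept by `(password-entry-real-name previous)` is presumably the whole GECOS field, which with the `CHFN_RESTRICT   frwh` line added in gnu/system.scm can also carry room and phone sub-fields written by the user. I would state that in the comment, e.g. `;; The GECOS field of non-system accounts is user-controlled (via 'chfn'); keep it, so the declared comment only applies when the account is created.` Code that displays or logs this field should then treat it as user-supplied text rather than administrator-supplied. The enclosing procedure starts and ends outside the hunk.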
diff --git a/gnu/system.scm b/gnu/system.scm
index 088c62ddde..cc925de16f 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -913,7 +913,12 @@ the /etc directory."
                         "/run/current-system/profile/sbin\n"
                         "ENV_SUPATH  /run/setuid-programs:"
                         "/run/current-system/profile/bin:"
-                        "/run/current-system/profile/sbin\n")))
+                        "/run/current-system/profile/sbin\n"
+
+                        "\n"
+                        "# Allow 'chfn' to change the full name,\n"
+                        "# room number, and so on.\n"
+                        "CHFN_RESTRICT   frwh\n")))
 
          (hurd       (operating-system-hurd os))
          (issue      (plain-file "issue" (operating-system-issue os)))
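Review bot: `CHFN_RESTRICT   frwh` enables every letter login.defs accepts for this option, and it is written as a string literal, so as far as this hunk shows an administrator cannot narrow it without replacing the whole login.defs file. If only the full name needs to be user-editable, `"CHFN_RESTRICT   f\n"` would be the tighter default; otherwise the value could come from a configuration field. The generated comment could also say that the setting applies to unprivileged users, e.g. `"# Let unprivileged users change their own GECOS sub-fields with 'chfn'.\n"`. The surrounding definition begins outside the hunk.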
@@ -1158,6 +1163,7 @@ deprecated; use 'setuid-program' instead~%"))
   (let ((shadow (@ (gnu packages admin) shadow)))
     (map file-like->setuid-program
          (list (file-append shadow "/bin/passwd")
+               (file-append shadow "/bin/chfn")
                (file-append shadow "/bin/sg")
                (file-append shadow "/bin/su")
                (file-append shadow "/bin/newgrp")
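Review bot: Adding `(file-append shadow "/bin/chfn")` puts one more setuid-root program that parses user input and rewrites /etc/passwd into the default list, and nothing next to the entry says why it is there or what it depends on. It appears to rely on the `"chfn"` PAM service added in gnu/system/pam.scm and on the `CHFN_RESTRICT` line in login.defs, so a comment such as `;; 'chfn' is setuid so users can edit their GECOS field; keep in sync with the "chfn" PAM service and CHFN_RESTRICT.` would help keep the three together. Administrators who do not want users editing their GECOS field would have to drop this entry from their setuid programs, which is worth a sentence in the manual. The definition this list belongs to starts outside the hunk.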
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index a31daada59..2574e019f1 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013-2017, 2019-2021 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -285,7 +285,7 @@ authenticate to run COMMAND."
           ;; These programs are setuid-root.
           (map (cut unix-pam-service <>
                     #:allow-empty-passwords? allow-empty-passwords?)
-               '("passwd" "sudo"))
+               '("passwd" "chfn" "sudo"))
           ;; This is setuid-root, as well.  Allow root to run "su" without
           ;; authenticating.
           (list (unix-pam-service "su"