system: hurd: Add PAM support with shadow and sudo.

* gnu/system.scm (hurd-default-essential-services): Add
setuid-program-service-type.
* gnu/system/hurd.scm (%base-packages/hurd): Add shadow, sudo.
(%setuid-programs/hurd): New variable.
(%hurd-default-operating-system)[setuid-program]: Use it.
[pam-services, sudoers-file]: Remove overrides; enabling regular defaults.
* gnu/system/examples/bare-hurd.tmpl (%hurd-os)[users]: New field.
[services]: Do not disable PAM in SSH.

gnu/system.scm

@@ -634,6 +634,8 @@ (define (hurd-default-essential-services os)
                            (operating-system-file-systems os)))
           (pam-root-service (operating-system-pam-services os))
           (operating-system-etc-service os)
+          (service setuid-program-service-type
+                   (operating-system-setuid-programs os))
           (service profile-service-type (operating-system-packages os)))))
 
 (define* (operating-system-services os)

gnu/system/examples/bare-hurd.tmpl

@@ -40,15 +40,20 @@
                         %base-file-systems))
     (host-name "guixygnu")
     (timezone "Europe/Amsterdam")
+    (users (cons (user-account
+                  (name "guix")
+                  (comment "Anonymous Hurd Hacker")
+                  (group "users")
+                  (supplementary-groups '("wheel")))
+                 %base-user-accounts))
     (packages (cons openssh-sans-x %base-packages/hurd))
     (services (cons (service openssh-service-type
                              (openssh-configuration
                               (openssh openssh-sans-x)
-                              (use-pam? #f)
                               (port-number 2222)
                               (permit-root-login #t)
                               (allow-empty-passwords? #t)
                               (password-authentication? #t)))
-               %base-services/hurd))))
+                    %base-services/hurd))))
 
 %hurd-os

gnu/system/hurd.scm

@@ -42,7 +42,8 @@ (define-module (gnu system hurd)
   #:export (%base-packages/hurd
             %base-services/hurd
             %hurd-default-operating-system
-            %hurd-default-operating-system-kernel))
+            %hurd-default-operating-system-kernel
+            %setuid-programs/hurd))
 
 ;;; Commentary:
 ;;;
@@ -62,7 +63,7 @@ (define %hurd-default-operating-system-kernel
 (define %base-packages/hurd
   (list hurd bash coreutils file findutils grep sed
         guile-3.0 guile-colorized guile-readline
-        net-base inetutils less shepherd which))
+        net-base inetutils less shadow shepherd sudo which))
 
 (define %base-services/hurd
   (list (service hurd-console-service-type
@@ -86,6 +87,17 @@ (define %base-services/hurd
                  `(("/bin/sh" ,(file-append bash "/bin/sh"))
                    ("/usr/bin/env" ,(file-append coreutils "/bin/env"))))))
 
+(define %setuid-programs/hurd
+  ;; Default set of setuid-root programs.
+  (list (file-append shadow "/bin/passwd")
+        (file-append shadow "/bin/sg")
+        (file-append shadow "/bin/su")
+        (file-append shadow "/bin/newgrp")
+        (file-append shadow "/bin/newuidmap")
+        (file-append shadow "/bin/newgidmap")
+        (file-append sudo "/bin/sudo")
+        (file-append sudo "/bin/sudoedit")))
+
 (define %hurd-default-operating-system
   (operating-system
     (kernel %hurd-default-operating-system-kernel)
@@ -103,6 +115,4 @@ (define %hurd-default-operating-system
     (timezone "GNUrope")
     (name-service-switch #f)
     (essential-services (hurd-default-essential-services this-operating-system))
-    (pam-services '())
+    (setuid-programs %setuid-programs/hurd)))
-    (setuid-programs '())
-    (sudoers-file #f)))