system: Add 'sudo' to the setuid programs, and handle /etc/sudoers.

* gnu/system.scm (<operating-system>)[groups]: Change default to just
  the 'root' group.
  [sudoers]: New field.
  (etc-directory): Add #:sudoers parameter.  Add 'sudoers' to the
  file union.
  (operating-system-etc-directory): Pass #:sudoers to 'etc-directory'.
  (%setuid-programs): Add 'sudo'.
  (%sudoers-specification): New variable.
* gnu/system/linux.scm (base-pam-services): Add 'sudo'.
* build-aux/hydra/demo-os.scm: Add 'groups' field; add 'guest' to the
  'wheel' group.
This commit is contained in:
Ludovic Courtès 2014-05-01 15:29:24 +02:00
parent b9100e2f11
commit 696893801c
3 changed files with 32 additions and 9 deletions

View file

@ -48,6 +48,15 @@
(uid 1000) (gid 100) (uid 1000) (gid 100)
(comment "Guest of GNU") (comment "Guest of GNU")
(home-directory "/home/guest")))) (home-directory "/home/guest"))))
(groups (list (user-group (name "root") (id 0))
(user-group
(name "wheel")
(id 1)
(members '("guest"))) ; allow 'guest' to use sudo
(user-group
(name "users")
(id 100)
(members '("guest")))))
(services (cons* (slim-service #:auto-login? #t (services (cons* (slim-service #:auto-login? #t
#:default-user "guest") #:default-user "guest")

View file

@ -85,11 +85,7 @@ (define-record-type* <operating-system> operating-system
(groups operating-system-groups ; list of user groups (groups operating-system-groups ; list of user groups
(default (list (user-group (default (list (user-group
(name "root") (name "root")
(id 0)) (id 0)))))
(user-group
(name "users")
(id 100)
(members '("guest"))))))
(packages operating-system-packages ; list of (PACKAGE OUTPUT...) (packages operating-system-packages ; list of (PACKAGE OUTPUT...)
(default (list coreutils ; or just PACKAGE (default (list coreutils ; or just PACKAGE
@ -111,8 +107,10 @@ (define-record-type* <operating-system> operating-system
(pam-services operating-system-pam-services ; list of PAM services (pam-services operating-system-pam-services ; list of PAM services
(default (base-pam-services))) (default (base-pam-services)))
(setuid-programs operating-system-setuid-programs (setuid-programs operating-system-setuid-programs
(default %setuid-programs))) ; list of string-valued gexps (default %setuid-programs)) ; list of string-valued gexps
(sudoers operating-system-sudoers ; /etc/sudoers contents
(default %sudoers-specification)))
;;; ;;;
@ -164,13 +162,15 @@ (define* (etc-directory #:key
(accounts '()) (accounts '())
(groups '()) (groups '())
(pam-services '()) (pam-services '())
(profile "/var/run/current-system/profile")) (profile "/var/run/current-system/profile")
(sudoers ""))
"Return a derivation that builds the static part of the /etc directory." "Return a derivation that builds the static part of the /etc directory."
(mlet* %store-monad (mlet* %store-monad
((passwd (passwd-file accounts)) ((passwd (passwd-file accounts))
(shadow (passwd-file accounts #:shadow? #t)) (shadow (passwd-file accounts #:shadow? #t))
(group (group-file groups)) (group (group-file groups))
(pam.d (pam-services->directory pam-services)) (pam.d (pam-services->directory pam-services))
(sudoers (text-file "sudoers" sudoers))
(login.defs (text-file "login.defs" "# Empty for now.\n")) (login.defs (text-file "login.defs" "# Empty for now.\n"))
(shells (text-file "shells" ; used by xterm and others (shells (text-file "shells" ; used by xterm and others
"\ "\
@ -215,7 +215,9 @@ (define* (etc-directory #:key
#$timezone)) #$timezone))
("passwd" ,#~#$passwd) ("passwd" ,#~#$passwd)
("shadow" ,#~#$shadow) ("shadow" ,#~#$shadow)
("group" ,#~#$group))))) ("group" ,#~#$group)
("sudoers" ,#~#$sudoers)))))
(define (operating-system-profile os) (define (operating-system-profile os)
"Return a derivation that builds the default profile of OS." "Return a derivation that builds the default profile of OS."
@ -254,6 +256,7 @@ (define (operating-system-etc-directory os)
#:pam-services pam-services #:pam-services pam-services
#:locale (operating-system-locale os) #:locale (operating-system-locale os)
#:timezone (operating-system-timezone os) #:timezone (operating-system-timezone os)
#:sudoers (operating-system-sudoers os)
#:profile profile-drv))) #:profile profile-drv)))
(define %setuid-programs (define %setuid-programs
@ -261,7 +264,16 @@ (define %setuid-programs
(let ((shadow (@ (gnu packages admin) shadow))) (let ((shadow (@ (gnu packages admin) shadow)))
(list #~(string-append #$shadow "/bin/passwd") (list #~(string-append #$shadow "/bin/passwd")
#~(string-append #$shadow "/bin/su") #~(string-append #$shadow "/bin/su")
#~(string-append #$inetutils "/bin/ping")))) #~(string-append #$inetutils "/bin/ping")
#~(string-append #$sudo "/bin/sudo"))))
(define %sudoers-specification
;; Default /etc/sudoers contents: 'root' and all members of the 'wheel'
;; group can do anything. See
;; <http://www.sudo.ws/sudo/man/1.8.10/sudoers.man.html>.
;; TODO: Add a declarative API.
"root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL\n")
(define (operating-system-boot-script os) (define (operating-system-boot-script os)
"Return the boot script for OS---i.e., the code started by the initrd once "Return the boot script for OS---i.e., the code started by the initrd once

View file

@ -157,6 +157,8 @@ (define* (base-pam-services #:key allow-empty-passwords?)
(list %pam-other-services (list %pam-other-services
(unix-pam-service "su" #:allow-empty-passwords? allow-empty-passwords?) (unix-pam-service "su" #:allow-empty-passwords? allow-empty-passwords?)
(unix-pam-service "passwd" (unix-pam-service "passwd"
#:allow-empty-passwords? allow-empty-passwords?)
(unix-pam-service "sudo"
#:allow-empty-passwords? allow-empty-passwords?))) #:allow-empty-passwords? allow-empty-passwords?)))
;;; linux.scm ends here ;;; linux.scm ends here