mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2025-01-25 20:19:18 -05:00
services: Log-in services now require "pam_loginuid".
Fixes <https://bugs.gnu.org/35553>. Reported by Bruno Haible <bruno@clisp.org>. * gnu/services/base.scm (login-pam-service): Pass #:login-uid? #t to 'unix-pam-service'. * gnu/services/ssh.scm (lsh-pam-services, openssh-pam-services): Likewise. * gnu/services/xorg.scm (slim-pam-service): Likewise. (gdm-pam-service): Likewise for "gdm-autologin" and "gdm-password". * gnu/tests/base.scm (run-basic-test)["getlogin on tty1"]: New test. * gnu/tests/ssh.scm (run-ssh-test): Add #:test-getlogin? parameter. ["getlogin"]: New test. (%test-dropbear): Pass #:test-getlogin? #f.
This commit is contained in:
parent
af55ca481d
commit
e6b1a2248f
5 changed files with 44 additions and 4 deletions
|
@ -830,6 +830,7 @@ (define (login-pam-service config)
|
||||||
"Return the list of PAM service needed for CONF."
|
"Return the list of PAM service needed for CONF."
|
||||||
;; Let 'login' be known to PAM.
|
;; Let 'login' be known to PAM.
|
||||||
(list (unix-pam-service "login"
|
(list (unix-pam-service "login"
|
||||||
|
#:login-uid? #t
|
||||||
#:allow-empty-passwords?
|
#:allow-empty-passwords?
|
||||||
(login-configuration-allow-empty-passwords? config)
|
(login-configuration-allow-empty-passwords? config)
|
||||||
#:motd
|
#:motd
|
||||||
|
|
|
@ -182,6 +182,7 @@ (define (lsh-pam-services config)
|
||||||
"Return a list of <pam-services> for lshd with CONFIG."
|
"Return a list of <pam-services> for lshd with CONFIG."
|
||||||
(list (unix-pam-service
|
(list (unix-pam-service
|
||||||
"lshd"
|
"lshd"
|
||||||
|
#:login-uid? #t
|
||||||
#:allow-empty-passwords?
|
#:allow-empty-passwords?
|
||||||
(lsh-configuration-allow-empty-passwords? config))))
|
(lsh-configuration-allow-empty-passwords? config))))
|
||||||
|
|
||||||
|
@ -506,6 +507,7 @@ (define (openssh-pam-services config)
|
||||||
"Return a list of <pam-services> for sshd with CONFIG."
|
"Return a list of <pam-services> for sshd with CONFIG."
|
||||||
(list (unix-pam-service
|
(list (unix-pam-service
|
||||||
"sshd"
|
"sshd"
|
||||||
|
#:login-uid? #t
|
||||||
#:allow-empty-passwords?
|
#:allow-empty-passwords?
|
||||||
(openssh-configuration-allow-empty-passwords? config))))
|
(openssh-configuration-allow-empty-passwords? config))))
|
||||||
|
|
||||||
|
|
|
@ -501,6 +501,7 @@ (define (slim-pam-service config)
|
||||||
"Return a PAM service for @command{slim}."
|
"Return a PAM service for @command{slim}."
|
||||||
(list (unix-pam-service
|
(list (unix-pam-service
|
||||||
"slim"
|
"slim"
|
||||||
|
#:login-uid? #t
|
||||||
#:allow-empty-passwords?
|
#:allow-empty-passwords?
|
||||||
(slim-configuration-allow-empty-passwords? config))))
|
(slim-configuration-allow-empty-passwords? config))))
|
||||||
|
|
||||||
|
@ -830,7 +831,8 @@ (define (gdm-pam-service config)
|
||||||
"Return a PAM service for @command{gdm}."
|
"Return a PAM service for @command{gdm}."
|
||||||
(list
|
(list
|
||||||
(pam-service
|
(pam-service
|
||||||
(inherit (unix-pam-service "gdm-autologin"))
|
(inherit (unix-pam-service "gdm-autologin"
|
||||||
|
#:login-uid? #t))
|
||||||
(auth (list (pam-entry
|
(auth (list (pam-entry
|
||||||
(control "[success=ok default=1]")
|
(control "[success=ok default=1]")
|
||||||
(module (file-append (gdm-configuration-gdm config)
|
(module (file-append (gdm-configuration-gdm config)
|
||||||
|
@ -844,6 +846,7 @@ (module "pam_permit.so")))))
|
||||||
(control "required")
|
(control "required")
|
||||||
(module "pam_permit.so")))))
|
(module "pam_permit.so")))))
|
||||||
(unix-pam-service "gdm-password"
|
(unix-pam-service "gdm-password"
|
||||||
|
#:login-uid? #t
|
||||||
#:allow-empty-passwords?
|
#:allow-empty-passwords?
|
||||||
(gdm-configuration-allow-empty-passwords? config))))
|
(gdm-configuration-allow-empty-passwords? config))))
|
||||||
|
|
||||||
|
|
|
@ -307,6 +307,18 @@ (define (user-owned? file)
|
||||||
(wait-for-file "/root/logged-in" marionette
|
(wait-for-file "/root/logged-in" marionette
|
||||||
#:read 'get-string-all)))
|
#:read 'get-string-all)))
|
||||||
|
|
||||||
|
(test-equal "getlogin on tty1"
|
||||||
|
"\"root\""
|
||||||
|
(begin
|
||||||
|
;; Assume we logged in in the previous test and type.
|
||||||
|
(marionette-type "guile -c '(write (getlogin))' > /root/login-id\n"
|
||||||
|
marionette)
|
||||||
|
|
||||||
|
;; It can take a while before the shell commands are executed.
|
||||||
|
(marionette-eval '(use-modules (rnrs io ports)) marionette)
|
||||||
|
(wait-for-file "/root/login-id" marionette
|
||||||
|
#:read 'get-string-all)))
|
||||||
|
|
||||||
;; There should be one utmpx entry for the user logged in on tty1.
|
;; There should be one utmpx entry for the user logged in on tty1.
|
||||||
(test-equal "utmpx entry"
|
(test-equal "utmpx entry"
|
||||||
'(("root" "tty1" #f))
|
'(("root" "tty1" #f))
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
;;; GNU Guix --- Functional package management for GNU
|
;;; GNU Guix --- Functional package management for GNU
|
||||||
;;; Copyright © 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
|
;;; Copyright © 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
|
||||||
;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
|
;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
|
||||||
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
|
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
|
||||||
;;;
|
;;;
|
||||||
|
@ -31,7 +31,8 @@ (define-module (gnu tests ssh)
|
||||||
#:export (%test-openssh
|
#:export (%test-openssh
|
||||||
%test-dropbear))
|
%test-dropbear))
|
||||||
|
|
||||||
(define* (run-ssh-test name ssh-service pid-file #:key (sftp? #f))
|
(define* (run-ssh-test name ssh-service pid-file
|
||||||
|
#:key (sftp? #f) (test-getlogin? #t))
|
||||||
"Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE.
|
"Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE.
|
||||||
SSH-SERVICE must be configured to listen on port 22 and to allow for root and
|
SSH-SERVICE must be configured to listen on port 22 and to allow for root and
|
||||||
empty-password logins.
|
empty-password logins.
|
||||||
|
@ -54,10 +55,12 @@ (define test
|
||||||
(use-modules (gnu build marionette)
|
(use-modules (gnu build marionette)
|
||||||
(srfi srfi-26)
|
(srfi srfi-26)
|
||||||
(srfi srfi-64)
|
(srfi srfi-64)
|
||||||
|
(ice-9 textual-ports)
|
||||||
(ice-9 match)
|
(ice-9 match)
|
||||||
(ssh session)
|
(ssh session)
|
||||||
(ssh auth)
|
(ssh auth)
|
||||||
(ssh channel)
|
(ssh channel)
|
||||||
|
(ssh popen)
|
||||||
(ssh sftp))
|
(ssh sftp))
|
||||||
|
|
||||||
(define marionette
|
(define marionette
|
||||||
|
@ -147,6 +150,20 @@ (define (call-with-connected-session/auth proc)
|
||||||
(and (zero? (channel-get-exit-status channel))
|
(and (zero? (channel-get-exit-status channel))
|
||||||
(wait-for-file "/root/witness" marionette))))))
|
(wait-for-file "/root/witness" marionette))))))
|
||||||
|
|
||||||
|
;; Check whether the 'getlogin' procedure returns the right thing.
|
||||||
|
(unless #$test-getlogin?
|
||||||
|
(test-skip 1))
|
||||||
|
(test-equal "getlogin"
|
||||||
|
'(0 "root")
|
||||||
|
(call-with-connected-session/auth
|
||||||
|
(lambda (session)
|
||||||
|
(let* ((pipe (open-remote-input-pipe
|
||||||
|
session
|
||||||
|
"guile -c '(display (getlogin))'"))
|
||||||
|
(output (get-string-all pipe))
|
||||||
|
(status (channel-get-exit-status pipe)))
|
||||||
|
(list status output)))))
|
||||||
|
|
||||||
;; Connect to the guest over SFTP. Make sure we can write and
|
;; Connect to the guest over SFTP. Make sure we can write and
|
||||||
;; read a file there.
|
;; read a file there.
|
||||||
(unless #$sftp?
|
(unless #$sftp?
|
||||||
|
@ -217,4 +234,9 @@ (define %test-dropbear
|
||||||
(dropbear-configuration
|
(dropbear-configuration
|
||||||
(root-login? #t)
|
(root-login? #t)
|
||||||
(allow-empty-passwords? #t)))
|
(allow-empty-passwords? #t)))
|
||||||
"/var/run/dropbear.pid"))))
|
"/var/run/dropbear.pid"
|
||||||
|
|
||||||
|
;; XXX: Our Dropbear is not built with PAM support.
|
||||||
|
;; Even when it is, it seems to ignore the PAM
|
||||||
|
;; 'session' requirements.
|
||||||
|
#:test-getlogin? #f))))
|
||||||
|
|
Loading…
Reference in a new issue