services: Log-in services now require "pam_loginuid".

Fixes <https://bugs.gnu.org/35553>.
Reported by Bruno Haible <bruno@clisp.org>.

* gnu/services/base.scm (login-pam-service): Pass #:login-uid? #t to
'unix-pam-service'.
* gnu/services/ssh.scm (lsh-pam-services, openssh-pam-services):
Likewise.
* gnu/services/xorg.scm (slim-pam-service): Likewise.
(gdm-pam-service): Likewise for "gdm-autologin" and "gdm-password".
* gnu/tests/base.scm (run-basic-test)["getlogin on tty1"]: New test.
* gnu/tests/ssh.scm (run-ssh-test): Add #:test-getlogin? parameter.
["getlogin"]: New test.
(%test-dropbear): Pass #:test-getlogin? #f.
This commit is contained in:
Ludovic Courtès 2019-05-09 12:02:20 +02:00
parent af55ca481d
commit e6b1a2248f
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
5 changed files with 44 additions and 4 deletions

View file

@ -830,6 +830,7 @@ (define (login-pam-service config)
"Return the list of PAM service needed for CONF." "Return the list of PAM service needed for CONF."
;; Let 'login' be known to PAM. ;; Let 'login' be known to PAM.
(list (unix-pam-service "login" (list (unix-pam-service "login"
#:login-uid? #t
#:allow-empty-passwords? #:allow-empty-passwords?
(login-configuration-allow-empty-passwords? config) (login-configuration-allow-empty-passwords? config)
#:motd #:motd

View file

@ -182,6 +182,7 @@ (define (lsh-pam-services config)
"Return a list of <pam-services> for lshd with CONFIG." "Return a list of <pam-services> for lshd with CONFIG."
(list (unix-pam-service (list (unix-pam-service
"lshd" "lshd"
#:login-uid? #t
#:allow-empty-passwords? #:allow-empty-passwords?
(lsh-configuration-allow-empty-passwords? config)))) (lsh-configuration-allow-empty-passwords? config))))
@ -506,6 +507,7 @@ (define (openssh-pam-services config)
"Return a list of <pam-services> for sshd with CONFIG." "Return a list of <pam-services> for sshd with CONFIG."
(list (unix-pam-service (list (unix-pam-service
"sshd" "sshd"
#:login-uid? #t
#:allow-empty-passwords? #:allow-empty-passwords?
(openssh-configuration-allow-empty-passwords? config)))) (openssh-configuration-allow-empty-passwords? config))))

View file

@ -501,6 +501,7 @@ (define (slim-pam-service config)
"Return a PAM service for @command{slim}." "Return a PAM service for @command{slim}."
(list (unix-pam-service (list (unix-pam-service
"slim" "slim"
#:login-uid? #t
#:allow-empty-passwords? #:allow-empty-passwords?
(slim-configuration-allow-empty-passwords? config)))) (slim-configuration-allow-empty-passwords? config))))
@ -830,7 +831,8 @@ (define (gdm-pam-service config)
"Return a PAM service for @command{gdm}." "Return a PAM service for @command{gdm}."
(list (list
(pam-service (pam-service
(inherit (unix-pam-service "gdm-autologin")) (inherit (unix-pam-service "gdm-autologin"
#:login-uid? #t))
(auth (list (pam-entry (auth (list (pam-entry
(control "[success=ok default=1]") (control "[success=ok default=1]")
(module (file-append (gdm-configuration-gdm config) (module (file-append (gdm-configuration-gdm config)
@ -844,6 +846,7 @@ (module "pam_permit.so")))))
(control "required") (control "required")
(module "pam_permit.so"))))) (module "pam_permit.so")))))
(unix-pam-service "gdm-password" (unix-pam-service "gdm-password"
#:login-uid? #t
#:allow-empty-passwords? #:allow-empty-passwords?
(gdm-configuration-allow-empty-passwords? config)))) (gdm-configuration-allow-empty-passwords? config))))

View file

@ -307,6 +307,18 @@ (define (user-owned? file)
(wait-for-file "/root/logged-in" marionette (wait-for-file "/root/logged-in" marionette
#:read 'get-string-all))) #:read 'get-string-all)))
(test-equal "getlogin on tty1"
"\"root\""
(begin
;; Assume we logged in in the previous test and type.
(marionette-type "guile -c '(write (getlogin))' > /root/login-id\n"
marionette)
;; It can take a while before the shell commands are executed.
(marionette-eval '(use-modules (rnrs io ports)) marionette)
(wait-for-file "/root/login-id" marionette
#:read 'get-string-all)))
;; There should be one utmpx entry for the user logged in on tty1. ;; There should be one utmpx entry for the user logged in on tty1.
(test-equal "utmpx entry" (test-equal "utmpx entry"
'(("root" "tty1" #f)) '(("root" "tty1" #f))

View file

@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org> ;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;; ;;;
@ -31,7 +31,8 @@ (define-module (gnu tests ssh)
#:export (%test-openssh #:export (%test-openssh
%test-dropbear)) %test-dropbear))
(define* (run-ssh-test name ssh-service pid-file #:key (sftp? #f)) (define* (run-ssh-test name ssh-service pid-file
#:key (sftp? #f) (test-getlogin? #t))
"Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE. "Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE.
SSH-SERVICE must be configured to listen on port 22 and to allow for root and SSH-SERVICE must be configured to listen on port 22 and to allow for root and
empty-password logins. empty-password logins.
@ -54,10 +55,12 @@ (define test
(use-modules (gnu build marionette) (use-modules (gnu build marionette)
(srfi srfi-26) (srfi srfi-26)
(srfi srfi-64) (srfi srfi-64)
(ice-9 textual-ports)
(ice-9 match) (ice-9 match)
(ssh session) (ssh session)
(ssh auth) (ssh auth)
(ssh channel) (ssh channel)
(ssh popen)
(ssh sftp)) (ssh sftp))
(define marionette (define marionette
@ -147,6 +150,20 @@ (define (call-with-connected-session/auth proc)
(and (zero? (channel-get-exit-status channel)) (and (zero? (channel-get-exit-status channel))
(wait-for-file "/root/witness" marionette)))))) (wait-for-file "/root/witness" marionette))))))
;; Check whether the 'getlogin' procedure returns the right thing.
(unless #$test-getlogin?
(test-skip 1))
(test-equal "getlogin"
'(0 "root")
(call-with-connected-session/auth
(lambda (session)
(let* ((pipe (open-remote-input-pipe
session
"guile -c '(display (getlogin))'"))
(output (get-string-all pipe))
(status (channel-get-exit-status pipe)))
(list status output)))))
;; Connect to the guest over SFTP. Make sure we can write and ;; Connect to the guest over SFTP. Make sure we can write and
;; read a file there. ;; read a file there.
(unless #$sftp? (unless #$sftp?
@ -217,4 +234,9 @@ (define %test-dropbear
(dropbear-configuration (dropbear-configuration
(root-login? #t) (root-login? #t)
(allow-empty-passwords? #t))) (allow-empty-passwords? #t)))
"/var/run/dropbear.pid")))) "/var/run/dropbear.pid"
;; XXX: Our Dropbear is not built with PAM support.
;; Even when it is, it seems to ignore the PAM
;; 'session' requirements.
#:test-getlogin? #f))))