[jackhill/guix/guix.git] / gnu / system / pam.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu system pam)
  #:use-module (guix records)
  #:use-module (guix derivations)
  #:use-module (guix gexp)
  #:use-module (gnu services)
  #:use-module (ice-9 match)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-11)
  #:use-module (srfi srfi-26)
  #:use-module ((guix utils) #:select (%current-system))
  #:export (pam-service
            pam-service-name
            pam-service-account
            pam-service-auth
            pam-service-password
            pam-service-session

            pam-entry
            pam-entry-control
            pam-entry-module
            pam-entry-arguments

            pam-services->directory
            unix-pam-service
            base-pam-services

            pam-root-service-type
            pam-root-service))

;;; Commentary:
;;;
;;; Configuration of the pluggable authentication modules (PAM).
;;;
;;; Code:

;; PAM services (see
;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html>.)
(define-record-type* <pam-service> pam-service
  make-pam-service
  pam-service?
  (name       pam-service-name)                   ; string

  ;; The four "management groups".
  (account    pam-service-account                 ; list of <pam-entry>
              (default '()))
  (auth       pam-service-auth
              (default '()))
  (password   pam-service-password
              (default '()))
  (session    pam-service-session
              (default '())))

(define-record-type* <pam-entry> pam-entry
  make-pam-entry
  pam-entry?
  (control    pam-entry-control)         ; string
  (module     pam-entry-module)          ; file name
  (arguments  pam-entry-arguments        ; list of string-valued g-expressions
              (default '())))

(define (pam-service->configuration service)
  "Return the derivation building the configuration file for SERVICE, to be
dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
  (define (entry->gexp type entry)
    (match entry
      (($ <pam-entry> control module (arguments ...))
       #~(format #t "~a ~a ~a ~a~%"
                 #$type #$control #$module
                 (string-join (list #$@arguments))))))

  (match service
    (($ <pam-service> name account auth password session)
     (define builder
       #~(begin
           (with-output-to-file #$output
             (lambda ()
               #$@(append (map (cut entry->gexp "account" <>) account)
                          (map (cut entry->gexp "auth" <>) auth)
                          (map (cut entry->gexp "password" <>) password)
                          (map (cut entry->gexp "session" <>) session))
               #t))))

     (computed-file name builder))))

(define (pam-services->directory services)
  "Return the derivation to build the configuration directory to be used as
/etc/pam.d for SERVICES."
  (let ((names (map pam-service-name services))
        (files (map pam-service->configuration services)))
    (define builder
      #~(begin
          (use-modules (ice-9 match)
                       (srfi srfi-1))

          (mkdir #$output)
          (for-each (match-lambda
                      ((name file)
                       (symlink file (string-append #$output "/" name))))

                    ;; Since <pam-service> objects cannot be compared with
                    ;; 'equal?' since they contain gexps, which contain
                    ;; closures, use 'delete-duplicates' on the build-side
                    ;; instead.  See <http://bugs.gnu.org/20037>.
                    (delete-duplicates '#$(zip names files)))))

    (computed-file "pam.d" builder)))

(define %pam-other-services
  ;; The "other" PAM configuration, which denies everything (see
  ;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.)
  (let ((deny (pam-entry
               (control "required")
               (module "pam_deny.so"))))
    (pam-service
     (name "other")
     (account (list deny))
     (auth (list deny))
     (password (list deny))
     (session (list deny)))))

(define unix-pam-service
  (let ((unix (pam-entry
               (control "required")
               (module "pam_unix.so")))
        (env  (pam-entry ; to honor /etc/environment.
               (control "required")
               (module "pam_env.so"))))
    (lambda* (name #:key allow-empty-passwords? motd)
      "Return a standard Unix-style PAM service for NAME.  When
ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords.  When MOTD is true, it
should be a file-like object used as the message-of-the-day."
      ;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
      (let ((name* name))
        (pam-service
         (name name*)
         (account (list unix))
         (auth (list (if allow-empty-passwords?
                         (pam-entry
                          (control "required")
                          (module "pam_unix.so")
                          (arguments '("nullok")))
                         unix)))
         (password (list (pam-entry
                          (control "required")
                          (module "pam_unix.so")
                          ;; Store SHA-512 encrypted passwords in /etc/shadow.
                          (arguments '("sha512" "shadow")))))
         (session (if motd
                      (list env unix
                            (pam-entry
                             (control "optional")
                             (module "pam_motd.so")
                             (arguments
                              (list #~(string-append "motd=" #$motd)))))
                      (list env unix))))))))

(define (rootok-pam-service command)
  "Return a PAM service for COMMAND such that 'root' does not need to
authenticate to run COMMAND."
  (let ((unix (pam-entry
               (control "required")
               (module "pam_unix.so"))))
    (pam-service
     (name command)
     (account (list unix))
     (auth (list (pam-entry
                  (control "sufficient")
                  (module "pam_rootok.so"))))
     (password (list unix))
     (session (list unix)))))

(define* (base-pam-services #:key allow-empty-passwords?)
  "Return the list of basic PAM services everyone would want."
  ;; TODO: Add other Shadow programs?
  (append (list %pam-other-services)

          ;; These programs are setuid-root.
          (map (cut unix-pam-service <>
                    #:allow-empty-passwords? allow-empty-passwords?)
               '("su" "passwd" "sudo"))

          ;; These programs are not setuid-root, and we want root to be able
          ;; to run them without having to authenticate (notably because
          ;; 'useradd' and 'groupadd' are run during system activation.)
          (map rootok-pam-service
               '("useradd" "userdel" "usermod"
                 "groupadd" "groupdel" "groupmod"))))

\f
;;;
;;; PAM root service.
;;;

;; Overall PAM configuration: a list of services, plus a procedure that takes
;; one <pam-service> and returns a <pam-service>.  The procedure is used to
;; implement cross-cutting concerns such as the use of the 'elogind.so'
;; session module that keeps track of logged-in users.
(define-record-type* <pam-configuration>
  pam-configuration make-pam-configuration? pam-configuration?
  (services  pam-configuration-services)          ;list of <pam-service>
  (transform pam-configuration-transform))        ;procedure

(define (/etc-entry config)
  "Return the /etc/pam.d entry corresponding to CONFIG."
  (match config
    (($ <pam-configuration> services transform)
     (let ((services (map transform services)))
       `(("pam.d" ,(pam-services->directory services)))))))

(define (extend-configuration initial extensions)
  "Extend INITIAL with NEW."
  (let-values (((services procs)
                (partition pam-service? extensions)))
    (pam-configuration
     (services (append (pam-configuration-services initial)
                       services))
     (transform (apply compose
                       (pam-configuration-transform initial)
                       procs)))))

(define pam-root-service-type
  (service-type (name 'pam)
                (extensions (list (service-extension etc-service-type
                                                     /etc-entry)))

                ;; Arguments include <pam-service> as well as procedures.
                (compose concatenate)
                (extend extend-configuration)))

(define* (pam-root-service base #:key (transform identity))
  "The \"root\" PAM service, which collects <pam-service> instance and turns
them into a /etc/pam.d directory, including the <pam-service> listed in BASE.
TRANSFORM is a procedure that takes a <pam-service> and returns a
<pam-service>.  It can be used to implement cross-cutting concerns that affect
all the PAM services."
  (service pam-root-service-type
           (pam-configuration (services base)
                              (transform transform))))

;;; linux.scm ends here
Commit	Line	Data
0ded70f3	1	;;; GNU Guix --- Functional package management for GNU
d7bce31c	2	;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
0ded70f3 LC	3	;;;
	4	;;; This file is part of GNU Guix.
	5	;;;
	6	;;; GNU Guix is free software; you can redistribute it and/or modify it
	7	;;; under the terms of the GNU General Public License as published by
	8	;;; the Free Software Foundation; either version 3 of the License, or (at
	9	;;; your option) any later version.
	10	;;;
	11	;;; GNU Guix is distributed in the hope that it will be useful, but
	12	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	13	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	;;; GNU General Public License for more details.
	15	;;;
	16	;;; You should have received a copy of the GNU General Public License
	17	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	18
6e828634	19	(define-module (gnu system pam)
0ded70f3 LC	20	#:use-module (guix records)
0ded70f3 LC	21	#:use-module (guix derivations)
b5f4e686	22	#:use-module (guix gexp)
0adfe95a	23	#:use-module (gnu services)
0ded70f3 LC	24	#:use-module (ice-9 match)
0ded70f3 LC	25	#:use-module (srfi srfi-1)
12c00bca	26	#:use-module (srfi srfi-11)
0ded70f3 LC	27	#:use-module (srfi srfi-26)
	28	#:use-module ((guix utils) #:select (%current-system))
	29	#:export (pam-service
d7bce31c LC	30	pam-service-name
	31	pam-service-account
	32	pam-service-auth
	33	pam-service-password
	34	pam-service-session
	35
0ded70f3	36	pam-entry
d7bce31c LC	37	pam-entry-control
	38	pam-entry-module
	39	pam-entry-arguments
	40
0ded70f3	41	pam-services->directory
09e028f4	42	unix-pam-service
0adfe95a LC	43	base-pam-services
	44
	45	pam-root-service-type
	46	pam-root-service))
0ded70f3 LC	47
	48	;;; Commentary:
	49	;;;
6e828634	50	;;; Configuration of the pluggable authentication modules (PAM).
0ded70f3 LC	51	;;;
	52	;;; Code:
	53
	54	;; PAM services (see
	55	;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html>.)
	56	(define-record-type* <pam-service> pam-service
	57	make-pam-service
	58	pam-service?
	59	(name pam-service-name) ; string
	60
	61	;; The four "management groups".
	62	(account pam-service-account ; list of <pam-entry>
	63	(default '()))
	64	(auth pam-service-auth
	65	(default '()))
	66	(password pam-service-password
	67	(default '()))
	68	(session pam-service-session
	69	(default '())))
	70
	71	(define-record-type* <pam-entry> pam-entry
	72	make-pam-entry
	73	pam-entry?
b5f4e686 LC	74	(control pam-entry-control) ; string
	75	(module pam-entry-module) ; file name
	76	(arguments pam-entry-arguments ; list of string-valued g-expressions
0ded70f3 LC	77	(default '())))
	78
	79	(define (pam-service->configuration service)
b5f4e686 LC	80	"Return the derivation building the configuration file for SERVICE, to be
	81	dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
	82	(define (entry->gexp type entry)
0ded70f3 LC	83	(match entry
0ded70f3 LC	84	(($ <pam-entry> control module (arguments ...))
b5f4e686 LC	85	#~(format #t "~a ~a ~a ~a~%"
	86	#$type #$control #$module
	87	(string-join (list #$@arguments))))))
0ded70f3 LC	88
	89	(match service
	90	(($ <pam-service> name account auth password session)
b5f4e686 LC	91	(define builder
	92	#~(begin
	93	(with-output-to-file #$output
	94	(lambda ()
	95	#$@(append (map (cut entry->gexp "account" <>) account)
	96	(map (cut entry->gexp "auth" <>) auth)
	97	(map (cut entry->gexp "password" <>) password)
	98	(map (cut entry->gexp "session" <>) session))
	99	#t))))
	100
23afe939	101	(computed-file name builder))))
0ded70f3	102
d9f0a237	103	(define (pam-services->directory services)
0ded70f3 LC	104	"Return the derivation to build the configuration directory to be used as
0ded70f3 LC	105	/etc/pam.d for SERVICES."
23afe939 LC	106	(let ((names (map pam-service-name services))
23afe939 LC	107	(files (map pam-service->configuration services)))
0ded70f3	108	(define builder
b5f4e686	109	#~(begin
11dddd8a LC	110	(use-modules (ice-9 match)
11dddd8a LC	111	(srfi srfi-1))
0ded70f3	112
b5f4e686 LC	113	(mkdir #$output)
b5f4e686 LC	114	(for-each (match-lambda
0adfe95a LC	115	((name file)
0adfe95a LC	116	(symlink file (string-append #$output "/" name))))
11dddd8a LC	117
	118	;; Since <pam-service> objects cannot be compared with
	119	;; 'equal?' since they contain gexps, which contain
	120	;; closures, use 'delete-duplicates' on the build-side
	121	;; instead. See <http://bugs.gnu.org/20037>.
	122	(delete-duplicates '#$(zip names files)))))
0ded70f3	123
23afe939	124	(computed-file "pam.d" builder)))
0ded70f3 LC	125
	126	(define %pam-other-services
	127	;; The "other" PAM configuration, which denies everything (see
	128	;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.)
	129	(let ((deny (pam-entry
	130	(control "required")
	131	(module "pam_deny.so"))))
	132	(pam-service
	133	(name "other")
	134	(account (list deny))
	135	(auth (list deny))
	136	(password (list deny))
	137	(session (list deny)))))
	138
	139	(define unix-pam-service
	140	(let ((unix (pam-entry
	141	(control "required")
af9908ff SB	142	(module "pam_unix.so")))
	143	(env (pam-entry ; to honor /etc/environment.
	144	(control "required")
	145	(module "pam_env.so"))))
43a27798	146	(lambda* (name #:key allow-empty-passwords? motd)
0ded70f3	147	"Return a standard Unix-style PAM service for NAME. When
43a27798	148	ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When MOTD is true, it
ce8a6dfc	149	should be a file-like object used as the message-of-the-day."
0ded70f3 LC	150	;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
	151	(let ((name* name))
	152	(pam-service
	153	(name name*)
	154	(account (list unix))
	155	(auth (list (if allow-empty-passwords?
	156	(pam-entry
	157	(control "required")
	158	(module "pam_unix.so")
	159	(arguments '("nullok")))
	160	unix)))
9297065a SB	161	(password (list (pam-entry
	162	(control "required")
	163	(module "pam_unix.so")
	164	;; Store SHA-512 encrypted passwords in /etc/shadow.
	165	(arguments '("sha512" "shadow")))))
43a27798	166	(session (if motd
af9908ff	167	(list env unix
43a27798 LC	168	(pam-entry
	169	(control "optional")
	170	(module "pam_motd.so")
b5f4e686 LC	171	(arguments
b5f4e686 LC	172	(list #~(string-append "motd=" #$motd)))))
af9908ff	173	(list env unix))))))))
0ded70f3	174
da417ffe LC	175	(define (rootok-pam-service command)
	176	"Return a PAM service for COMMAND such that 'root' does not need to
	177	authenticate to run COMMAND."
	178	(let ((unix (pam-entry
	179	(control "required")
	180	(module "pam_unix.so"))))
	181	(pam-service
	182	(name command)
	183	(account (list unix))
	184	(auth (list (pam-entry
	185	(control "sufficient")
	186	(module "pam_rootok.so"))))
	187	(password (list unix))
	188	(session (list unix)))))
	189
09e028f4 LC	190	(define* (base-pam-services #:key allow-empty-passwords?)
09e028f4 LC	191	"Return the list of basic PAM services everyone would want."
da417ffe LC	192	;; TODO: Add other Shadow programs?
	193	(append (list %pam-other-services)
	194
	195	;; These programs are setuid-root.
	196	(map (cut unix-pam-service <>
	197	#:allow-empty-passwords? allow-empty-passwords?)
6726282b	198	'("su" "passwd" "sudo"))
da417ffe LC	199
	200	;; These programs are not setuid-root, and we want root to be able
	201	;; to run them without having to authenticate (notably because
	202	;; 'useradd' and 'groupadd' are run during system activation.)
	203	(map rootok-pam-service
	204	'("useradd" "userdel" "usermod"
	205	"groupadd" "groupdel" "groupmod"))))
09e028f4	206
0adfe95a LC	207	\f
	208	;;;
	209	;;; PAM root service.
	210	;;;
	211
12c00bca LC	212	;; Overall PAM configuration: a list of services, plus a procedure that takes
	213	;; one <pam-service> and returns a <pam-service>. The procedure is used to
	214	;; implement cross-cutting concerns such as the use of the 'elogind.so'
	215	;; session module that keeps track of logged-in users.
	216	(define-record-type* <pam-configuration>
	217	pam-configuration make-pam-configuration? pam-configuration?
	218	(services pam-configuration-services) ;list of <pam-service>
	219	(transform pam-configuration-transform)) ;procedure
	220
	221	(define (/etc-entry config)
	222	"Return the /etc/pam.d entry corresponding to CONFIG."
	223	(match config
	224	(($ <pam-configuration> services transform)
	225	(let ((services (map transform services)))
	226	`(("pam.d" ,(pam-services->directory services)))))))
	227
	228	(define (extend-configuration initial extensions)
	229	"Extend INITIAL with NEW."
	230	(let-values (((services procs)
	231	(partition pam-service? extensions)))
	232	(pam-configuration
	233	(services (append (pam-configuration-services initial)
	234	services))
	235	(transform (apply compose
	236	(pam-configuration-transform initial)
	237	procs)))))
0adfe95a LC	238
	239	(define pam-root-service-type
	240	(service-type (name 'pam)
	241	(extensions (list (service-extension etc-service-type
	242	/etc-entry)))
12c00bca LC	243
12c00bca LC	244	;; Arguments include <pam-service> as well as procedures.
0adfe95a	245	(compose concatenate)
12c00bca	246	(extend extend-configuration)))
0adfe95a	247
12c00bca	248	(define* (pam-root-service base #:key (transform identity))
0adfe95a	249	"The \"root\" PAM service, which collects <pam-service> instance and turns
12c00bca LC	250	them into a /etc/pam.d directory, including the <pam-service> listed in BASE.
	251	TRANSFORM is a procedure that takes a <pam-service> and returns a
	252	<pam-service>. It can be used to implement cross-cutting concerns that affect
	253	all the PAM services."
	254	(service pam-root-service-type
	255	(pam-configuration (services base)
	256	(transform transform))))
0adfe95a	257
0ded70f3	258	;;; linux.scm ends here