[jackhill/guix/guix.git] / gnu / system / pam.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu system pam)
  #:use-module (guix records)
  #:use-module (guix derivations)
  #:use-module (guix gexp)
  #:use-module (gnu services)
  #:use-module (ice-9 match)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-9)
  #:use-module (srfi srfi-11)
  #:use-module (srfi srfi-26)
  #:use-module ((guix utils) #:select (%current-system))
  #:export (pam-service
            pam-service-name
            pam-service-account
            pam-service-auth
            pam-service-password
            pam-service-session

            pam-entry
            pam-entry-control
            pam-entry-module
            pam-entry-arguments

            pam-limits-entry
            pam-limits-entry-domain
            pam-limits-entry-type
            pam-limits-entry-item
            pam-limits-entry-value
            pam-limits-entry->string

            pam-services->directory
            unix-pam-service
            base-pam-services

            session-environment-service
            session-environment-service-type

            pam-root-service-type
            pam-root-service))

;;; Commentary:
;;;
;;; Configuration of the pluggable authentication modules (PAM).
;;;
;;; Code:

;; PAM services (see
;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html>.)
(define-record-type* <pam-service> pam-service
  make-pam-service
  pam-service?
  (name       pam-service-name)                   ; string

  ;; The four "management groups".
  (account    pam-service-account                 ; list of <pam-entry>
              (default '()))
  (auth       pam-service-auth
              (default '()))
  (password   pam-service-password
              (default '()))
  (session    pam-service-session
              (default '())))

(define-record-type* <pam-entry> pam-entry
  make-pam-entry
  pam-entry?
  (control    pam-entry-control)         ; string
  (module     pam-entry-module)          ; file name
  (arguments  pam-entry-arguments        ; list of string-valued g-expressions
              (default '())))

;; PAM limits entries are used by the pam_limits PAM module to set or override
;; limits on system resources for user sessions.  The format is specified
;; here: http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html
(define-record-type <pam-limits-entry>
  (make-pam-limits-entry domain type item value)
  pam-limits-entry?
  (domain     pam-limits-entry-domain)   ; string
  (type       pam-limits-entry-type)     ; symbol
  (item       pam-limits-entry-item)     ; symbol
  (value      pam-limits-entry-value))   ; symbol or number

(define (pam-limits-entry domain type item value)
  "Construct a pam-limits-entry ensuring that the provided values are valid."
  (define (valid? value)
    (case item
      ((priority) (number? value))
      ((nice)     (and (number? value)
                       (>= value -20)
                       (<= value 19)))
      (else       (or (and (number? value)
                           (>= value -1))
                      (member value '(unlimited infinity))))))
  (define items
    (list 'core      'data       'fsize
          'memlock   'nofile     'rss
          'stack     'cpu        'nproc
          'as        'maxlogins  'maxsyslogins
          'priority  'locks      'sigpending
          'msgqueue  'nice       'rtprio))
  (when (not (member type '(hard soft both)))
    (error "invalid limit type" type))
  (when (not (member item items))
    (error "invalid limit item" item))
  (when (not (valid? value))
    (error "invalid limit value" value))
  (make-pam-limits-entry domain type item value))

(define (pam-limits-entry->string entry)
  "Convert a pam-limits-entry record to a string."
  (match entry
    (($ <pam-limits-entry> domain type item value)
     (string-join (list domain
                        (if (eq? type 'both)
                            "-"
                            (symbol->string type))
                        (symbol->string item)
                        (cond
                         ((symbol? value)
                          (symbol->string value))
                         (else
                          (number->string value))))
                  "	"))))

(define (pam-service->configuration service)
  "Return the derivation building the configuration file for SERVICE, to be
dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
  (define (entry->gexp type entry)
    (match entry
      (($ <pam-entry> control module (arguments ...))
       #~(format #t "~a ~a ~a ~a~%"
                 #$type #$control #$module
                 (string-join (list #$@arguments))))))

  (match service
    (($ <pam-service> name account auth password session)
     (define builder
       #~(begin
           (with-output-to-file #$output
             (lambda ()
               #$@(append (map (cut entry->gexp "account" <>) account)
                          (map (cut entry->gexp "auth" <>) auth)
                          (map (cut entry->gexp "password" <>) password)
                          (map (cut entry->gexp "session" <>) session))
               #t))))

     (computed-file name builder))))

(define (pam-services->directory services)
  "Return the derivation to build the configuration directory to be used as
/etc/pam.d for SERVICES."
  (let ((names (map pam-service-name services))
        (files (map pam-service->configuration services)))
    (define builder
      #~(begin
          (use-modules (ice-9 match)
                       (srfi srfi-1))

          (mkdir #$output)
          (for-each (match-lambda
                      ((name file)
                       (symlink file (string-append #$output "/" name))))

                    ;; Since <pam-service> objects cannot be compared with
                    ;; 'equal?' since they contain gexps, which contain
                    ;; closures, use 'delete-duplicates' on the build-side
                    ;; instead.  See <http://bugs.gnu.org/20037>.
                    (delete-duplicates '#$(zip names files)))))

    (computed-file "pam.d" builder)))

(define %pam-other-services
  ;; The "other" PAM configuration, which denies everything (see
  ;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.)
  (let ((deny (pam-entry
               (control "required")
               (module "pam_deny.so"))))
    (pam-service
     (name "other")
     (account (list deny))
     (auth (list deny))
     (password (list deny))
     (session (list deny)))))

(define unix-pam-service
  (let ((unix (pam-entry
               (control "required")
               (module "pam_unix.so")))
        (env  (pam-entry ; to honor /etc/environment.
               (control "required")
               (module "pam_env.so"))))
    (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
                   login-uid?)
      "Return a standard Unix-style PAM service for NAME.  When
ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords.  When ALLOW-ROOT? is
true, allow root to run the command without authentication.  When MOTD is
true, it should be a file-like object used as the message-of-the-day.
When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
/proc/self/loginuid, which the libc 'getlogin' function relies on."
      ;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
      (pam-service
       (name name)
       (account (list unix))
       (auth (append (if allow-root?
                         (list (pam-entry
                                (control "sufficient")
                                (module "pam_rootok.so")))
                         '())
                     (list (if allow-empty-passwords?
                               (pam-entry
                                (control "required")
                                (module "pam_unix.so")
                                (arguments '("nullok")))
                               unix))))
       (password (list (pam-entry
                        (control "required")
                        (module "pam_unix.so")
                        ;; Store SHA-512 encrypted passwords in /etc/shadow.
                        (arguments '("sha512" "shadow")))))
       (session `(,@(if motd
                        (list (pam-entry
                               (control "optional")
                               (module "pam_motd.so")
                               (arguments
                                (list #~(string-append "motd=" #$motd)))))
                        '())
                  ,@(if login-uid?
                        (list (pam-entry       ;to fill in /proc/self/loginuid
                               (control "required")
                               (module "pam_loginuid.so")))
                        '())
                  ,env ,unix))))))

(define (rootok-pam-service command)
  "Return a PAM service for COMMAND such that 'root' does not need to
authenticate to run COMMAND."
  (let ((unix (pam-entry
               (control "required")
               (module "pam_unix.so"))))
    (pam-service
     (name command)
     (account (list unix))
     (auth (list (pam-entry
                  (control "sufficient")
                  (module "pam_rootok.so"))))
     (password (list unix))
     (session (list unix)))))

(define* (base-pam-services #:key allow-empty-passwords?)
  "Return the list of basic PAM services everyone would want."
  ;; TODO: Add other Shadow programs?
  (append (list %pam-other-services)

          ;; These programs are setuid-root.
          (map (cut unix-pam-service <>
                    #:allow-empty-passwords? allow-empty-passwords?)
               '("passwd" "sudo"))
          ;; This is setuid-root, as well.  Allow root to run "su" without
          ;; authenticating.
          (list (unix-pam-service "su"
                                  #:allow-empty-passwords? allow-empty-passwords?
                                  #:allow-root? #t))

          ;; These programs are not setuid-root, and we want root to be able
          ;; to run them without having to authenticate (notably because
          ;; 'useradd' and 'groupadd' are run during system activation.)
          (map rootok-pam-service
               '("useradd" "userdel" "usermod"
                 "groupadd" "groupdel" "groupmod"))))

\f
;;;
;;; System-wide environment variables.
;;;

(define (environment-variables->environment-file vars)
  "Return a file for pam_env(8) that contains environment variables VARS."
  (apply mixed-text-file "environment"
         (append-map (match-lambda
                       ((key . value)
                        (list key "=" value "\n")))
                     vars)))

(define session-environment-service-type
  (service-type
   (name 'session-environment)
   (extensions
    (list (service-extension
           etc-service-type
           (lambda (vars)
             (list `("environment"
                     ,(environment-variables->environment-file vars)))))))
   (compose concatenate)
   (extend append)
   (description
    "Populate @file{/etc/environment}, which is honored by @code{pam_env},
with the specified environment variables.  The value of this service is a list
of name/value pairs for environments variables, such as:

@example
'((\"TZ\" . \"Canada/Pacific\"))
@end example\n")))

(define (session-environment-service vars)
  "Return a service that builds the @file{/etc/environment}, which can be read
by PAM-aware applications to set environment variables for sessions.

VARS should be an association list in which both the keys and the values are
strings or string-valued gexps."
  (service session-environment-service-type vars))


\f
;;;
;;; PAM root service.
;;;

;; Overall PAM configuration: a list of services, plus a procedure that takes
;; one <pam-service> and returns a <pam-service>.  The procedure is used to
;; implement cross-cutting concerns such as the use of the 'elogind.so'
;; session module that keeps track of logged-in users.
(define-record-type* <pam-configuration>
  pam-configuration make-pam-configuration? pam-configuration?
  (services  pam-configuration-services)          ;list of <pam-service>
  (transform pam-configuration-transform))        ;procedure

(define (/etc-entry config)
  "Return the /etc/pam.d entry corresponding to CONFIG."
  (match config
    (($ <pam-configuration> services transform)
     (let ((services (map transform services)))
       `(("pam.d" ,(pam-services->directory services)))))))

(define (extend-configuration initial extensions)
  "Extend INITIAL with NEW."
  (let-values (((services procs)
                (partition pam-service? extensions)))
    (pam-configuration
     (services (append (pam-configuration-services initial)
                       services))
     (transform (apply compose
                       (pam-configuration-transform initial)
                       procs)))))

(define pam-root-service-type
  (service-type (name 'pam)
                (extensions (list (service-extension etc-service-type
                                                     /etc-entry)))

                ;; Arguments include <pam-service> as well as procedures.
                (compose concatenate)
                (extend extend-configuration)
                (description
                 "Configure the Pluggable Authentication Modules (PAM) for all
the specified @dfn{PAM services}.  Each PAM service corresponds to a program,
such as @command{login} or @command{sshd}, and specifies for instance how the
program may authenticate users or what it should do when opening a new
session.")))

(define* (pam-root-service base #:key (transform identity))
  "The \"root\" PAM service, which collects <pam-service> instance and turns
them into a /etc/pam.d directory, including the <pam-service> listed in BASE.
TRANSFORM is a procedure that takes a <pam-service> and returns a
<pam-service>.  It can be used to implement cross-cutting concerns that affect
all the PAM services."
  (service pam-root-service-type
           (pam-configuration (services base)
                              (transform transform))))
Commit	Line	Data
0ded70f3	1	;;; GNU Guix --- Functional package management for GNU
dd0804c6	2	;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
0ded70f3 LC	3	;;;
	4	;;; This file is part of GNU Guix.
	5	;;;
	6	;;; GNU Guix is free software; you can redistribute it and/or modify it
	7	;;; under the terms of the GNU General Public License as published by
	8	;;; the Free Software Foundation; either version 3 of the License, or (at
	9	;;; your option) any later version.
	10	;;;
	11	;;; GNU Guix is distributed in the hope that it will be useful, but
	12	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	13	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	;;; GNU General Public License for more details.
	15	;;;
	16	;;; You should have received a copy of the GNU General Public License
	17	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	18
6e828634	19	(define-module (gnu system pam)
0ded70f3 LC	20	#:use-module (guix records)
0ded70f3 LC	21	#:use-module (guix derivations)
b5f4e686	22	#:use-module (guix gexp)
0adfe95a	23	#:use-module (gnu services)
0ded70f3 LC	24	#:use-module (ice-9 match)
0ded70f3 LC	25	#:use-module (srfi srfi-1)
909147e4	26	#:use-module (srfi srfi-9)
12c00bca	27	#:use-module (srfi srfi-11)
0ded70f3 LC	28	#:use-module (srfi srfi-26)
	29	#:use-module ((guix utils) #:select (%current-system))
	30	#:export (pam-service
d7bce31c LC	31	pam-service-name
	32	pam-service-account
	33	pam-service-auth
	34	pam-service-password
	35	pam-service-session
	36
0ded70f3	37	pam-entry
d7bce31c LC	38	pam-entry-control
	39	pam-entry-module
	40	pam-entry-arguments
	41
909147e4 RW	42	pam-limits-entry
	43	pam-limits-entry-domain
	44	pam-limits-entry-type
	45	pam-limits-entry-item
	46	pam-limits-entry-value
	47	pam-limits-entry->string
	48
0ded70f3	49	pam-services->directory
09e028f4	50	unix-pam-service
0adfe95a LC	51	base-pam-services
0adfe95a LC	52
fbc31dc1 LC	53	session-environment-service
	54	session-environment-service-type
	55
0adfe95a LC	56	pam-root-service-type
0adfe95a LC	57	pam-root-service))
0ded70f3 LC	58
	59	;;; Commentary:
	60	;;;
6e828634	61	;;; Configuration of the pluggable authentication modules (PAM).
0ded70f3 LC	62	;;;
	63	;;; Code:
	64
	65	;; PAM services (see
	66	;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html>.)
	67	(define-record-type* <pam-service> pam-service
	68	make-pam-service
	69	pam-service?
	70	(name pam-service-name) ; string
	71
	72	;; The four "management groups".
	73	(account pam-service-account ; list of <pam-entry>
	74	(default '()))
	75	(auth pam-service-auth
	76	(default '()))
	77	(password pam-service-password
	78	(default '()))
	79	(session pam-service-session
	80	(default '())))
	81
	82	(define-record-type* <pam-entry> pam-entry
	83	make-pam-entry
	84	pam-entry?
b5f4e686 LC	85	(control pam-entry-control) ; string
	86	(module pam-entry-module) ; file name
	87	(arguments pam-entry-arguments ; list of string-valued g-expressions
0ded70f3 LC	88	(default '())))
0ded70f3 LC	89
909147e4 RW	90	;; PAM limits entries are used by the pam_limits PAM module to set or override
	91	;; limits on system resources for user sessions. The format is specified
	92	;; here: http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html
	93	(define-record-type <pam-limits-entry>
	94	(make-pam-limits-entry domain type item value)
	95	pam-limits-entry?
	96	(domain pam-limits-entry-domain) ; string
	97	(type pam-limits-entry-type) ; symbol
	98	(item pam-limits-entry-item) ; symbol
	99	(value pam-limits-entry-value)) ; symbol or number
	100
	101	(define (pam-limits-entry domain type item value)
	102	"Construct a pam-limits-entry ensuring that the provided values are valid."
	103	(define (valid? value)
	104	(case item
	105	((priority) (number? value))
	106	((nice) (and (number? value)
	107	(>= value -20)
	108	(<= value 19)))
	109	(else (or (and (number? value)
	110	(>= value -1))
	111	(member value '(unlimited infinity))))))
	112	(define items
	113	(list 'core 'data 'fsize
	114	'memlock 'nofile 'rss
	115	'stack 'cpu 'nproc
	116	'as 'maxlogins 'maxsyslogins
	117	'priority 'locks 'sigpending
	118	'msgqueue 'nice 'rtprio))
	119	(when (not (member type '(hard soft both)))
	120	(error "invalid limit type" type))
	121	(when (not (member item items))
	122	(error "invalid limit item" item))
	123	(when (not (valid? value))
	124	(error "invalid limit value" value))
	125	(make-pam-limits-entry domain type item value))
	126
	127	(define (pam-limits-entry->string entry)
	128	"Convert a pam-limits-entry record to a string."
	129	(match entry
	130	(($ <pam-limits-entry> domain type item value)
	131	(string-join (list domain
	132	(if (eq? type 'both)
	133	"-"
	134	(symbol->string type))
	135	(symbol->string item)
	136	(cond
	137	((symbol? value)
	138	(symbol->string value))
	139	(else
	140	(number->string value))))
	141	" "))))
	142
0ded70f3	143	(define (pam-service->configuration service)
b5f4e686 LC	144	"Return the derivation building the configuration file for SERVICE, to be
	145	dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
	146	(define (entry->gexp type entry)
0ded70f3 LC	147	(match entry
0ded70f3 LC	148	(($ <pam-entry> control module (arguments ...))
b5f4e686 LC	149	#~(format #t "~a ~a ~a ~a~%"
	150	#$type #$control #$module
	151	(string-join (list #$@arguments))))))
0ded70f3 LC	152
	153	(match service
	154	(($ <pam-service> name account auth password session)
b5f4e686 LC	155	(define builder
	156	#~(begin
	157	(with-output-to-file #$output
	158	(lambda ()
	159	#$@(append (map (cut entry->gexp "account" <>) account)
	160	(map (cut entry->gexp "auth" <>) auth)
	161	(map (cut entry->gexp "password" <>) password)
	162	(map (cut entry->gexp "session" <>) session))
	163	#t))))
	164
23afe939	165	(computed-file name builder))))
0ded70f3	166
d9f0a237	167	(define (pam-services->directory services)
0ded70f3 LC	168	"Return the derivation to build the configuration directory to be used as
0ded70f3 LC	169	/etc/pam.d for SERVICES."
23afe939 LC	170	(let ((names (map pam-service-name services))
23afe939 LC	171	(files (map pam-service->configuration services)))
0ded70f3	172	(define builder
b5f4e686	173	#~(begin
11dddd8a LC	174	(use-modules (ice-9 match)
11dddd8a LC	175	(srfi srfi-1))
0ded70f3	176
b5f4e686 LC	177	(mkdir #$output)
b5f4e686 LC	178	(for-each (match-lambda
0adfe95a LC	179	((name file)
0adfe95a LC	180	(symlink file (string-append #$output "/" name))))
11dddd8a LC	181
	182	;; Since <pam-service> objects cannot be compared with
	183	;; 'equal?' since they contain gexps, which contain
	184	;; closures, use 'delete-duplicates' on the build-side
	185	;; instead. See <http://bugs.gnu.org/20037>.
	186	(delete-duplicates '#$(zip names files)))))
0ded70f3	187
23afe939	188	(computed-file "pam.d" builder)))
0ded70f3 LC	189
	190	(define %pam-other-services
	191	;; The "other" PAM configuration, which denies everything (see
	192	;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.)
	193	(let ((deny (pam-entry
	194	(control "required")
	195	(module "pam_deny.so"))))
	196	(pam-service
	197	(name "other")
	198	(account (list deny))
	199	(auth (list deny))
	200	(password (list deny))
	201	(session (list deny)))))
	202
	203	(define unix-pam-service
	204	(let ((unix (pam-entry
	205	(control "required")
af9908ff SB	206	(module "pam_unix.so")))
	207	(env (pam-entry ; to honor /etc/environment.
	208	(control "required")
	209	(module "pam_env.so"))))
af55ca48 LC	210	(lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
af55ca48 LC	211	login-uid?)
0ded70f3	212	"Return a standard Unix-style PAM service for NAME. When
e586257b RW	213	ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is
e586257b RW	214	true, allow root to run the command without authentication. When MOTD is
af55ca48 LC	215	true, it should be a file-like object used as the message-of-the-day.
	216	When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
	217	/proc/self/loginuid, which the libc 'getlogin' function relies on."
0ded70f3	218	;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
af55ca48 LC	219	(pam-service
	220	(name name)
	221	(account (list unix))
	222	(auth (append (if allow-root?
	223	(list (pam-entry
	224	(control "sufficient")
	225	(module "pam_rootok.so")))
	226	'())
	227	(list (if allow-empty-passwords?
	228	(pam-entry
	229	(control "required")
	230	(module "pam_unix.so")
	231	(arguments '("nullok")))
	232	unix))))
	233	(password (list (pam-entry
	234	(control "required")
	235	(module "pam_unix.so")
	236	;; Store SHA-512 encrypted passwords in /etc/shadow.
	237	(arguments '("sha512" "shadow")))))
	238	(session `(,@(if motd
	239	(list (pam-entry
	240	(control "optional")
	241	(module "pam_motd.so")
	242	(arguments
	243	(list #~(string-append "motd=" #$motd)))))
	244	'())
	245	,@(if login-uid?
	246	(list (pam-entry ;to fill in /proc/self/loginuid
	247	(control "required")
	248	(module "pam_loginuid.so")))
	249	'())
	250	,env ,unix))))))
0ded70f3	251
da417ffe LC	252	(define (rootok-pam-service command)
	253	"Return a PAM service for COMMAND such that 'root' does not need to
	254	authenticate to run COMMAND."
	255	(let ((unix (pam-entry
	256	(control "required")
	257	(module "pam_unix.so"))))
	258	(pam-service
	259	(name command)
	260	(account (list unix))
	261	(auth (list (pam-entry
	262	(control "sufficient")
	263	(module "pam_rootok.so"))))
	264	(password (list unix))
	265	(session (list unix)))))
	266
09e028f4 LC	267	(define* (base-pam-services #:key allow-empty-passwords?)
09e028f4 LC	268	"Return the list of basic PAM services everyone would want."
da417ffe LC	269	;; TODO: Add other Shadow programs?
	270	(append (list %pam-other-services)
	271
	272	;; These programs are setuid-root.
	273	(map (cut unix-pam-service <>
	274	#:allow-empty-passwords? allow-empty-passwords?)
e586257b RW	275	'("passwd" "sudo"))
	276	;; This is setuid-root, as well. Allow root to run "su" without
	277	;; authenticating.
	278	(list (unix-pam-service "su"
	279	#:allow-empty-passwords? allow-empty-passwords?
	280	#:allow-root? #t))
da417ffe LC	281
	282	;; These programs are not setuid-root, and we want root to be able
	283	;; to run them without having to authenticate (notably because
	284	;; 'useradd' and 'groupadd' are run during system activation.)
	285	(map rootok-pam-service
	286	'("useradd" "userdel" "usermod"
	287	"groupadd" "groupdel" "groupmod"))))
09e028f4	288
0adfe95a	289	\f
fbc31dc1 LC	290	;;;
	291	;;; System-wide environment variables.
	292	;;;
	293
	294	(define (environment-variables->environment-file vars)
	295	"Return a file for pam_env(8) that contains environment variables VARS."
	296	(apply mixed-text-file "environment"
	297	(append-map (match-lambda
	298	((key . value)
	299	(list key "=" value "\n")))
	300	vars)))
	301
	302	(define session-environment-service-type
	303	(service-type
	304	(name 'session-environment)
	305	(extensions
	306	(list (service-extension
	307	etc-service-type
	308	(lambda (vars)
	309	(list `("environment"
	310	,(environment-variables->environment-file vars)))))))
	311	(compose concatenate)
	312	(extend append)
	313	(description
	314	"Populate @file{/etc/environment}, which is honored by @code{pam_env},
	315	with the specified environment variables. The value of this service is a list
	316	of name/value pairs for environments variables, such as:
	317
	318	@example
	319	'((\"TZ\" . \"Canada/Pacific\"))
	320	@end example\n")))
	321
	322	(define (session-environment-service vars)
	323	"Return a service that builds the @file{/etc/environment}, which can be read
	324	by PAM-aware applications to set environment variables for sessions.
	325
	326	VARS should be an association list in which both the keys and the values are
	327	strings or string-valued gexps."
	328	(service session-environment-service-type vars))
	329
	330
	331	\f
0adfe95a LC	332	;;;
	333	;;; PAM root service.
	334	;;;
	335
12c00bca LC	336	;; Overall PAM configuration: a list of services, plus a procedure that takes
	337	;; one <pam-service> and returns a <pam-service>. The procedure is used to
	338	;; implement cross-cutting concerns such as the use of the 'elogind.so'
	339	;; session module that keeps track of logged-in users.
	340	(define-record-type* <pam-configuration>
	341	pam-configuration make-pam-configuration? pam-configuration?
	342	(services pam-configuration-services) ;list of <pam-service>
	343	(transform pam-configuration-transform)) ;procedure
	344
	345	(define (/etc-entry config)
	346	"Return the /etc/pam.d entry corresponding to CONFIG."
	347	(match config
	348	(($ <pam-configuration> services transform)
	349	(let ((services (map transform services)))
	350	`(("pam.d" ,(pam-services->directory services)))))))
	351
	352	(define (extend-configuration initial extensions)
	353	"Extend INITIAL with NEW."
	354	(let-values (((services procs)
	355	(partition pam-service? extensions)))
	356	(pam-configuration
	357	(services (append (pam-configuration-services initial)
	358	services))
	359	(transform (apply compose
	360	(pam-configuration-transform initial)
	361	procs)))))
0adfe95a LC	362
	363	(define pam-root-service-type
	364	(service-type (name 'pam)
	365	(extensions (list (service-extension etc-service-type
	366	/etc-entry)))
12c00bca LC	367
12c00bca LC	368	;; Arguments include <pam-service> as well as procedures.
0adfe95a	369	(compose concatenate)
dd0804c6 LC	370	(extend extend-configuration)
	371	(description
	372	"Configure the Pluggable Authentication Modules (PAM) for all
	373	the specified @dfn{PAM services}. Each PAM service corresponds to a program,
	374	such as @command{login} or @command{sshd}, and specifies for instance how the
	375	program may authenticate users or what it should do when opening a new
	376	session.")))
0adfe95a	377
12c00bca	378	(define* (pam-root-service base #:key (transform identity))
0adfe95a	379	"The \"root\" PAM service, which collects <pam-service> instance and turns
12c00bca LC	380	them into a /etc/pam.d directory, including the <pam-service> listed in BASE.
	381	TRANSFORM is a procedure that takes a <pam-service> and returns a
	382	<pam-service>. It can be used to implement cross-cutting concerns that affect
	383	all the PAM services."
	384	(service pam-root-service-type
	385	(pam-configuration (services base)
	386	(transform transform))))
0adfe95a	387
290ad224	388