1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
4 ;;; This file is part of GNU Guix.
6 ;;; GNU Guix is free software; you can redistribute it and/or modify it
7 ;;; under the terms of the GNU General Public License as published by
8 ;;; the Free Software Foundation; either version 3 of the License, or (at
9 ;;; your option) any later version.
11 ;;; GNU Guix is distributed in the hope that it will be useful, but
12 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
13 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 ;;; GNU General Public License for more details.
16 ;;; You should have received a copy of the GNU General Public License
17 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
19 (define-module (gnu system pam)
20 #:use-module (guix records)
21 #:use-module (guix derivations)
22 #:use-module (guix gexp)
23 #:use-module (gnu services)
24 #:use-module (ice-9 match)
25 #:use-module (srfi srfi-1)
26 #:use-module (srfi srfi-9)
27 #:use-module (srfi srfi-11)
28 #:use-module (srfi srfi-26)
29 #:use-module ((guix utils) #:select (%current-system))
43 pam-limits-entry-domain
46 pam-limits-entry-value
47 pam-limits-entry->string
49 pam-services->directory
53 session-environment-service
54 session-environment-service-type
61 ;;; Configuration of the pluggable authentication modules (PAM).
66 ;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html>.)
67 (define-record-type* <pam-service> pam-service
70 (name pam-service-name) ; string
72 ;; The four "management groups".
73 (account pam-service-account ; list of <pam-entry>
75 (auth pam-service-auth
77 (password pam-service-password
79 (session pam-service-session
82 (define-record-type* <pam-entry> pam-entry
85 (control pam-entry-control) ; string
86 (module pam-entry-module) ; file name
87 (arguments pam-entry-arguments ; list of string-valued g-expressions
90 ;; PAM limits entries are used by the pam_limits PAM module to set or override
91 ;; limits on system resources for user sessions. The format is specified
92 ;; here: http://linux-pam.org/Linux-PAM-html/sag-pam_limits.html
93 (define-record-type <pam-limits-entry>
94 (make-pam-limits-entry domain type item value)
96 (domain pam-limits-entry-domain) ; string
97 (type pam-limits-entry-type) ; symbol
98 (item pam-limits-entry-item) ; symbol
99 (value pam-limits-entry-value)) ; symbol or number
101 (define (pam-limits-entry domain type item value)
102 "Construct a pam-limits-entry ensuring that the provided values are valid."
103 (define (valid? value)
105 ((priority) (number? value))
106 ((nice) (and (number? value)
109 (else (or (and (number? value)
111 (member value '(unlimited infinity))))))
113 (list 'core 'data 'fsize
114 'memlock 'nofile 'rss
116 'as 'maxlogins 'maxsyslogins
117 'priority 'locks 'sigpending
118 'msgqueue 'nice 'rtprio))
119 (when (not (member type '(hard soft both)))
120 (error "invalid limit type" type))
121 (when (not (member item items))
122 (error "invalid limit item" item))
123 (when (not (valid? value))
124 (error "invalid limit value" value))
125 (make-pam-limits-entry domain type item value))
127 (define (pam-limits-entry->string entry)
128 "Convert a pam-limits-entry record to a string."
130 (($ <pam-limits-entry> domain type item value)
131 (string-join (list domain
134 (symbol->string type))
135 (symbol->string item)
138 (symbol->string value))
140 (number->string value))))
143 (define (pam-service->configuration service)
144 "Return the derivation building the configuration file for SERVICE, to be
145 dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
146 (define (entry->gexp type entry)
148 (($ <pam-entry> control module (arguments ...))
149 #~(format #t "~a ~a ~a ~a~%"
150 #$type #$control #$module
151 (string-join (list #$@arguments))))))
154 (($ <pam-service> name account auth password session)
157 (with-output-to-file #$output
159 #$@(append (map (cut entry->gexp "account" <>) account)
160 (map (cut entry->gexp "auth" <>) auth)
161 (map (cut entry->gexp "password" <>) password)
162 (map (cut entry->gexp "session" <>) session))
165 (computed-file name builder))))
167 (define (pam-services->directory services)
168 "Return the derivation to build the configuration directory to be used as
169 /etc/pam.d for SERVICES."
170 (let ((names (map pam-service-name services))
171 (files (map pam-service->configuration services)))
174 (use-modules (ice-9 match)
178 (for-each (match-lambda
180 (symlink file (string-append #$output "/" name))))
182 ;; Since <pam-service> objects cannot be compared with
183 ;; 'equal?' since they contain gexps, which contain
184 ;; closures, use 'delete-duplicates' on the build-side
185 ;; instead. See <http://bugs.gnu.org/20037>.
186 (delete-duplicates '#$(zip names files)))))
188 (computed-file "pam.d" builder)))
190 (define %pam-other-services
191 ;; The "other" PAM configuration, which denies everything (see
192 ;; <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.)
193 (let ((deny (pam-entry
195 (module "pam_deny.so"))))
198 (account (list deny))
200 (password (list deny))
201 (session (list deny)))))
203 (define unix-pam-service
204 (let ((unix (pam-entry
206 (module "pam_unix.so")))
207 (env (pam-entry ; to honor /etc/environment.
209 (module "pam_env.so"))))
210 (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
212 "Return a standard Unix-style PAM service for NAME. When
213 ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is
214 true, allow root to run the command without authentication. When MOTD is
215 true, it should be a file-like object used as the message-of-the-day.
216 When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
217 /proc/self/loginuid, which the libc 'getlogin' function relies on."
218 ;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
221 (account (list unix))
222 (auth (append (if allow-root?
224 (control "sufficient")
225 (module "pam_rootok.so")))
227 (list (if allow-empty-passwords?
230 (module "pam_unix.so")
231 (arguments '("nullok")))
233 (password (list (pam-entry
235 (module "pam_unix.so")
236 ;; Store SHA-512 encrypted passwords in /etc/shadow.
237 (arguments '("sha512" "shadow")))))
238 (session `(,@(if motd
241 (module "pam_motd.so")
243 (list #~(string-append "motd=" #$motd)))))
246 (list (pam-entry ;to fill in /proc/self/loginuid
248 (module "pam_loginuid.so")))
252 (define (rootok-pam-service command)
253 "Return a PAM service for COMMAND such that 'root' does not need to
254 authenticate to run COMMAND."
255 (let ((unix (pam-entry
257 (module "pam_unix.so"))))
260 (account (list unix))
261 (auth (list (pam-entry
262 (control "sufficient")
263 (module "pam_rootok.so"))))
264 (password (list unix))
265 (session (list unix)))))
267 (define* (base-pam-services #:key allow-empty-passwords?)
268 "Return the list of basic PAM services everyone would want."
269 ;; TODO: Add other Shadow programs?
270 (append (list %pam-other-services)
272 ;; These programs are setuid-root.
273 (map (cut unix-pam-service <>
274 #:allow-empty-passwords? allow-empty-passwords?)
276 ;; This is setuid-root, as well. Allow root to run "su" without
278 (list (unix-pam-service "su"
279 #:allow-empty-passwords? allow-empty-passwords?
282 ;; These programs are not setuid-root, and we want root to be able
283 ;; to run them without having to authenticate (notably because
284 ;; 'useradd' and 'groupadd' are run during system activation.)
285 (map rootok-pam-service
286 '("useradd" "userdel" "usermod"
287 "groupadd" "groupdel" "groupmod"))))
291 ;;; System-wide environment variables.
294 (define (environment-variables->environment-file vars)
295 "Return a file for pam_env(8) that contains environment variables VARS."
296 (apply mixed-text-file "environment"
297 (append-map (match-lambda
299 (list key "=" value "\n")))
302 (define session-environment-service-type
304 (name 'session-environment)
306 (list (service-extension
309 (list `("environment"
310 ,(environment-variables->environment-file vars)))))))
311 (compose concatenate)
314 "Populate @file{/etc/environment}, which is honored by @code{pam_env},
315 with the specified environment variables. The value of this service is a list
316 of name/value pairs for environments variables, such as:
319 '((\"TZ\" . \"Canada/Pacific\"))
322 (define (session-environment-service vars)
323 "Return a service that builds the @file{/etc/environment}, which can be read
324 by PAM-aware applications to set environment variables for sessions.
326 VARS should be an association list in which both the keys and the values are
327 strings or string-valued gexps."
328 (service session-environment-service-type vars))
333 ;;; PAM root service.
336 ;; Overall PAM configuration: a list of services, plus a procedure that takes
337 ;; one <pam-service> and returns a <pam-service>. The procedure is used to
338 ;; implement cross-cutting concerns such as the use of the 'elogind.so'
339 ;; session module that keeps track of logged-in users.
340 (define-record-type* <pam-configuration>
341 pam-configuration make-pam-configuration? pam-configuration?
342 (services pam-configuration-services) ;list of <pam-service>
343 (transform pam-configuration-transform)) ;procedure
345 (define (/etc-entry config)
346 "Return the /etc/pam.d entry corresponding to CONFIG."
348 (($ <pam-configuration> services transform)
349 (let ((services (map transform services)))
350 `(("pam.d" ,(pam-services->directory services)))))))
352 (define (extend-configuration initial extensions)
353 "Extend INITIAL with NEW."
354 (let-values (((services procs)
355 (partition pam-service? extensions)))
357 (services (append (pam-configuration-services initial)
359 (transform (apply compose
360 (pam-configuration-transform initial)
363 (define pam-root-service-type
364 (service-type (name 'pam)
365 (extensions (list (service-extension etc-service-type
368 ;; Arguments include <pam-service> as well as procedures.
369 (compose concatenate)
370 (extend extend-configuration)
372 "Configure the Pluggable Authentication Modules (PAM) for all
373 the specified @dfn{PAM services}. Each PAM service corresponds to a program,
374 such as @command{login} or @command{sshd}, and specifies for instance how the
375 program may authenticate users or what it should do when opening a new
378 (define* (pam-root-service base #:key (transform identity))
379 "The \"root\" PAM service, which collects <pam-service> instance and turns
380 them into a /etc/pam.d directory, including the <pam-service> listed in BASE.
381 TRANSFORM is a procedure that takes a <pam-service> and returns a
382 <pam-service>. It can be used to implement cross-cutting concerns that affect
383 all the PAM services."
384 (service pam-root-service-type
385 (pam-configuration (services base)
386 (transform transform))))