diff options
author | Oleg Pykhalov <go.wigust@gmail.com> | 2021-03-21 21:34:07 +0300 |
---|---|---|
committer | Oleg Pykhalov <go.wigust@gmail.com> | 2021-08-17 01:10:25 +0300 |
commit | b948ab8b56ac238e7a774625b8f971d28aee6055 (patch) | |
tree | eb60f0849d23104af442225b47feb1b2753e3aaa /gnu/system | |
parent | ef4a931532fb8eac68ccff4f84d25005237e9a2f (diff) |
services: slim: Add pam-gnupg support.
* gnu/system/pam.scm (unix-pam-service): Add account and session PAM entries
for pam-gnupg. Don't pass "#f" to "allow-root?" argument, because "lambda*"
already does this by default.
* doc/guix.texi (X Window): Document this.
* gnu/services/xorg.scm (<slim-configuration>)[gnupg?]: New record field.
(slim-pam-service): Pass "#:gnupg?" argument to "unix-pam-service".
Diffstat (limited to 'gnu/system')
-rw-r--r-- | gnu/system/pam.scm | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index ad02586be8..a31daada59 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -27,6 +27,7 @@ #:use-module (srfi srfi-11) #:use-module (srfi srfi-26) #:use-module ((guix utils) #:select (%current-system)) + #:use-module (gnu packages linux) #:export (pam-service pam-service-name pam-service-account @@ -207,14 +208,16 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE." (env (pam-entry ; to honor /etc/environment. (control "required") (module "pam_env.so")))) - (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd - login-uid?) + (lambda* (name #:key allow-empty-passwords? allow-root? motd + login-uid? gnupg?) "Return a standard Unix-style PAM service for NAME. When ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is true, allow root to run the command without authentication. When MOTD is true, it should be a file-like object used as the message-of-the-day. When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets -/proc/self/loginuid, which the libc 'getlogin' function relies on." +/proc/self/loginuid, which the libc 'getlogin' function relies on. When +GNUPG? is true, require the 'pam_gnupg.so' module; that module hands over +the login password to 'gpg-agent'." ;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>. (pam-service (name name) @@ -229,7 +232,12 @@ When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets (control "required") (module "pam_unix.so") (arguments '("nullok"))) - unix)))) + unix)) + (if gnupg? + (list (pam-entry + (control "required") + (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) + '()))) (password (list (pam-entry (control "required") (module "pam_unix.so") @@ -247,6 +255,11 @@ When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets (control "required") (module "pam_loginuid.so"))) '()) + ,@(if gnupg? + (list (pam-entry + (control "required") + (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) + '()) ,env ,unix)))))) (define (rootok-pam-service command) |