From ec4b7f30f5f4dfbc5b2164fdb6f25ff32e841cde Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 13 Apr 2019 14:49:48 +0200 Subject: l usershadow: add setuid wrapper for check_pw --- lass/3modules/usershadow.nix | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) (limited to 'lass/3modules/usershadow.nix') diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix index cb2890969..383b9a537 100644 --- a/lass/3modules/usershadow.nix +++ b/lass/3modules/usershadow.nix @@ -31,13 +31,20 @@ session required pam_loginuid.so ''; - security.pam.services.dovecot2.text = '' - auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern} - auth required pam_permit.so - account required pam_permit.so - session required pam_permit.so - session required pam_env.so envfile=${config.system.build.pamEnvironment} - ''; + security.pam.services.dovecot2 = { + text = '' + auth required pam_exec.so debug expose_authtok log=/tmp/lol /run/wrappers/bin/shadow_verify_pam ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + session required pam_env.so envfile=${config.system.build.pamEnvironment} + ''; + }; + + security.wrappers.shadow_verify_pam = { + source = "${usershadow}/bin/verify_pam"; + owner = "root"; + }; }; usershadow = let { -- cgit v1.2.3 From 91bab57c35d61550ae4fec98cd8e985c037ed7f7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 13 Apr 2019 14:54:29 +0200 Subject: l usershadow: build without -threaded --- lass/3modules/usershadow.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'lass/3modules/usershadow.nix') diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix index 383b9a537..d967a108a 100644 --- a/lass/3modules/usershadow.nix +++ b/lass/3modules/usershadow.nix @@ -53,10 +53,13 @@ "bytestring" ]; body = pkgs.writeHaskellPackage "passwords" { + ghc-options = [ + "-rtsopts" + "-Wall" + ]; executables.verify_pam = { extra-depends = deps; text = '' - import Data.Monoid import System.IO import Data.Char (chr) import System.Environment (getEnv, getArgs) @@ -79,7 +82,6 @@ executables.verify_arg = { extra-depends = deps; text = '' - import Data.Monoid import System.Environment (getArgs) import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) import qualified Data.ByteString.Char8 as BS8 -- cgit v1.2.3 From 24d7e2fa03a4533368a8ec90599211366feb1510 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 17 Apr 2019 20:16:06 +0200 Subject: l domsen: run verify_arg as root --- lass/3modules/usershadow.nix | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lass/3modules/usershadow.nix') diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix index d967a108a..51da2ec93 100644 --- a/lass/3modules/usershadow.nix +++ b/lass/3modules/usershadow.nix @@ -45,6 +45,10 @@ source = "${usershadow}/bin/verify_pam"; owner = "root"; }; + security.wrappers.shadow_verify_arg = { + source = "${usershadow}/bin/verify_arg"; + owner = "root"; + }; }; usershadow = let { -- cgit v1.2.3