Github messages for voidlinux
* [PR PATCH] new package: pam_uaccess
From: dkwo @ 2024-06-07 16:13 UTC
  To: ml

There is a new pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages pamu
https://github.com/void-linux/void-packages/pull/50734

new package: pam_uaccess
From the author of `seatd`, this experimental PAM module grants access to devices tagged _uaccess_ in `udev` for the duration of the user session. Replaces `elogind`'s uaccess feature. Requires udev rules that set the uaccess tag, hence I split them from `elogind` package. I tested this locally, and it works for audio (i.e. I can access my audio card without being a member of audio group and without elogind). https://git.sr.ht/~kennylevinsen/pam_uaccess

A patch file from https://github.com/void-linux/void-packages/pull/50734.patch is attached

[-- Attachment #2: github-pr-pamu-50734.patch --]

From b251c3a0c6d6f9530c396da9d0874361cc42a715 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Fri, 7 Jun 2024 17:22:05 +0200
Subject: [PATCH 1/3] elogind: split udev uaccess rules

---
 srcpkgs/elogind-uaccess  |  1 +
 srcpkgs/elogind/template | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
 create mode 120000 srcpkgs/elogind-uaccess

diff --git a/srcpkgs/elogind-uaccess b/srcpkgs/elogind-uaccess
new file mode 120000
index 00000000000000..49be2e0cf598f0
--- /dev/null
+++ b/srcpkgs/elogind-uaccess
@@ -0,0 +1 @@
+elogind
\ No newline at end of file
diff --git a/srcpkgs/elogind/template b/srcpkgs/elogind/template
index 3275f48acc8238..b8015dcf8359e8 100644
--- a/srcpkgs/elogind/template
+++ b/srcpkgs/elogind/template
@@ -1,7 +1,7 @@
 # Template file for 'elogind'
 pkgname=elogind
 version=252.9
-revision=2
+revision=3
 build_style=meson
 configure_args="-Dcgroup-controller=elogind -Ddefault-hierarchy=legacy
  -Ddefault-kill-user-processes=false -Dhalt-path=/usr/bin/halt
@@ -12,7 +12,7 @@ hostmakedepends="docbook-xsl glib-devel gperf gettext libxslt
  m4 pkg-config python3-Jinja2 shadow"
 makedepends="acl-devel eudev-libudev-devel libcap-devel
  libglib-devel libseccomp-devel pam-devel"
-depends="dbus"
+depends="dbus elogind-uaccess"
 short_desc="Standalone logind fork"
 maintainer="Enno Boland <gottox@voidlinux.org>"
 license="GPL-2.0-or-later, LGPL-2.0-or-later"
@@ -78,3 +78,10 @@ libelogind_package() {
 		 vmove "usr/lib/libelogind.so.*"
 	}
 }
+
+elogind-uaccess_package() {
+	short_desk+=" - uaccess rules"
+	pkg_install() {
+		vmove usr/lib/udev/rules.d/70-uaccess.rules
+	}
+}
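
Review bot: `short_desk+=" - uaccess rules"` in `elogind-uaccess_package()` is a typo for `short_desc`, so the subpackage keeps the parent's description unchanged and the line only sets an unused variable. Change it to `short_desc+=" - uaccess rules"`. The commit message has no body; a sentence on why `70-uaccess.rules` has to live outside `elogind` would help whoever later reads the new `depends="dbus elogind-uaccess"`.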

From 7d1b57ead83b3f9fd7e14efa88a6309de2bd2817 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Wed, 5 Jun 2024 14:45:45 -0400
Subject: [PATCH 2/3] pam-base: add pam_uaccess

---
 srcpkgs/pam-base/files/system-login | 1 +
 srcpkgs/pam-base/template           | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/pam-base/files/system-login b/srcpkgs/pam-base/files/system-login
index 72c4638f07d3fe..dd2501cc95c2b0 100644
--- a/srcpkgs/pam-base/files/system-login
+++ b/srcpkgs/pam-base/files/system-login
@@ -16,5 +16,6 @@ session    optional   pam_motd.so          motd=/etc/motd
 session    optional   pam_mail.so          dir=/var/mail standard quiet
 -session   optional   pam_turnstile.so
 -session   optional   pam_elogind.so
+-session   optional   pam_uaccess.so
 -session   optional   pam_dumb_runtime_dir.so
 session    required   pam_env.so
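
Review bot: the added `-session   optional   pam_uaccess.so` line puts a module whose own template describes it as granting access to devices into the shared `system-login` stack, directly after `pam_elogind.so`. With the `-` prefix it takes effect for every login that uses this stack as soon as the package is installed, with no configuration step, and a system that has both modules installed would run both against the same uaccess-tagged devices. Consider dropping this line from pam-base and documenting the one-line opt-in instead, or state in the commit message (which currently has no body) how the two modules are expected to coexist.
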
diff --git a/srcpkgs/pam-base/template b/srcpkgs/pam-base/template
index 38bfa74cd88560..07c14e873cb5fd 100644
--- a/srcpkgs/pam-base/template
+++ b/srcpkgs/pam-base/template
@@ -1,7 +1,7 @@
 # Template file for 'pam-base'
 pkgname=pam-base
 version=0.4
-revision=3
+revision=4
 short_desc="PAM base configuration files"
 maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="Public Domain"

From 2cc7866568300d283053ffcfd60c6df045aef933 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Wed, 5 Jun 2024 14:45:26 -0400
Subject: [PATCH 3/3] new package: pam_uaccess

---
 srcpkgs/pam_uaccess/template | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 srcpkgs/pam_uaccess/template

diff --git a/srcpkgs/pam_uaccess/template b/srcpkgs/pam_uaccess/template
new file mode 100644
index 00000000000000..8f0c9b002065bf
--- /dev/null
+++ b/srcpkgs/pam_uaccess/template
@@ -0,0 +1,19 @@
+# Template file for 'pam_uaccess'
+pkgname=pam_uaccess
+version=0
+revision=1
+_commit=54fbf043c63cc500b4850b0b4a12ea14078f2b53
+build_style=meson
+hostmakedepends="pkg-config"
+makedepends="acl-devel eudev-libudev-devel pam-devel"
+depends="elogind-uaccess"
+short_desc="PAM module that grants access to devices tagged uaccess"
+maintainer="dkwo <npiazza@disroot.org>"
+license="MIT"
+homepage="https://git.sr.ht/~kennylevinsen/pam_uaccess"
+distfiles="https://git.sr.ht/~kennylevinsen/pam_uaccess/archive/${_commit}.tar.gz"
+checksum=44986d6fb341a3ca4e98ad7410037d97b010bb6510ac20e3765693249a1dbc3d
+
+post_install() {
+	vlicense LICENSE
+}
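
Review bot: `version=0` together with a pinned `_commit` packages an untagged snapshot, and the template gives no hint of why that commit was chosen or how a later snapshot should be versioned. The commit-pinned `distfiles` and the `checksum` make the fetch reproducible, which is good, but prefer waiting for an upstream tag; if a snapshot has to be packaged, add a comment above `_commit` explaining the choice and pick a `version` scheme that lets a later snapshot sort above this one. Note also that `depends="elogind-uaccess"` only installs the udev rules: the module is enabled solely by the `system-login` change in patch 2/3, so if that line is dropped the package needs an install message telling users how to enable it.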

* Re: new package: pam_uaccess
From: ahesford @ 2024-06-07 17:42 UTC
  To: ml

New comment by ahesford on void-packages repository

https://github.com/void-linux/void-packages/pull/50734#issuecomment-2155262948

Comment:
We don't package unreleased software like this and, even if it is tagged and packaged, I'm not sure it should be enabled in `pam-base`. Let users who install the package opt into using it by editing their PAM configs.

* Re: new package: pam_uaccess
From: dkwo @ 2024-06-09 10:06 UTC
  To: ml

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/50734#issuecomment-2156425236

Comment:
I thought the dash in `-session` exactly means it's optional, just like for elogind or turnstile:

> If the type value from the list above is prepended with a - character the PAM library will not log to the system log if it is not possible to load the module because it is missing in the system. This can be useful especially for modules which are not always installed on the system and are not required for correct authentication and authorization of the login session.

Isn't this the right way?

* Re: new package: pam_uaccess
From: dkwo @ 2024-06-09 10:08 UTC
  To: ml

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/50734#issuecomment-2156425991

Comment:
In my view, the benefit (this is the only way to access audio, video without elogind or membership in the groups) outweighs the fact that it's unreleased, but I understand. I could inquire with upstream what their recommendation is.

* Re: new package: pam_uaccess
From: ahesford @ 2024-06-09 11:45 UTC
  To: ml

New comment by ahesford on void-packages repository

https://github.com/void-linux/void-packages/pull/50734#issuecomment-2156459362

Comment:
I'm aware of the functionality of `-session optional`, but that isn't my point:
1. We ship a fair number of PAM modules that aren't optionally enabled in the base configuration.
2. Those that are enabled represent either extremely common workflows (*e.g.*, `elogind`) or represent actions limited to the scope of the user logging in (*e.g.*, `dumb_runtime_dir`, `turnstile`, `gnome_keyring` make directories, run programs or unlock things all owned by the user---they don't grant system-level privileges; also, I don't necessarily think that `turnstile` belongs in there by default).
3. This is still a very new program.

Enabling PAM services by default in `pam-base` inverts a knowledge dependency and should be avoided. We make exceptions in some cases because we lack a good mechanism for modifying the PAM configuration in packages that need it, but that exception should be limited to a few very common programs that are well understood.
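
The `-session optional` behaviour debated in the messages above, as an added example that is not part of the thread or the pull request: it reports which session modules of a PAM stack are actually present, and therefore active, and which would be skipped without a log entry. The function names, the module-directory argument and the scratch files are assumptions; the sample stack is constructed from the session lines visible in the `system-login` hunk.

```shell
# Added example (not from the PR): audit the session lines of a PAM stack.
# pam_session_report <pam-file> <module-dir>
# Prints: <module> <installed|missing> <silent-if-missing|logged-if-missing> <control>
pam_session_report() {
	file=$1 dir=$2
	while read -r type control module rest; do
		case $type in
			session)  quiet=logged-if-missing ;;
			-session) quiet=silent-if-missing ;;   # '-' prefix: absence is not logged
			*) continue ;;                         # comments, blanks, other types
		esac
		case $control in
			\[*)  # bracketed control such as [success=1 default=ignore]
				all="$control $module $rest"
				control="${all%%]*}]"
				set -f; set -- ${all#*]}; set +f
				module=${1:-} ;;
		esac
		[ -n "$module" ] || continue
		case $module in
			/*) path=$module ;;
			*)  path=$dir/$module ;;               # bare names resolve in the module dir
		esac
		if [ -e "$path" ]; then state=installed; else state=missing; fi
		printf '%s %s %s %s\n' "$module" "$state" "$quiet" "$control"
	done < "$file"
}

# Constructed sample: a scratch module directory in which only pam_env.so and
# pam_uaccess.so are "installed", checked against the lines from the hunk.
demo() {
	tmp=$(mktemp -d) || return 1
	mkdir "$tmp/security"
	: > "$tmp/security/pam_env.so"
	: > "$tmp/security/pam_uaccess.so"
	cat > "$tmp/system-login" <<'EOF'
-session   optional   pam_turnstile.so
-session   optional   pam_elogind.so
-session   optional   pam_uaccess.so
-session   optional   pam_dumb_runtime_dir.so
session    required   pam_env.so
EOF
	pam_session_report "$tmp/system-login" "$tmp/security"
	rm -rf "$tmp"
}
demo
```

Every line reported as `installed` and `silent-if-missing` is a module that became part of the login path purely because its package was installed, which is the set worth reviewing after package changes.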

* Re: new package: pam_uaccess
From: ahesford @ 2024-06-09 11:53 UTC
  To: ml

New comment by ahesford on void-packages repository

https://github.com/void-linux/void-packages/pull/50734#issuecomment-2156488117

Comment:
> In my view, the benefit (this is the only way to access audio, video without elogind or membership in the groups) outweighs the fact that it's unreleased, but I understand. I could inquire with upstream what their recommendation is.

There is no upstream recommendation that is relevant. This repository has a single commit, from two years ago, and no release tags. Until there is a release tag and some indication that this program is actually maintained, it's not suitable for packaging. Frankly, a two-year-old, single-commit repository looks more like a proof of concept than maintained software.

* Re: new package: pam_uaccess
From: dkwo @ 2024-06-10 14:20 UTC
  To: ml

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/50734#issuecomment-2158505878

Comment:
> Frankly, a two-year-old, single-commit repository looks more like a proof of concept than maintained software.

I agree with that. I can mark this as a draft, but also feel free to close it.

Would it make sense to split the uaccess udev rule from elogind (1st commit)?

* Re: new package: pam_uaccess
From: Duncaen @ 2024-06-10 14:49 UTC
  To: ml

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/50734#issuecomment-2158575029

Comment:
> Hot-plug
>
> pam_uaccess only operates on login, and does not grant access to new devices as they are added.
>
> This should not be a problem in most cases.

IMHO this makes this pretty pointless, unless the use-case is just a single machine with just static devices that need to be managed and multiple users that log in and out.

If you don't need the login/logout tracking stuff you could just write a udev rule that applies ACLs to all devices tagged with uaccess and it would support hot plugging.
