system: Allow 'chfn' to change the user's full name.
Fixes <https://issues.guix.gnu.org/52539>. Reported by Jacob First <jacob.first@member.fsf.org>. * gnu/build/accounts.scm (allocate-passwd): Add comment as to why 'real-name' is taken from PREVIOUS. Add (not system?) to the condition. * gnu/system.scm (operating-system-etc-service) <login.defs>: Add "CHFN_RESTRICT". * gnu/system.scm (%setuid-programs): Add "chfn". * gnu/system/pam.scm (base-pam-services): Add "chfn". * doc/guix.texi (User Accounts): Document it.
parent
806a4e986d
commit
671e6a8180
@ -15387,6 +15387,11 @@ account is created.
|
||||
@item @code{comment} (default: @code{""})
|
||||
A comment about the account, such as the account owner's full name.
|
||||
|
||||
Note that, for non-system accounts, users are free to change their real
|
||||
name as it appears in @file{/etc/passwd} using the @command{chfn}
|
||||
command. When they do, their choice prevails over the system
|
||||
administrator's choice; reconfiguring does @emph{not} change their name.
|
||||
|
||||
@item @code{home-directory}
|
||||
This is the name of the home directory for the account.
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2019 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2019, 2021 Ludovic Courtès <ludo@gnu.org>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
@ -490,7 +490,11 @@ new UIDs."
|
||||
(uid id)
|
||||
(directory directory)
|
||||
(gid (if (number? group) group (group-id group)))
|
||||
(real-name (if previous
|
||||
|
||||
;; Users might change their name to something
|
||||
;; other than what the sysadmin chose, with
|
||||
;; 'chfn'. Thus consider it "stateful".
|
||||
(real-name (if (and previous (not system?))
|
||||
(password-entry-real-name previous)
|
||||
real-name))
|
||||
|
||||
|
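Review bot: The new comment above `(real-name (if (and previous (not system?))` explains why the name is read back from PREVIOUS, but not why system accounts are excluded, which is the actual behaviour change in this condition. A line such as `;; For system accounts the declared comment always wins.` would make that explicit. The comment could also say that the preserved value is whatever 'chfn' last wrote, so later readers of the real-name field do not treat it as administrator-supplied. The enclosing procedure starts and ends outside the hunk.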
@ -913,7 +913,12 @@ the /etc directory."
|
||||
"/run/current-system/profile/sbin\n"
|
||||
"ENV_SUPATH /run/setuid-programs:"
|
||||
"/run/current-system/profile/bin:"
|
||||
"/run/current-system/profile/sbin\n")))
|
||||
"/run/current-system/profile/sbin\n"
|
||||
|
||||
"\n"
|
||||
"# Allow 'chfn' to change the full name,\n"
|
||||
"# room number, and so on.\n"
|
||||
"CHFN_RESTRICT frwh\n")))
|
||||
|
||||
(hurd (operating-system-hurd os))
|
||||
(issue (plain-file "issue" (operating-system-issue os)))
|
||||
@ -1158,6 +1163,7 @@ deprecated; use 'setuid-program' instead~%"))
|
||||
(let ((shadow (@ (gnu packages admin) shadow)))
|
||||
(map file-like->setuid-program
|
||||
(list (file-append shadow "/bin/passwd")
|
||||
(file-append shadow "/bin/chfn")
|
||||
(file-append shadow "/bin/sg")
|
||||
(file-append shadow "/bin/su")
|
||||
(file-append shadow "/bin/newgrp")
|
||||
|
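Review bot: `CHFN_RESTRICT frwh` lets unprivileged users edit the full name, room number, work phone and home phone, whereas the commit title and the manual text only mention the full name. If the other sub-fields are not needed, `"CHFN_RESTRICT f\n"` keeps the user-writable part of /etc/passwd as small as the stated goal; otherwise the manual entry should name them. Together with the `(file-append shadow "/bin/chfn")` entry this adds another setuid-root program that takes user input, so the narrower setting looks like the safer default. Both enclosing expressions continue outside the hunks.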
@ -1,5 +1,5 @@
|
||||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2013-2017, 2019-2021 Ludovic Courtès <ludo@gnu.org>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
@ -285,7 +285,7 @@ authenticate to run COMMAND."
|
||||
;; These programs are setuid-root.
|
||||
(map (cut unix-pam-service <>
|
||||
#:allow-empty-passwords? allow-empty-passwords?)
|
||||
'("passwd" "sudo"))
|
||||
'("passwd" "chfn" "sudo"))
|
||||
;; This is setuid-root, as well. Allow root to run "su" without
|
||||
;; authenticating.
|
||||
(list (unix-pam-service "su"
|
||||
|
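Review bot: The comment `;; These programs are setuid-root.` holds for "chfn" only because this same commit adds it to `%setuid-programs` in gnu/system.scm; nothing in this list ties the two together. A short note such as `;; Keep in sync with %setuid-programs in (gnu system).` would help the next person who adds or removes a setuid program. "chfn" also inherits `#:allow-empty-passwords?` along with "passwd" and "sudo", and it is worth confirming that this is intended for a tool that rewrites /etc/passwd. The surrounding expression starts and ends outside the hunk.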