system: Allow 'chfn' to change the user's full name.

Fixes <https://issues.guix.gnu.org/52539>.
Reported by Jacob First <jacob.first@member.fsf.org>.

* gnu/build/accounts.scm (allocate-passwd): Add comment as to why
'real-name' is taken from PREVIOUS.  Add (not system?) to the
condition.
* gnu/system.scm (operating-system-etc-service) <login.defs>: Add
"CHFN_RESTRICT".
* gnu/system.scm (%setuid-programs): Add "chfn".
* gnu/system/pam.scm (base-pam-services): Add "chfn".
* doc/guix.texi (User Accounts): Document it.
This commit is contained in:
Ludovic Courtès 2021-12-31 17:45:12 +01:00
parent 806a4e986d
commit 671e6a8180
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
4 changed files with 20 additions and 5 deletions

View File

@ -15387,6 +15387,11 @@ account is created.
@item @code{comment} (default: @code{""})
A comment about the account, such as the account owner's full name.
Note that, for non-system accounts, users are free to change their real
name as it appears in @file{/etc/passwd} using the @command{chfn}
command. When they do, their choice prevails over the system
administrator's choice; reconfiguring does @emph{not} change their name.
@item @code{home-directory}
This is the name of the home directory for the account.

View File

@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2019 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2019, 2021 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@ -490,7 +490,11 @@ new UIDs."
(uid id)
(directory directory)
(gid (if (number? group) group (group-id group)))
(real-name (if previous
;; Users might change their name to something
;; other than what the sysadmin chose, with
;; 'chfn'. Thus consider it "stateful".
(real-name (if (and previous (not system?))
(password-entry-real-name previous)
real-name))

View File

@ -913,7 +913,12 @@ the /etc directory."
"/run/current-system/profile/sbin\n"
"ENV_SUPATH /run/setuid-programs:"
"/run/current-system/profile/bin:"
"/run/current-system/profile/sbin\n")))
"/run/current-system/profile/sbin\n"
"\n"
"# Allow 'chfn' to change the full name,\n"
"# room number, and so on.\n"
"CHFN_RESTRICT frwh\n")))
(hurd (operating-system-hurd os))
(issue (plain-file "issue" (operating-system-issue os)))
@ -1158,6 +1163,7 @@ deprecated; use 'setuid-program' instead~%"))
(let ((shadow (@ (gnu packages admin) shadow)))
(map file-like->setuid-program
(list (file-append shadow "/bin/passwd")
(file-append shadow "/bin/chfn")
(file-append shadow "/bin/sg")
(file-append shadow "/bin/su")
(file-append shadow "/bin/newgrp")

View File

@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013-2017, 2019-2021 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@ -285,7 +285,7 @@ authenticate to run COMMAND."
;; These programs are setuid-root.
(map (cut unix-pam-service <>
#:allow-empty-passwords? allow-empty-passwords?)
'("passwd" "sudo"))
'("passwd" "chfn" "sudo"))
;; This is setuid-root, as well. Allow root to run "su" without
;; authenticating.
(list (unix-pam-service "su"