* Use pam_console to change the ownership of various devices (sound,

CD-ROM drive, etc.) to the logged in user.  Woohoo!  Finally, no
  more chown /dev/snd/*.
* Get rid of spurious error messages about pam_ldap when we're not
  using LDAP.

svn path=/nixos/trunk/; revision=8861
This commit is contained in:
Eelco Dolstra 2007-06-10 20:02:07 +00:00
parent ea9e6bdbac
commit 1f1db4c48f
7 changed files with 112 additions and 9 deletions

View File

@ -2,15 +2,32 @@
let
optional = option: file:
if config.get option then [file] else [];
# !!! ugh, these files shouldn't be created here.
envConf = pkgs.writeText "environment" "
PATH=${systemPath}/bin:${systemPath}/sbin:${pkgs.openssh}/bin
NIX_REMOTE=daemon
" /* ${pkgs.openssh}/bin is a hack to get remote scp to work */;
" /* ${pkgs.openssh}/bin is a hack to get remote scp to work */;
# Don't indent this file!
pamConsoleHandlers = pkgs.writeText "console.handlers" "
console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms}
${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms}
";
pamConsolePerms = ./security/console.perms;
in
import ../helpers/make-etc.nix {
inherit (pkgs) stdenv;
@ -126,15 +143,17 @@ import ../helpers/make-etc.nix {
# A bunch of PAM configuration files for various programs.
++ (map
(program:
let isLDAPEnabled = config.get ["users" "ldap" "enable"]; in
{ source = pkgs.substituteAll {
src = ./pam.d + ("/" + program);
inherit (pkgs) pam_unix2;
inherit (pkgs) pam_unix2 pam_console;
pam_ldap =
if config.get ["users" "ldap" "enable"]
if isLDAPEnabled
then pkgs.pam_ldap
else "/no-such-path";
inherit (pkgs.xorg) xauth;
inherit envConf;
inherit envConf pamConsoleHandlers;
isLDAPEnabled = if isLDAPEnabled then "" else "#";
};
target = "pam.d/" + program;
}
@ -150,6 +169,7 @@ import ../helpers/make-etc.nix {
"useradd"
"chsh"
"common"
"common-console" # shared stuff for interactive local sessions
]
)

View File

@ -1,13 +1,13 @@
auth sufficient @pam_ldap@/lib/security/pam_ldap.so
@isLDAPEnabled@ auth sufficient @pam_ldap@/lib/security/pam_ldap.so
auth sufficient @pam_unix2@/lib/security/pam_unix2.so
auth required pam_deny.so
account optional @pam_ldap@/lib/security/pam_ldap.so
@isLDAPEnabled@ account optional @pam_ldap@/lib/security/pam_ldap.so
account required @pam_unix2@/lib/security/pam_unix2.so
password sufficient @pam_ldap@/lib/security/pam_ldap.so
@isLDAPEnabled@ password sufficient @pam_ldap@/lib/security/pam_ldap.so
password sufficient @pam_unix2@/lib/security/pam_unix2.so nullok
session optional @pam_ldap@/lib/security/pam_ldap.so
@isLDAPEnabled@ session optional @pam_ldap@/lib/security/pam_ldap.so
session required @pam_unix2@/lib/security/pam_unix2.so
session optional pam_env.so envfile=@envConf@

1
etc/pam.d/common-console Normal file
View File

@ -0,0 +1 @@
session optional @pam_console@/lib/security/pam_console.so debug handlersfile=@pamConsoleHandlers@

View File

@ -2,3 +2,4 @@ auth include common
account include common
password include common
session include common
session include common-console

View File

@ -2,3 +2,4 @@ auth include common
account include common
password include common
session include common
session include common-console

View File

@ -0,0 +1,79 @@
# This file determines the permissions that will be given to priviledged
# users of the console at login time, and the permissions to which to
# revert when the users log out.
# format is:
# <class>=list of regexps specifying consoles or globs specifying files
# file-glob|<class> perm dev-regex|<dev-class> \
# revert-mode revert-owner[.revert-group]
# the revert-mode, revert-owner, and revert-group are optional, and default
# to 0600, root, and root, respectively.
#
# For more information:
# man 5 console.perms
# file classes -- these are regular expressions
<console>=/dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
<xconsole>=:[0-9]\.[0-9] :[0-9]
# device classes -- these are shell-style globs
<floppy>=/dev/fd[0-1]* \
/dev/floppy* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer* \
/dev/sound/* /dev/beep \
/dev/snd/*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<pilot>=/dev/pilot
<jaz>=/mnt/jaz*
<zip>=/mnt/pocketzip* /mnt/zip* /dev/zip*
<ls120>=/dev/ls120 /mnt/ls120*
<scanner>=/dev/scanner* /dev/usb/scanner*
<rio500>=/dev/usb/rio500
<camera>=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800*
<memstick>=/mnt/memstick*
<flash>=/mnt/flash* /dev/flash*
<diskonkey>=/mnt/diskonkey*
<rem_ide>=/mnt/microdrive*
<fb>=/dev/fb /dev/fb[0-9]* \
/dev/fb/*
<kbd>=/dev/kbd
<joystick>=/dev/js[0-9]*
<v4l>=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi* \
/dev/video/*
<gpm>=/dev/gpmctl
<dri>=/dev/nvidia* /dev/3dfx* /dev/dri/card*
<mainboard>=/dev/apm_bios
<pmu>=/dev/pmu
<bluetooth>=/dev/rfcomm*
<raw1394>=/dev/raw1394
<irda>=/dev/ircomm*
# permission definitions
<console> 0660 <floppy>
<console> 0600 <sound>
<console> 0600 <cdrom>
<console> 0600 <pilot>
<console> 0600 <jaz>
<console> 0600 <zip>
<console> 0600 <ls120>
<console> 0600 <scanner>
<console> 0600 <camera>
<console> 0600 <memstick>
<console> 0600 <flash>
<console> 0600 <diskonkey>
<console> 0600 <rem_ide>
<console> 0600 <fb>
<console> 0600 <kbd>
<console> 0600 <joystick>
<console> 0600 <v4l>
<console> 0700 <gpm>
<console> 0600 <mainboard>
<console> 0600 <rio500>
<console> 0600 <pmu>
<console> 0600 <bluetooth>
<console> 0600 <raw1394>
<console> 0600 <irda>
<xconsole> 0600 /dev/console
<console> 0600 <dri>

View File

@ -49,8 +49,9 @@ ln -sfn @bash@/bin/sh $mountPoint/bin/sh
echo @modprobe@/sbin/modprobe > /proc/sys/kernel/modprobe
# Various log directories.
# Various log/runtime directories.
mkdir -m 0755 -p /var/run
mkdir -m 0755 -p /var/run/console # for pam_console
touch /var/run/utmp # must exist
chmod 644 /var/run/utmp