* Use pam_console to change the ownership of various devices (sound,
CD-ROM drive, etc.) to the logged-in user. Woohoo! Finally, no more chown /dev/snd/*. * Get rid of spurious error messages about pam_ldap when we're not using LDAP. svn path=/nixos/trunk/; revision=8861
This commit is contained in:
parent
ea9e6bdbac
commit
1f1db4c48f
@ -2,15 +2,32 @@
|
||||
|
||||
let
|
||||
|
||||
|
||||
optional = option: file:
|
||||
if config.get option then [file] else [];
|
||||
|
||||
|
||||
# !!! ugh, these files shouldn't be created here.
|
||||
|
||||
|
||||
envConf = pkgs.writeText "environment" "
|
||||
PATH=${systemPath}/bin:${systemPath}/sbin:${pkgs.openssh}/bin
|
||||
NIX_REMOTE=daemon
|
||||
" /* ${pkgs.openssh}/bin is a hack to get remote scp to work */;
|
||||
" /* ${pkgs.openssh}/bin is a hack to get remote scp to work */;
|
||||
|
||||
|
||||
# Don't indent this file!
|
||||
pamConsoleHandlers = pkgs.writeText "console.handlers" "
|
||||
console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
|
||||
${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms}
|
||||
${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms}
|
||||
";
|
||||
|
||||
pamConsolePerms = ./security/console.perms;
|
||||
|
||||
|
||||
in
|
||||
|
||||
|
||||
import ../helpers/make-etc.nix {
|
||||
inherit (pkgs) stdenv;
|
||||
@ -126,15 +143,17 @@ import ../helpers/make-etc.nix {
|
||||
# A bunch of PAM configuration files for various programs.
|
||||
++ (map
|
||||
(program:
|
||||
let isLDAPEnabled = config.get ["users" "ldap" "enable"]; in
|
||||
{ source = pkgs.substituteAll {
|
||||
src = ./pam.d + ("/" + program);
|
||||
inherit (pkgs) pam_unix2;
|
||||
inherit (pkgs) pam_unix2 pam_console;
|
||||
pam_ldap =
|
||||
if config.get ["users" "ldap" "enable"]
|
||||
if isLDAPEnabled
|
||||
then pkgs.pam_ldap
|
||||
else "/no-such-path";
|
||||
inherit (pkgs.xorg) xauth;
|
||||
inherit envConf;
|
||||
inherit envConf pamConsoleHandlers;
|
||||
isLDAPEnabled = if isLDAPEnabled then "" else "#";
|
||||
};
|
||||
target = "pam.d/" + program;
|
||||
}
|
||||
@ -150,6 +169,7 @@ import ../helpers/make-etc.nix {
|
||||
"useradd"
|
||||
"chsh"
|
||||
"common"
|
||||
"common-console" # shared stuff for interactive local sessions
|
||||
]
|
||||
)
|
||||
|
||||
|
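Review bot: The `\.` in the consoledevs pattern at the top of pamConsoleHandlers sits inside a Nix double-quoted string, where a backslash escapes the following character, so the generated console.handlers contains `:[0-9].[0-9]` and that position of the console-class regex matches any character instead of a literal dot. Write it as `:[0-9]\\.[0-9]`, or make the whole value a `''` indented string, which leaves backslashes untouched and also removes the need for the `# Don't indent this file!` warning. The same pattern is spelled correctly in the checked-in etc/security/console.perms, so the two copies currently disagree. The enclosing `let` block starts before the first hunk and is not fully visible here.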
@ -1,13 +1,13 @@
|
||||
auth sufficient @pam_ldap@/lib/security/pam_ldap.so
|
||||
@isLDAPEnabled@ auth sufficient @pam_ldap@/lib/security/pam_ldap.so
|
||||
auth sufficient @pam_unix2@/lib/security/pam_unix2.so
|
||||
auth required pam_deny.so
|
||||
|
||||
account optional @pam_ldap@/lib/security/pam_ldap.so
|
||||
@isLDAPEnabled@ account optional @pam_ldap@/lib/security/pam_ldap.so
|
||||
account required @pam_unix2@/lib/security/pam_unix2.so
|
||||
|
||||
password sufficient @pam_ldap@/lib/security/pam_ldap.so
|
||||
@isLDAPEnabled@ password sufficient @pam_ldap@/lib/security/pam_ldap.so
|
||||
password sufficient @pam_unix2@/lib/security/pam_unix2.so nullok
|
||||
|
||||
session optional @pam_ldap@/lib/security/pam_ldap.so
|
||||
@isLDAPEnabled@ session optional @pam_ldap@/lib/security/pam_ldap.so
|
||||
session required @pam_unix2@/lib/security/pam_unix2.so
|
||||
session optional pam_env.so envfile=@envConf@
|
||||
|
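Review bot: The `@isLDAPEnabled@` prefix on the four pam_ldap lines is a line-disabling switch — the generator substitutes `#` when LDAP is off and an empty string when it is on — but nothing in this file says so, and a reader of the generated /etc/pam.d/common only sees either a commented-out line or a line with a stray leading space. A one-line header comment would make the intent visible, for example `# pam_ldap lines are commented out by the generator unless users.ldap.enable is set`. With that in place the `/no-such-path` fallback in the generator reads as the defensive default it is rather than as an error.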
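--- a/etc/pam.d/common-console
+++ b/etc/pam.d/common-console
@@ -0,0 +1 @@
+session optional @pam_console@/lib/security/pam_console.so debug handlersfile=@pamConsoleHandlers@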
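Review bot: `debug` is left enabled on the pam_console line, so every session open and close that reaches common-console presumably emits pam_console's verbose trace to syslog; that is useful while bringing the module up but noisy for a shipped default. Once the handlers are known to work the line should be `session optional @pam_console@/lib/security/pam_console.so handlersfile=@pamConsoleHandlers@`. Note that `optional` means a failure inside pam_console (for example a handlers file that cannot be read) does not fail the login, which is the right choice for a device-ownership convenience, so without the debug output a broken handler setup would go unnoticed — worth a comment in the file saying that the module is deliberately non-fatal.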
@ -2,3 +2,4 @@ auth include common
|
||||
account include common
|
||||
password include common
|
||||
session include common
|
||||
session include common-console
|
||||
|
@ -2,3 +2,4 @@ auth include common
|
||||
account include common
|
||||
password include common
|
||||
session include common
|
||||
session include common-console
|
||||
|
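--- a/etc/security/console.perms
+++ b/etc/security/console.perms
@@ -0,0 +1,79 @@
+# This file determines the permissions that will be given to priviledged
+# users of the console at login time, and the permissions to which to
+# revert when the users log out.
+
+# format is:
+# <class>=list of regexps specifying consoles or globs specifying files
+# file-glob|<class> perm dev-regex|<dev-class> \
+# revert-mode revert-owner[.revert-group]
+# the revert-mode, revert-owner, and revert-group are optional, and default
+# to 0600, root, and root, respectively.
+#
+# For more information:
+# man 5 console.perms
+
+# file classes -- these are regular expressions
+<console>=/dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
+<xconsole>=:[0-9]\.[0-9] :[0-9]
+
+# device classes -- these are shell-style globs
+<floppy>=/dev/fd[0-1]* \
+/dev/floppy* /mnt/floppy*
+<sound>=/dev/dsp* /dev/audio* /dev/midi* \
+/dev/mixer* /dev/sequencer* \
+/dev/sound/* /dev/beep \
+/dev/snd/*
+<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
+<pilot>=/dev/pilot
+<jaz>=/mnt/jaz*
+<zip>=/mnt/pocketzip* /mnt/zip* /dev/zip*
+<ls120>=/dev/ls120 /mnt/ls120*
+<scanner>=/dev/scanner* /dev/usb/scanner*
+<rio500>=/dev/usb/rio500
+<camera>=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800*
+<memstick>=/mnt/memstick*
+<flash>=/mnt/flash* /dev/flash*
+<diskonkey>=/mnt/diskonkey*
+<rem_ide>=/mnt/microdrive*
+<fb>=/dev/fb /dev/fb[0-9]* \
+/dev/fb/*
+<kbd>=/dev/kbd
+<joystick>=/dev/js[0-9]*
+<v4l>=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi* \
+/dev/video/*
+<gpm>=/dev/gpmctl
+<dri>=/dev/nvidia* /dev/3dfx* /dev/dri/card*
+<mainboard>=/dev/apm_bios
+<pmu>=/dev/pmu
+<bluetooth>=/dev/rfcomm*
+<raw1394>=/dev/raw1394
+<irda>=/dev/ircomm*
+
+# permission definitions
+<console> 0660 <floppy>
+<console> 0600 <sound>
+<console> 0600 <cdrom>
+<console> 0600 <pilot>
+<console> 0600 <jaz>
+<console> 0600 <zip>
+<console> 0600 <ls120>
+<console> 0600 <scanner>
+<console> 0600 <camera>
+<console> 0600 <memstick>
+<console> 0600 <flash>
+<console> 0600 <diskonkey>
+<console> 0600 <rem_ide>
+<console> 0600 <fb>
+<console> 0600 <kbd>
+<console> 0600 <joystick>
+<console> 0600 <v4l>
+<console> 0700 <gpm>
+<console> 0600 <mainboard>
+<console> 0600 <rio500>
+<console> 0600 <pmu>
+<console> 0600 <bluetooth>
+<console> 0600 <raw1394>
+<console> 0600 <irda>
+
+<xconsole> 0600 /dev/console
+<console> 0600 <dri>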
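Review bot: The permission definitions hand the console user ownership of a number of `/mnt/*` mount points (`/mnt/floppy*`, `/mnt/cdrom*`, `/mnt/jaz*`, `/mnt/zip*`, `/mnt/ls120*`, `/mnt/camera*`, `/mnt/memstick*`, `/mnt/flash*`, `/mnt/diskonkey*`, `/mnt/microdrive*`) alongside the device nodes; these appear to be carried over from an upstream default rather than being anything this configuration creates, and chowning a mount-point directory to whoever is logged in at the console is a broader grant than the "sound, CD-ROM drive, etc." the commit message asks for. Trimming the classes to the device nodes that actually exist on this system keeps the grant to what is intended; globs that match nothing are harmless, so the device-only entries can stay as they are. `<floppy>` is the only class granted 0660 rather than 0600 — if the group write bit is intentional a short comment saying why would help the next reader. The header comment also misspells `priviledged`; it should read `privileged`.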
@ -49,8 +49,9 @@ ln -sfn @bash@/bin/sh $mountPoint/bin/sh
|
||||
echo @modprobe@/sbin/modprobe > /proc/sys/kernel/modprobe
|
||||
|
||||
|
||||
# Various log directories.
|
||||
# Various log/runtime directories.
|
||||
mkdir -m 0755 -p /var/run
|
||||
mkdir -m 0755 -p /var/run/console # for pam_console
|
||||
|
||||
touch /var/run/utmp # must exist
|
||||
chmod 644 /var/run/utmp
|
||||
|