* Use pam_console to change the ownership of various devices (sound,

CD-ROM drive, etc.) to the logged in user. Woohoo! Finally, no more chown /dev/snd/*. * Get rid of spurious error messages about pam_ldap when we're not using LDAP. svn path=/nixos/trunk/; revision=8861
2007-06-10 20:02:07 +00:00 · 2007-06-10 20:02:07 +00:00 · 1f1db4c48f
commit 1f1db4c48f
parent ea9e6bdbac
7 changed files with 112 additions and 9 deletions
--- a/etc/default.nix
+++ b/etc/default.nix
@ -2,15 +2,32 @@
 let 
  optional = option: file:
    if config.get option then [file] else [];
  # !!! ugh, these files shouldn't be created here.
  envConf = pkgs.writeText "environment" "
    PATH=${systemPath}/bin:${systemPath}/sbin:${pkgs.openssh}/bin
    NIX_REMOTE=daemon
-  " /* ${pkgs.openssh}/bin is a hack to get remote scp to work */; 
+  " /* ${pkgs.openssh}/bin is a hack to get remote scp to work */;
  # Don't indent this file!
  pamConsoleHandlers = pkgs.writeText "console.handlers" "
 console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
 ${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms}
 ${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms}
 ";
  pamConsolePerms = ./security/console.perms;
 in
 import ../helpers/make-etc.nix {
  inherit (pkgs) stdenv;
@ -126,15 +143,17 @@ import ../helpers/make-etc.nix {
  # A bunch of PAM configuration files for various programs.
  ++ (map
    (program:
      let isLDAPEnabled = config.get ["users" "ldap" "enable"]; in
      { source = pkgs.substituteAll {
          src = ./pam.d + ("/" + program);
-          inherit (pkgs) pam_unix2;
+          inherit (pkgs) pam_unix2 pam_console;
          pam_ldap =
-            if config.get ["users" "ldap" "enable"]
+            if isLDAPEnabled
            then pkgs.pam_ldap
            else "/no-such-path";
          inherit (pkgs.xorg) xauth;
-          inherit envConf;
+          inherit envConf pamConsoleHandlers;
          isLDAPEnabled = if isLDAPEnabled then "" else "#";
        };
        target = "pam.d/" + program;
      }
@ -150,6 +169,7 @@ import ../helpers/make-etc.nix {
      "useradd"
      "chsh"
      "common"
      "common-console" # shared stuff for interactive local sessions
    ]
  )
--- a/etc/pam.d/common
+++ b/etc/pam.d/common
@ -1,13 +1,13 @@
-auth     sufficient     @pam_ldap@/lib/security/pam_ldap.so 
+@isLDAPEnabled@  auth     sufficient     @pam_ldap@/lib/security/pam_ldap.so 
 auth     sufficient     @pam_unix2@/lib/security/pam_unix2.so
 auth     required       pam_deny.so
-account  optional       @pam_ldap@/lib/security/pam_ldap.so 
+@isLDAPEnabled@  account  optional       @pam_ldap@/lib/security/pam_ldap.so 
 account  required       @pam_unix2@/lib/security/pam_unix2.so
-password sufficient     @pam_ldap@/lib/security/pam_ldap.so 
+@isLDAPEnabled@  password sufficient     @pam_ldap@/lib/security/pam_ldap.so 
 password sufficient     @pam_unix2@/lib/security/pam_unix2.so nullok
-session  optional       @pam_ldap@/lib/security/pam_ldap.so 
+@isLDAPEnabled@  session  optional       @pam_ldap@/lib/security/pam_ldap.so 
 session  required       @pam_unix2@/lib/security/pam_unix2.so
 session  optional       pam_env.so envfile=@envConf@
--- a/etc/pam.d/common-console
+++ b/etc/pam.d/common-console
@ -0,0 +1 @@
 session  optional       @pam_console@/lib/security/pam_console.so debug handlersfile=@pamConsoleHandlers@
--- a/etc/pam.d/login
+++ b/etc/pam.d/login
@ -2,3 +2,4 @@ auth     include        common
 account  include        common
 password include        common
 session  include        common
 session  include        common-console
--- a/etc/pam.d/slim
+++ b/etc/pam.d/slim
@ -2,3 +2,4 @@ auth     include        common
 account  include        common
 password include        common
 session  include        common
 session  include        common-console
--- a/etc/security/console.perms
+++ b/etc/security/console.perms
@ -0,0 +1,79 @@
 # This file determines the permissions that will be given to priviledged
 # users of the console at login time, and the permissions to which to
 # revert when the users log out.
 # format is:
 #   <class>=list of regexps specifying consoles or globs specifying files
 #   file-glob|<class> perm dev-regex|<dev-class> \
 #     revert-mode revert-owner[.revert-group]
 # the revert-mode, revert-owner, and revert-group are optional, and default
 # to 0600, root, and root, respectively.
 #
 # For more information:
 # man 5 console.perms
 # file classes -- these are regular expressions
 <console>=/dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
 <xconsole>=:[0-9]\.[0-9] :[0-9]
 # device classes -- these are shell-style globs
 <floppy>=/dev/fd[0-1]* \
 	 /dev/floppy* /mnt/floppy*
 <sound>=/dev/dsp* /dev/audio* /dev/midi* \
 	/dev/mixer* /dev/sequencer* \
 	/dev/sound/* /dev/beep \
 	/dev/snd/* 
 <cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
 <pilot>=/dev/pilot
 <jaz>=/mnt/jaz*
 <zip>=/mnt/pocketzip* /mnt/zip* /dev/zip*
 <ls120>=/dev/ls120 /mnt/ls120*
 <scanner>=/dev/scanner* /dev/usb/scanner*
 <rio500>=/dev/usb/rio500
 <camera>=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800*
 <memstick>=/mnt/memstick*
 <flash>=/mnt/flash* /dev/flash*
 <diskonkey>=/mnt/diskonkey*
 <rem_ide>=/mnt/microdrive*
 <fb>=/dev/fb /dev/fb[0-9]* \
     /dev/fb/*
 <kbd>=/dev/kbd
 <joystick>=/dev/js[0-9]*
 <v4l>=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi* \
      /dev/video/*
 <gpm>=/dev/gpmctl
 <dri>=/dev/nvidia* /dev/3dfx* /dev/dri/card*
 <mainboard>=/dev/apm_bios
 <pmu>=/dev/pmu
 <bluetooth>=/dev/rfcomm*
 <raw1394>=/dev/raw1394
 <irda>=/dev/ircomm*
 # permission definitions
 <console>  0660 <floppy>
 <console>  0600 <sound>
 <console>  0600 <cdrom>
 <console>  0600 <pilot>
 <console>  0600 <jaz>
 <console>  0600 <zip>
 <console>  0600 <ls120>
 <console>  0600 <scanner>
 <console>  0600 <camera>
 <console>  0600 <memstick>
 <console>  0600 <flash>
 <console>  0600 <diskonkey>
 <console>  0600 <rem_ide>
 <console>  0600 <fb>
 <console>  0600 <kbd>
 <console>  0600 <joystick>
 <console>  0600 <v4l>
 <console>  0700 <gpm>
 <console>  0600 <mainboard>
 <console>  0600 <rio500>
 <console>  0600 <pmu>
 <console>  0600 <bluetooth>
 <console>  0600 <raw1394>
 <console>  0600 <irda>
 <xconsole> 0600 /dev/console
 <console>  0600 <dri>
--- a/system/activate-configuration.sh
+++ b/system/activate-configuration.sh
@ -49,8 +49,9 @@ ln -sfn @bash@/bin/sh $mountPoint/bin/sh
 echo @modprobe@/sbin/modprobe > /proc/sys/kernel/modprobe
-# Various log directories.
+# Various log/runtime directories.
 mkdir -m 0755 -p /var/run
 mkdir -m 0755 -p /var/run/console # for pam_console
 touch /var/run/utmp # must exist
 chmod 644 /var/run/utmp
		`@ -0,0 +1 @@`
							`session optional @pam_console@/lib/security/pam_console.so debug handlersfile=@pamConsoleHandlers@`