* For X logins, don't use pam_ck_connector since it doesn't really
work for X logins. (The documentation also says so.) Instead just call ck-launch-session from the xsession script. svn path=/nixos/trunk/; revision=17090
parent
0806a8e203
commit
379778c385
@ -26,11 +26,9 @@ let
|
|||||||
, # If set, root doesn't need to authenticate (e.g. for the "chsh"
|
, # If set, root doesn't need to authenticate (e.g. for the "chsh"
|
||||||
# service).
|
# service).
|
||||||
rootOK ? false
|
rootOK ? false
|
||||||
, # If set, this is a local login (e.g. virtual console or X), so
|
, # If set, use ConsoleKit's PAM connector module to claim
|
||||||
# the user gets ownership of audio devices etc.
|
# ownership of audio devices etc.
|
||||||
localLogin ? false
|
ownDevices ? false
|
||||||
, # Temporary hack to get SLiM to work with ConsoleKit.
|
|
||||||
ckHack ? false
|
|
||||||
, # Whether to forward XAuth keys between users. Mostly useful
|
, # Whether to forward XAuth keys between users. Mostly useful
|
||||||
# for "su".
|
# for "su".
|
||||||
forwardXAuth ? false
|
forwardXAuth ? false
|
||||||
@ -65,9 +63,7 @@ let
|
|||||||
${optionalString config.users.ldap.enable
|
${optionalString config.users.ldap.enable
|
||||||
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
|
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
session required ${pam_unix2}/lib/security/pam_unix2.so
|
session required ${pam_unix2}/lib/security/pam_unix2.so
|
||||||
${optionalString ckHack
|
${optionalString ownDevices
|
||||||
"session required pam_env.so debug conffile=${envFile} readenv=0"}
|
|
||||||
${optionalString localLogin
|
|
||||||
"session optional ${pkgs.console_kit}/lib/security/pam_ck_connector.so"}
|
"session optional ${pkgs.console_kit}/lib/security/pam_ck_connector.so"}
|
||||||
${optionalString forwardXAuth
|
${optionalString forwardXAuth
|
||||||
"session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
|
"session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
|
||||||
@ -75,14 +71,6 @@ let
|
|||||||
target = "pam.d/${name}";
|
target = "pam.d/${name}";
|
||||||
};
|
};
|
||||||
|
|
||||||
# This is needed to get an active session in ConsoleKit. Apparently
|
|
||||||
# a better way is to run ck-launch-session from the session starter
|
|
||||||
# (or let xdm/kdm do it).
|
|
||||||
envFile = pkgs.writeText "pam_env.conf"
|
|
||||||
''
|
|
||||||
CKCON_X11_DISPLAY_DEVICE DEFAULT="/dev/tty7"
|
|
||||||
'';
|
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
@ -104,13 +92,13 @@ in
|
|||||||
the name of the service. The attribute
|
the name of the service. The attribute
|
||||||
<varname>rootOK</varname> specifies whether the root user is
|
<varname>rootOK</varname> specifies whether the root user is
|
||||||
allowed to use this service without authentication. The
|
allowed to use this service without authentication. The
|
||||||
attribute <varname>localLogin</varname> specifies whether
|
attribute <varname>ownDevices</varname> specifies whether
|
||||||
this is a local login service (e.g. <command>xdm</command>),
|
ConsoleKit's PAM connector module should be used to give the
|
||||||
which implies that the user gets ownership of devices such
|
user ownership of devices such as audio and CD-ROM drives.
|
||||||
as audio and CD-ROM drives. The
|
The attribute <varname>forwardXAuth</varname> specifies
|
||||||
attribute <varname>forwardXAuth</varname> specifies whether
|
whether X authentication keys should be passed from the
|
||||||
X authentication keys should be passed from the calling user
|
calling user to the target user (e.g. for
|
||||||
to the target user (e.g. for <command>su</command>).
|
<command>su</command>).
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -151,7 +139,7 @@ in
|
|||||||
{ name = "useradd"; rootOK = true; }
|
{ name = "useradd"; rootOK = true; }
|
||||||
# Used by groupadd etc.
|
# Used by groupadd etc.
|
||||||
{ name = "shadow"; rootOK = true; }
|
{ name = "shadow"; rootOK = true; }
|
||||||
{ name = "login"; localLogin = true; }
|
{ name = "login"; ownDevices = true; }
|
||||||
];
|
];
|
||||||
|
|
||||||
};
|
};
|
||||||
|
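Review bot: The new comment on `ownDevices` does not say which services may set it, although the commit message states that pam_ck_connector does not work for X logins. I would extend it to something like `# If set, use ConsoleKit's PAM connector module to claim ownership of audio devices etc. Only for non-X logins; X sessions call ck-launch-session from the xsession script.` Separately, `localLogin` and `ckHack` are dropped from the argument list in the first hunk. The full signature lies outside the hunk, so if the function does not accept extra attributes, any service definition that still passes them would fail at evaluation; it is worth checking for callers beyond the ones updated here.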
@ -43,6 +43,12 @@ let
|
|||||||
fi
|
fi
|
||||||
''}
|
''}
|
||||||
|
|
||||||
|
# Start a ConsoleKit session so that we get ownership of various
|
||||||
|
# devices.
|
||||||
|
if test -z "$XDG_SESSION_COOKIE"; then
|
||||||
|
exec ${pkgs.console_kit}/bin/ck-launch-session "$0" "$sessionType"
|
||||||
|
fi
|
||||||
|
|
||||||
# Load X defaults.
|
# Load X defaults.
|
||||||
if test -e ~/.Xdefaults; then
|
if test -e ~/.Xdefaults; then
|
||||||
${xorg.xrdb}/bin/xrdb -merge ~/.Xdefaults
|
${xorg.xrdb}/bin/xrdb -merge ~/.Xdefaults
|
||||||
|
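Review bot: The `exec ${pkgs.console_kit}/bin/ck-launch-session "$0" "$sessionType"` line re-runs this script from the top, and the only thing that stops a further re-exec is `XDG_SESSION_COOKIE` being set on the second pass. If ck-launch-session starts the script without setting the cookie (I believe it does when it cannot open a session, for example with the ConsoleKit daemon not running, but this should be confirmed), the login would loop. A dedicated guard avoids that, for example `if test -z "$XDG_SESSION_COOKIE" -a -z "$CK_LAUNCHED"; then export CK_LAUNCHED=1; exec …; fi`, where the variable name is only illustrative. Conversely, a cookie inherited from the display manager's environment skips the launch silently, and the session then never gets device ownership. The part of the script above this block starts outside the hunk and also runs twice, so the block may be better placed at the very top.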
@ -80,7 +80,7 @@ in
|
|||||||
logsXsession = true;
|
logsXsession = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
security.pam.services = [ { name = "kde"; localLogin = true; ckHack = true; } ];
|
security.pam.services = [ { name = "kde"; } ];
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -104,7 +104,7 @@ in
|
|||||||
execCmd = "${pkgs.slim}/bin/slim";
|
execCmd = "${pkgs.slim}/bin/slim";
|
||||||
};
|
};
|
||||||
|
|
||||||
security.pam.services = [ { name = "slim"; localLogin = true; ckHack = true; } ];
|
security.pam.services = [ { name = "slim"; } ];
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|