From 4e6f6d0215c27d8937b9f42aedf291120ed0e1c1 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Mon, 13 May 2013 11:27:21 +0200
Subject: [PATCH] Use pam_loginuid

This set the loginuid property of processes for auditing.
---
 modules/security/pam.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 8c0231288ec..f97e68a171c 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -51,6 +51,10 @@ let
       # login manager. If the service is running locally, this will
       # give the user ownership of audio devices etc.
       startSession ? false
+    , # Set the login uid of the process (/proc/self/loginuid) for
+      # auditing purposes. The login uid is only set by "entry
+      # points" like login and sshd, not by commands like sudo.
+      setLoginUid ? startSession
     , # Whether to forward XAuth keys between users. Mostly useful
       # for "su".
       forwardXAuth ? false
@@ -118,6 +122,8 @@ let
           "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
           ${optionalString startSession
               "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
+          ${optionalString setLoginUid
+              "session required pam_loginuid.so"}
           ${optionalString forwardXAuth
               "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
           ${optionalString (limits != [])
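Review bot: The new `session required pam_loginuid.so` entry makes the whole session stack fail whenever the module cannot write /proc/self/loginuid, and nothing in the hunk or the commit message records that this is deliberate. That case is reachable in practice — a kernel built without audit support, or a container where /proc is read-only or restricted — and because the first hunk defaults setLoginUid to startSession, every service that already starts a session picks the behaviour up at once. Failing closed is the right choice for audit integrity, but a comment would stop the next maintainer from "fixing" it to optional: `# 'required' on purpose: if the loginuid cannot be set, refuse the session rather than run it unaudited.` Whether a missing /proc/self/loginuid is treated as a hard error or silently ignored seems to depend on the pam_loginuid version, so confirm against the pam package actually in use. The surrounding string interpolation begins and ends outside the hunk.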