From 7ab616f659d885180c428515ec5fe77e5792190e Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 17 Aug 2009 01:16:38 +0000 Subject: [PATCH] * Added support for ConsoleKit. * Let ConsoleKit track the current logins instead of pam_console. Udev now takes care of setting the device permissions to the active user. This works much better, since pam_console wouldn't apply permissions to new (hot-plugged) devices. Also, the udev+ConsoleKit approach supports user switching. (We don't have that for X yet, but it already works for logins on virtual consoles: if you switch between different users on differents VCs with Alt+Fn, the device ownership will be changed automatically.) svn path=/nixos/trunk/; revision=16743 --- modules/module-list.nix | 3 +- modules/security/console-kit.nix | 24 ++++++++ modules/security/console.perms | 79 -------------------------- modules/security/pam.nix | 24 ++++---- modules/security/policy-kit.nix | 2 +- modules/services/system/consolekit.nix | 59 ------------------- modules/services/system/dbus.nix | 11 +++- 7 files changed, 50 insertions(+), 152 deletions(-) create mode 100644 modules/security/console-kit.nix delete mode 100644 modules/security/console.perms delete mode 100644 modules/services/system/consolekit.nix diff --git a/modules/module-list.nix b/modules/module-list.nix index 9938cc6e1b5..68f00dace2b 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -23,7 +23,9 @@ ./programs/pwdutils/pwdutils.nix ./programs/ssh.nix ./programs/ssmtp.nix + ./security/console-kit.nix ./security/pam.nix + ./security/policy-kit.nix ./security/setuid-wrappers.nix ./security/sudo.nix ./services/audio/alsa.nix @@ -72,7 +74,6 @@ ./services/scheduling/atd.nix ./services/scheduling/cron.nix ./services/scheduling/fcron.nix - ./services/system/consolekit.nix ./services/system/dbus.nix ./services/system/nscd.nix ./services/ttys/gpm.nix 
diff --git a/modules/security/console-kit.nix b/modules/security/console-kit.nix
new file mode 100644
index 00000000000..e172a8e4415
--- /dev/null
+++ b/modules/security/console-kit.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+{
+
+ config = {
+
+ environment.systemPackages = [ pkgs.console_kit ];
+
+ services.dbus.packages = [ pkgs.console_kit ];
+
+ environment.etc = singleton
+ { source = (pkgs.buildEnv {
+ name = "console-kit-config";
+ pathsToLink = [ "/etc/ConsoleKit" ];
+ paths = [ pkgs.console_kit pkgs.udev ];
+ }) + "/etc/ConsoleKit";
+ target = "ConsoleKit";
+ };
+
+ };
+
+}
diff --git a/modules/security/console.perms b/modules/security/console.perms
deleted file mode 100644
index c5d9b4aa693..00000000000
--- a/modules/security/console.perms
+++ /dev/null
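Review bot: The new `console-kit.nix` module declares no enable option: its `config` block unconditionally adds `pkgs.console_kit` to `environment.systemPackages` and `services.dbus.packages`, whereas the `services/system/consolekit.nix` module deleted in this commit defaulted `enable` to `false`. Because the file is also added to `module-list.nix`, every configuration, headless servers included, now carries ConsoleKit and its D-Bus configuration with no way to opt out. Consider declaring an option and wrapping the body, e.g. `config = mkIf config.security.consoleKit.enable { ... };` (the option name is only a suggestion). A header comment such as `# ConsoleKit tracks login sessions; udev uses the active session to set device ownership.` would also help, since the file has none.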
@@ -1,79 +0,0 @@ -# This file determines the permissions that will be given to priviledged -# users of the console at login time, and the permissions to which to -# revert when the users log out. - -# format is: -# =list of regexps specifying consoles or globs specifying files -# file-glob| perm dev-regex| \ -# revert-mode revert-owner[.revert-group] -# the revert-mode, revert-owner, and revert-group are optional, and default -# to 0600, root, and root, respectively. -# -# For more information: -# man 5 console.perms - -# file classes -- these are regular expressions -=/dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] -=:[0-9]\.[0-9] :[0-9] - -# device classes -- these are shell-style globs -=/dev/fd[0-1]* \ - /dev/floppy* /mnt/floppy* -=/dev/dsp* /dev/audio* /dev/midi* \ - /dev/mixer* /dev/sequencer* \ - /dev/sound/* /dev/beep \ - /dev/snd/* -=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom* -=/dev/pilot -=/mnt/jaz* -=/mnt/pocketzip* /mnt/zip* /dev/zip* -=/dev/ls120 /mnt/ls120* -=/dev/scanner* /dev/usb/scanner* -=/dev/usb/rio500 -=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800* -=/mnt/memstick* -=/mnt/flash* /dev/flash* -=/mnt/diskonkey* -=/mnt/microdrive* -=/dev/fb /dev/fb[0-9]* \ - /dev/fb/* -=/dev/kbd -=/dev/js[0-9]* -=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi* \ - /dev/video/* -=/dev/gpmctl -=/dev/nvidia* /dev/3dfx* /dev/dri/card* -=/dev/apm_bios -=/dev/pmu -=/dev/rfcomm* -=/dev/raw1394 -=/dev/ircomm* - -# permission definitions - 0660 - 0600 - 0600 - 0600 - 0600 - 0600 - 0600 - 0600 - 0600 - 0600 - 0600 - 0600 - 0600 - 0600 - 0600 - 0600 - 0600 - 0700 - 0600 - 0600 - 0600 - 0600 - 0600 - 0600 - - 0600 /dev/console - 0600 diff --git a/modules/security/pam.nix b/modules/security/pam.nix index 2a36e7cece0..314f12d4f88 100644 --- a/modules/security/pam.nix +++ b/modules/security/pam.nix 
@@ -7,16 +7,7 @@ with pkgs.lib; let - inherit (pkgs) pam_unix2 pam_console pam_ldap; - - # !!! ugh, these files shouldn't be created here. - pamConsoleHandlers = pkgs.writeText "console.handlers" '' - console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] - ${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms} - ${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms} - ''; - - pamConsolePerms = ./console.perms; + inherit (pkgs) pam_unix2 pam_ldap; otherService = pkgs.writeText "other.pam" '' @@ -73,13 +64,24 @@ let "session optional ${pam_ldap}/lib/security/pam_ldap.so"} session required ${pam_unix2}/lib/security/pam_unix2.so ${optionalString localLogin - "session optional ${pam_console}/lib/security/pam_console.so debug handlersfile=${pamConsoleHandlers}"} + '' + session required pam_env.so debug conffile=${envFile} readenv=0 + session optional ${pkgs.console_kit}/lib/security/pam_ck_connector.so debug + ''} ${optionalString forwardXAuth "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"} ''; target = "pam.d/${name}"; }; + # This is needed to get an active session in ConsoleKit. Apparently + # a better way is to run ck-launch-session from the session starter + # (or let xdm/kdm do it). + envFile = pkgs.writeText "pam_env.conf" + '' + CKCON_X11_DISPLAY_DEVICE DEFAULT="/dev/tty7" + ''; + in { diff --git a/modules/security/policy-kit.nix b/modules/security/policy-kit.nix index 09c216ebcf3..0299bc7d4c2 100644 --- a/modules/security/policy-kit.nix +++ b/modules/security/policy-kit.nix @@ -21,4 +21,4 @@ with pkgs.lib; }; -} \ No newline at end of file +} diff --git a/modules/services/system/consolekit.nix b/modules/services/system/consolekit.nix deleted file mode 100644 index e5d1f104a80..00000000000 --- a/modules/services/system/consolekit.nix +++ /dev/null 
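Review bot: In the second `pam.nix` hunk, `envFile` pins `CKCON_X11_DISPLAY_DEVICE` to `/dev/tty7`, and the `pam_env.so` line that loads it sits in the `localLogin` branch, so it applies to every PAM service built with `localLogin`, not only to an X display manager. Because this commit hands device ownership to whichever user ConsoleKit considers active, a session registered with the wrong display device could presumably be treated as active on tty7 while the user is logged in elsewhere; how `pam_ck_connector` weighs this variable is not visible here and should be confirmed. Consider limiting the `pam_env` line to the display-manager service, or following the comment's own suggestion of `ck-launch-session`. Both added session lines also carry `debug`, which is worth dropping once the setup is verified so that session details are not logged by default. The `let` block holding `envFile` starts outside the hunk.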
@@ -1,59 +0,0 @@ -{pkgs, config, ...}: - -###### interface -let - inherit (pkgs.lib) mkOption; - - options = { - services = { - - consolekit = { - enable = mkOption { - default = false; - description = " - Whether to start the ConsoleKit daemon. - "; - }; - }; - - }; - }; -in - -###### implementation -let - cfg = config.services.consolekit; - inherit (pkgs.lib) mkIf; - inherit (pkgs) ConsoleKit; - - job = { - name = "consolekit"; - - job = '' - description "Console Kit Service" - - start on dbus - stop on shutdown - - respawn ${ConsoleKit}/sbin/console-kit-daemon - ''; - }; - -in - -mkIf cfg.enable { - require = [ - #../upstart-jobs/default.nix # config.services.extraJobs - #../upstart-jobs/dbus.nix # services.dbus.* - options - ]; - - services = { - extraJobs = [job]; - - dbus = { - enable = true; - packages = [ConsoleKit]; - }; - }; -} diff --git a/modules/services/system/dbus.nix b/modules/services/system/dbus.nix index 66feb6d46f4..8ecaf295a22 100644 --- a/modules/services/system/dbus.nix +++ b/modules/services/system/dbus.nix @@ -17,6 +17,8 @@ let buildCommand = '' ensureDir $out + ln -s ${dbus}/etc/dbus-1/session.conf $out/session.conf + cp ${dbus}/etc/dbus-1/system.conf $out/system.conf # Tell the daemon where the setuid wrapper around @@ -30,9 +32,16 @@ let # Note: system.conf includes ./system.d (i.e. it has a relative, # not absolute path). + ensureDir $out/session.d ensureDir $out/system.d + for i in ${toString cfg.packages}; do - ln -s $i/etc/dbus-1/system.d/* $out/system.d/ + for j in $i/etc/dbus-1/session.d/*; do + ln -s $j $out/session.d/ + done + for j in $i/etc/dbus-1/system.d/*; do + ln -s $j $out/system.d/ + done done ''; # */ };
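Review bot: In the second `dbus.nix` hunk, the two inner `for j in …/*` loops run even when a package in `cfg.packages` has no `session.d` or `system.d` directory. Unless the builder enables `nullglob`, the unexpanded pattern is then passed to `ln -s`, creating a dangling link literally named `*`, and a second such package would presumably make `ln` fail on the existing name. Packages without a `session.d` are likely common, so guard each loop body, e.g. `if [ -e "$j" ]; then ln -s "$j" $out/session.d/; fi`, and likewise for `system.d`. The enclosing `buildCommand` string starts outside the hunk.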