* Added support for ConsoleKit.

* Let ConsoleKit track the current logins instead of pam_console. Udev now takes care of setting the device permissions to the active user. This works much better, since pam_console wouldn't apply permissions to new (hot-plugged) devices. Also, the udev+ConsoleKit approach supports user switching. (We don't have that for X yet, but it already works for logins on virtual consoles: if you switch between different users on differents VCs with Alt+Fn, the device ownership will be changed automatically.) svn path=/nixos/trunk/; revision=16743
2009-08-17 01:16:38 +00:00 · 2009-08-17 01:16:38 +00:00 · 7ab616f659
commit 7ab616f659
parent ac24c7834d
7 changed files with 50 additions and 152 deletions
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@ -23,7 +23,9 @@
  ./programs/pwdutils/pwdutils.nix
  ./programs/ssh.nix
  ./programs/ssmtp.nix
  ./security/console-kit.nix
  ./security/pam.nix
  ./security/policy-kit.nix
  ./security/setuid-wrappers.nix
  ./security/sudo.nix
  ./services/audio/alsa.nix
@ -72,7 +74,6 @@
  ./services/scheduling/atd.nix
  ./services/scheduling/cron.nix
  ./services/scheduling/fcron.nix
  ./services/system/consolekit.nix
  ./services/system/dbus.nix
  ./services/system/nscd.nix
  ./services/ttys/gpm.nix
--- a/modules/security/console-kit.nix
+++ b/modules/security/console-kit.nix
@ -0,0 +1,24 @@
 { config, pkgs, ... }:
 with pkgs.lib;
 {
  config = {
    environment.systemPackages = [ pkgs.console_kit ];
    services.dbus.packages = [ pkgs.console_kit ];
    environment.etc = singleton
      { source = (pkgs.buildEnv {
          name = "console-kit-config";
          pathsToLink = [ "/etc/ConsoleKit" ];
          paths = [ pkgs.console_kit pkgs.udev ];
        }) + "/etc/ConsoleKit";
        target = "ConsoleKit";
      };
  };
 }
--- a/modules/security/console.perms
+++ b/modules/security/console.perms
@ -1,79 +0,0 @@
 # This file determines the permissions that will be given to priviledged
 # users of the console at login time, and the permissions to which to
 # revert when the users log out.
 # format is:
 #   <class>=list of regexps specifying consoles or globs specifying files
 #   file-glob|<class> perm dev-regex|<dev-class> \
 #     revert-mode revert-owner[.revert-group]
 # the revert-mode, revert-owner, and revert-group are optional, and default
 # to 0600, root, and root, respectively.
 #
 # For more information:
 # man 5 console.perms
 # file classes -- these are regular expressions
 <console>=/dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
 <xconsole>=:[0-9]\.[0-9] :[0-9]
 # device classes -- these are shell-style globs
 <floppy>=/dev/fd[0-1]* \
 	 /dev/floppy* /mnt/floppy*
 <sound>=/dev/dsp* /dev/audio* /dev/midi* \
 	/dev/mixer* /dev/sequencer* \
 	/dev/sound/* /dev/beep \
 	/dev/snd/* 
 <cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
 <pilot>=/dev/pilot
 <jaz>=/mnt/jaz*
 <zip>=/mnt/pocketzip* /mnt/zip* /dev/zip*
 <ls120>=/dev/ls120 /mnt/ls120*
 <scanner>=/dev/scanner* /dev/usb/scanner*
 <rio500>=/dev/usb/rio500
 <camera>=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800*
 <memstick>=/mnt/memstick*
 <flash>=/mnt/flash* /dev/flash*
 <diskonkey>=/mnt/diskonkey*
 <rem_ide>=/mnt/microdrive*
 <fb>=/dev/fb /dev/fb[0-9]* \
     /dev/fb/*
 <kbd>=/dev/kbd
 <joystick>=/dev/js[0-9]*
 <v4l>=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi* \
      /dev/video/*
 <gpm>=/dev/gpmctl
 <dri>=/dev/nvidia* /dev/3dfx* /dev/dri/card*
 <mainboard>=/dev/apm_bios
 <pmu>=/dev/pmu
 <bluetooth>=/dev/rfcomm*
 <raw1394>=/dev/raw1394
 <irda>=/dev/ircomm*
 # permission definitions
 <console>  0660 <floppy>
 <console>  0600 <sound>
 <console>  0600 <cdrom>
 <console>  0600 <pilot>
 <console>  0600 <jaz>
 <console>  0600 <zip>
 <console>  0600 <ls120>
 <console>  0600 <scanner>
 <console>  0600 <camera>
 <console>  0600 <memstick>
 <console>  0600 <flash>
 <console>  0600 <diskonkey>
 <console>  0600 <rem_ide>
 <console>  0600 <fb>
 <console>  0600 <kbd>
 <console>  0600 <joystick>
 <console>  0600 <v4l>
 <console>  0700 <gpm>
 <console>  0600 <mainboard>
 <console>  0600 <rio500>
 <console>  0600 <pmu>
 <console>  0600 <bluetooth>
 <console>  0600 <raw1394>
 <console>  0600 <irda>
 <xconsole> 0600 /dev/console
 <console>  0600 <dri>
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@ -7,16 +7,7 @@ with pkgs.lib;
 let
-  inherit (pkgs) pam_unix2 pam_console pam_ldap;
+  inherit (pkgs) pam_unix2 pam_ldap;
  # !!! ugh, these files shouldn't be created here.
  pamConsoleHandlers = pkgs.writeText "console.handlers" ''
    console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
    ${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms}
    ${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms}
  '';
  pamConsolePerms = ./console.perms;
  otherService = pkgs.writeText "other.pam"
    ''
@ -73,13 +64,24 @@ let
              "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
          session required ${pam_unix2}/lib/security/pam_unix2.so
          ${optionalString localLogin
-              "session optional ${pam_console}/lib/security/pam_console.so debug handlersfile=${pamConsoleHandlers}"}
+              ''
                session required pam_env.so debug conffile=${envFile} readenv=0
                session optional ${pkgs.console_kit}/lib/security/pam_ck_connector.so debug
              ''}
          ${optionalString forwardXAuth
              "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
        '';
      target = "pam.d/${name}";
    };
  # This is needed to get an active session in ConsoleKit.  Apparently
  # a better way is to run ck-launch-session from the session starter
  # (or let xdm/kdm do it).
  envFile = pkgs.writeText "pam_env.conf"
    ''
      CKCON_X11_DISPLAY_DEVICE DEFAULT="/dev/tty7"
    '';
 in
 {
--- a/modules/services/system/consolekit.nix
+++ b/modules/services/system/consolekit.nix
@ -1,59 +0,0 @@
 {pkgs, config, ...}:
 ###### interface
 let
  inherit (pkgs.lib) mkOption;
  options = {
    services = {
      consolekit = {
        enable = mkOption {
          default = false;
          description = "
            Whether to start the ConsoleKit daemon.
          ";
        };
      };
    };
  };
 in
 ###### implementation
 let
  cfg = config.services.consolekit;
  inherit (pkgs.lib) mkIf;
  inherit (pkgs) ConsoleKit;
  job = {
    name = "consolekit";
    job = ''
      description "Console Kit Service"
      start on dbus
      stop on shutdown
      respawn ${ConsoleKit}/sbin/console-kit-daemon
    '';
  };
 in
 mkIf cfg.enable {
  require = [
    #../upstart-jobs/default.nix # config.services.extraJobs
    #../upstart-jobs/dbus.nix # services.dbus.*
    options
  ];
  services = {
    extraJobs = [job];
    dbus = {
      enable = true;
      packages = [ConsoleKit];
    };
  };
 }
--- a/modules/services/system/dbus.nix
+++ b/modules/services/system/dbus.nix
@ -17,6 +17,8 @@ let
    buildCommand = ''
      ensureDir $out
      ln -s ${dbus}/etc/dbus-1/session.conf $out/session.conf
      cp ${dbus}/etc/dbus-1/system.conf $out/system.conf
      # Tell the daemon where the setuid wrapper around
@ -30,9 +32,16 @@ let
      # Note: system.conf includes ./system.d (i.e. it has a relative,
      # not absolute path).
      ensureDir $out/session.d
      ensureDir $out/system.d
      for i in ${toString cfg.packages}; do
-        ln -s $i/etc/dbus-1/system.d/* $out/system.d/
+        for j in $i/etc/dbus-1/session.d/*; do
          ln -s $j  $out/session.d/
        done
        for j in $i/etc/dbus-1/system.d/*; do
          ln -s $j $out/system.d/
        done
      done
    ''; # */
  };