authorworldofpeace <worldofpeace@protonmail.ch>2019-07-14 06:32:44 -0400
committerworldofpeace <worldofpeace@protonmail.ch>2019-09-06 18:22:22 -0400
commit0c602541a35a5a01f3a22e82002bde0e66b514d6 (patch)
treef97ca8b40839acb8eff90b40e3d7dadefc5eda04 /nixos/modules/services
parent5d4890b58dcbe0a099cda233a259284a6e5ec9d4 (diff)
nixos/lightdm: fix pam rules
Rules are a translation of what's done in the
GDM module and adjustments based on looking at
Arch Linux's configuration and upstream's.

A side effect of this change is that gnome-keyring
and kwallet modules should work as expected when in-
cluded.

Fixes #64259 #62045
Diffstat (limited to 'nixos/modules/services')
-rw-r--r--nixos/modules/services/x11/display-managers/lightdm.nix51
1 files changed, 28 insertions, 23 deletions
diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix
index 9aed255f878..2d421e4d6cd 100644
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -232,36 +232,41 @@ in
     # Enable the accounts daemon to find lightdm's dbus interface
     environment.systemPackages = [ lightdm ];
 
-    security.pam.services.lightdm = {
-      allowNullPassword = true;
-      startSession = true;
-    };
-    security.pam.services.lightdm-greeter = {
-      allowNullPassword = true;
-      startSession = true;
-      text = ''
-        auth     required pam_env.so envfile=${config.system.build.pamEnvironment}
-        auth     required pam_permit.so
+    security.pam.services.lightdm.text = ''
+        auth      substack      login
+        account   include       login
+        password  substack      login
+        session   include       login
+    '';
 
-        account  required pam_permit.so
+    security.pam.services.lightdm-greeter.text = ''
+        auth     required       pam_succeed_if.so audit quiet_success user = lightdm
+        auth     optional       pam_permit.so
 
-        password required pam_deny.so
+        account  required       pam_succeed_if.so audit quiet_success user = lightdm
+        account  sufficient     pam_unix.so
+
+        password required       pam_deny.so
+
+        session  required       pam_succeed_if.so audit quiet_success user = lightdm
+        session  required       pam_env.so envfile=${config.system.build.pamEnvironment}
+        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
+        session  optional       pam_keyinit.so force revoke
+        session  optional       pam_permit.so
+    '';
 
-        session  required pam_env.so envfile=${config.system.build.pamEnvironment}
-        session  required pam_unix.so
-        session  optional ${pkgs.systemd}/lib/security/pam_systemd.so
-      '';
-    };
     security.pam.services.lightdm-autologin.text = ''
-        auth     requisite pam_nologin.so
-        auth     required  pam_succeed_if.so uid >= 1000 quiet
-        auth     required  pam_permit.so
+        auth      requisite     pam_nologin.so
+
+        auth      required      pam_succeed_if.so uid >= 1000 quiet
+        auth      required      pam_permit.so
 
-        account  include   lightdm
+        account   sufficient    pam_unix.so
 
-        password include   lightdm
+        password  requisite     pam_unix.so nullok sha512
 
-        session  include   lightdm
+        session   optional      pam_keyinit.so revoke
+        session   include       login
     '';
 
     users.users.lightdm = {
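Review bot: The `uid >= 1000` guard in lightdm-autologin (the `pam_succeed_if.so` line right after `pam_nologin.so`) is the only thing keeping an autologin target from being root or a system account, and nothing in the text says so; a comment such as `# Refuse autologin into root and system accounts (uid < 1000): the auth stack below grants access without a password` above it would keep a later editor from relaxing it. The same applies to the three `user = lightdm` lines in lightdm-greeter, which pin that service to the greeter's own account — `# The greeter service may only be used by the lightdm user` would make the intent explicit. Note also that lightdm-autologin's `account` and `password` lines name `pam_unix.so` directly while its `session` line and the whole `lightdm` service defer to `login`, so changes to the login service's account or password policy presumably won't reach autologin; if that is deliberate (it mirrors the gdm-autologin stack the description refers to), a one-line comment saying so would help.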