* For X logins, don't use pam_ck_connector since it doesn't really
  work for X logins.  (The documentation also says so.)  Instead just
  call ck-launch-session from the xsession script.

svn path=/nixos/trunk/; revision=17090
Eelco Dolstra 2009-09-13 14:05:21 +00:00
parent 0806a8e203
commit 379778c385
4 changed files with 20 additions and 26 deletions


@ -26,11 +26,9 @@ let
, # If set, root doesn't need to authenticate (e.g. for the "chsh"
# service).
rootOK ? false
, # If set, this is a local login (e.g. virtual console or X), so
# the user gets ownership of audio devices etc.
localLogin ? false
, # Temporary hack to get SLiM to work with ConsoleKit.
ckHack ? false
, # If set, use ConsoleKit's PAM connector module to claim
# ownership of audio devices etc.
ownDevices ? false
, # Whether to forward XAuth keys between users. Mostly useful
# for "su".
forwardXAuth ? false
@ -65,9 +63,7 @@ let
${optionalString config.users.ldap.enable
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
session required ${pam_unix2}/lib/security/pam_unix2.so
${optionalString ckHack
"session required pam_env.so debug conffile=${envFile} readenv=0"}
${optionalString localLogin
${optionalString ownDevices
"session optional ${pkgs.console_kit}/lib/security/pam_ck_connector.so"}
${optionalString forwardXAuth
"session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
@ -75,14 +71,6 @@ let
target = "pam.d/${name}";
};
# This is needed to get an active session in ConsoleKit. Apparently
# a better way is to run ck-launch-session from the session starter
# (or let xdm/kdm do it).
envFile = pkgs.writeText "pam_env.conf"
''
CKCON_X11_DISPLAY_DEVICE DEFAULT="/dev/tty7"
'';
in
{
@ -104,13 +92,13 @@ in
the name of the service. The attribute
<varname>rootOK</varname> specifies whether the root user is
allowed to use this service without authentication. The
attribute <varname>localLogin</varname> specifies whether
this is a local login service (e.g. <command>xdm</command>),
which implies that the user gets ownership of devices such
as audio and CD-ROM drives. The
attribute <varname>forwardXAuth</varname> specifies whether
X authentication keys should be passed from the calling user
to the target user (e.g. for <command>su</command>).
attribute <varname>ownDevices</varname> specifies whether
ConsoleKit's PAM connector module should be used to give the
user ownership of devices such as audio and CD-ROM drives.
The attribute <varname>forwardXAuth</varname> specifies
whether X authentication keys should be passed from the
calling user to the target user (e.g. for
<command>su</command>).
'';
};
@ -151,7 +139,7 @@ in
{ name = "useradd"; rootOK = true; }
# Used by groupadd etc.
{ name = "shadow"; rootOK = true; }
{ name = "login"; localLogin = true; }
{ name = "login"; ownDevices = true; }
];
};
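Review bot: The comment on `ownDevices` and the option description both present the flag as the way to give a user device ownership, but neither says that it should not be set for X display managers, which is the reason for this commit. Without that, a later change could re-add it to the kde or slim service entries and bring back the pam_ck_connector path that the commit message describes as not working for X logins. I would extend the comment to something like `# If set, use ConsoleKit's PAM connector module to claim ownership of audio devices etc.  Text-console logins only; X sessions call ck-launch-session from the xsession script.` and add the same sentence to the option description. The argument list and the `let` block begin outside the hunks shown.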


@ -43,6 +43,12 @@ let
fi
''}
# Start a ConsoleKit session so that we get ownership of various
# devices.
if test -z "$XDG_SESSION_COOKIE"; then
exec ${pkgs.console_kit}/bin/ck-launch-session "$0" "$sessionType"
fi
# Load X defaults.
if test -e ~/.Xdefaults; then
${xorg.xrdb}/bin/xrdb -merge ~/.Xdefaults
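Review bot: The `test -z "$XDG_SESSION_COOKIE"` check is the only thing that stops the re-exec of `"$0"`. If ck-launch-session ever runs the script without exporting that variable (for instance when no ConsoleKit session can be opened; not verifiable from this hunk), the script would exec itself indefinitely and the login would hang. The check also accepts any non-empty value already present in the display manager's environment as proof that a session was opened for this login, so a stale or inherited cookie skips the launch silently. A one-shot marker would bound the first case, e.g. `if test -z "$XDG_SESSION_COOKIE" -a -z "$CK_LAUNCH_TRIED"; then export CK_LAUNCH_TRIED=1; exec ... ; fi` (the marker name is a placeholder). A comment should also state that only `$sessionType` is forwarded on re-exec. The script starts before and continues after the hunk.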


@ -80,7 +80,7 @@ in
logsXsession = true;
};
security.pam.services = [ { name = "kde"; localLogin = true; ckHack = true; } ];
security.pam.services = [ { name = "kde"; } ];
};


@ -104,7 +104,7 @@ in
execCmd = "${pkgs.slim}/bin/slim";
};
security.pam.services = [ { name = "slim"; localLogin = true; ckHack = true; } ];
security.pam.services = [ { name = "slim"; } ];
};