From ef1253aa2393666bb2a0b0132b722f51ec7ebbf3 Mon Sep 17 00:00:00 2001
From: Jeremy Soller
Date: Fri, 6 Sep 2024 10:34:37 -0600
Subject: [PATCH] Add custom PAM configuration to start gnome-keyring
---
 cosmic-greeter.toml | 2 +-
 debian/cosmic-greeter.pam | 25 +++++++++++++++++++++++++
 debian/rules | 1 +
 examples/pam.rs | 2 +-
 src/locker.rs | 3 +--
 5 files changed, 29 insertions(+), 4 deletions(-)
 create mode 100644 debian/cosmic-greeter.pam
diff --git a/cosmic-greeter.toml b/cosmic-greeter.toml
index c8b22eb..7a57354 100644
--- a/cosmic-greeter.toml
+++ b/cosmic-greeter.toml
@@ -2,7 +2,7 @@ vt = "1"
 [general]
-service = "login"
+service = "cosmic-greeter"
 [default_session]
 command = "cosmic-comp systemd-cat -t cosmic-greeter cosmic-greeter"
diff --git a/debian/cosmic-greeter.pam b/debian/cosmic-greeter.pam
new file mode 100644
index 0000000..2a15d02
--- /dev/null
+++ b/debian/cosmic-greeter.pam
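Review bot: `service = "cosmic-greeter"` makes greetd authenticate against /etc/pam.d/cosmic-greeter, but in this patch that file is installed only by the Debian packaging (`dh_installpam` in debian/rules); on any other install path PAM falls back to the distribution's `other` policy, which on some distributions is a pam_deny stack, so the greeter would stop accepting logins. Either install debian/cosmic-greeter.pam from the justfile as well, or document the requirement next to this key, e.g. `# must name an existing /etc/pam.d/ service; see debian/cosmic-greeter.pam`. The same name is hard-coded in examples/pam.rs and src/locker.rs in this patch, so those hunks carry the same install dependency.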
@@ -0,0 +1,25 @@
+#%PAM-1.0
+auth requisite pam_nologin.so
+auth required pam_succeed_if.so user != root quiet_success
+@include common-auth
+auth optional pam_gnome_keyring.so
+@include common-account
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# pam_selinux.so changes the SELinux context of the used TTY and configures
+# SELinux in order to transition to the user context with the next execve()
+# call.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session optional pam_keyinit.so force revoke
+session required pam_limits.so
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+@include common-session
+session optional pam_gnome_keyring.so auto_start
+@include common-password
diff --git a/debian/rules b/debian/rules
index 1d5c700..80405ca 100755
--- a/debian/rules
+++ b/debian/rules
@@ -22,6 +22,7 @@ override_dh_auto_install:
 just rootdir=$(DESTDIR) install-debian
 execute_after_dh_install:
+ dh_installpam
 dh_installsysusers
 override_dh_installsystemd:
diff --git a/examples/pam.rs b/examples/pam.rs
index 35b6aba..c637030 100644
--- a/examples/pam.rs
+++ b/examples/pam.rs
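Review bot: The auth stack opens with `auth requisite pam_nologin.so` and `auth required pam_succeed_if.so user != root quiet_success`, which is right for a login greeter, but this same service is what src/locker.rs now authenticates with for screen unlock, so while /etc/nologin exists no non-root user can unlock a locked session, and root cannot unlock one at all. A dedicated locker service holding only `@include common-auth`, `auth optional pam_gnome_keyring.so` and `@include common-account` would avoid that, and the loginuid/selinux/limits/env session rules here only make sense when a new session is being created — whether the locker calls open_session is not visible in this patch, so that should be checked. `user_readenv=1` on the locale pam_env line enables per-user ~/.pam_environment, which recent Linux-PAM releases warn is deprecated; consider dropping it unless something relies on it. The file also has no explanation beyond the `#%PAM-1.0` magic; a header such as `# PAM policy for the cosmic-greeter greetd session and the cosmic-greeter screen locker; installed as /etc/pam.d/cosmic-greeter by dh_installpam` would tell the next packager what it is for.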
@@ -5,7 +5,7 @@ fn main() {
 let passwd = pwd::Passwd::current_user().expect("Failed to get current user");
 let mut context = Context::new(
- "login", // Service name, decides which policy is used (see `/etc/pam.d`)
+ "cosmic-greeter", // Service name, decides which policy is used (see `/etc/pam.d`)
 Some(&passwd.name), // Optional preset user name
 Conversation::new(), // Handler for user interaction
 )
diff --git a/src/locker.rs b/src/locker.rs
index f620bb1..b38d01c 100644
--- a/src/locker.rs
+++ b/src/locker.rs
@@ -83,8 +83,7 @@ pub fn pam_thread(username: String, conversation: Conversation) -> Result<(), pa
 //TODO: send errors to GUI, restart process
 // Create PAM context
- //TODO: search for and use custom context?
- let mut context = pam_client::Context::new("login", Some(&username), conversation)?;
+ let mut context = pam_client::Context::new("cosmic-greeter", Some(&username), conversation)?;
 // Authenticate the user (ask for password, 2nd-factor token, fingerprint, etc.)
 log::info!("authenticate");
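Review bot: The service name is now a bare `"cosmic-greeter"` literal here and again in examples/pam.rs and cosmic-greeter.toml, and the removed TODO was the only hint that the choice of policy matters; a `pub const PAM_SERVICE: &str = "cosmic-greeter";` shared by both Rust callers would keep them from drifting apart. The `// Create PAM context` comment should say what the name binds to, e.g. `// Service name selects /etc/pam.d/cosmic-greeter; it must match the [general] service key in cosmic-greeter.toml, and its auth rules decide whether unlock can succeed at all`. pam_thread starts before this hunk and its body continues after it.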