Merge pull request #15735 from poettering/pam-snippet-update

Slightly update our shipped and suggested PAM snippets, so that pam_systemd_home.so is more likely to just work
2024-10-27 01:55:32 +03:00 · 2020-05-06 22:45:29 +02:00 · 2020-05-06 22:45:29 +02:00 · 96249bf8d6
commit 96249bf8d6
parent a06df2a4bd 4ad5bf7865
3 changed files with 28 additions and 15 deletions
--- a/man/pam_systemd.xml
+++ b/man/pam_systemd.xml
@ -308,19 +308,24 @@ pam_set_data(handle, "systemd.runtime_max_sec", (void *)"3600", cleanup);
    <filename>systemd-logind.service</filename>:</para>

    <programlisting>#%PAM-1.0
-auth     sufficient pam_unix.so
-auth     required   pam_deny.so
+auth      sufficient pam_unix.so
+-auth     sufficient pam_systemd_home.so
+auth      required   pam_deny.so

-account  required   pam_nologin.so
-account  sufficient pam_unix.so
-account  required   pam_permit.so
+account   required   pam_nologin.so
+-account  sufficient pam_systemd_home.so
+account   sufficient pam_unix.so
+account   required   pam_permit.so

-password sufficient pam_unix.so sha512 shadow try_first_pass try_authtok
-password required   pam_deny.so
+-password sufficient pam_systemd_home.so
+password  sufficient pam_unix.so sha512 shadow try_first_pass try_authtok
+password  required   pam_deny.so

-session optional   pam_loginuid.so
-session optional   pam_systemd.so
-session  required   pam_unix.so</programlisting>
+-session  optional   pam_keyinit.so revoke
+-session  optional   pam_loginuid.so
+-session  optional   pam_systemd_home.so
+<command>-session  optional   pam_systemd.so</command>
+session   required   pam_unix.so</programlisting>
  </refsect1>

  <refsect1>
--- a/man/pam_systemd_home.xml
+++ b/man/pam_systemd_home.xml
@ -116,21 +116,21 @@

    <programlisting>#%PAM-1.0
 auth      sufficient pam_unix.so
-auth     sufficient pam_systemd_home.so
+<command>-auth     sufficient pam_systemd_home.so</command>
 auth      required   pam_deny.so

 account   required   pam_nologin.so
-account  sufficient pam_systemd_home.so
+<command>-account  sufficient pam_systemd_home.so</command>
 account   sufficient pam_unix.so
 account   required   pam_permit.so

-password sufficient pam_systemd_home.so
+<command>-password sufficient pam_systemd_home.so</command>
 password  sufficient pam_unix.so sha512 shadow try_first_pass try_authtok
 password  required   pam_deny.so

 -session  optional   pam_keyinit.so revoke
 -session  optional   pam_loginuid.so
-session  optional   pam_systemd_home.so
+<command>-session  optional   pam_systemd_home.so</command>
 -session  optional   pam_systemd.so
 session   required   pam_unix.so</programlisting>
  </refsect1>
--- a/src/login/systemd-user.m4
+++ b/src/login/systemd-user.m4
@ -2,11 +2,19 @@
 #
 # Used by systemd --user instances.

-account required pam_unix.so
+m4_ifdef(`ENABLE_HOMED',
+-account sufficient pam_systemd_home.so
+)m4_dnl
+account sufficient pam_unix.so
+account required pam_permit.so
+
 m4_ifdef(`HAVE_SELINUX',
 session required pam_selinux.so close
 session required pam_selinux.so nottys open
 )m4_dnl
 session required pam_loginuid.so
 session optional pam_keyinit.so force revoke
+m4_ifdef(`ENABLE_HOMED',
+-session optional pam_systemd_home.so
+)m4_dnl
 session optional pam_systemd.so