author: Jan Tojnar <jtojnar@gmail.com> 2024-07-03 15:56:12 +0200
committer: Jan Tojnar <jtojnar@gmail.com> 2024-07-03 23:36:52 +0200
commit: af0cdb44a0016f8b7572483a39f5a80fb518721d (patch)
tree: 9d53b736d3caf28efcdefab409f627cec98eda42 /nixos
parent: 1cf415549842a076d3ec578c766c6caa5263262b (diff)
nixos/gdm: Fix fingerprint auth rules
We introduced the gdm-fingerprint.pam in 9d41fe6fcc4df838a56b1cfb2512b65e5e655958.

We used the [upstream Arch config] as a template, which contains an extended control field that jumps over **one** immediately-following `auth` rule unless `pam_gdm.so` succeeds.

But we decided to not include `pam_gnome_keyring.so` so there was no rule to skip over, resulting in a broken control flow and the PAM module failing with “PAM bad jump in stack”, breaking the fingerprint authentication in GDM.

Let’s actually add `pam_gnome_keyring.so`, like the Arch config does. Because we are creating the PAM file using the `text` option, `security.pam.services.gdm-fingerprint.enableGnomeKeyring` does not do anything so we need to do it manually.

For the case where gnome-keyring is not enabled, we could add a no-op rule like `optional pam_permit.so` after `pam_gdm.so` so that the branching always has something to jump over, but it will be simpler to just make both conditional. There are no further `auth` rules that could benefit from `pam_gdm.so` doing something, so it should be fine.

Unlike in Arch, we are not going to invoke `pam_gnome_keyring.so` in a `session` rule since that is already done by the included `login` module.

[upstream Arch config]: https://gitlab.gnome.org/GNOME/gdm/-/blob/81ee658c11381912131dd4a29e84190f7f9cd039/data/pam-arch/gdm-fingerprint.pam
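The jump semantics the commit message relies on, as an added example that is not code from nixpkgs or Linux-PAM: a simplified Python model of how an `auth` stack is dispatched, run over constructed stacks that mirror gdm-fingerprint before and after this change. The keyword-to-bracket expansions and the "bad jump" rule (a jump of N needs N rules after the current one) are assumptions that simplify Linux-PAM's dispatcher.

```python
# Added example (not nixpkgs or Linux-PAM code): a simplified model of how
# Linux-PAM walks an auth stack, enough to show why `[success=ok default=1]`
# with no rule after it ends in "bad jump in stack"; modules are constructed.
KEYWORD_CONTROLS = {  # keyword -> equivalent bracketed actions (simplified)
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "optional": {"success": "ok", "default": "ignore"},
}

def parse_control(control):
    """Turn 'required' or '[success=ok default=1]' into an action map."""
    if control in KEYWORD_CONTROLS:
        return KEYWORD_CONTROLS[control]
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError(f"unsupported control field: {control}")
    return dict(token.split("=", 1) for token in control[1:-1].split())

def run_auth_stack(rules, results):
    """rules: [(control, module)]; results: module -> bool. Returns the
    stack's overall verdict: 'success', 'failure' or 'bad jump'."""
    verdict, i = None, 0
    while i < len(rules):
        control, module = rules[i]
        key = "success" if results.get(module, False) else "default"
        action = parse_control(control).get(key, "bad")  # unlisted -> bad
        if action == "ok" and verdict is None:
            verdict = "success"
        elif action == "bad":
            verdict = "failure"      # a failure sticks, but the stack continues
        elif action == "die":
            return "failure"         # requisite-style: stop immediately
        elif action.isdigit():       # jump: skip the next N rules
            if i + int(action) >= len(rules):  # fewer than N rules follow
                return "bad jump"    # Linux-PAM logs "bad jump in stack"
            i += int(action)
        i += 1                       # 'ignore' simply moves on
    return verdict or "failure"      # a stack with no verdict denies access

# Constructed stacks mirroring gdm-fingerprint before and after this commit.
COMMON = [("requisite", "pam_faillock.so preauth"),
          ("required", "pam_fprintd.so"), ("required", "pam_env.so")]
GDM = ("[success=ok default=1]", "pam_gdm.so")
KEYRING = ("optional", "pam_gnome_keyring.so")
BROKEN_STACK = COMMON + [GDM]            # before: nothing left to jump over
FIXED_STACK = COMMON + [GDM, KEYRING]    # after, gnome-keyring enabled
NO_KEYRING_STACK = COMMON                # after, keyring disabled: both dropped
# Constructed outcomes: fingerprint matched, pam_gdm.so has nothing to do.
RESULTS = {"pam_faillock.so preauth": True, "pam_fprintd.so": True,
           "pam_env.so": True, "pam_gdm.so": False, "pam_gnome_keyring.so": True}
```

`run_auth_stack(BROKEN_STACK, RESULTS)` returns `"bad jump"` while both post-fix stacks return `"success"`, which is the behaviour change the commit message describes.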
Diffstat (limited to 'nixos')
-rw-r--r-- nixos/modules/services/x11/display-managers/gdm.nix | 6
1 files changed, 5 insertions, 1 deletions
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index d4f0de2c3bfab..1a39b365db5f3 100644
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -6,6 +6,7 @@ let
 
   cfg = config.services.xserver.displayManager;
   gdm = pkgs.gnome.gdm;
+  pamCfg = config.security.pam.services;
   settingsFormat = pkgs.formats.ini { };
   configFile = settingsFormat.generate "custom.conf" cfg.gdm.settings;
 
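Review bot: `pamCfg` is bound to the whole `config.security.pam.services` set but is used exactly once in this patch, for `pamCfg.login.enableGnomeKeyring`; either bind that single option directly (e.g. `loginKeyring = config.security.pam.services.login.enableGnomeKeyring;`) or keep the alias only if further PAM lookups in this module are planned, so the next reader does not have to guess what else it is for.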
@@ -331,7 +332,10 @@ in
         auth       requisite                   pam_faillock.so      preauth
         auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
         auth       required                    pam_env.so
-        auth       [success=ok default=1]      ${pkgs.gnome.gdm}/lib/security/pam_gdm.so
+        ${lib.optionalString pamCfg.login.enableGnomeKeyring ''
+          auth       [success=ok default=1]      ${pkgs.gnome.gdm}/lib/security/pam_gdm.so
+          auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
+        ''}
 
         account    include                     login
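Review bot: the `optionalString` guard removes `pam_gdm.so` together with `pam_gnome_keyring.so` when `pamCfg.login.enableGnomeKeyring` is false, which is intentional per the commit message (a `[success=ok default=1]` rule with no rule after it fails with "bad jump in stack"), but nothing in the file records that; a one-line comment above the guard saying that the two rules must be added or removed as a pair, and that the condition deliberately follows the `login` service's keyring setting rather than `gdm-fingerprint`'s own (which the `text` option bypasses), would stop a later edit from reintroducing the lone jump.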