data/.pam_environment | 1 +
 data/Makefile.am | 4 ++++
 data/pam/lightdm | 37 ++++++++++++++++++-------------------
 data/pam/lightdm-autologin | 21 +++++++++------------
 data/pam/lightdm-greeter | 27 ++++++++++++---------------
 5 files changed, 44 insertions(+), 46 deletions(-)
diff --git a/data/.pam_environment b/data/.pam_environment
new file mode 100644
index 00000000..2e68c9bc
--- /dev/null
+++ b/data/.pam_environment
@@ -0,0 +1 @@
+GDK_CORE_DEVICE_EVENTS=true
diff --git a/data/Makefile.am b/data/Makefile.am
index 7f7b4a3f..c920bcaa 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -12,6 +12,10 @@ dist_pam_DATA = pam/lightdm \
 pam/lightdm-autologin \
 pam/lightdm-greeter
+localstatedir = /var/lib
+pkglocalstatedir = $(localstatedir)/ldm
+pkglocalstate_DATA = .pam_environment
+
 completionsdir = $(datadir)/bash-completion/completions
 dist_completions_DATA = bash-completion/dm-tool bash-completion/lightdm
diff --git a/data/pam/lightdm b/data/pam/lightdm
index fed8a9b4..cf39cd7e 100644
--- a/data/pam/lightdm
+++ b/data/pam/lightdm
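Review bot: The added `localstatedir = /var/lib` in the `data/Makefile.am` hunk overrides the directory variable that configure substitutes, so a `--localstatedir` chosen at configure time is ignored in this Makefile.am. Deriving the path instead, e.g. `pkglocalstatedir = $(localstatedir)/lib/ldm`, keeps that override working; this assumes the greeter account's home is configured to match, which the diff does not show. The file is also listed as `pkglocalstate_DATA` rather than `dist_pkglocalstate_DATA`, so it will likely be left out of `make dist` tarballs. Since `data/pam/lightdm-greeter` later reads this file through `pam_env.so user_readenv=1`, a comment above the three lines such as `# Greeter environment, read by pam_env for the _ldm account` would record why it is installed there.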
@@ -1,20 +1,19 @@
 #%PAM-1.0
-
-# Block login if they are globally disabled
-auth required pam_nologin.so
-
-# Load environment from /etc/environment and ~/.pam_environment
-auth required pam_env.so
-
-# Use /etc/passwd and /etc/shadow for passwords
-auth required pam_unix.so
-
-# Check account is active, change password if required
-account required pam_unix.so
-
-# Allow password to be changed
-password required pam_unix.so
-
-# Setup session
-session required pam_unix.so
-session optional pam_systemd.so
+auth required pam_shells.so
+auth required pam_succeed_if.so quiet uid ne 0
+auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
+auth substack common-login
+-auth optional pam_gnome_keyring.so
+-auth optional pam_mate_keyring.so
+-auth optional pam_kwallet.so
+-auth optional pam_kwallet5.so
+account include common-login
+password include common-login
+session substack common-login
+session optional pam_console.so
+-session optional pam_ck_connector.so
+session required pam_namespace.so
+-session optional pam_gnome_keyring.so auto_start
+-session optional pam_mate_keyring.so auto_start
+-session optional pam_kwallet.so auto_start
+-session optional pam_kwallet5.so auto_start
diff --git a/data/pam/lightdm-autologin b/data/pam/lightdm-autologin
index 157f469f..011bf432 100644
--- a/data/pam/lightdm-autologin
+++ b/data/pam/lightdm-autologin
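Review bot: In the `data/pam/lightdm` hunk, `auth sufficient pam_succeed_if.so user ingroup nopasswdlogin` ends the auth stack on success, so members of that group never reach `auth substack common-login`, and the explicit `auth required pam_nologin.so` from the old file is gone. Whether `common-login` still applies pam_nologin, and in which stack, is not visible in this diff; if it does so only in auth, passwordless members would skip the global login block. Placing `auth required pam_nologin.so` above the `nopasswdlogin` line keeps that check independent of the included file. Every explanatory comment was removed as well; a line such as `# Members of group nopasswdlogin are admitted without a password` above that rule would make the bypass visible to anyone auditing group membership.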
@@ -1,22 +1,19 @@
 #%PAM-1.0
 # Block login if shell in nologin or false
-auth required pam_succeed_if.so shell notin /sbin/nologin:/usr/sbin/nologin:/bin/false:/usr/bin/false
+auth required pam_succeed_if.so shell notin /sbin/nologin:/usr/sbin/nologin:/bin/false:/usr/bin/false
 # Block login if they are globally disabled
-auth required pam_nologin.so
-
-# Load environment from /etc/environment and ~/.pam_environment
-auth required pam_env.so
+auth required pam_nologin.so
 # Allow access without authentication
-auth required pam_permit.so
+auth required pam_permit.so
-# Stop autologin if account requires action
-account required pam_unix.so
+account include common-login
 # Can't change password
-password required pam_deny.so
+password required pam_deny.so
-# Setup session
-session required pam_unix.so
-session optional pam_systemd.so
+session substack common-login
+session optional pam_console.so
+-session optional pam_ck_connector.so
+session required pam_namespace.so
diff --git a/data/pam/lightdm-greeter b/data/pam/lightdm-greeter
index 9a6862b5..941c7efc 100644
--- a/data/pam/lightdm-greeter
+++ b/data/pam/lightdm-greeter
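Review bot: Because auth ends in `pam_permit.so`, the account stack is the only per-account validity check an autologin gets, and the `data/pam/lightdm-autologin` hunk swaps `account required pam_unix.so` for `account include common-login` while deleting the comment that explained it. What `common-login` enforces for expired or locked accounts is not visible in this diff, so the file should state the dependency, e.g. `# Account validity (expiry, lock) is enforced by common-login; autologin has no other check`. The hunk also drops `auth required pam_env.so` with no visible replacement, as does `data/pam/lightdm`, so it is worth confirming that `common-login` still loads `/etc/environment` if sessions rely on it.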
@@ -1,17 +1,14 @@
 #%PAM-1.0
-# Load environment from /etc/environment and ~/.pam_environment
-auth required pam_env.so
-
-# Always let the greeter start without authentication
-auth required pam_permit.so
-
-# No action required for account management
-account required pam_permit.so
-
-# Can't change password
-password required pam_deny.so
-
-# Setup session
-session required pam_unix.so
-session optional pam_systemd.so
+account required pam_nologin.so
+account required pam_succeed_if.so audit quiet_success user = _ldm
+account required pam_permit.so
+auth required pam_env.so
+auth required pam_succeed_if.so audit quiet_success user = _ldm
+auth required pam_permit.so
+password required pam_deny.so
+session required pam_loginuid.so
+-session required pam_systemd.so class=greeter
+session required pam_succeed_if.so audit quiet_success user = _ldm
+session required pam_env.so user_readenv=1
+session required pam_permit.so
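Review bot: `session required pam_env.so user_readenv=1` makes the greeter session take its environment from the `.pam_environment` in the account's home directory, and Linux-PAM has deprecated `user_readenv` because that file normally sits where the account itself can write. The `user = _ldm` checks limit this service to the greeter account, but if `/var/lib/ldm` (where `data/Makefile.am` installs the file, presumably `_ldm`'s home) is owned by `_ldm`, a compromised greeter process could replace the file and carry variables into later greeter sessions. Reading a root-owned file instead, e.g. `session required pam_env.so envfile=<root-owned path>` (placeholder path; the shipped `KEY=value` line already fits that format), removes the dependency on home-directory permissions. All comments were deleted here too; a line such as `# Restrict this service to the greeter account (_ldm)` above the `pam_succeed_if.so` rules would document their purpose.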