* Added support for ConsoleKit.

* Let ConsoleKit track the current logins instead of pam_console. Udev now takes care of setting the device permissions to the active user. This works much better, since pam_console wouldn't apply permissions to new (hot-plugged) devices. Also, the udev+ConsoleKit approach supports user switching. (We don't have that for X yet, but it already works for logins on virtual consoles: if you switch between different users on differents VCs with Alt+Fn, the device ownership will be changed automatically.) svn path=/nixos/trunk/; revision=16743
2009-08-17 01:16:38 +00:00 · 2009-08-17 01:16:38 +00:00 · 7ab616f659
parent ac24c7834d
commit 7ab616f659
7 changed files with 50 additions and 152 deletions
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@ -23,7 +23,9 @@
  ./programs/pwdutils/pwdutils.nix
  ./programs/ssh.nix
  ./programs/ssmtp.nix
+  ./security/console-kit.nix
  ./security/pam.nix
+  ./security/policy-kit.nix
  ./security/setuid-wrappers.nix
  ./security/sudo.nix
  ./services/audio/alsa.nix
@ -72,7 +74,6 @@
  ./services/scheduling/atd.nix
  ./services/scheduling/cron.nix
  ./services/scheduling/fcron.nix
-  ./services/system/consolekit.nix
  ./services/system/dbus.nix
  ./services/system/nscd.nix
  ./services/ttys/gpm.nix
--- a/modules/security/console-kit.nix
+++ b/modules/security/console-kit.nix
@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+{
+
+  config = {
+
+    environment.systemPackages = [ pkgs.console_kit ];
+
+    services.dbus.packages = [ pkgs.console_kit ];
+
+    environment.etc = singleton
+      { source = (pkgs.buildEnv {
+          name = "console-kit-config";
+          pathsToLink = [ "/etc/ConsoleKit" ];
+          paths = [ pkgs.console_kit pkgs.udev ];
+        }) + "/etc/ConsoleKit";
+        target = "ConsoleKit";
+      };
+
+  };
+
+}
--- a/modules/security/console.perms
+++ b/modules/security/console.perms
@ -1,79 +0,0 @@
-# This file determines the permissions that will be given to priviledged
-# users of the console at login time, and the permissions to which to
-# revert when the users log out.
-
-# format is:
-#   <class>=list of regexps specifying consoles or globs specifying files
-#   file-glob|<class> perm dev-regex|<dev-class> \
-#     revert-mode revert-owner[.revert-group]
-# the revert-mode, revert-owner, and revert-group are optional, and default
-# to 0600, root, and root, respectively.
-#
-# For more information:
-# man 5 console.perms
-
-# file classes -- these are regular expressions
-<console>=/dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
-<xconsole>=:[0-9]\.[0-9] :[0-9]
-
-# device classes -- these are shell-style globs
-<floppy>=/dev/fd[0-1]* \
-	 /dev/floppy* /mnt/floppy*
-<sound>=/dev/dsp* /dev/audio* /dev/midi* \
-	/dev/mixer* /dev/sequencer* \
-	/dev/sound/* /dev/beep \
-	/dev/snd/* 
-<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
-<pilot>=/dev/pilot
-<jaz>=/mnt/jaz*
-<zip>=/mnt/pocketzip* /mnt/zip* /dev/zip*
-<ls120>=/dev/ls120 /mnt/ls120*
-<scanner>=/dev/scanner* /dev/usb/scanner*
-<rio500>=/dev/usb/rio500
-<camera>=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800*
-<memstick>=/mnt/memstick*
-<flash>=/mnt/flash* /dev/flash*
-<diskonkey>=/mnt/diskonkey*
-<rem_ide>=/mnt/microdrive*
-<fb>=/dev/fb /dev/fb[0-9]* \
-     /dev/fb/*
-<kbd>=/dev/kbd
-<joystick>=/dev/js[0-9]*
-<v4l>=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi* \
-      /dev/video/*
-<gpm>=/dev/gpmctl
-<dri>=/dev/nvidia* /dev/3dfx* /dev/dri/card*
-<mainboard>=/dev/apm_bios
-<pmu>=/dev/pmu
-<bluetooth>=/dev/rfcomm*
-<raw1394>=/dev/raw1394
-<irda>=/dev/ircomm*
-
-# permission definitions
-<console>  0660 <floppy>
-<console>  0600 <sound>
-<console>  0600 <cdrom>
-<console>  0600 <pilot>
-<console>  0600 <jaz>
-<console>  0600 <zip>
-<console>  0600 <ls120>
-<console>  0600 <scanner>
-<console>  0600 <camera>
-<console>  0600 <memstick>
-<console>  0600 <flash>
-<console>  0600 <diskonkey>
-<console>  0600 <rem_ide>
-<console>  0600 <fb>
-<console>  0600 <kbd>
-<console>  0600 <joystick>
-<console>  0600 <v4l>
-<console>  0700 <gpm>
-<console>  0600 <mainboard>
-<console>  0600 <rio500>
-<console>  0600 <pmu>
-<console>  0600 <bluetooth>
-<console>  0600 <raw1394>
-<console>  0600 <irda>
-
-<xconsole> 0600 /dev/console
-<console>  0600 <dri>
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@ -7,16 +7,7 @@ with pkgs.lib;

 let

-  inherit (pkgs) pam_unix2 pam_console pam_ldap;
-
-  # !!! ugh, these files shouldn't be created here.
-  pamConsoleHandlers = pkgs.writeText "console.handlers" ''
-    console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
-    ${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms}
-    ${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms}
-  '';
-
-  pamConsolePerms = ./console.perms;
+  inherit (pkgs) pam_unix2 pam_ldap;

  otherService = pkgs.writeText "other.pam"
    ''
@ -73,13 +64,24 @@ let
              "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
          session required ${pam_unix2}/lib/security/pam_unix2.so
          ${optionalString localLogin
-              "session optional ${pam_console}/lib/security/pam_console.so debug handlersfile=${pamConsoleHandlers}"}
+              ''
+                session required pam_env.so debug conffile=${envFile} readenv=0
+                session optional ${pkgs.console_kit}/lib/security/pam_ck_connector.so debug
+              ''}
          ${optionalString forwardXAuth
              "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
        '';
      target = "pam.d/${name}";
    };

+  # This is needed to get an active session in ConsoleKit.  Apparently
+  # a better way is to run ck-launch-session from the session starter
+  # (or let xdm/kdm do it).
+  envFile = pkgs.writeText "pam_env.conf"
+    ''
+      CKCON_X11_DISPLAY_DEVICE DEFAULT="/dev/tty7"
+    '';
+
 in

 {
--- a/modules/security/policy-kit.nix
+++ b/modules/security/policy-kit.nix
@ -21,4 +21,4 @@ with pkgs.lib;

  };

-}
+}
--- a/modules/services/system/consolekit.nix
+++ b/modules/services/system/consolekit.nix
@ -1,59 +0,0 @@
-{pkgs, config, ...}:
-
-###### interface
-let
-  inherit (pkgs.lib) mkOption;
-
-  options = {
-    services = {
-
-      consolekit = {
-        enable = mkOption {
-          default = false;
-          description = "
-            Whether to start the ConsoleKit daemon.
-          ";
-        };
-      };
-
-    };
-  };
-in
-
-###### implementation
-let
-  cfg = config.services.consolekit;
-  inherit (pkgs.lib) mkIf;
-  inherit (pkgs) ConsoleKit;
-
-  job = {
-    name = "consolekit";
-
-    job = ''
-      description "Console Kit Service"
-
-      start on dbus
-      stop on shutdown
-
-      respawn ${ConsoleKit}/sbin/console-kit-daemon
-    '';
-  };
-
-in
-
-mkIf cfg.enable {
-  require = [
-    #../upstart-jobs/default.nix # config.services.extraJobs
-    #../upstart-jobs/dbus.nix # services.dbus.*
-    options
-  ];
-
-  services = {
-    extraJobs = [job];
-
-    dbus = {
-      enable = true;
-      packages = [ConsoleKit];
-    };
-  };
-}
--- a/modules/services/system/dbus.nix
+++ b/modules/services/system/dbus.nix
@ -17,6 +17,8 @@ let
    buildCommand = ''
      ensureDir $out
      
+      ln -s ${dbus}/etc/dbus-1/session.conf $out/session.conf
+      
      cp ${dbus}/etc/dbus-1/system.conf $out/system.conf

      # Tell the daemon where the setuid wrapper around
@ -30,9 +32,16 @@ let
          
      # Note: system.conf includes ./system.d (i.e. it has a relative,
      # not absolute path).
+      ensureDir $out/session.d
      ensureDir $out/system.d
+      
      for i in ${toString cfg.packages}; do
-        ln -s $i/etc/dbus-1/system.d/* $out/system.d/
+        for j in $i/etc/dbus-1/session.d/*; do
+          ln -s $j  $out/session.d/
+        done
+        for j in $i/etc/dbus-1/system.d/*; do
+          ln -s $j $out/system.d/
+        done
      done
    ''; # */
  };