

fix(login): add custom PAM rules for desktop login
  - remove fprint auth from greetd as user home needs decryption
  - add custom rule to require users to be in group 'video', preventing
    admin login on GUI
  - remove older 'desktop' group in favor of 'video'
  - fix user creation script to disallow creating user duplicates
  - fix user creation script to allow '-' characters in name

Signed-off-by: Manuel Bluhm <[email protected]>
mbssrc committed Dec 19, 2024
1 parent 40e5ba6 commit 30e83fa
Showing 6 changed files with 24 additions and 17 deletions.
6 changes: 4 additions & 2 deletions modules/common/users/admin.nix
Expand Up @@ -93,10 +93,12 @@ in
extraGroups =
[
"wheel"
"video"
]
++ cfg.extraGroups
++ optionals cfg.createHome [ "desktop" ]
++ optionals cfg.createHome [
"audio"
"video"
]
++ optionals config.security.tpm2.enable [ "tss" ]
++ optionals config.ghaf.virtualization.docker.daemon.enable [ "docker" ];
};
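Review bot: Moving "video" under `optionals cfg.createHome` makes membership in a hardware-access group double as the GUI login authorisation, because the greetd PAM rule added in labwc.nix in this same commit admits exactly the members of "video". Any future change that adds "video" to an account for GPU or camera access (the pattern this commit removes from the audiovm user) would silently also grant that account a desktop login, and nothing at this site hints at that coupling. The removed "desktop" group was a dedicated marker for this purpose; if keeping "video" as the gate is intentional, the list needs a comment such as `# "video" also authorises greetd/GUI login via the PAM rule in labwc.nix`. The enclosing `users.users` definition starts and ends outside the hunk.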
10 changes: 2 additions & 8 deletions modules/common/users/desktop.nix
Expand Up @@ -137,12 +137,6 @@ in
members = [ cfg.appUser.name ];
};
})
{
"desktop" = {
name = "desktop";
members = [ ];
};
}
];
};
}
Expand Down Expand Up @@ -177,9 +171,9 @@ in
echo -n "Enter your user name: "
read -e -r USERNAME
USERNAME=''${USERNAME// /_}
USERNAME=''${USERNAME//[^a-zA-Z0-9_]/}
USERNAME=''${USERNAME//[^a-zA-Z0-9_-]/}
USERNAME=''$(echo -n "$USERNAME" | tr '[:upper:]' '[:lower:]')
if grep -q -w "$USERNAME:" /etc/passwd; then
if grep -q "$USERNAME:" /etc/passwd; then
echo "User $USERNAME already exists. Please choose another user name."
else
ACCEPTABLE_USER=true
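Review bot: The duplicate check `grep -q "$USERNAME:" /etc/passwd` in the second hunk is an unanchored substring match, so a new name that happens to be a suffix of an existing account (for example `bob` when `alicebob` exists) is rejected as "already exists", and an input that sanitises down to the empty string matches every line for the same reason. Anchoring the pattern fixes the first case: `if grep -q "^$USERNAME:" /etc/passwd; then`, and an explicit empty-name check before it would make the message accurate for the second. The widened character class `[^a-zA-Z0-9_-]` now also lets a name begin with `-`, which the account tools further down may read as an option, so the sanitised value should be required to start with a letter or underscore. The script this belongs to starts before the hunk and continues after it.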
21 changes: 18 additions & 3 deletions modules/desktop/graphics/labwc.nix
Expand Up @@ -166,8 +166,24 @@ in
};
};

# It will create a /etc/pam.d/ file for authentication
security.pam.services.gtklock = { };
# Create custom PAM rules
security.pam.services = {
gtklock = { };
greetd = {
fprintAuth = false; # User needs to enter password to decrypt home
rules.account.group = {
enable = true;
control = "required";
modulePath = "${pkgs.linux-pam}/lib/security/pam_succeed_if.so";
order = 10000;
args = [
"user"
"ingroup"
"video"
];
};
};
};

# Needed for power commands
security.polkit.enable = true;
Expand All @@ -179,7 +195,6 @@ in
BindsTo = [ "graphical-session.target" ];
After = [ "graphical-session-pre.target" ];
Wants = [ "graphical-session-pre.target" ];
ConditionGroup = "desktop";
};
};

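Review bot: The `rules.account.group` entry in the first hunk is the only place the "preventing admin login on GUI" intent from the commit message lives, but the surrounding comment `# Create custom PAM rules` does not say what the rule enforces or why it is an `account` rule rather than `auth`; a comment like `# Deny greetd sessions to anyone outside "video": admins without a home are rejected at the account stage after authentication` would let a reader connect this to the group change in admin.nix. The `fprintAuth = false` line applies to greetd only, while `gtklock = { }` keeps the module default, which is consistent with the stated reason (home must be decrypted at first login) and could be noted in the same comment. In the second hunk the user service loses `ConditionGroup = "desktop"`, so the gate now exists solely in greetd's PAM stack; if any other path starts a graphical session on this host, it would no longer be group-checked. The enclosing module starts before the first hunk and continues after the last.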
1 change: 0 additions & 1 deletion modules/microvm/virtualization/microvm/audiovm.nix
Expand Up @@ -44,7 +44,6 @@ let
enable = true;
extraGroups = [
"audio"
"video"
"pipewire"
];
};
1 change: 0 additions & 1 deletion modules/microvm/virtualization/microvm/guivm.nix
Expand Up @@ -78,7 +78,6 @@ let
extraGroups = [
"audio"
"video"
"desktop"
];
};
};
2 changes: 0 additions & 2 deletions modules/microvm/virtualization/microvm/microvm-host.nix
Expand Up @@ -141,8 +141,6 @@ in
unitConfig.ConditionPathExists = "/storagevm/gui-vm/var/lib/nixos/user.lock";
serviceConfig = {
Type = "oneshot";
StandardOutput = "journal";
StandardError = "journal";
ExecStart = "${userRemovalScript}/bin/remove-users";
};
};
