--- a/data/pam/lightdm +++ b/data/pam/lightdm @@ -1,20 +1,35 @@ #%PAM-1.0 # Block login if they are globally disabled -auth required pam_nologin.so +auth requisite pam_nologin.so # Load environment from /etc/environment and ~/.pam_environment -auth required pam_env.so +auth required pam_env.so envfile=/etc/default/locale -# Use /etc/passwd and /etc/shadow for passwords -auth required pam_unix.so +@include common-auth -# Check account is active, change password if required -account required pam_unix.so +-auth optional pam_gnome_keyring.so -# Allow password to be changed -password required pam_unix.so +@include common-account -# Setup session -session required pam_unix.so -session optional pam_systemd.so +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +session required pam_limits.so +session required pam_loginuid.so +@include common-session + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) + +-session optional pam_gnome_keyring.so auto_start + +@include common-password --- a/data/pam/lightdm-greeter +++ b/data/pam/lightdm-greeter @@ -1,7 +1,7 @@ #%PAM-1.0 # Load environment from /etc/environment and ~/.pam_environment -auth required pam_env.so +auth required pam_env.so envfile=/etc/default/locale # Always let the greeter start without authentication auth required pam_permit.so --- a/data/pam/lightdm-autologin +++ b/data/pam/lightdm-autologin @@ -1,20 +1,35 @@ #%PAM-1.0 # Block login if they are globally disabled -auth required pam_nologin.so +auth requisite pam_nologin.so # Load environment from /etc/environment and ~/.pam_environment -auth required pam_env.so +auth required pam_env.so envfile=/etc/default/locale # Allow access without authentication auth required pam_permit.so -# Stop autologin if account requires action -account required pam_unix.so +@include common-account + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +session required pam_limits.so +session required pam_loginuid.so +@include common-session + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) # Can't change password password required pam_deny.so -# Setup session -session required pam_unix.so -session optional pam_systemd.so +@include common-password