with an empty password, rather than with a hashed empty password.
The latter is a security risk, because it allows remote root logins
if a user enables sshd before setting a proper root password.
* Allow empty passwords for login and slim, but nothing else.
svn path=/nixos/trunk/; revision=17833
work for X logins. (The documentation also says so.) Instead just
call ck-launch-session from the xsession script.
svn path=/nixos/trunk/; revision=17090
* Let ConsoleKit track the current logins instead of pam_console.
Udev now takes care of setting the device permissions to the active
user. This works much better, since pam_console wouldn't apply
permissions to new (hot-plugged) devices. Also, the udev+ConsoleKit
approach supports user switching. (We don't have that for X yet,
but it already works for logins on virtual consoles: if you switch
between different users on differents VCs with Alt+Fn, the device
ownership will be changed automatically.)
svn path=/nixos/trunk/; revision=16743
mkOption argument, because then we lose them if somebody sets
security.setuidPrograms somewhere else. (Shouldn't "default" be
merged as well?)
svn path=/nixos/trunk/; revision=16734
programs require that the mode is 4550 so that execution of the
setuid program can be restricted to members of a group.
* setuid-wrappers: remove a race condition in the creation of the
wrappers if the ownership or mode was different than root:root and
4555.
* setuid-wrappers: allow the full path of the wrapped program to be
specified, rather than looking it up in $PATH.
svn path=/nixos/trunk/; revision=16733
option security.pam.services containing the list of PAM services.
For instance, the SLiM module simply declares:
security.pam.services = [ { name = "slim"; localLogin = true; } ];
svn path=/nixos/trunk/; revision=16729
enabled as a session type. Since I'm lazy, provide it
unconditionally. Also have it include "common-console" to set
device ownership when logging in.
svn path=/nixos/branches/modular-nixos/; revision=15800
modules/security/setuid-wrappers.nix.
* Removed the "path" activation scriptlet. The partial ordering was
underspecified (there was nothing ensuring that it came near the end
of the activation script), and it wasn't needed in any case.
svn path=/nixos/branches/modular-nixos/; revision=15726