Commit
security.pam: make pam_unix.so required, not sufficient
Setting pam_unix to sufficient means the account management group succeeds early, as soon as pam_unix.so succeeds. This is not sufficient. For example, modules might install NSS modules for user lookup, so pam_unix.so succeeds, and we end the stack successfully, even though other PAM modules might want to do more extensive checks.

Other distros set pam_unix.so to 'required', so if there are other PAM modules in that management group, they get a chance to do some validation too.

This broke SSSD, for which @PsyanticY added a workaround knob in NixOS#31969.

This also breaks parts of Google OS Login, as the pam_oslogin_admin.so module doesn't get a chance to add a sudoers file for admins (while the NSS module fixes the lookup done in pam_unix.so).

This changes the default of pam_unix.so to 'required'.

We don't drop the `security.pam.services.<name?>.sssdStrictAccess` option, as it's used some lines below to tweak error behaviour inside the pam sssd module.
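The short-circuit the commit message describes, as an added example that is not NixOS or Linux-PAM code: a small model of the simplified PAM control flags from pam.conf(5), run over an account stack with pam_unix.so marked `sufficient` and then `required`, plus an audit function that flags `account sufficient pam_unix.so` lines in pam.d-style text. The module names, module results and the sample config fragment are constructed for the demonstration, and the evaluator deliberately covers only the four keyword flags, not the bracketed `[value=action ...]` form.

```python
"""Linux-PAM control-flag semantics for one management group.

Added example for this commit, not NixOS or Linux-PAM code. It (1) simulates
the simplified control flags required/requisite/sufficient/optional from
pam.conf(5) so the early exit removed by this commit can be observed directly,
and (2) audits pam.d-style config text for 'account sufficient pam_unix.so'.
Module names, results and the sample config below are constructed.
"""
import re

PAM_SUCCESS = "PAM_SUCCESS"
PAM_FAILURE = "PAM_PERM_DENIED"  # stands in for whatever failure code the stack yields


def run_stack(stack, results):
    """Evaluate a list of (control, module) pairs for one management group.

    results: module name -> True if that module returns PAM_SUCCESS, else False.
    Returns (final_result, modules_that_ran). Simplified-flag rules modelled:
      required   failure is remembered, the remaining modules still run
      requisite  failure ends the stack immediately
      sufficient success ends the stack immediately unless an earlier
                 required module already failed; its own failure is ignored
      optional   result only counts when it is the only module in the stack
    """
    failed = False
    ran = []
    for control, module in stack:
        ok = results[module]
        ran.append(module)
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return PAM_FAILURE, ran
        elif control == "sufficient":
            if ok and not failed:
                return PAM_SUCCESS, ran
        elif control == "optional":
            if len(stack) == 1:
                failed = not ok
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return (PAM_FAILURE if failed else PAM_SUCCESS), ran


# Constructed account stacks: the pre-commit shape and the post-commit shape.
OLD_ACCOUNT = [("sufficient", "pam_unix.so"), ("required", "pam_sss.so")]
NEW_ACCOUNT = [("required", "pam_unix.so"), ("required", "pam_sss.so")]

# Constructed scenario from the commit message: the user exists only in the
# directory, sssd's NSS module makes pam_unix.so's lookup succeed, but sssd's
# own account check rejects the login (for example, account disabled upstream).
DIRECTORY_USER_DENIED_BY_SSSD = {"pam_unix.so": True, "pam_sss.so": False}


def compare(results=DIRECTORY_USER_DENIED_BY_SSSD):
    """Run one scenario through both stacks; returns {flag: (result, ran)}."""
    return {"sufficient": run_stack(OLD_ACCOUNT, results),
            "required": run_stack(NEW_ACCOUNT, results)}


# Matches 'type control module' lines; a leading '-' on the type is allowed.
# Bracketed controls like '[success=1 default=ignore]' contain spaces and are
# not parsed here, which is fine for this check since they are never 'sufficient'.
PAM_LINE = re.compile(r"^\s*-?(?P<type>account|auth|password|session)\s+"
                      r"(?P<control>\S+)\s+(?P<module>\S+)")


def audit_pam_unix(config_text, mgmt_type="account"):
    """Return 1-based line numbers where pam_unix.so is 'sufficient' in the
    given management group, i.e. where later modules in that group are
    bypassed whenever pam_unix.so succeeds. Comments and blank lines are skipped."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = PAM_LINE.match(line)
        if (m and m["type"] == mgmt_type and m["control"] == "sufficient"
                and m["module"].rsplit("/", 1)[-1] == "pam_unix.so"):
            hits.append(lineno)
    return hits


# Constructed pam.d fragment in the pre-commit shape.
SAMPLE_PAM_D = """\
# constructed /etc/pam.d/sshd fragment for the demo
account sufficient pam_unix.so
account required pam_sss.so
session required pam_unix.so
"""

if __name__ == "__main__":
    for flag, (result, ran) in compare().items():
        print(f"pam_unix.so {flag:10s}: {result:16s} ran={ran}")
    print("sufficient pam_unix.so at lines:", audit_pam_unix(SAMPLE_PAM_D))
```

With pam_unix.so `sufficient`, the denied directory user gets `PAM_SUCCESS` and pam_sss.so never runs; with `required`, both modules run and the stack fails. Running `audit_pam_unix` over the real files under `/etc/pam.d/` is a quick way to find other services still carrying the old shape.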