From 39c247d9cb8afb8c96019a55a9e521770f90749d Mon Sep 17 00:00:00 2001
From: Ralph Zhou <36948728+awerty-noob@users.noreply.github.com>
Date: Tue, 23 Jun 2026 21:26:51 +0800
Subject: [PATCH] fix(lock): add complete bundled PAM services (#2685)
---
 core/internal/pam/pam.go | 3 +++
 flake.nix | 11 +++++++++--
 quickshell/assets/pam/fprint | 3 +++
 quickshell/assets/pam/login | 2 ++
 quickshell/assets/pam/other | 5 +++++
 quickshell/assets/pam/u2f | 3 +++
 6 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 quickshell/assets/pam/other
diff --git a/core/internal/pam/pam.go b/core/internal/pam/pam.go
index 398d987c..9759542f 100644
--- a/core/internal/pam/pam.go
+++ b/core/internal/pam/pam.go
@@ -499,6 +499,9 @@ func buildManagedLockscreenU2FPamContent() string {
 b.WriteString("#%PAM-1.0\n")
 b.WriteString(LockscreenU2FPamManagedBlockStart + "\n")
 b.WriteString("auth required pam_u2f.so cue nouserok timeout=10\n")
+ b.WriteString("account required pam_permit.so\n")
+ b.WriteString("password required pam_deny.so\n")
+ b.WriteString("session required pam_permit.so\n")
 b.WriteString(LockscreenU2FPamManagedBlockEnd + "\n")
 return b.String()
 }
diff --git a/flake.nix b/flake.nix
index f66a4900..92fbde66 100644
--- a/flake.nix
+++ b/flake.nix
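Review bot: The added `account required pam_permit.so` line in buildManagedLockscreenU2FPamContent (core/internal/pam/pam.go) makes the account phase of this service always succeed, so account expiry or lock state is not checked when the U2F service is used, whereas the bundled `login` service keeps `account required pam_unix.so`. The same line is added in the quickshell/assets/pam/fprint and quickshell/assets/pam/u2f hunks. The existing auth line also carries `nouserok`, which as far as I know lets pam_u2f succeed for a user with no registered key, so this service is only safe if the caller never accepts it as the sole factor for such a user; that caller is not in this diff. If skipping the account check is intended for an already-open session, record it next to the new lines, e.g. `// account is permit-only: U2F unlock does not re-check account expiry or lock state`; otherwise write `b.WriteString("account required pam_unix.so\n")` here and the matching line in the two asset files. The function body starts outside the hunk.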
@@ -150,10 +150,17 @@ --replace-fail /bin/bash ${pkgs.bashInteractive}/bin/bash substituteInPlace $out/share/quickshell/dms/assets/pam/fprint \ - --replace-fail pam_fprintd.so ${pkgs.fprintd}/lib/security/pam_fprintd.so + --replace-fail pam_fprintd.so ${pkgs.fprintd}/lib/security/pam_fprintd.so \ + --replace-fail pam_deny.so ${pkgs.pam}/lib/security/pam_deny.so \ + --replace-fail pam_permit.so ${pkgs.pam}/lib/security/pam_permit.so substituteInPlace $out/share/quickshell/dms/assets/pam/u2f \ - --replace-fail pam_u2f.so ${pkgs.pam_u2f}/lib/security/pam_u2f.so + --replace-fail pam_u2f.so ${pkgs.pam_u2f}/lib/security/pam_u2f.so \ + --replace-fail pam_deny.so ${pkgs.pam}/lib/security/pam_deny.so \ + --replace-fail pam_permit.so ${pkgs.pam}/lib/security/pam_permit.so + + substituteInPlace $out/share/quickshell/dms/assets/pam/other \ + --replace-fail pam_deny.so ${pkgs.pam}/lib/security/pam_deny.so installShellCompletion --cmd dms \ --bash <($out/bin/dms completion bash) \ diff --git a/quickshell/assets/pam/fprint b/quickshell/assets/pam/fprint index a0f41d7c..b44bf753 100644 --- a/quickshell/assets/pam/fprint +++ b/quickshell/assets/pam/fprint @@ -1,3 +1,6 @@ #%PAM-1.0 auth required pam_fprintd.so max-tries=5 +account required pam_permit.so +password required pam_deny.so +session required pam_permit.so diff --git a/quickshell/assets/pam/login b/quickshell/assets/pam/login index c221e11a..4a402cb8 100644 --- a/quickshell/assets/pam/login +++ b/quickshell/assets/pam/login @@ -3,3 +3,5 @@ auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so account required pam_unix.so +password required pam_deny.so +session required pam_permit.so diff --git a/quickshell/assets/pam/other b/quickshell/assets/pam/other new file mode 100644 index 00000000..476bcfdb --- /dev/null +++ b/quickshell/assets/pam/other 
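Review bot: The `login` service is left out of these substitutions although this commit adds `pam_deny.so` and `pam_permit.so` lines to quickshell/assets/pam/login; the hunk pins module paths only for `fprint`, `u2f` and `other`. As a result the same two modules are loaded from a pinned store path in three services and through the default module search path in the fourth, so which binary backs the deny rule depends on the service. If that is deliberate, a comment above the block should say why `login` keeps bare module names; otherwise add `substituteInPlace $out/share/quickshell/dms/assets/pam/login --replace-fail pam_deny.so ${pkgs.pam}/lib/security/pam_deny.so --replace-fail pam_permit.so ${pkgs.pam}/lib/security/pam_permit.so`. A substitution for `login` may exist outside the hunk, which starts and ends in the middle of the install phase.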
@@ -0,0 +1,5 @@ +#%PAM-1.0 +auth required pam_deny.so +account required pam_deny.so +password required pam_deny.so +session required pam_deny.so diff --git a/quickshell/assets/pam/u2f b/quickshell/assets/pam/u2f index bdac4cef..83a3bfb3 100644 --- a/quickshell/assets/pam/u2f +++ b/quickshell/assets/pam/u2f @@ -1,3 +1,6 @@ #%PAM-1.0 auth required pam_u2f.so cue nouserok timeout=10 +account required pam_permit.so +password required pam_deny.so +session required pam_permit.so
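Review bot: The new quickshell/assets/pam/other file carries no comment saying what it is for, and its role is security-relevant: it denies all four PAM phases, so a service name that is requested from this directory but not bundled fails closed. I would add a line under the header such as `# Fallback for service names not bundled here: deny every phase.` As far as I know libpam also falls back to `other` for a phase that a service file leaves empty, so a second line like `# Bundled services must define every phase they need; anything missing is denied here.` would tell the next editor why `fprint`, `u2f` and `login` gained explicit account, password and session entries in this commit. Whether the lock screen actually points PAM at this directory is not visible in the diff.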