Linux

pam: how to restrict a rule to non-root users

  • June 8, 2021

Starting from my original pam.d/login file:

auth            include         system-local-login
account         include         system-local-login
password        include         system-local-login
session         optional        pam_lastlog.so
session         include         system-local-login

As an option, I need to append the service lines for MODULE (e.g. pam_kwallet5.so):

auth        include     system-local-login

auth        optional    MODULE

account     include     system-local-login
password    include     system-local-login
session     optional    pam_lastlog.so
session     include     system-local-login

session     optional    MODULE PARAMs

This achieves the intended purpose.

However, I would now like to restrict this option to non-root users.

(e.g. because root will never start KDE, so there is no point in starting the kwalletd5 daemon at login)

I tried to find my way through the pam_listfile.so module, but in vain.


Edit 1: wondering whether creating a pseudo-conditional entry via pam_exec.so, in the way described here, might be an acceptable solution.


Edit 2: before finding muru's better solution, I had managed to find a way thanks to pam_succeed_if.so, as follows:

auth        include                    system-local-login

auth        [default=1 success=ignore] pam_succeed_if.so uid > 0
auth        optional                   MODULE

account     include                    system-local-login
password    include                    system-local-login
session     optional                   pam_lastlog.so
session     include                    system-local-login

session     [default=1 success=ignore] pam_succeed_if.so uid > 0
session     optional                   MODULE PARAMs

muru's solution is based on the same principle of ignoring a given number of the following rules, but it is better in that it uses a more dedicated module: pam_rootok.so

A combination of success=1 and pam_rootok.so should work:

auth [success=1,default=ignore] pam_rootok.so
auth        optional    MODULE

From man 5 pam.conf:

For the more complicated syntax valid control values have the
following form:

        [value1=action1 value2=action2 ...]

Where valueN corresponds to the return code from the function
invoked in the module for which the line is defined.
... The actionN can take one of the following forms:
...

N (an unsigned integer)
  equivalent to ok with the side effect of jumping over the
  next N modules in the stack. Note that N equal to 0 is not
  allowed (and it would be identical to ok in such case).

So, on success of pam_rootok.so (i.e. when the user is root), success=1 should make PAM skip MODULE.
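To see the "jump over the next N modules" rule from the man page excerpt in action, here is a small simulator of the PAM control syntax. It is an added example written for this page, not code from the question, from muru, or from Linux-PAM itself. It parses auth lines in pam.d syntax, expands the keyword controls into their success/default actions, and walks the stack for a root and a non-root user using simplified models of the modules involved; the two stacks are constructed (MODULE stands in for pam_kwallet5.so, and a pam_unix.so line is assumed after the conditional so the stack has a real authenticator).

```python
import re
from dataclasses import dataclass, field

# Constructed sample stacks (auth type only): the question's pam_succeed_if
# variant and muru's pam_rootok variant, each followed by an assumed pam_unix.so.
STACK_SUCCEED_IF = """\
auth  [default=1 success=ignore]  pam_succeed_if.so uid > 0
auth  optional                    MODULE
auth  required                    pam_unix.so
"""

STACK_ROOTOK = """\
auth  [success=1 default=ignore]  pam_rootok.so
auth  optional                    MODULE
auth  required                    pam_unix.so
"""

# The keyword controls, reduced to the success/default pair they stand for.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Entry:
    mtype: str
    actions: dict            # return value -> action; always has a "default" key
    module: str
    args: list = field(default_factory=list)


def parse_control(token):
    """Turn 'optional' or '[success=1 default=ignore]' into a value->action map."""
    if not token.startswith("["):
        return dict(SIMPLE_CONTROLS[token])
    actions = {}
    # The man page form is whitespace separated; commas are tolerated here too.
    for pair in re.split(r"[\s,]+", token.strip("[]").strip()):
        value, action = pair.split("=", 1)
        if action.isdigit() and int(action) == 0:
            raise ValueError("jump count N must not be 0 (man 5 pam.conf)")
        actions[value] = action
    actions.setdefault("default", "bad")   # uncovered return codes count as failure
    return actions


def parse_stack(text, mtype="auth"):
    """Parse pam.d lines of one type into Entry objects, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse pam line: {raw!r}")
        t, control, module, rest = m.groups()
        if t == mtype:
            entries.append(Entry(t, parse_control(control), module, rest.split()))
    return entries


def run_module(entry, uid):
    """Simplified models of the page's modules; returns 'success' or 'auth_err'."""
    if entry.module == "pam_succeed_if.so":
        fld, op, val = entry.args          # only the numeric 'uid <op> N' form is modelled
        if fld != "uid":
            raise ValueError("model only handles the uid field")
        n = int(val)
        ok = {">": uid > n, "<": uid < n, "=": uid == n, "!=": uid != n,
              ">=": uid >= n, "<=": uid <= n}[op]
        return "success" if ok else "auth_err"
    if entry.module == "pam_rootok.so":
        # Modelled on the simulated uid; the real module tests the real UID of
        # the process calling PAM (getuid()), not the account being logged in.
        return "success" if uid == 0 else "auth_err"
    return "success"                       # MODULE, pam_unix.so: assumed to succeed


def simulate(entries, uid):
    """Walk the stack for a user with this uid; report which modules ran and the outcome."""
    ran, status, i = [], None, 0           # status: None, "success" or "failure"
    while i < len(entries):
        e = entries[i]
        ran.append(e.module)
        rc = run_module(e, uid)
        action = e.actions.get(rc, e.actions["default"])
        i += 1
        if action.isdigit():               # N: 'ok' plus jump over the next N modules
            i += int(action)
            action = "ok"
        if action == "ignore":
            continue
        if action == "reset":
            status = None
        elif action in ("ok", "done"):
            if status != "failure":        # an earlier failure is never overridden
                status = "success" if rc == "success" else "failure"
            if action == "done":
                break
        elif action in ("bad", "die"):
            status = "failure"
            if action == "die":
                break
    return {"ran": ran, "result": "success" if status == "success" else "failure"}


if __name__ == "__main__":
    for name, text in (("pam_succeed_if", STACK_SUCCEED_IF), ("pam_rootok", STACK_ROOTOK)):
        for uid in (0, 1000):
            print(f"{name:15} uid={uid:<5} {simulate(parse_stack(text), uid)}")
```

Running it shows MODULE being skipped for uid 0 and executed for uid 1000 in both stacks, which is the behaviour the answer describes. One point the model deliberately flags in a comment: real pam_rootok.so checks the real UID of the process that calls PAM, so in a service that itself runs as root, such as login, it succeeds regardless of which account is logging in; pam_succeed_if.so with uid > 0 tests the account being authenticated, which is what the question actually needs.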

Quoted from: https://unix.stackexchange.com/questions/653374