nixos/pam: add pam_nologin.so by default #53989
Closed
Motivation for this change
Some NixOS services already override the default PAM config and add
pam_nologin.so. This change adds it to the default config, so that it
applies to services like sshd and login too. (It also applies to things
like sudo, which might be surprising, but I'm having a hard time
justifying "forking" the default config for sshd etc. just because of
this.)
pam_nologin.so prevents non-root user login if the file /etc/nologin or
/run/nologin exists. (The file can also contain a message that will be
shown to the user before getting access denied.)
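Added example, not part of the pull request or of NixOS: a small audit script that reports which PAM service files load pam_nologin.so and in which stack, and whether /etc/nologin or /run/nologin is currently present. The function names, the sample service files and the `/nix/store/EXAMPLE-linux-pam` path are constructed placeholders, and `include` directives are not followed.

```shell
#!/bin/sh
# Added example: report which PAM service files load pam_nologin.so.

# pam_nologin_report DIR
# For each file in DIR print "service<TAB>stack" per active pam_nologin.so
# line, or "service<TAB>-" when the service never loads the module.
pam_nologin_report() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v svc="$(basename "$f")" '
            /^[ \t]*#/ { next }                   # commented-out rules do not count
            {
                stack = $1; sub(/^-/, "", stack)  # "-account" is still the account stack
                for (i = 2; i <= NF; i++)         # match bare name or absolute store path
                    if ($i ~ /(^|\/)pam_nologin\.so$/) { print svc "\t" stack; found = 1; break }
            }
            END { if (!found) print svc "\t-" }' "$f"
    done
}

# nologin_active [ROOT]
# Succeeds if ROOT/etc/nologin or ROOT/run/nologin exists, the two files
# that make pam_nologin.so deny non-root logins.
nologin_active() {
    root=${1:-}
    [ -e "$root/etc/nologin" ] || [ -e "$root/run/nologin" ]
}

# make_sample ROOT
# Builds a constructed tree (not NixOS output): sshd loads the module,
# sudo only has it commented out, and /run/nologin carries a message.
make_sample() {
    mkdir -p "$1/etc/pam.d" "$1/run"
    pam=/nix/store/EXAMPLE-linux-pam/lib/security   # placeholder store path
    printf 'account required %s/pam_nologin.so\naccount required %s/pam_unix.so\n' \
        "$pam" "$pam" > "$1/etc/pam.d/sshd"
    printf '# account required pam_nologin.so\naccount required %s/pam_unix.so\n' \
        "$pam" > "$1/etc/pam.d/sudo"
    printf 'System is going down for maintenance\n' > "$1/run/nologin"
}

# Demo on the constructed tree: prints the report, then the denial message.
sample=$(mktemp -d)
make_sample "$sample"
pam_nologin_report "$sample/etc/pam.d"
nologin_active "$sample" && cat "$sample/run/nologin"
rm -rf "$sample"
```

On a real system, point `pam_nologin_report` at `/etc/pam.d` and call `nologin_active` with no argument.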