author | Silvan Mosberger <infinisil@icloud.com> | 2018-02-02 14:00:01 +0100 |
---|---|---|
committer | Silvan Mosberger <infinisil@icloud.com> | 2018-02-02 14:03:00 +0100 |
commit | cfd22b733bc4c4d6486e179b45b671b25b546778 (patch) | |
tree | 7557bd267d8cc61776340b90d6d128912f2d6210 /nixos | |
parent | 9a5fe79d07204e7b4c9868892d897f501c9aa419 (diff) | |
physlock: add allowAnyUser option
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/security/physlock.nix | 64 |
1 files changed, 43 insertions, 21 deletions
diff --git a/nixos/modules/services/security/physlock.nix b/nixos/modules/services/security/physlock.nix
index 30224d7fc6ba..97fbd6aae6e0 100644
--- a/nixos/modules/services/security/physlock.nix
+++ b/nixos/modules/services/security/physlock.nix
@@ -30,6 +30,20 @@ in
 '';
 };
 
+ allowAnyUser = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to allow any user to lock the screen. This will install a
+ setuid wrapper to allow any user to start physlock as root, which
+ is a minor security risk. Call the physlock binary to use this instead
+ of using the systemd service.
+
+ Note that you might need to relog to have the correct binary in your
+ PATH upon changing this option.
+ '';
+ };
+
 disableSysRq = mkOption {
 type = types.bool;
 default = true;
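Review bot: The description added for `allowAnyUser` calls the setuid wrapper a "minor security risk" without saying what privilege it actually grants: the wrapper runs `${pkgs.physlock}/bin/physlock` as root for every local user, with whatever options that user passes (the implementation section's own comment `# for physlock -l and physlock -L` shows the binary does more than lock the screen). I would replace "which is a minor security risk" with `This installs a setuid-root wrapper, so every local user can run physlock, with any of its options, as root.` The `s` flag that `disableSysRq` (declared just below) adds is only ever passed in the systemd unit's ExecStart, so the description should also tell callers of the wrapper that the configured `disableSysRq` value does not apply to direct invocations. The option block is complete within the hunk.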
@@ -79,28 +93,36 @@ in
 
 ###### implementation
 
- config = mkIf cfg.enable {
-
- # for physlock -l and physlock -L
- environment.systemPackages = [ pkgs.physlock ];
-
- systemd.services."physlock" = {
- enable = true;
- description = "Physlock";
- wantedBy = optional cfg.lockOn.suspend "suspend.target"
- ++ optional cfg.lockOn.hibernate "hibernate.target"
- ++ cfg.lockOn.extraTargets;
- before = optional cfg.lockOn.suspend "systemd-suspend.service"
- ++ optional cfg.lockOn.hibernate "systemd-hibernate.service"
- ++ cfg.lockOn.extraTargets;
- serviceConfig.Type = "forking";
- script = ''
- ${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}
- '';
- };
+ config = mkIf cfg.enable (mkMerge [
+ {
+
+ # for physlock -l and physlock -L
+ environment.systemPackages = [ pkgs.physlock ];
+
+ systemd.services."physlock" = {
+ enable = true;
+ description = "Physlock";
+ wantedBy = optional cfg.lockOn.suspend "suspend.target"
+ ++ optional cfg.lockOn.hibernate "hibernate.target"
+ ++ cfg.lockOn.extraTargets;
+ before = optional cfg.lockOn.suspend "systemd-suspend.service"
+ ++ optional cfg.lockOn.hibernate "systemd-hibernate.service"
+ ++ cfg.lockOn.extraTargets;
+ serviceConfig = {
+ Type = "forking";
+ ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}";
+ };
+ };
 
- security.pam.services.physlock = {};
+ security.pam.services.physlock = {};
 
- };
+ }
+
+ (mkIf cfg.allowAnyUser {
+
+ security.wrappers.physlock = { source = "${pkgs.physlock}/bin/physlock"; user = "root"; };
+
+ })
+ ]);
 
 }
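Review bot: The new `security.wrappers.physlock` line declares only `source` and `user`, so whether the wrapper is setuid and which mode it gets falls to the wrappers module's defaults, and nothing in this file tells a reader that the line produces a setuid-root binary usable by every local user. I would put a comment above it, `# setuid-root wrapper: any local user can run physlock (with any of its options) as root; see allowAnyUser`, and confirm that `user` is the attribute the wrappers module honours for the owning user (I recall the attribute being `owner` in this era, so please verify), because a misspelled attribute name would be ignored without any error. Separately, `-d${optionalString cfg.disableSysRq "s"}` lives only in the unit's ExecStart, so physlock started through the wrapper runs without the configured `disableSysRq` flag; either document that difference next to the wrapper or pass the same arguments on both paths.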