PAM: how to restrict rules to non-root users

Starting from my original pam.d/login file:

auth            include         system-local-login
account         include         system-local-login
password        include         system-local-login
session         optional        pam_lastlog.so
session         include         system-local-login

As an option, I need to append a module's services (taking pam_kwallet5.so as an example):

auth        include     system-local-login

auth        optional    MODULE

account     include     system-local-login
password    include     system-local-login
session     optional    pam_lastlog.so
session     include     system-local-login

session     optional    MODULE PARAMs

This achieves the intended result.

However, I now want to restrict this option to non-root users.

(For example, since root never starts KDE, there is no point in starting the kwalletd5 daemon at login.)

I tried to find my way through the pam_listfile.so module, but in vain.


Edit 1: I wonder whether creating a pseudo-conditional entry via pam_exec.so, in the way described here, could be an acceptable solution.


Edit 2: Before discovering muru's better solution, I had managed to find a way thanks to pam_succeed_if.so, as follows:

auth        include                    system-local-login

auth        [default=1 success=ignore] pam_succeed_if.so uid > 0
auth        optional                   MODULE

account     include                    system-local-login
password    include                    system-local-login
session     optional                   pam_lastlog.so
session     include                    system-local-login

session     [default=1 success=ignore] pam_succeed_if.so uid > 0
session     optional                   MODULE PARAMs

muru's solution is based on the same principle of ignoring a given number of the following rules, but it is better because it uses a more dedicated module: pam_rootok.so

Answer 1

A combination of success=1 and pam_rootok.so should work:

auth [success=1 default=ignore] pam_rootok.so
auth        optional    MODULE

man 5 pam.conf:

For the more complicated syntax valid control values have the
following form:

         [value1=action1 value2=action2 ...]

Where valueN corresponds to the return code from the function
invoked in the module for which the line is defined.
... The actionN can take one of the following forms:
...

N (an unsigned integer)
   equivalent to ok with the side effect of jumping over the
   next N modules in the stack. Note that N equal to 0 is not
   allowed (and it would be identical to ok in such case).

So, if pam_rootok.so succeeds (when the user is root), success=1 should make PAM jump over MODULE.
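To make the jump semantics concrete for both the pam_succeed_if.so stack from Edit 2 and the pam_rootok.so stack in this answer, here is an added example (not part of the original thread, and not Linux-PAM code) that simulates only the control behaviour quoted above: bracketed [value=action ...] controls, where an integer action jumps over the next N modules. Module return codes for pam_rootok.so and pam_succeed_if.so are stubbed by uid, and plain keywords such as optional are treated as "never jump".

```python
# Added example: a minimal simulator of the Linux-PAM control semantics this
# thread relies on. Module results are stubbed by uid; nothing here calls PAM.

def parse_control(ctrl):
    """'[success=1 default=ignore]' -> {'success': '1', 'default': 'ignore'}."""
    if ctrl.startswith("[") and ctrl.endswith("]"):
        return dict(pair.split("=", 1) for pair in ctrl[1:-1].split())
    return {"default": "ignore"}   # simple keyword (optional, ...): never jumps

def module_result(module, args, uid):
    """Stub return code of a module for the given uid."""
    if module == "pam_rootok.so":
        return "success" if uid == 0 else "auth_err"
    if module == "pam_succeed_if.so":
        field, op, value = args.split()          # only 'uid > N' is modelled
        assert field == "uid" and op == ">"
        return "success" if uid > int(value) else "auth_err"
    return "success"                              # e.g. the attached MODULE

def run_stack(stack, uid):
    """Return the modules that actually execute, honouring integer jump actions."""
    executed, i = [], 0
    while i < len(stack):
        ctrl, module, args = stack[i]
        executed.append(module)
        actions = parse_control(ctrl)
        result = module_result(module, args, uid)
        action = actions.get(result, actions.get("default", "ignore"))
        i += 1
        if action.isdigit():
            i += int(action)      # 'ok' plus jump over the next N modules
    return executed

# The two auth stacks from this thread, reduced to the lines that matter.
ROOTOK_STACK = [
    ("[success=1 default=ignore]", "pam_rootok.so", ""),
    ("optional", "MODULE", ""),
]
SUCCEED_IF_STACK = [
    ("[default=1 success=ignore]", "pam_succeed_if.so", "uid > 0"),
    ("optional", "MODULE", ""),
]

if __name__ == "__main__":
    for uid in (0, 1000):
        print(uid, run_stack(ROOTOK_STACK, uid), run_stack(SUCCEED_IF_STACK, uid))
```

For uid 0 both stacks skip MODULE; for any other uid both stacks run it, which is exactly the non-root restriction the question asks for.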
