~kennylevinsen/pam_uaccess

#pam_uaccess

A PAM module that grants access to devices tagged "uaccess" in udev for the duration of the user's session.

Replaces (e)logind's uaccess feature. Requires udev rules that set the 'uaccess' tag.

Experimental.

#How to build and install

meson build --prefix /usr
ninja -C build
sudo ninja -C build install

The module will be installed to /usr/lib/security/pam_uaccess.so.

#How to use

To use the PAM module, it must be added to a relevant PAM stack:

session		optional	pam_uaccess.so

getfacl can be used to inspect device files and see the added ACL. If no ACL is present, ensure that udev is installed and running, that udev rules setting the 'uaccess' tag are in place, and that they match your devices.
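One way to run the getfacl check above across every uaccess-tagged device at once, as an added example that is not part of pam_uaccess. It assumes udevadm and getfacl are installed; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of pam_uaccess.

# stdin: `udevadm info --export-db` output. Prints the DEVNAME of every
# record whose TAGS (or CURRENT_TAGS) property includes "uaccess".
uaccess_devnodes() {
    awk '
        function emit() { if (tagged && dev != "") print dev; tagged = 0; dev = "" }
        /^$/ { emit(); next }
        /^E: DEVNAME=/ { dev = substr($0, 12) }
        /^E: (CURRENT_)?TAGS=/ { if (index($0, ":uaccess:")) tagged = 1 }
        END { emit() }
    '
}

# stdin: getfacl output. Prints the permissions of the named-user entry for
# $1 and returns 0, or returns 1 when the ACL has no such entry.
acl_user_perms() {
    awk -F: -v u="$1" '
        $1 == "user" && $2 == u { print substr($3, 1, 3); found = 1 }
        END { exit !found }
    '
}

# Live check: list every uaccess-tagged device node and whether $1 has an ACL.
audit_user() {
    udevadm info --export-db | uaccess_devnodes | while read -r dev; do
        if perms=$(getfacl -p "$dev" 2>/dev/null | acl_user_perms "$1"); then
            echo "granted  $perms  $dev"
        else
            echo "MISSING       $dev"
        fi
    done
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_DB='P: /devices/constructed/input/event3
E: DEVNAME=/dev/input/event3
E: TAGS=:seat:uaccess:

P: /devices/constructed/block/sda
E: DEVNAME=/dev/sda
E: TAGS=:systemd:'
SAMPLE_ACL='# file: /dev/input/event3
user::rw-
user:alice:rw-
group::rw-
mask::rw-
other::---'

if [ $# -gt 0 ]; then audit_user "$1"; fi
```

Run it with a user name as the only argument after that user has logged in. Running it again after one of several sessions of the same user has logged out shows whether the grants were removed.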

#Known issues

#Concurrent logins

pam_uaccess does not track the number of active logins of a user, and so the grants made to a user will be removed when any session logs out, even if others remain.

If this is a problem for your setup (it may not be; e.g., a single greetd instance would not exhibit any issues with such a setup), the skip_ungrant argument can be specified to disable ungrant altogether:

session		optional	pam_uaccess.so	skip_ungrant

In this case, pam_uaccess will grant access to devices to a user on their first login, and this access will persist until reboot or until the device is removed.

#Hot-plug

pam_uaccess only operates on login, and does not grant access to new devices as they are added.

This should not be a problem in most cases.

#How to discuss

Go to #kennylevinsen @ irc.libera.chat to discuss, or use ~kennylevinsen/public-inbox@lists.sr.ht.