On Tue, Oct 1, 2019 at 11:19 AM Stijn De Weirdt <stijn.deweirdt@xxxxxxxx> wrote:
hello mantas, jeremy, all,
wrt the pam script magic, i'm not a big fan, esp because it is optional.
i'd rather have those users not login than that they don't have the
constraints. (but obviously, i really don't want to lock myself out, so
i totally see what you need the optional keyword)
It's as optional as you make it. If the script exits with non-0, pam_exec returns PAM_SYSTEM_ERR and you can treat this as a fatal error.
To avoid locking yourself out, either always make it exit 0 for root, or "session [success=1 default=ignore] pam_succeed_if.so user ingroup wheel", etc.
Mantas Mikulėnas
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
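
The two points in the reply above, as an added example that is not part of the original message: a hook script for pam_exec that always exits 0 for root and fails closed for everyone else, with the matching PAM lines in its header comment. The script path, `POLICY_DIR` and `apply_constraints` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Matching PAM lines (service file and
# script path are assumptions):
#
#   # wheel members skip the next line, so a broken hook cannot lock them out
#   session [success=1 default=ignore] pam_succeed_if.so user ingroup wheel
#   # "required" rather than "optional": a non-zero exit fails the session
#   session required pam_exec.so /usr/local/sbin/session-constraints.sh
#
# pam_exec passes PAM_USER and PAM_TYPE to the script in its environment.

# Hypothetical stand-in for the site-specific step that sets the constraints.
# Here it succeeds only if a per-user policy file exists (constructed check).
apply_constraints() {
    [ -r "${POLICY_DIR:-/etc/session-constraints.d}/$1" ]
}

# Returns the exit status the script should hand back to pam_exec.
session_hook() {
    hook_user=$1
    hook_type=$2
    # Nothing to enforce on close_session.
    [ "$hook_type" = "open_session" ] || return 0
    # Never lock root out, whatever state the hook is in.
    [ "$hook_user" = "root" ] && return 0
    # Fail closed on an empty or path-like user name.
    case $hook_user in
        ''|*/*) return 1 ;;
    esac
    # Fail closed: no constraints, no session.
    apply_constraints "$hook_user" || return 1
    return 0
}

# Run the hook only when pam_exec invoked us (PAM_TYPE is set).
if [ -n "${PAM_TYPE:-}" ]; then
    session_hook "${PAM_USER:-}" "$PAM_TYPE"
    exit $?
fi
```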