On Tue, Oct 1, 2019 at 11:19 AM Stijn De Weirdt <stijn.dewei...@ugent.be> wrote:
> hello mantas, jeremy, all, > > > wrt the pam script magic, i'm not a big fan, esp because it is optional. > i'd rather have those users not login than that they don't have the > constraints. (but obvioulsy, i really don't want to lock myself out, so > i totally see what you need the optional keyword) > It's as optional as you make it. If the script exits with non-0, pam_exec returns PAM_SYSTEM_ERR and you can treat this as a fatal error. To avoid locking yourself out, either always make it exit 0 for root, or "session [success=1 default=ignore] pam_succeed_if.so user ingroup wheel", etc. -- Mantas Mikulėnas
_______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel