authorlassulus <lassulus@lassul.us>2019-04-13 14:49:48 +0200
committerlassulus <lassulus@lassul.us>2019-04-13 14:49:48 +0200
commitec4b7f30f5f4dfbc5b2164fdb6f25ff32e841cde (patch)
tree622682154a8ef2c92cfe7b38e9efd123f06b85d7 /lass
parentd03c70bb86ef1fb3e88a2dc9143faf34240feec0 (diff)
l usershadow: add setuid wrapper for check_pw
Diffstat (limited to 'lass')
-rw-r--r--lass/3modules/usershadow.nix21
1 files changed, 14 insertions, 7 deletions
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index cb289096..383b9a53 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -31,13 +31,20 @@
session required pam_loginuid.so
'';
- security.pam.services.dovecot2.text = ''
- auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
- auth required pam_permit.so
- account required pam_permit.so
- session required pam_permit.so
- session required pam_env.so envfile=${config.system.build.pamEnvironment}
- '';
+ security.pam.services.dovecot2 = {
+ text = ''
+ auth required pam_exec.so debug expose_authtok log=/tmp/lol /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ session required pam_env.so envfile=${config.system.build.pamEnvironment}
+ '';
+ };
+
+ security.wrappers.shadow_verify_pam = {
+ source = "${usershadow}/bin/verify_pam";
+ owner = "root";
+ };
};
usershadow = let {
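Review bot: The new `pam_exec.so` line keeps `debug` and `log=/tmp/lol`, so every dovecot2 authentication appends the helper's output to a fixed, predictable name in a world-writable directory; if the writing process is privileged, a file or symlink pre-created at that path is followed, and anything the helper prints while it holds the password from `expose_authtok` lands there. I would drop both options before this ships, `auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}`, or point `log=` at a root-only directory. In the `security.wrappers.shadow_verify_pam` block only `source` and `owner` are set, so whether the wrapper is setuid and who may execute it is left to module defaults; stating `setuid = true;` explicitly and narrowing `group`/`permissions` to the account that runs the dovecot auth process would keep other local users from invoking a root-privileged password checker directly. The enclosing attribute set starts above the hunk, so this is judged from the visible lines only.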