diff --git a/etc/rc.conf b/etc/rc.conf
index ca0f92075..aca9ec3bf 100644
--- a/etc/rc.conf
+++ b/etc/rc.conf
@@ -15,6 +15,11 @@
 # set to YES.
 #rc_interactive="YES"
 
+# Set to "NO" if you don't want pam_openrc autostarting user services. This
+# effectively disables the pam module, without the need of removing it from
+# the pam configuration files.
+#rc_autostart_user="YES"
+
 # If we need to drop to a shell, you can specify it here.
 # If not specified we use $SHELL, otherwise the one specified in /etc/passwd,
 # otherwise /bin/sh
diff --git a/src/pam_openrc/pam_openrc.c b/src/pam_openrc/pam_openrc.c
index 5db0db3b3..81f29bcee 100644
--- a/src/pam_openrc/pam_openrc.c
+++ b/src/pam_openrc/pam_openrc.c
@@ -13,7 +13,7 @@
 #include "einfo.h"
 
 static int
-exec_openrc(pam_handle_t *pamh, bool opening)
+exec_openrc(pam_handle_t *pamh, bool opening, bool quiet)
 {
 char *svc_name, *pam_lock, *logins, *script = NULL;
 const char *username = NULL, *session = NULL;
@@ -23,8 +23,17 @@ exec_openrc(pam_handle_t *pamh, bool opening)
 struct passwd *user;
 pid_t pid = -1;
 
+ errno = 0;
+ if (!rc_yesno(rc_conf_value("rc_autostart_user")) && errno == 0)
+ return PAM_SUCCESS;
+
 setenv("EINFO_LOG", "pam_openrc", true);
 
+ if (quiet) {
+ setenv("EINFO_QUIET", "yes", true);
+ setenv("EERROR_QUIET", "yes", true);
+ }
+
 if (pam_get_item(pamh, PAM_SERVICE, (const void **)&session) != PAM_SUCCESS) {
 elog(LOG_ERR, "Failed to get PAM_SERVICE");
 return PAM_SESSION_ERR;
@@ -123,9 +132,8 @@ exec_openrc(pam_handle_t *pamh, bool opening)
 PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
 (void) argc;
 (void) argv;
- (void) flags;
 
- return exec_openrc(pamh, true);
+ return exec_openrc(pamh, true, flags & PAM_SILENT);
 }
 
 PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
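Review bot: The opt-out test added at the top of exec_openrc fails open without leaving a trace: the early `return PAM_SUCCESS` is taken only when `rc_yesno()` returns false and errno is still 0, so any error state falls through and user services are started as before. The `errno == 0` guard suggests rc_yesno reports unset and unrecognized values through errno (inferred, its body is not in this diff); defaulting to enabled for an unset key matches the commented-out `"YES"` in etc/rc.conf, but a mistyped value in a setting documented as disabling the module should be visible to the administrator. Consider `else if (errno == EINVAL) elog(LOG_WARNING, "rc_autostart_user: unrecognized value, autostart stays enabled");` after the check (assuming EINVAL is what rc_yesno uses for that case), plus a comment such as `/* unset or invalid value: keep the default (enabled) */`. exec_openrc starts and ends outside this hunk.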
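Review bot: Passing `flags & PAM_SILENT` into exec_openrc from pam_sm_open_session makes the quiet setting sticky, because the `if (quiet)` branch added in the previous hunk calls `setenv("EINFO_QUIET", ...)` and `setenv("EERROR_QUIET", ...)` in the process that loaded the module and no path visible in this diff unsets them when a later call arrives without PAM_SILENT. In a long-lived PAM application one silent session would then suppress error output for later sessions too, and the variables may be inherited by child processes if the setenv calls run before any fork (the rest of exec_openrc is outside the diff, so this is inferred). An `else` branch with `unsetenv("EINFO_QUIET"); unsetenv("EERROR_QUIET");`, or setting the variables only in the child, would keep the effect scoped to the call.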
@@ -133,5 +141,5 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, con
 (void) argv;
 (void) flags;
 
- return exec_openrc(pamh, false);
+ return exec_openrc(pamh, false, flags & PAM_SILENT);
 }
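Review bot: `(void) flags;` is left in pam_sm_close_session as a context line although `flags` is now read in the return statement just below it; the pam_sm_open_session hunk removed the same line, so the cast should be dropped here too to keep the two entry points consistent. Since the value is passed to a `bool` parameter, writing the test as `(flags & PAM_SILENT) != 0` in both calls would make the conversion explicit and independent of how `bool` is defined in this build. The start of the function lies outside the hunk.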