[gnome-ostree] 3.6: Rebase gdm patch set



commit 0b554ef80255cb7366f9541a3be6fd4c24f01893
Author: Colin Walters <walters verbum org>
Date:   Wed May 16 08:42:25 2012 -0400

    3.6: Rebase gdm patch set

 gnomeos-3.6.json                                   |   13 +-
 ...ault-pam-config-option-autodetect-from-e.patch} |  104 +++++++-----
 ...fingerprint-gdm-smartcard-into-pam-redhat.patch |  150 +++++++++++++++++
 ...it-authentication-build-setting-for-Red-H.patch |   59 +++++++
 ...m-password-from-simple-greeter-extensions.patch |   90 ++++++++++
 ...PAM-files-from-Fedora-git-into-pam-redhat.patch |  148 ++++++++++++++++
 ...06-Add-enable-internal-pam-console-option.patch |  176 ++++++++++++++++++++
 patches/gdm-debug-prints.patch                     |   58 -------
 patches/gdm-disable-documentation.patch            |   53 ------
 9 files changed, 692 insertions(+), 159 deletions(-)
---
diff --git a/gnomeos-3.6.json b/gnomeos-3.6.json
index d7862c7..144be50 100644
--- a/gnomeos-3.6.json
+++ b/gnomeos-3.6.json
@@ -685,11 +685,16 @@
 		{"src": "gnome:gdm",
 		 "config-opts": ["--disable-documentation",
 		                 "--disable-split-authentication",
-		                 "--with-default-pam-config=linux",
+                		 "--enable-internal-pam-console", 
+		                 "--with-default-pam-config=openembedded",
 		                 "--with-consolekit"],
-		 "patches": ["gdm-disable-documentation.patch",
-		 	     "gdm-debug-prints.patch",
-		             "gdm-pam-config.patch"]},
+		 "patches": ["gdm-0001-Add-with-default-pam-config-option-autodetect-from-e.patch",
+		 	     "gdm-0002-Move-gdm-fingerprint-gdm-smartcard-into-pam-redhat.patch",
+			     "gdm-0003-Respect-split-authentication-build-setting-for-Red-H.patch",
+			     "gdm-0004-Delete-gdm-password-from-simple-greeter-extensions.patch",
+			     "gdm-0005-Merge-in-PAM-files-from-Fedora-git-into-pam-redhat.patch",
+			     "gdm-0006-Add-enable-internal-pam-console-option.patch"
+		             ]},
 
 		{"src": "fd-telepathy:telepathy-logger",
 		 "branch": "telepathy-logger-0.2.12",
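Review bot: The new `--enable-internal-pam-console` option is combined with `--with-default-pam-config=openembedded`, but the pam-openembedded `gdm` and `gdm-autologin` files carried by gdm-0001 still list `session    optional    pam_console.so`. If the image does not ship pam_console, which the gdm-0006 description suggests is the motivation, each session open would likely log a module-load failure. Writing the entry as `-session    optional    pam_console.so`, or dropping it, would keep the session stack consistent with the build option. Separately, the added `--enable-internal-pam-console` line is indented with spaces and ends in trailing whitespace, unlike the tab-indented entries around it.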
diff --git a/patches/gdm-pam-config.patch b/patches/gdm-0001-Add-with-default-pam-config-option-autodetect-from-e.patch
similarity index 72%
rename from patches/gdm-pam-config.patch
rename to patches/gdm-0001-Add-with-default-pam-config-option-autodetect-from-e.patch
index 7ff24b7..368eac2 100644
--- a/patches/gdm-pam-config.patch
+++ b/patches/gdm-0001-Add-with-default-pam-config-option-autodetect-from-e.patch
@@ -1,73 +1,89 @@
-From 5239bd5782ba083f30d3667e038b7c44f2f579c9 Mon Sep 17 00:00:00 2001
+From 0ee291dd4fa73fbffb1f2ad571688440324564b3 Mon Sep 17 00:00:00 2001
 From: Colin Walters <walters verbum org>
 Date: Fri, 27 Apr 2012 18:34:39 -0400
-Subject: [PATCH 3/3] Add --with-default-pam-config option
+Subject: [PATCH 1/6] Add --with-default-pam-config option, autodetect from
+ /etc/foo-release files
 
 The PAM files that ship with GDM are really specific to Red Hat's
 historical fork of pam.  For example, the "system-auth" file still
-lives in the Fedora 17 "pam" git.
+lives in the Fedora 17 "pam" git.  A long while back, Debian hit the
+same problem, and of course the difference is the naming;
+common-auth/common-password etc.
 
-Add new PAM files (which may still not work for everybody, but hey,
-it's a starting point) that should be somewhat useful for people who
-build with "Linux PAM" upstream, which uses "common-*" prefixes.
+OpenEmbedded then picked up Debian's PAM fork.  Since for OSTree-GNOME
+we're using Poky/OpenEmbedded, let's add an option to integrate with
+their PAM.
 
-The default is still to use the Red Hat PAM files for backwards
-compatibility.
+We use code similar to what NetworkManager has, so we should keep
+using the Red Hat files on systems with /etc/redhat-release or
+/etc/fedora-release.
 
 https://bugzilla.gnome.org/show_bug.cgi?id=675085
 ---
- configure.ac                  |   17 +++++++++++++++++
- data/Makefile.am              |   33 +++++++++++++++++++++------------
- data/gdm                      |   12 ------------
- data/gdm-autologin            |   10 ----------
- data/gdm-welcome              |    9 ---------
- data/pam-linux/gdm            |   12 ++++++++++++
- data/pam-linux/gdm-autologin  |   10 ++++++++++
- data/pam-linux/gdm-welcome    |    9 +++++++++
- data/pam-redhat/gdm           |   12 ++++++++++++
- data/pam-redhat/gdm-autologin |   10 ++++++++++
- data/pam-redhat/gdm-welcome   |    9 +++++++++
- 11 files changed, 100 insertions(+), 43 deletions(-)
+ configure.ac                        |   22 ++++++++++++++++++++++
+ data/Makefile.am                    |   33 +++++++++++++++++++++------------
+ data/gdm                            |   12 ------------
+ data/gdm-autologin                  |   10 ----------
+ data/gdm-welcome                    |    9 ---------
+ data/pam-openembedded/gdm           |   12 ++++++++++++
+ data/pam-openembedded/gdm-autologin |   10 ++++++++++
+ data/pam-openembedded/gdm-welcome   |    9 +++++++++
+ data/pam-redhat/gdm                 |   12 ++++++++++++
+ data/pam-redhat/gdm-autologin       |   10 ++++++++++
+ data/pam-redhat/gdm-welcome         |    9 +++++++++
+ 11 files changed, 105 insertions(+), 43 deletions(-)
  delete mode 100644 data/gdm
  delete mode 100644 data/gdm-autologin
  delete mode 100644 data/gdm-welcome
- create mode 100644 data/pam-linux/gdm
- create mode 100644 data/pam-linux/gdm-autologin
- create mode 100644 data/pam-linux/gdm-welcome
+ create mode 100644 data/pam-openembedded/gdm
+ create mode 100644 data/pam-openembedded/gdm-autologin
+ create mode 100644 data/pam-openembedded/gdm-welcome
  create mode 100644 data/pam-redhat/gdm
  create mode 100644 data/pam-redhat/gdm-autologin
  create mode 100644 data/pam-redhat/gdm-welcome
 
 diff --git a/configure.ac b/configure.ac
-index 35e6e04..21e44e0 100644
+index 81ea23e..fdd4676 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -226,6 +226,23 @@ if test x$enable_split_authentication = xyes; then
+@@ -226,6 +226,27 @@ if test x$enable_split_authentication = xyes; then
    AC_DEFINE(ENABLE_SPLIT_AUTHENTICATION, 1, [Define if split authentication is enabled])
  fi
  
 +AC_ARG_WITH(default-pam-config,
-+	    AS_HELP_STRING([--with-default-pam-config: One of redhat, linux @<:@default=redhat@:>@]),
-+            with_default_pam_config=${withval}, with_default_pam_config=redhat)
++	    AS_HELP_STRING([--with-default-pam-config: One of redhat, openembedded, none @<:@default=auto@:>@]))
++dnl If not given, try autodetecting from release files (see NetworkManager source) 
++if test x$with_default_pam_config = x; then
++	AC_CHECK_FILE(/etc/redhat-release,with_default_pam_config="redhat")
++	AC_CHECK_FILE(/etc/fedora-release,with_default_pam_config="redhat")
++	dnl If not autodetected, default to none
++	if test x$with_default_pam_config = x; then
++	  with_default_pam_config=none
++	fi
++fi
 +case x$with_default_pam_config in
-+     xredhat|xlinux) ;;
++     xredhat|xopenembedded|xnone) ;;
 +     *)
 +       AC_MSG_ERROR([Invalid --with-default-pam-config ${with_default_pam_config}])
 +       exit 1
 +       ;;
 +esac
 +AM_CONDITIONAL(ENABLE_REDHAT_PAM_CONFIG, test x$with_default_pam_config = xredhat)
-+AM_CONDITIONAL(ENABLE_LINUX_PAM_CONFIG, test x$with_default_pam_config = xlinux)
-+
-+if test x$enable_split_authentication = xyes; then
-+  AC_DEFINE(ENABLE_SPLIT_AUTHENTICATION, 1, [Define if split authentication is enabled])
-+fi
++AM_CONDITIONAL(ENABLE_OPENEMBEDDED_PAM_CONFIG, test x$with_default_pam_config = xopenembedded)
 +
  AC_ARG_ENABLE(console-helper,
  	      AS_HELP_STRING([--enable-console-helper],
                               [Enable PAM console helper @<:@default=auto@:>@]),,
+@@ -1550,6 +1571,7 @@ echo "
+ 
+         dbus-1 system.d dir:      ${DBUS_SYS_DIR}
+         PAM prefix:               ${PAM_PREFIX}
++        PAM config:               ${with_default_pam_config}
+         X server:                 ${X_SERVER}
+ "
+ 
 diff --git a/data/Makefile.am b/data/Makefile.am
-index f0d00bf..e940d71 100644
+index f0d00bf..9c8379b 100644
 --- a/data/Makefile.am
 +++ b/data/Makefile.am
 @@ -1,5 +1,6 @@
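Review bot: The autodetection added to configure.ac relies on `AC_CHECK_FILE(/etc/redhat-release, ...)`, which looks at the build host and which Autoconf refuses to run when cross-compiling. A cross build that omits `--with-default-pam-config` would therefore stop in configure instead of falling through to `none`; wrapping the two checks in `if test x$cross_compiling != xyes; then ... fi` avoids that. When the result is `none`, the Makefile.am part appears to install no gdm PAM service files at all, so a comment next to `with_default_pam_config=none` stating that the integrator must then supply them would help. `AS_HELP_STRING` is given a single argument here, where the usual form is `AS_HELP_STRING([--with-default-pam-config=ARG], [One of redhat, openembedded, none])`. The `exit 1` after `AC_MSG_ERROR` is unreachable.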
@@ -84,14 +100,14 @@ index f0d00bf..e940d71 100644
 -EXTRA_DIST =			\
 +pam_redhat_files = pam-redhat/gdm pam-redhat/gdm-autologin pam-redhat/gdm-welcome
 +EXTRA_DIST += $(pam_redhat_files)
-+pam_linux_files = pam-linux/gdm pam-linux/gdm-autologin pam-linux/gdm-welcome
-+EXTRA_DIST += $(pam_linux_files)
++pam_openembedded_files = pam-openembedded/gdm pam-openembedded/gdm-autologin pam-openembedded/gdm-welcome
++EXTRA_DIST += $(pam_openembedded_files)
 +
 +if ENABLE_REDHAT_PAM_CONFIG
 +pam_files = $(pam_redhat_files)
 +endif
-+if ENABLE_LINUX_PAM_CONFIG
-+pam_files = $(pam_linux_files)
++if ENABLE_OPENEMBEDDED_PAM_CONFIG
++pam_files = $(pam_openembedded_files)
 +endif
 +
 +EXTRA_DIST +=			\
@@ -179,11 +195,11 @@ index b301f4f..0000000
 -session    required    pam_loginuid.so
 -session    optional    pam_keyinit.so force revoke
 -session    include     system-auth
-diff --git a/data/pam-linux/gdm b/data/pam-linux/gdm
+diff --git a/data/pam-openembedded/gdm b/data/pam-openembedded/gdm
 new file mode 100644
 index 0000000..de223de
 --- /dev/null
-+++ b/data/pam-linux/gdm
++++ b/data/pam-openembedded/gdm
 @@ -0,0 +1,12 @@
 +#%PAM-1.0
 +auth       required    pam_env.so
@@ -197,11 +213,11 @@ index 0000000..de223de
 +session    include     common-session
 +session    required    pam_loginuid.so
 +session    optional    pam_console.so
-diff --git a/data/pam-linux/gdm-autologin b/data/pam-linux/gdm-autologin
+diff --git a/data/pam-openembedded/gdm-autologin b/data/pam-openembedded/gdm-autologin
 new file mode 100644
 index 0000000..32d5248
 --- /dev/null
-+++ b/data/pam-linux/gdm-autologin
++++ b/data/pam-openembedded/gdm-autologin
 @@ -0,0 +1,10 @@
 +#%PAM-1.0
 +auth       required    pam_env.so
@@ -213,11 +229,11 @@ index 0000000..32d5248
 +session    include     common-session
 +session    required    pam_loginuid.so
 +session    optional    pam_console.so
-diff --git a/data/pam-linux/gdm-welcome b/data/pam-linux/gdm-welcome
+diff --git a/data/pam-openembedded/gdm-welcome b/data/pam-openembedded/gdm-welcome
 new file mode 100644
 index 0000000..602217b
 --- /dev/null
-+++ b/data/pam-linux/gdm-welcome
++++ b/data/pam-openembedded/gdm-welcome
 @@ -0,0 +1,9 @@
 +#%PAM-1.0
 +auth       required    pam_env.so
diff --git a/patches/gdm-0002-Move-gdm-fingerprint-gdm-smartcard-into-pam-redhat.patch b/patches/gdm-0002-Move-gdm-fingerprint-gdm-smartcard-into-pam-redhat.patch
new file mode 100644
index 0000000..bfccf04
--- /dev/null
+++ b/patches/gdm-0002-Move-gdm-fingerprint-gdm-smartcard-into-pam-redhat.patch
@@ -0,0 +1,150 @@
+From d2469e4693b8b280bbf763b6822f34d73686cfe8 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters verbum org>
+Date: Tue, 1 May 2012 14:10:38 -0400
+Subject: [PATCH 2/6] Move gdm-fingerprint/gdm-smartcard into pam-redhat
+
+These are also Red Hat specific PAM files, so unify them with
+the rest.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=675085
+---
+ data/Makefile.am                |   14 ++------------
+ data/gdm-fingerprint.pam        |   17 -----------------
+ data/gdm-smartcard.pam          |   18 ------------------
+ data/pam-redhat/gdm-fingerprint |   17 +++++++++++++++++
+ data/pam-redhat/gdm-smartcard   |   18 ++++++++++++++++++
+ 5 files changed, 37 insertions(+), 47 deletions(-)
+ delete mode 100644 data/gdm-fingerprint.pam
+ delete mode 100644 data/gdm-smartcard.pam
+ create mode 100644 data/pam-redhat/gdm-fingerprint
+ create mode 100644 data/pam-redhat/gdm-smartcard
+
+diff --git a/data/Makefile.am b/data/Makefile.am
+index 9c8379b..e449ad5 100644
+--- a/data/Makefile.am
++++ b/data/Makefile.am
+@@ -89,16 +89,8 @@ localealias_DATA = locale.alias
+ sessiondir = $(datadir)/gnome-session/sessions
+ session_DATA = gdm-fallback.session gdm-shell.session
+ 
+-gdm-fingerprint: gdm-fingerprint.pam
+-	cp $(srcdir)/gdm-fingerprint.pam $(builddir)/gdm-fingerprint
+-
+-gdm-smartcard: gdm-smartcard.pam
+-	cp $(srcdir)/gdm-smartcard.pam $(builddir)/gdm-smartcard
+-
+-pamdir = $(PAM_PREFIX)/pam.d
+-pam_DATA = gdm-fingerprint gdm-smartcard
+-
+-pam_redhat_files = pam-redhat/gdm pam-redhat/gdm-autologin pam-redhat/gdm-welcome
++pam_redhat_files = pam-redhat/gdm pam-redhat/gdm-autologin pam-redhat/gdm-welcome \
++	           pam-redhat/gdm-fingerprint pam-redhat/gdm-smartcard
+ EXTRA_DIST += $(pam_redhat_files)
+ pam_openembedded_files = pam-openembedded/gdm pam-openembedded/gdm-autologin pam-openembedded/gdm-welcome
+ EXTRA_DIST += $(pam_openembedded_files)
+@@ -118,8 +110,6 @@ EXTRA_DIST +=			\
+ 	gdm.schemas.in.in	\
+ 	gdm.conf-custom.in 	\
+ 	Xsession.in 		\
+-	gdm-fingerprint.pam	\
+-	gdm-smartcard.pam	\
+ 	gdm-fallback.session	\
+ 	Init.in 		\
+ 	PreSession.in 		\
+diff --git a/data/gdm-fingerprint.pam b/data/gdm-fingerprint.pam
+deleted file mode 100644
+index 1a1c777..0000000
+--- a/data/gdm-fingerprint.pam
++++ /dev/null
+@@ -1,17 +0,0 @@
+-# Sample PAM file for doing fingerprint authentication.
+-# Distros should replace this with what makes sense for them.
+-auth        required      pam_env.so
+-auth        required      pam_fprintd.so
+-auth        sufficient    pam_succeed_if.so uid >= 500 quiet
+-auth        required      pam_deny.so
+-
+-account     required      pam_unix.so
+-account     sufficient    pam_localuser.so
+-account     sufficient    pam_succeed_if.so uid < 500 quiet
+-account     required      pam_permit.so
+-
+-password    required      pam_deny.so
+-
+-session     optional      pam_keyinit.so revoke
+-session     required      pam_limits.so
+-session     required      pam_unix.so
+diff --git a/data/gdm-smartcard.pam b/data/gdm-smartcard.pam
+deleted file mode 100644
+index d5ac1fa..0000000
+--- a/data/gdm-smartcard.pam
++++ /dev/null
+@@ -1,18 +0,0 @@
+-# Sample PAM file for doing smartcard authentication.
+-# Distros should replace this with what makes sense for them.
+-auth        required      pam_env.so
+-auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
+-auth        requisite     pam_succeed_if.so uid >= 500 quiet
+-auth        required      pam_deny.so
+-
+-account     required      pam_unix.so
+-account     sufficient    pam_localuser.so
+-account     sufficient    pam_succeed_if.so uid < 500 quiet
+-account     required      pam_permit.so
+-
+-password    optional      pam_pkcs11.so
+-password    requisite     pam_cracklib.so try_first_pass retry=3 type=
+-
+-session     optional      pam_keyinit.so revoke
+-session     required      pam_limits.so
+-session     required      pam_unix.so
+diff --git a/data/pam-redhat/gdm-fingerprint b/data/pam-redhat/gdm-fingerprint
+new file mode 100644
+index 0000000..1a1c777
+--- /dev/null
++++ b/data/pam-redhat/gdm-fingerprint
+@@ -0,0 +1,17 @@
++# Sample PAM file for doing fingerprint authentication.
++# Distros should replace this with what makes sense for them.
++auth        required      pam_env.so
++auth        required      pam_fprintd.so
++auth        sufficient    pam_succeed_if.so uid >= 500 quiet
++auth        required      pam_deny.so
++
++account     required      pam_unix.so
++account     sufficient    pam_localuser.so
++account     sufficient    pam_succeed_if.so uid < 500 quiet
++account     required      pam_permit.so
++
++password    required      pam_deny.so
++
++session     optional      pam_keyinit.so revoke
++session     required      pam_limits.so
++session     required      pam_unix.so
+diff --git a/data/pam-redhat/gdm-smartcard b/data/pam-redhat/gdm-smartcard
+new file mode 100644
+index 0000000..d5ac1fa
+--- /dev/null
++++ b/data/pam-redhat/gdm-smartcard
+@@ -0,0 +1,18 @@
++# Sample PAM file for doing smartcard authentication.
++# Distros should replace this with what makes sense for them.
++auth        required      pam_env.so
++auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
++auth        requisite     pam_succeed_if.so uid >= 500 quiet
++auth        required      pam_deny.so
++
++account     required      pam_unix.so
++account     sufficient    pam_localuser.so
++account     sufficient    pam_succeed_if.so uid < 500 quiet
++account     required      pam_permit.so
++
++password    optional      pam_pkcs11.so
++password    requisite     pam_cracklib.so try_first_pass retry=3 type=
++
++session     optional      pam_keyinit.so revoke
++session     required      pam_limits.so
++session     required      pam_unix.so
+-- 
+1.7.7.6
+
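Review bot: Removing `pamdir`/`pam_DATA` in the data/Makefile.am part means gdm-fingerprint and gdm-smartcard are no longer installed by automake's data rules but only through `pam_redhat_files`, i.e. only when the Red Hat config is selected. Judging from the install-data-hook loop visible in gdm-0003 (`if test '!' -f $(DESTDIR)$(PAM_PREFIX)/pam.d/$$bn`), that path skips files that already exist, so an existing fingerprint or smartcard service file would now survive a reinstall unchanged. That matters once a later patch tightens these stacks; a comment above `pam_redhat_files` such as `# installed by install-data-hook; existing files in pam.d are never overwritten` would make it visible. The moved files also keep their "Sample PAM file" header although they now live in the distro-specific directory.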
diff --git a/patches/gdm-0003-Respect-split-authentication-build-setting-for-Red-H.patch b/patches/gdm-0003-Respect-split-authentication-build-setting-for-Red-H.patch
new file mode 100644
index 0000000..0c35a4e
--- /dev/null
+++ b/patches/gdm-0003-Respect-split-authentication-build-setting-for-Red-H.patch
@@ -0,0 +1,59 @@
+From d4a447a583c363fcec21675d4a334130df4b2192 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters verbum org>
+Date: Tue, 1 May 2012 14:24:17 -0400
+Subject: [PATCH 3/6] Respect split-authentication build setting for Red Hat
+ PAM files
+
+If split authentication is disabled, install "pam.d/gdm", otherwise
+install the smartcard and fingerprint ones.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=675085
+---
+ data/Makefile.am |   20 ++++++++++++--------
+ 1 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/data/Makefile.am b/data/Makefile.am
+index e449ad5..5f3f024 100644
+--- a/data/Makefile.am
++++ b/data/Makefile.am
+@@ -89,17 +89,21 @@ localealias_DATA = locale.alias
+ sessiondir = $(datadir)/gnome-session/sessions
+ session_DATA = gdm-fallback.session gdm-shell.session
+ 
+-pam_redhat_files = pam-redhat/gdm pam-redhat/gdm-autologin pam-redhat/gdm-welcome \
+-	           pam-redhat/gdm-fingerprint pam-redhat/gdm-smartcard
+-EXTRA_DIST += $(pam_redhat_files)
+-pam_openembedded_files = pam-openembedded/gdm pam-openembedded/gdm-autologin pam-openembedded/gdm-welcome
+-EXTRA_DIST += $(pam_openembedded_files)
++EXTRA_DIST += pam-redhat/gdm pam-redhat/gdm-autologin pam-redhat/gdm-welcome \
++	      pam-redhat/gdm-fingerprint pam-redhat/gdm-smartcard \
++	      pam-openembedded/gdm pam-openembedded/gdm-autologin pam-openembedded/gdm-welcome
+ 
++enabled_pam_files =
+ if ENABLE_REDHAT_PAM_CONFIG
+-pam_files = $(pam_redhat_files)
++enabled_pam_files += pam-redhat/gdm-autologin pam-redhat/gdm-welcome
++if ENABLE_SPLIT_AUTHENTICATION
++enabled_pam_files += pam-redhat/gdm-fingerprint pam-redhat/gdm-smartcard
++else
++enabled_pam_files += pam-redhat/gdm
++endif
+ endif
+ if ENABLE_OPENEMBEDDED_PAM_CONFIG
+-pam_files = $(pam_openembedded_files)
++enabled_pam_files += pam-openembedded/gdm pam-openembedded/gdm-autologin pam-openembedded/gdm-welcome
+ endif
+ 
+ EXTRA_DIST +=			\
+@@ -234,7 +238,7 @@ install-data-hook: gdm.conf-custom Xsession Init PostSession PreSession 00-upstr
+ 		chmod 755 $(DESTDIR)$(PAM_PREFIX)/pam.d; \
+ 	   fi; \
+ 	   if test $$system = Linux; then \
+-	     for file in $(pam_files); do \
++	     for file in $(enabled_pam_files); do \
+                bn=$$(basename $$file); \
+ 	       if test '!' -f $(DESTDIR)$(PAM_PREFIX)/pam.d/$$bn; then \
+ 		 $(INSTALL_DATA) $(srcdir)/$$file $(DESTDIR)$(PAM_PREFIX)/pam.d/$$bn; \
+-- 
+1.7.7.6
+
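Review bot: In the `ENABLE_OPENEMBEDDED_PAM_CONFIG` branch the list is always `pam-openembedded/gdm`, `gdm-autologin` and `gdm-welcome`, so unlike the Red Hat branch it ignores `ENABLE_SPLIT_AUTHENTICATION`. A build that selects the openembedded config and leaves split authentication enabled would presumably install no per-method service files. Either add a comment such as `# openembedded files assume --disable-split-authentication`, or reject the combination in configure.ac. The Automake conditional `ENABLE_SPLIT_AUTHENTICATION` also has to be declared with `AM_CONDITIONAL`; the configure.ac context visible in gdm-0001 shows only the `AC_DEFINE`, so that is worth confirming.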
diff --git a/patches/gdm-0004-Delete-gdm-password-from-simple-greeter-extensions.patch b/patches/gdm-0004-Delete-gdm-password-from-simple-greeter-extensions.patch
new file mode 100644
index 0000000..720716f
--- /dev/null
+++ b/patches/gdm-0004-Delete-gdm-password-from-simple-greeter-extensions.patch
@@ -0,0 +1,90 @@
+From a28f3475ff4bf5e20a4386d505a222b58035cb74 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters verbum org>
+Date: Tue, 1 May 2012 15:33:39 -0400
+Subject: [PATCH 4/6] Delete gdm-password from simple-greeter/extensions
+
+It's going to be obsoleted by the next patch.  See commit
+0e0aca600da17cb952525617f79ee3cadc028a8a which should have moved it.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=675085
+---
+ gui/simple-greeter/extensions/password/Makefile.am |    9 +--------
+ .../extensions/password/gdm-password               |   19 -------------------
+ .../extensions/password/gdm-password.pam           |   19 -------------------
+ 3 files changed, 1 insertions(+), 46 deletions(-)
+ delete mode 100644 gui/simple-greeter/extensions/password/gdm-password
+ delete mode 100644 gui/simple-greeter/extensions/password/gdm-password.pam
+
+diff --git a/gui/simple-greeter/extensions/password/Makefile.am b/gui/simple-greeter/extensions/password/Makefile.am
+index e15fc82..84d4729 100644
+--- a/gui/simple-greeter/extensions/password/Makefile.am
++++ b/gui/simple-greeter/extensions/password/Makefile.am
+@@ -36,14 +36,7 @@ libpassword_la_SOURCES =				\
+ 			gdm-password-extension.h	\
+ 			gdm-password-extension.c
+ 
+-$(PAM_SERVICE_NAME): $(PAM_SERVICE_NAME).pam
+-	cp $(srcdir)/$(PAM_SERVICE_NAME).pam $(builddir)/$(PAM_SERVICE_NAME)
+-
+-pamdir = $(PAM_PREFIX)/pam.d
+-pam_DATA = $(PAM_SERVICE_NAME)
+-
+-EXTRA_DIST = $(extension_DATA) $(PAM_SERVICE_NAME).pam
+-CLEANFILES = $(PAM_SERVICE_NAME)
++EXTRA_DIST = $(extension_DATA)
+ 
+ MAINTAINERCLEANFILES =                  \
+         *~                              \
+diff --git a/gui/simple-greeter/extensions/password/gdm-password b/gui/simple-greeter/extensions/password/gdm-password
+deleted file mode 100644
+index bac431d..0000000
+--- a/gui/simple-greeter/extensions/password/gdm-password
++++ /dev/null
+@@ -1,19 +0,0 @@
+-# Sample PAM file for doing password authentication.
+-# Distros should replace this with what makes sense for them.
+-auth        required      pam_env.so
+-auth        sufficient    pam_unix.so nullok try_first_pass
+-auth        requisite     pam_succeed_if.so uid >= 500 quiet
+-auth        required      pam_deny.so
+-
+-account     required      pam_unix.so
+-account     sufficient    pam_localuser.so
+-account     sufficient    pam_succeed_if.so uid < 500 quiet
+-account     required      pam_permit.so
+-
+-password    requisite     pam_cracklib.so try_first_pass retry=3 type=
+-password    sufficient    pam_unix.so nullok try_first_pass use_authtok
+-password    required      pam_deny.so
+-
+-session     optional      pam_keyinit.so revoke
+-session     required      pam_limits.so
+-session     required      pam_unix.so
+diff --git a/gui/simple-greeter/extensions/password/gdm-password.pam b/gui/simple-greeter/extensions/password/gdm-password.pam
+deleted file mode 100644
+index bac431d..0000000
+--- a/gui/simple-greeter/extensions/password/gdm-password.pam
++++ /dev/null
+@@ -1,19 +0,0 @@
+-# Sample PAM file for doing password authentication.
+-# Distros should replace this with what makes sense for them.
+-auth        required      pam_env.so
+-auth        sufficient    pam_unix.so nullok try_first_pass
+-auth        requisite     pam_succeed_if.so uid >= 500 quiet
+-auth        required      pam_deny.so
+-
+-account     required      pam_unix.so
+-account     sufficient    pam_localuser.so
+-account     sufficient    pam_succeed_if.so uid < 500 quiet
+-account     required      pam_permit.so
+-
+-password    requisite     pam_cracklib.so try_first_pass retry=3 type=
+-password    sufficient    pam_unix.so nullok try_first_pass use_authtok
+-password    required      pam_deny.so
+-
+-session     optional      pam_keyinit.so revoke
+-session     required      pam_limits.so
+-session     required      pam_unix.so
+-- 
+1.7.7.6
+
diff --git a/patches/gdm-0005-Merge-in-PAM-files-from-Fedora-git-into-pam-redhat.patch b/patches/gdm-0005-Merge-in-PAM-files-from-Fedora-git-into-pam-redhat.patch
new file mode 100644
index 0000000..b850f06
--- /dev/null
+++ b/patches/gdm-0005-Merge-in-PAM-files-from-Fedora-git-into-pam-redhat.patch
@@ -0,0 +1,148 @@
+From cfd3d53d5502f1e92862728a7c49b8e869e4262f Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters verbum org>
+Date: Tue, 1 May 2012 14:29:42 -0400
+Subject: [PATCH 5/6] Merge in PAM files from Fedora git into pam-redhat
+
+No sense having broken copies in here; since we now have machinery to
+maintain OS-specific PAM files in gdm git, let's drain the Fedora
+version here.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=675085
+---
+ data/Makefile.am              |    4 ++--
+ data/pam-redhat/gdm-autologin |   12 +++++++++---
+ data/pam-redhat/gdm-password  |   21 +++++++++++++++++++++
+ data/pam-redhat/gdm-smartcard |   30 +++++++++++++++---------------
+ data/pam-redhat/gdm-welcome   |    2 ++
+ 5 files changed, 49 insertions(+), 20 deletions(-)
+ create mode 100644 data/pam-redhat/gdm-password
+
+diff --git a/data/Makefile.am b/data/Makefile.am
+index 5f3f024..3e65dd3 100644
+--- a/data/Makefile.am
++++ b/data/Makefile.am
+@@ -90,14 +90,14 @@ sessiondir = $(datadir)/gnome-session/sessions
+ session_DATA = gdm-fallback.session gdm-shell.session
+ 
+ EXTRA_DIST += pam-redhat/gdm pam-redhat/gdm-autologin pam-redhat/gdm-welcome \
+-	      pam-redhat/gdm-fingerprint pam-redhat/gdm-smartcard \
++	      pam-redhat/gdm-fingerprint pam-redhat/gdm-smartcard pam-redhat/gdm-password \
+ 	      pam-openembedded/gdm pam-openembedded/gdm-autologin pam-openembedded/gdm-welcome
+ 
+ enabled_pam_files =
+ if ENABLE_REDHAT_PAM_CONFIG
+ enabled_pam_files += pam-redhat/gdm-autologin pam-redhat/gdm-welcome
+ if ENABLE_SPLIT_AUTHENTICATION
+-enabled_pam_files += pam-redhat/gdm-fingerprint pam-redhat/gdm-smartcard
++enabled_pam_files += pam-redhat/gdm-password pam-redhat/gdm-fingerprint pam-redhat/gdm-smartcard
+ else
+ enabled_pam_files += pam-redhat/gdm
+ endif
+diff --git a/data/pam-redhat/gdm-autologin b/data/pam-redhat/gdm-autologin
+index c4e598a..0616e66 100644
+--- a/data/pam-redhat/gdm-autologin
++++ b/data/pam-redhat/gdm-autologin
+@@ -1,10 +1,16 @@
+-#%PAM-1.0
++ #%PAM-1.0
+ auth       required    pam_env.so
+ auth       required    pam_permit.so
++auth       include     postlogin
+ account    required    pam_nologin.so
+ account    include     system-auth
+ password   include     system-auth
+-session    optional    pam_keyinit.so force revoke
+-session    include     system-auth
++session    required    pam_selinux.so close
+ session    required    pam_loginuid.so
+ session    optional    pam_console.so
++-session    optional    pam_ck_connector.so
++session    required    pam_selinux.so open
++session    optional    pam_keyinit.so force revoke
++session    required    pam_namespace.so
++session    include     system-auth
++session    include     postlogin
+diff --git a/data/pam-redhat/gdm-password b/data/pam-redhat/gdm-password
+new file mode 100644
+index 0000000..650534c
+--- /dev/null
++++ b/data/pam-redhat/gdm-password
+@@ -0,0 +1,21 @@
++auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
++auth        substack      password-auth
++auth        required      pam_succeed_if.so user != root quiet
++auth        optional      pam_gnome_keyring.so
++auth        include       postlogin
++
++account     required      pam_nologin.so
++account     include       password-auth
++
++password    include       password-auth
++
++session     required      pam_selinux.so close
++session     required      pam_loginuid.so
++session     optional      pam_console.so
++-session    optional    pam_ck_connector.so
++session     required      pam_selinux.so open
++session     optional      pam_keyinit.so force revoke
++session     required      pam_namespace.so
++session     include       password-auth
++session     optional      pam_gnome_keyring.so auto_start
++session     include       postlogin
+diff --git a/data/pam-redhat/gdm-smartcard b/data/pam-redhat/gdm-smartcard
+index d5ac1fa..1c8c7b1 100644
+--- a/data/pam-redhat/gdm-smartcard
++++ b/data/pam-redhat/gdm-smartcard
+@@ -1,18 +1,18 @@
+-# Sample PAM file for doing smartcard authentication.
+-# Distros should replace this with what makes sense for them.
+-auth        required      pam_env.so
+-auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
+-auth        requisite     pam_succeed_if.so uid >= 500 quiet
+-auth        required      pam_deny.so
++auth        substack      smartcard-auth
++auth        required      pam_succeed_if.so user != root quiet
++auth        include       postlogin
+ 
+-account     required      pam_unix.so
+-account     sufficient    pam_localuser.so
+-account     sufficient    pam_succeed_if.so uid < 500 quiet
+-account     required      pam_permit.so
++account     required      pam_nologin.so
++account     include       smartcard-auth
+ 
+-password    optional      pam_pkcs11.so
+-password    requisite     pam_cracklib.so try_first_pass retry=3 type=
++password    include       smartcard-auth
+ 
+-session     optional      pam_keyinit.so revoke
+-session     required      pam_limits.so
+-session     required      pam_unix.so
++session     required      pam_selinux.so close
++session     required      pam_loginuid.so
++session     optional      pam_console.so
++-session    optional    pam_ck_connector.so
++session     required      pam_selinux.so open
++session     optional      pam_keyinit.so force revoke
++session     required      pam_namespace.so
++session     include       smartcard-auth
++session     include       postlogin
+diff --git a/data/pam-redhat/gdm-welcome b/data/pam-redhat/gdm-welcome
+index b301f4f..17f323e 100644
+--- a/data/pam-redhat/gdm-welcome
++++ b/data/pam-redhat/gdm-welcome
+@@ -1,9 +1,11 @@
+ #%PAM-1.0
+ auth       required    pam_env.so
+ auth       required    pam_permit.so
++auth       include     postlogin
+ account    required    pam_nologin.so
+ account    include     system-auth
+ password   include     system-auth
+ session    required    pam_loginuid.so
+ session    optional    pam_keyinit.so force revoke
+ session    include     system-auth
++session    include     postlogin
+-- 
+1.7.7.6
+
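Review bot: gdm-fingerprint is not touched by this patch, so after the merge it is the only split-authentication file in pam-redhat still carrying the sample stack (`auth sufficient pam_succeed_if.so uid >= 500 quiet`, `account required pam_permit.so`), while gdm-password and gdm-smartcard gain `pam_nologin.so` and `pam_succeed_if.so user != root quiet`. If Fedora ships a matching fingerprint file it should be merged here as well; otherwise the file needs a comment saying why it differs. In gdm-autologin the first line becomes ` #%PAM-1.0` with a leading space, which looks accidental. The `-session    optional    pam_ck_connector.so` lines use PAM's leading `-` (no log entry if the module is missing) and are easy to misread as removals in this diff, so a short comment above them in the PAM files would help.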
diff --git a/patches/gdm-0006-Add-enable-internal-pam-console-option.patch b/patches/gdm-0006-Add-enable-internal-pam-console-option.patch
new file mode 100644
index 0000000..3c50cde
--- /dev/null
+++ b/patches/gdm-0006-Add-enable-internal-pam-console-option.patch
@@ -0,0 +1,176 @@
+From d6b62284bd35087f4b514cf48ce3682d8e825f04 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters verbum org>
+Date: Tue, 15 May 2012 23:04:16 -0400
+Subject: [PATCH 6/6] Add --enable-internal-pam-console option
+
+For OS builders who don't want to ship the full pam_console[1], this
+simple option allows GDM to create the file /var/run/console/foo,
+which is enough for DBus, which in turn is enough for NetworkManager.
+
+Note there was a --enable-console-helper configure option which
+was unused, so I deleted it.
+
+This patch mirrors the Solaris devlogin handling.
+
+[1] Because it's messy, complex code, mostly to implement the "chown
+    device files" part which is completely obsoleted by udev.  The
+    "make /var/run/console/foo" file isn't though; that's what this
+    patch does.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=676138
+---
+ configure.ac              |   11 +++++---
+ daemon/gdm-simple-slave.c |   55 +++++++++++++++++++++++++++++++++++++++-----
+ 2 files changed, 55 insertions(+), 11 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index fdd4676..8222244 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -247,10 +247,13 @@ esac
+ AM_CONDITIONAL(ENABLE_REDHAT_PAM_CONFIG, test x$with_default_pam_config = xredhat)
+ AM_CONDITIONAL(ENABLE_OPENEMBEDDED_PAM_CONFIG, test x$with_default_pam_config = xopenembedded)
+ 
+-AC_ARG_ENABLE(console-helper,
+-	      AS_HELP_STRING([--enable-console-helper],
+-                             [Enable PAM console helper @<:@default=auto@:>@]),,
+-              enable_console_helper=auto)
++AC_ARG_ENABLE(internal-pam-console,
++	      AS_HELP_STRING([--enable-internal-pam-console],
++                             [Directly write /var/run/console directly @<:@default=no@:>@]),,
++              enable_internal_pam_console=no)
++if test x$enable_internal_pam_console != xno; then
++        AC_DEFINE(ENABLE_INTERNAL_PAM_CONSOLE, 1, [Define if we should write /var/run/console directly])
++fi
+ 
+ AC_ARG_ENABLE(authentication-scheme,
+               AS_HELP_STRING([--enable-authentication-scheme=@<:@pam/crypt/shadow@:>@],
+diff --git a/daemon/gdm-simple-slave.c b/daemon/gdm-simple-slave.c
+index bf48246..dff7bf5 100644
+--- a/daemon/gdm-simple-slave.c
++++ b/daemon/gdm-simple-slave.c
+@@ -90,8 +90,10 @@ struct GdmSimpleSlavePrivate
+ 
+         guint              start_session_when_ready : 1;
+         guint              waiting_to_start_session : 1;
+-#ifdef  HAVE_LOGINDEVPERM
++#if defined(HAVE_LOGINDEVPERM)
+         gboolean           use_logindevperm;
++#elif defined(ENABLE_INTERNAL_PAM_CONSOLE)
++        gboolean           use_internal_pam_console;
+ #endif
+ #ifdef  WITH_PLYMOUTH
+         guint              plymouth_is_running : 1;
+@@ -140,7 +142,6 @@ on_session_started (GdmSession       *session,
+          */
+ }
+ 
+-#ifdef  HAVE_LOGINDEVPERM
+ static void
+ gdm_simple_slave_grant_console_permissions (GdmSimpleSlave *slave)
+ {
+@@ -151,6 +152,7 @@ gdm_simple_slave_grant_console_permissions (GdmSimpleSlave *slave)
+         username = gdm_session_direct_get_username (slave->priv->session);
+         display_device = gdm_session_direct_get_display_device (slave->priv->session);
+ 
++#if defined(HAVE_LOGINDEVPERM)
+         if (username != NULL) {
+                 gdm_get_pwent_for_name (username, &passwd_entry);
+ 
+@@ -175,6 +177,34 @@ gdm_simple_slave_grant_console_permissions (GdmSimpleSlave *slave)
+                 g_debug ("Not calling di_devperm_login login for user %s, device %s",
+                          username, display_device);
+         }
++#elif defined(ENABLE_INTERNAL_PAM_CONSOLE)
++        if (username != NULL && display_device != NULL) {
++                int fd;
++                char *consoledir_path;
++                char *path;
++
++                gdm_get_pwent_for_name (username, &passwd_entry);
++
++                slave->priv->use_internal_pam_console = TRUE;
++
++                consoledir_path = g_strdup_printf ("/var/run/console");
++
++                (void) mkdir (consoledir_path, 0755);
++                
++                path = g_build_filename (consoledir_path, username, NULL);
++                fd = open (path, O_CREAT | O_NOFOLLOW, 0644);
++                if (fd < 0) {
++                        g_warning ("Failed to create %s: %s", path, strerror (errno));
++                } else {
++                        (void)fchown (fd, passwd_entry->pw_uid, passwd_entry->pw_gid);
++                        close (fd);
++                }
++                g_free (path);
++        }
++#else
++#endif
++        g_free (username);
++        g_free (display_device);
+ }
+ 
+ static void
+@@ -182,10 +212,12 @@ gdm_simple_slave_revoke_console_permissions (GdmSimpleSlave *slave)
+ {
+         char *username;
+         char *display_device;
++        struct passwd *passwd_entry;
+ 
+         username = gdm_session_direct_get_username (slave->priv->session);
+         display_device = gdm_session_direct_get_display_device (slave->priv->session);
+ 
++#if defined(HAVE_LOGINDEVPERM)
+         /*
+          * Only do logindevperm processing if /dev/console or a device
+          * associated with a VT.  Do this after processing the PostSession
+@@ -204,11 +236,24 @@ gdm_simple_slave_revoke_console_permissions (GdmSimpleSlave *slave)
+                 g_debug ("Not calling di_devperm_logout logout for user %s, device %s",
+                          username, display_device);
+         }
++#elif defined(ENABLE_INTERNAL_PAM_CONSOLE)
++        if (slave->priv->use_internal_pam_console) {
++                char *path;
++                
++                gdm_get_pwent_for_name (username, &passwd_entry);
++
++                slave->priv->use_internal_pam_console = FALSE;
++                
++                path = g_strdup_printf ("/var/run/console/%s", username);
++                if (unlink (path) < 0)
++                        g_warning ("Failed to unlink %s: %s", path, strerror (errno));
++                g_free (path);
++        }
+ 
++#endif
+         g_free (username);
+         g_free (display_device);
+ }
+-#endif  /* HAVE_LOGINDEVPERM */
+ 
+ static void
+ on_session_exited (GdmSession     *session,
+@@ -567,9 +612,7 @@ on_session_opened (GdmSession     *session,
+                    const char     *service_name,
+                    GdmSimpleSlave *slave)
+ {
+-#ifdef  HAVE_LOGINDEVPERM
+         gdm_simple_slave_grant_console_permissions (slave);
+-#endif  /* HAVE_LOGINDEVPERM */
+ 
+         if (slave->priv->greeter_server != NULL) {
+                 gdm_greeter_server_session_opened (slave->priv->greeter_server, service_name);
+@@ -1647,9 +1690,7 @@ gdm_simple_slave_stop (GdmSlave *slave)
+                 }
+                 g_free (username);
+ 
+-#ifdef  HAVE_LOGINDEVPERM
+                 gdm_simple_slave_revoke_console_permissions (GDM_SIMPLE_SLAVE (slave));
+-#endif
+ 
+                 gdm_session_close (GDM_SESSION (GDM_SIMPLE_SLAVE (slave)->priv->session));
+                 g_object_unref (GDM_SIMPLE_SLAVE (slave)->priv->session);
+-- 
+1.7.7.6
+
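Review bot: In the ENABLE_INTERNAL_PAM_CONSOLE branch of gdm_simple_slave_grant_console_permissions, `passwd_entry->pw_uid` is dereferenced in the `fchown` call with no check that `gdm_get_pwent_for_name` filled it in, so a failed lookup would crash the slave (which presumably runs privileged) at session open. The `fchown` result is also discarded, which would leave a root-owned marker file with nothing in the log, and `consoledir_path` is never freed. In the revoke branch `passwd_entry` is looked up but never used, and `username` goes into the `unlink` path without a NULL check. Both functions build the path from `username` unvalidated; refusing names that contain `/` before touching /var/run/console would be a cheap safeguard. The declaration of `passwd_entry` in the grant function lies outside the inner hunks, so whether it is initialised cannot be seen here.

```c
        if (username != NULL && display_device != NULL) {
                /* … unchanged: declarations of fd, consoledir_path, path … */
                passwd_entry = NULL;
                gdm_get_pwent_for_name (username, &passwd_entry);

                if (passwd_entry == NULL || strchr (username, '/') != NULL) {
                        g_warning ("Not creating console file for user %s", username);
                } else {
                        /* … unchanged: use_internal_pam_console = TRUE, mkdir, g_build_filename, open and its failure warning … */
                        if (fchown (fd, passwd_entry->pw_uid, passwd_entry->pw_gid) < 0) {
                                g_warning ("Failed to chown %s: %s", path, strerror (errno));
                        }
                        close (fd);
                        /* … unchanged: g_free (path) … */
                        g_free (consoledir_path);
                }
        }
```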


