[gnome-ostree-integration] Add override PAM files



commit e3ca5bee8ee3c6a93f19c60fa8bd35d38ba56155
Author: Colin Walters <walters verbum org>
Date:   Sat Apr 13 19:16:57 2013 -0400

    Add override PAM files
    
    The ones from OpenEmbedded (in the current version) don't have what we
    need, and anyways it's easier to maintain static files here, like we
    do with /lib/passwd.

 Makefile-integration.am               |  7 +++++++
 src/pam/common-account                | 25 +++++++++++++++++++++++++
 src/pam/common-auth                   | 19 +++++++++++++++++++
 src/pam/common-password               | 26 ++++++++++++++++++++++++++
 src/pam/common-session                | 23 +++++++++++++++++++++++
 src/pam/common-session-noninteractive | 22 ++++++++++++++++++++++
 src/pam/other                         | 27 +++++++++++++++++++++++++++
 7 files changed, 149 insertions(+)
---
diff --git a/Makefile-integration.am b/Makefile-integration.am
index fd013ce..96d6642 100644
--- a/Makefile-integration.am
+++ b/Makefile-integration.am
@@ -46,6 +46,13 @@ integration-install-data-hook: os-release system-release
        install -D $(srcdir)/src/lib-group $(DESTDIR)$(prefix)/lib/group
        install -D $(srcdir)/src/gnome-logo.png $(DESTDIR)$(datadir)/pixmaps/system-logo-white.png
 
+INSTALL_DATA_HOOKS += integration-install-pam-hook
+integration-install-pam-hook:
+       mkdir -p $(DESTDIR)$(sysconfdir)/pam.d
+       for name in common-account common-auth common-password common-session common-session-noninteractive other; do \
+         install -D $(srcdir)/src/pam/$${name} $(DESTDIR)$(sysconfdir)/pam.d/$${name}; \
+       done
+
 ENABLED_SERVICES = NetworkManager ModemManager
 DBUS_ENABLED_SERVICES = org.freedesktop.NetworkManager org.freedesktop.ModemManager
 
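Review bot: The `install -D` call in the new `integration-install-pam-hook` loop passes no `-m`, so the PAM files are installed with install's default mode 0755; files under pam.d are plain configuration and have no reason to be executable. The `for` loop also returns only the status of its last iteration, so a failed copy of an earlier file (for example common-auth) goes unnoticed and leaves a partial PAM set under `$(DESTDIR)`. I would change the loop body to `install -D -m 0644 $(srcdir)/src/pam/$${name} $(DESTDIR)$(sysconfdir)/pam.d/$${name} || exit 1; \`. With `-D` the preceding `mkdir -p` is redundant.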
diff --git a/src/pam/common-account b/src/pam/common-account
new file mode 100644
index 0000000..316b173
--- /dev/null
+++ b/src/pam/common-account
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.  The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account        [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
+# here's the fallback if no module succeeds
+account        requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account        required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
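Review bot: The header comment still says this file is "managed by pam-auth-update by default", and the last line marks the "end of pam-auth-update config", yet the commit message describes these as static files maintained in this repository. A reader may conclude that local edits get regenerated, or that pam-auth-update(8) is the way to change the stack. I would replace that paragraph with something like `# Static file shipped by gnome-ostree-integration; edit src/pam/common-account there.` and drop the end-of-config marker.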
diff --git a/src/pam/common-auth b/src/pam/common-auth
new file mode 100644
index 0000000..1da7cc7
--- /dev/null
+++ b/src/pam/common-auth
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+auth   [success=1 default=ignore]      pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth   requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth   required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth   optional                        pam_gnome_keyring.so
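Review bot: `nullok_secure` on the pam_unix line lets accounts with an empty password authenticate (on terminals listed in /etc/securetty), and because common-auth is included by every service, including the `other` fallback added in this commit, that becomes system-wide policy. If empty-password logins are not a deliberate requirement, the line should read `auth [success=1 default=ignore] pam_unix.so`. If they are, a comment naming the accounts that depend on it would help. As far as I know `nullok_secure`, like `obscure` in common-password, comes from Debian's pam_unix patches, so it is worth confirming that the pam_unix built for this OS accepts both options rather than logging them as unrecognised.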
diff --git a/src/pam/common-password b/src/pam/common-password
new file mode 100644
index 0000000..3896057
--- /dev/null
+++ b/src/pam/common-password
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords.  Without this option,
+# the default is Unix crypt.  Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+password       [success=1 default=ignore]      pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password       requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password       required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/src/pam/common-session b/src/pam/common-session
new file mode 100644
index 0000000..d905815
--- /dev/null
+++ b/src/pam/common-session
@@ -0,0 +1,23 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session        [default=1]                     pam_permit.so
+# here's the fallback if no module succeeds
+session        requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session        required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required                       pam_loginuid.so
+session        optional                        pam_keyinit.so revoke
+session        required                        pam_systemd.so
+session        required                        pam_unix.so 
+session        optional                        pam_gnome_keyring.so auto_start
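Review bot: `session required pam_loginuid.so` sits in the shared session stack, so every service that includes common-session runs it, not only login entry points. pam_loginuid(8) advises against using it for su/sudo-style services, because resetting the audit login UID there loses the record of who originally logged in. Whether such services include this file is not visible here, but the `other` fallback in this commit does. I would move the line into the entry-point service files (login, display manager, sshd) or at least add a comment stating the intent. The same line appears in common-session-noninteractive.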
diff --git a/src/pam/common-session-noninteractive b/src/pam/common-session-noninteractive
new file mode 100644
index 0000000..5bac124
--- /dev/null
+++ b/src/pam/common-session-noninteractive
@@ -0,0 +1,22 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session        [default=1]                     pam_permit.so
+# here's the fallback if no module succeeds
+session        requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session        required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required                       pam_loginuid.so
+session        optional                        pam_keyinit.so revoke
+session        required                        pam_systemd.so
+session        required                        pam_unix.so 
diff --git a/src/pam/other b/src/pam/other
new file mode 100644
index 0000000..6e40cd0
--- /dev/null
+++ b/src/pam/other
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron  specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.  
+
+#If you really want nothing to happen then use pam_permit.so or
+#pam_deny.so as appropriate.
+
+# We use pam_warn.so to generate syslog notes that the 'other'
+#fallback rules are being used (as a hint to suggest you should setup
+#specific PAM rules for the service and aid to debugging). We then 
+#fall back to the system default in /etc/pam.d/common-*
+
+auth       required     pam_warn.so
+auth       include      common-auth
+
+account    required     pam_warn.so
+account    include      common-account
+
+password   required     pam_warn.so
+password   include      common-password
+
+session    required     pam_warn.so
+session    include      common-session
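Review bot: The fallback stack logs through pam_warn and then includes the full common-* stacks, so an application that calls PAM under a service name with no file in pam.d is authenticated exactly like a configured service. A fail-closed fallback is the more conservative default: `auth required pam_deny.so` after the pam_warn line, and likewise for account, password and session, with explicit per-service files for everything that should be allowed in. If the permissive fallback is intentional because per-service files are not shipped yet, a comment saying so would make that clear to the next maintainer.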

