changeset 822:a73b34fe66ec

security/shadow: add custom PAM files recommended per LFS
author David Demelier <markand@malikania.fr>
date Wed, 21 Aug 2019 20:50:00 +0200
parents c5cbe07af6a9
children fdac78a6d06e
files security/shadow/chage security/shadow/chfn security/shadow/chgpasswd security/shadow/chpasswd security/shadow/chsh security/shadow/groupadd security/shadow/groupdel security/shadow/groupmems security/shadow/groupmod security/shadow/login security/shadow/newusers security/shadow/passwd security/shadow/shadow.sh security/shadow/su security/shadow/useradd security/shadow/userdel security/shadow/usermod
diffstat 17 files changed, 172 insertions(+), 11 deletions(-) [+]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/chage	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/chage -- PAM configuration file for shadow's chage
+#
+
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+password  required    pam_permit.so
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/chfn	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/chfn -- PAM configuration file for shadow's chfn
+#
+
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+password  required    pam_permit.so
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/chgpasswd	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/chgpasswd -- PAM configuration file for shadow's chgpasswd
+#
+
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+password  required    pam_permit.so
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/chpasswd	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/chpasswd -- PAM configuration file for shadow's chpasswd
+#
+
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+password  required    pam_permit.so
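Review bot: The `password  required    pam_permit.so` line turns the password stack of the chpasswd service into a no-op, which matters if this shadow build routes password changes through PAM. A PAM-enabled chpasswd run without an explicit crypt method is expected to call pam_chauthtok under this service name. pam_permit returns success without writing anything, so the update could be dropped silently and no policy from system-password would be applied. Consider `password  include     system-password` here, as the passwd file in this changeset does; the same applies to the newusers file further down. This should be confirmed against the shadow version packaged here.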
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/chsh	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/chsh -- PAM configuration file for shadow's chsh
+#
+
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+password  required    pam_permit.so
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/groupadd	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/groupadd -- PAM configuration file for shadow's groupadd
+#
+
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+password  required    pam_permit.so
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/groupdel	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/groupdel -- PAM configuration file for shadow's groupdel
+#
+
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+password  required    pam_permit.so
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/groupmems	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/groupmems -- PAM configuration file for shadow's groupmems
+#
+
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+password  required    pam_permit.so
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/groupmod	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/groupmod -- PAM configuration file for shadow's groupmod
+#
+
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+password  required    pam_permit.so
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/login	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,16 @@
+#
+# /etc/pam.d/login -- PAM configuration file for shadow's login
+#
+
+auth            optional        pam_faildelay.so delay=3000000
+auth            requisite       pam_nologin.so
+auth            include         system-auth
+account         required        pam_access.so
+account         include         system-account
+session         required        pam_env.so
+session         required        pam_limits.so
+session         optional        pam_lastlog.so
+session         optional        pam_motd.so
+session         optional        pam_mail.so standard quiet
+session         include         system-session
+password        include         system-password
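Review bot: The login stack has no per-line comments, so an administrator cannot tell which entries depend on files outside this package. `account required pam_access.so` is enforced from /etc/security/access.conf, and the four `include` lines need system-auth, system-account, system-session and system-password, none of which are added by this changeset. Because this service gates console logins, a missing include target would presumably lock users out. I would add a short comment above the access line, for example `# access rules come from /etc/security/access.conf`, and one above the includes, for example `# system-* files are provided by the PAM package`.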
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/newusers	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/newusers -- PAM configuration file for shadow's newusers
+#
+
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+password  required    pam_permit.so
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/passwd	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,5 @@
+#
+# /etc/pam.d/passwd -- PAM configuration file for shadow's passwd
+#
+
+password include system-password
--- a/security/shadow/shadow.sh	Wed Aug 21 20:45:00 2019 +0200
+++ b/security/shadow/shadow.sh	Wed Aug 21 20:50:00 2019 +0200
@@ -22,7 +22,23 @@
 PKGSUMMARY="password and account management"
 PKGDOWNLOAD="https://github.com/shadow-maint/shadow/releases/download/$PKGVERSION/$PKGNAME-$PKGVERSION.tar.xz"
 PKGOPTIONS="ACL ATTR NLS PAM SELINUX"
-PKGPROTECT="etc/login.defs"
+PKGPROTECT="etc/login.defs
+            etc/pam.d/chage
+            etc/pam.d/chfn
+            etc/pam.d/chgpasswd
+            etc/pam.d/chpasswd
+            etc/pam.d/chsh
+            etc/pam.d/groupadd
+            etc/pam.d/groupdel
+            etc/pam.d/groupmems
+            etc/pam.d/groupmod
+            etc/pam.d/login
+            etc/pam.d/newusers
+            etc/pam.d/passwd
+            etc/pam.d/su
+            etc/pam.d/useradd
+            etc/pam.d/userdel
+            etc/pam.d/usermod"
 
 : ${CHOST:=$(uname -m)-linux-musl}
 : ${CBUILD:=$(uname -m)-linux-musl}
@@ -77,7 +93,7 @@
 	cd $PKGNAME-$PKGVERSION
 
 	#
-	# disable groups, it's provided by busybox/coreutils and documentation
+	# Disable groups, it's provided by busybox/coreutils and documentation
 	# by man-pages.
 	#
 	sed -i 's/groups$(EXEEXT) //' src/Makefile.in
@@ -105,15 +121,12 @@
 	make DESTDIR=$DESTDIR ubindir=/bin usbindir=/bin install
 
 	if [ "$PAM" = "yes" ]; then
-		# --disable-selinux does not update pam.d files
-		if [ "$SELINUX" = "no" ]; then
-			sed -i -e "/pam_selinux.so/d"           \
-				$DESTDIR/etc/pam.d/login        \
-				$DESTDIR/etc/pam.d/su
-		fi
-
-		# pam_console.so isn't shipped with linux-pam.
-		sed -i -e "/pam_console.so/d" $DESTDIR/etc/pam.d/login
+		for i in \
+		    chage chfn chgpasswd chpasswd chsh groupadd groupdel \
+		    groupmems groupmod login newusers passwd su useradd \
+		    userdel usermod; do
+			install -Dm0600 ../$i $DESTDIR/etc/pam.d/$i
+		done
 	fi
 
 	cd ..
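Review bot: The custom files installed by the new loop contain no pam_selinux.so line, while the removed code only stripped that module when SELINUX was "no". A build with SELINUX=yes, which is still listed in PKGOPTIONS, therefore appears to lose the module from login and su. If SELinux builds are meant to be supported, the login and su files need their pam_selinux.so session entries when `$SELINUX` is yes; otherwise state the limitation in a comment such as `# custom pam.d files do not load pam_selinux.so, even with SELINUX=yes`. Separately, `$DESTDIR` is unquoted in the install line; `install -Dm0600 "../$i" "$DESTDIR/etc/pam.d/$i"` keeps a staging path containing spaces in one argument. The enclosing function starts and ends outside this hunk.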
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/su	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,10 @@
+#
+# /etc/pam.d/su -- PAM configuration file for shadow's su
+#
+
+auth            sufficient      pam_rootok.so
+auth            include         system-auth
+auth            required        pam_wheel.so use_uid
+account         include         system-account
+session         required        pam_env.so
+session         include         system-session
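Review bot: The `auth required pam_wheel.so use_uid` line comes after `auth include system-auth`, so whether the wheel restriction runs at all depends on the contents of system-auth, which is not part of this changeset. With `include`, a `sufficient` or `done` success inside the included file ends the whole auth stack, and pam_wheel would then be skipped. Placing `auth            required        pam_wheel.so use_uid` directly below the pam_rootok.so line and before the include makes the group check independent of system-auth. A header comment such as `# su is restricted to members of the wheel group` would also help administrators who find su refused.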
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/useradd	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/useradd -- PAM configuration file for shadow's useradd
+#
+
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+password  required    pam_permit.so
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/userdel	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/userdel -- PAM configuration file for shadow's userdel
+#
+
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+password  required    pam_permit.so
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/shadow/usermod	Wed Aug 21 20:50:00 2019 +0200
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/usermod -- PAM configuration file for shadow's usermod
+#
+
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+password  required    pam_permit.so