From b91bdb44b784171e142fea5f12d1543a3e1f1085 Mon Sep 17 00:00:00 2001 From: tripolar Date: Tue, 22 Oct 2013 00:50:21 +0000 Subject: [PATCH] [packages] libpam: add default rules thanks DkSoul for the patch Signed-off-by: Peter Wagner git-svn-id: svn://svn.openwrt.org/openwrt/packages@38490 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- libs/libpam/Makefile | 13 +++++---- libs/libpam/files/pam.conf | 15 ++++++++++ libs/libpam/files/pam.d/common-account | 20 +++++++++++++ libs/libpam/files/pam.d/common-auth | 21 ++++++++++++++ libs/libpam/files/pam.d/common-password | 28 +++++++++++++++++++ libs/libpam/files/pam.d/common-session | 25 +++++++++++++++++ .../files/pam.d/common-session-noninteractive | 25 +++++++++++++++++ libs/libpam/files/pam.d/other | 16 +++++++++++ 8 files changed, 157 insertions(+), 6 deletions(-) create mode 100644 libs/libpam/files/pam.conf create mode 100644 libs/libpam/files/pam.d/common-account create mode 100644 libs/libpam/files/pam.d/common-auth create mode 100644 libs/libpam/files/pam.d/common-password create mode 100644 libs/libpam/files/pam.d/common-session create mode 100644 libs/libpam/files/pam.d/common-session-noninteractive create mode 100644 libs/libpam/files/pam.d/other diff --git a/libs/libpam/Makefile b/libs/libpam/Makefile index c7c38f4d5..bbfa9d838 100644 --- a/libs/libpam/Makefile +++ b/libs/libpam/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libpam PKG_VERSION:=1.1.8 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://www.linux-pam.org/library/ @@ -49,8 +49,6 @@ define Build/Configure ) endef - - define Build/InstallDev $(INSTALL_DIR) $(1)/lib $(INSTALL_DIR) $(1)/usr/include 
@@ -59,11 +57,14 @@ define Build/InstallDev endef define Package/libpam/install - $(INSTALL_DIR) $(1)/lib - $(INSTALL_DIR) $(1)/etc + $(INSTALL_DIR) $(1)/lib $(1)/lib/security $(1)/lib/security/pam_filter + $(INSTALL_DIR) $(1)/etc $(1)/etc/pam.d $(INSTALL_DIR) $(1)/usr/sbin - $(CP) $(PKG_INSTALL_DIR)/lib/* $(1)/lib/ + $(CP) $(PKG_INSTALL_DIR)/lib/*.so* $(1)/lib/ + $(CP) $(PKG_INSTALL_DIR)/lib/security/*.so* $(1)/lib/security/ + $(CP) $(PKG_INSTALL_DIR)/lib/security/pam_filter/* $(1)/lib/security/pam_filter/ $(CP) $(PKG_INSTALL_DIR)/etc/* $(1)/etc/ + $(CP) ./files/* $(1)/etc/ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/* $(1)/usr/sbin/ endef diff --git a/libs/libpam/files/pam.conf b/libs/libpam/files/pam.conf new file mode 100644 index 000000000..3eeb72d32 --- /dev/null +++ b/libs/libpam/files/pam.conf @@ -0,0 +1,15 @@ +# ---------------------------------------------------------------------------# +# /etc/pam.conf # +# ---------------------------------------------------------------------------# +# +# NOTE +# ---- +# +# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their +# PAM service modules. This file is used only if that directory does not exist. +# ---------------------------------------------------------------------------# + +# Format: +# serv. module ctrl module [path] ...[args..] # +# name type flag # + diff --git a/libs/libpam/files/pam.d/common-account b/libs/libpam/files/pam.d/common-account new file mode 100644 index 000000000..7162548cc --- /dev/null +++ b/libs/libpam/files/pam.d/common-account 
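Review bot: In `Package/libpam/install`, the new `$(CP) ./files/* $(1)/etc/` line ships the authentication policy with whatever file modes the source checkout happens to have, and nothing in this hunk marks the files as configuration. Installing them with an explicit mode, e.g. `$(INSTALL_DATA) ./files/pam.conf $(1)/etc/` and `$(INSTALL_DATA) ./files/pam.d/* $(1)/etc/pam.d/`, would make the result independent of the build host. If the Makefile has no `Package/libpam/conffiles` section (the rest of the file is not visible here), adding one that lists `/etc/pam.conf` and the `/etc/pam.d/` files would keep a locally hardened policy from being replaced on package upgrade. The copy also runs after `$(CP) $(PKG_INSTALL_DIR)/etc/* $(1)/etc/`, so a same-named upstream file is silently overridden; a one-line comment saying that this is intended would help.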
@@ -0,0 +1,20 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+
+# end of pam-auth-update config
diff --git a/libs/libpam/files/pam.d/common-auth b/libs/libpam/files/pam.d/common-auth
new file mode 100644
index 000000000..8fc529d70
--- /dev/null
+++ b/libs/libpam/files/pam.d/common-auth
@@ -0,0 +1,21 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+
+# end of pam-auth-update config
diff --git a/libs/libpam/files/pam.d/common-password b/libs/libpam/files/pam.d/common-password
new file mode 100644
index 000000000..5d0dee0a6
--- /dev/null
+++ b/libs/libpam/files/pam.d/common-password
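Review bot: The `nullok_secure` argument on the `pam_unix.so` line of common-auth is, as far as I know, added by Debian's patch set and is not an option of upstream pam_unix, which is what this package builds unless it carries that patch. Upstream would be expected to log the argument as unrecognized and ignore it, so the line does not express what it appears to: blank-password accounts would be refused outright instead of being limited to secure ttys. Please make the choice explicit — `auth [success=1 default=ignore] pam_unix.so` to refuse empty passwords, or `nullok` if they really must be accepted — and put a comment above the line stating which behaviour is intended and why.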
@@ -0,0 +1,28 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+password [success=1 default=ignore] pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+
+# end of pam-auth-update config
diff --git a/libs/libpam/files/pam.d/common-session b/libs/libpam/files/pam.d/common-session
new file mode 100644
index 000000000..f0d41ccf7
--- /dev/null
+++ b/libs/libpam/files/pam.d/common-session
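Review bot: On the `pam_unix.so obscure sha512` line of common-password, `obscure` looks like another Debian-only option, so with an unpatched upstream pam_unix the strength checks described in the comment above it would probably not run. If a minimum is wanted, the upstream option can be used instead: `password [success=1 default=ignore] pam_unix.so sha512 minlen=8` (the value is only an example). It is also worth confirming that the target libc's crypt() implements SHA-512; when it does not, pam_unix falls back to MD5 hashes and only logs the fact, so the comment should say which hash the image really produces.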
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+# end of pam-auth-update config
diff --git a/libs/libpam/files/pam.d/common-session-noninteractive b/libs/libpam/files/pam.d/common-session-noninteractive
new file mode 100644
index 000000000..f4943e1b0
--- /dev/null
+++ b/libs/libpam/files/pam.d/common-session-noninteractive
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+# end of pam-auth-update config
diff --git a/libs/libpam/files/pam.d/other b/libs/libpam/files/pam.d/other
new file mode 100644
index 000000000..6679e4f19
--- /dev/null
+++ b/libs/libpam/files/pam.d/other
@@ -0,0 +1,16 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used. If you really want nothing to happen then use pam_permit.so or
+#pam_deny.so as appropriate.
+
+# We fall back to the system default in /etc/pam.d/common-*
+#
+
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
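Review bot: The new /etc/pam.d/other makes every service that has no file of its own fall through to the common-* stacks, so an application whose PAM use was never reviewed still gets normal password authentication. A fail-closed fallback is the safer default for a catch-all file: `auth required pam_deny.so`, and the same for `account`, `password` and `session`, optionally preceded by a `pam_warn.so` line so that hits on the fallback are logged. If the permissive fallback is intentional, the header comment should state that and name the services expected to rely on it.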