summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid-John Willis <John.Willis@Distant-earth.com>2009-11-18 14:01:30 +0000
committerKoen Kooi <koen@openembedded.org>2009-11-24 11:08:35 +0100
commit7ed998436c39ff922f285fd73d87f0336973218f (patch)
tree5f34acd1d0939de090bc5a0cb804229b2ff666cb
parentafa230474855aa110c5b32492dcf8d2cdc1c07e9 (diff)
libpam-base-files: Start to add default config files for libpam
* This will start to get Linux-PAM into a usable state. Default config files derived from Debian with tweaks. Some are not needed and will be dropped later and some should really be packaged elsewhere. * Also update libpam_1.0.2 to depend on this package and the meta package with auth systems as it is not a lot of use without them (it works but can't do anything). * Add 1.1.0 and tweaks to 1.0.2. * Update all the pam.d base config files to support the suggested upstream layout not patches legacy layouts used but some Linux distros. * Use the proper include layouts * Still package some 'suggested' files for common services that do not pack there own pam.d files (TODO: move these to the package recipies not this one).
-rw-r--r--recipes/pam/libpam-1.1.0/pam-nodocs.patch35
-rw-r--r--recipes/pam/libpam-base-files.bb18
-rw-r--r--recipes/pam/libpam-base-files/pam.d/atd10
-rw-r--r--recipes/pam/libpam-base-files/pam.d/common-account25
-rw-r--r--recipes/pam/libpam-base-files/pam.d/common-auth18
-rw-r--r--recipes/pam/libpam-base-files/pam.d/common-password27
-rw-r--r--recipes/pam/libpam-base-files/pam.d/common-session20
-rw-r--r--recipes/pam/libpam-base-files/pam.d/common-session-noninteractive19
-rw-r--r--recipes/pam/libpam-base-files/pam.d/cron11
-rw-r--r--recipes/pam/libpam-base-files/pam.d/cups3
-rw-r--r--recipes/pam/libpam-base-files/pam.d/cvs12
-rw-r--r--recipes/pam/libpam-base-files/pam.d/libcupsys23
-rw-r--r--recipes/pam/libpam-base-files/pam.d/other27
-rw-r--r--recipes/pam/libpam-base-files/pam.d/polkit6
-rw-r--r--recipes/pam/libpam-base-files/pam.d/polkit-16
-rw-r--r--recipes/pam/libpam-base-files/pam.d/ppp8
-rw-r--r--recipes/pam/libpam-base-files/pam.d/sesman6
-rw-r--r--recipes/pam/libpam-base-files/pam.d/sshd33
-rw-r--r--recipes/pam/libpam_1.0.2.bb6
-rw-r--r--recipes/pam/libpam_1.1.0.bb70
20 files changed, 361 insertions, 2 deletions
diff --git a/recipes/pam/libpam-1.1.0/pam-nodocs.patch b/recipes/pam/libpam-1.1.0/pam-nodocs.patch
new file mode 100644
index 0000000000..895f0e182a
--- /dev/null
+++ b/recipes/pam/libpam-1.1.0/pam-nodocs.patch
@@ -0,0 +1,35 @@
+--- /tmp/Makefile.am 2008-09-05 15:16:21.000000000 +0200
++++ Linux-PAM-1.0.2/Makefile.am 2008-09-05 15:16:56.153198000 +0200
+@@ -5,9 +5,9 @@
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
+
+ if STATIC_MODULES
+-SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests
++SUBDIRS = modules libpam libpamc libpam_misc tests po conf examples xtests
+ else
+-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
++SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
+ endif
+
+ CLEANFILES = *~
+@@ -28,19 +28,7 @@
+
+ ACLOCAL_AMFLAGS = -I m4
+
+-release: dist releasedocs
+-
+-release-docs: releasedocs
+-
+-releasedocs:
+- rm -rf Linux-PAM-$(VERSION)
+- mkdir -p Linux-PAM-$(VERSION)/doc
+- make -C doc releasedocs
+- tar zfc Linux-PAM-$(VERSION)-docs.tar.gz \
+- Linux-PAM-$(VERSION)/doc
+- tar jfc Linux-PAM-$(VERSION)-docs.tar.bz2 \
+- Linux-PAM-$(VERSION)/doc
+- rm -rf Linux-PAM-$(VERSION)
++release: dist
+
+ xtests:
+ make -C xtests xtests
diff --git a/recipes/pam/libpam-base-files.bb b/recipes/pam/libpam-base-files.bb
new file mode 100644
index 0000000000..0fa11d8051
--- /dev/null
+++ b/recipes/pam/libpam-base-files.bb
@@ -0,0 +1,18 @@
+DESCRIPTION = "Linux-PAM authentication library for Linux. Base configuration files"
+
+SECTION = "libs"
+PRIORITY = "optional"
+LICENSE = "GPLv2"
+DEPENDS = ""
+RDEPENDS = "libpam"
+
+PR = "r1"
+
+SRC_URI = " \
+ file://pam.d/* \
+"
+
+do_install() {
+ install -d ${D}${sysconfdir}/pam.d/
+ install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
+}
diff --git a/recipes/pam/libpam-base-files/pam.d/atd b/recipes/pam/libpam-base-files/pam.d/atd
new file mode 100644
index 0000000000..17ffb134d3
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/atd
@@ -0,0 +1,10 @@
+#
+# The PAM configuration file for the at daemon
+#
+
+auth required pam_env.so
+auth include common-auth
+account include common-account
+password include common-password
+session required pam_limits.so
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/common-account b/recipes/pam/libpam-base-files/pam.d/common-account
new file mode 100644
index 0000000000..316b17337b
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-account
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/recipes/pam/libpam-base-files/pam.d/common-auth b/recipes/pam/libpam-base-files/pam.d/common-auth
new file mode 100644
index 0000000000..460b69f198
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-auth
@@ -0,0 +1,18 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/recipes/pam/libpam-base-files/pam.d/common-password b/recipes/pam/libpam-base-files/pam.d/common-password
new file mode 100644
index 0000000000..bc98f199b9
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-password
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+password [success=1 default=ignore] pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+password optional pam_gnome_keyring.so
diff --git a/recipes/pam/libpam-base-files/pam.d/common-session b/recipes/pam/libpam-base-files/pam.d/common-session
new file mode 100644
index 0000000000..2123967d15
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-session
@@ -0,0 +1,20 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session optional pam_ck_connector.so nox11
diff --git a/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive b/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive
new file mode 100644
index 0000000000..b110bb2b49
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
diff --git a/recipes/pam/libpam-base-files/pam.d/cron b/recipes/pam/libpam-base-files/pam.d/cron
new file mode 100644
index 0000000000..743c0ed31f
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cron
@@ -0,0 +1,11 @@
+#
+# The PAM configuration file for the cron daemon
+#
+
+auth include common-auth
+session required pam_env.so
+account include common-account
+session include common-session-noninteractive
+# Sets up user limits, please define limits for cron tasks
+# through /etc/security/limits.conf
+session required pam_limits.so
diff --git a/recipes/pam/libpam-base-files/pam.d/cups b/recipes/pam/libpam-base-files/pam.d/cups
new file mode 100644
index 0000000000..8e7f973a2c
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cups
@@ -0,0 +1,3 @@
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/cvs b/recipes/pam/libpam-base-files/pam.d/cvs
new file mode 100644
index 0000000000..9627c4f7bf
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cvs
@@ -0,0 +1,12 @@
+#
+# /etc/pam.d/cvs - specify the PAM behaviour of CVS
+#
+
+# We fall back to the system default in /etc/pam.d/common-*
+
+auth include common-auth
+account include common-account
+
+# We don't use password or session modules at all
+# password include common-password
+# session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/libcupsys2 b/recipes/pam/libpam-base-files/pam.d/libcupsys2
new file mode 100644
index 0000000000..8e7f973a2c
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/libcupsys2
@@ -0,0 +1,3 @@
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/other b/recipes/pam/libpam-base-files/pam.d/other
new file mode 100644
index 0000000000..6e40cd0c02
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/other
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.
+
+#If you really want nothing to happen then use pam_permit.so or
+#pam_deny.so as appropriate.
+
+# We use pam_warn.so to generate syslog notes that the 'other'
+#fallback rules are being used (as a hint to suggest you should setup
+#specific PAM rules for the service and aid to debugging). We then
+#fall back to the system default in /etc/pam.d/common-*
+
+auth required pam_warn.so
+auth include common-auth
+
+account required pam_warn.so
+account include common-account
+
+password required pam_warn.so
+password include common-password
+
+session required pam_warn.so
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/polkit b/recipes/pam/libpam-base-files/pam.d/polkit
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/polkit
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/polkit-1 b/recipes/pam/libpam-base-files/pam.d/polkit-1
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/polkit-1
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/ppp b/recipes/pam/libpam-base-files/pam.d/ppp
new file mode 100644
index 0000000000..aed08fd1b2
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/ppp
@@ -0,0 +1,8 @@
+#%PAM-1.0
+# Information for the PPPD process with the 'login' option.
+
+auth required pam_nologin.so
+auth include common-auth
+account include common-account
+session include common-session
+
diff --git a/recipes/pam/libpam-base-files/pam.d/sesman b/recipes/pam/libpam-base-files/pam.d/sesman
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/sesman
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/sshd b/recipes/pam/libpam-base-files/pam.d/sshd
new file mode 100644
index 0000000000..c0028ff3cb
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/sshd
@@ -0,0 +1,33 @@
+# PAM configuration for the Secure Shell service
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth required pam_env.so # [1]
+
+# Standard Un*x authentication.
+auth include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+account include common-accountt
+
+# Standard Un*x session setup and teardown.
+session include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so # [1]
+
+# Print the status of the user's mailbox upon successful login.
+session optional pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Standard Un*x password updating.
+password include common-password
diff --git a/recipes/pam/libpam_1.0.2.bb b/recipes/pam/libpam_1.0.2.bb
index b288458e98..1ab7fa95f9 100644
--- a/recipes/pam/libpam_1.0.2.bb
+++ b/recipes/pam/libpam_1.0.2.bb
@@ -12,7 +12,10 @@ LICENSE = "GPLv2"
DEPENDS = "flex flex-native"
-PR = "r4"
+# PAM is not a lot of use without configuration files and the plugins
+RRECOMMENDS_${PN} = "libpam-meta libpam-base-files"
+
+PR = "r5"
# The project is actually called Linux-PAM but that gives
# a bad OE package name because of the upper case characters
@@ -66,7 +69,6 @@ python populate_packages_prepend () {
bb.data.setVar('PACKAGES', ' '.join(packages), d)
}
-
do_stage() {
autotools_stage_all
}
diff --git a/recipes/pam/libpam_1.1.0.bb b/recipes/pam/libpam_1.1.0.bb
new file mode 100644
index 0000000000..32dc9e15cb
--- /dev/null
+++ b/recipes/pam/libpam_1.1.0.bb
@@ -0,0 +1,70 @@
+DESCRIPTION = "\
+PAM authentication library for Linux. \
+Linux-PAM (Pluggable Authentication Modules for Linux) is a \
+library that enables the local system administrator to choose \
+how individual applications authenticate users. For an \
+overview of the Linux-PAM library see the Linux-PAM System \
+Administrators' Guide."
+HOMEPAGE = "http://kernel.org/pub/linux/libs/pam"
+SECTION = "libs"
+PRIORITY = "optional"
+LICENSE = "GPLv2"
+
+DEFAULT_PREFERENCE_libc-uclibc = "-1"
+
+DEPENDS = "flex flex-native"
+
+# PAM is not a lot of use without configuration files and the plugins
+RRECOMMENDS_${PN} = "libpam-meta libpam-base-files"
+
+PR = "r0"
+
+# The project is actually called Linux-PAM but that gives
+# a bad OE package name because of the upper case characters
+pn = "Linux-PAM"
+p = "${pn}-${PV}"
+S = "${WORKDIR}/${p}"
+
+SRC_URI = "${KERNELORG_MIRROR}/pub/linux/libs/pam/library/${p}.tar.bz2 \
+ file://pam-nodocs.patch;patch=1 "
+
+inherit autotools
+
+LEAD_SONAME = "libpam.so.*"
+
+# maintain the pam default layout
+EXTRA_OECONF += " --includedir=${includedir}/security"
+
+PACKAGES_DYNAMIC += " libpam-meta pam-plugin-*"
+
+python populate_packages_prepend () {
+ import os.path
+
+ pam_libdir = bb.data.expand('${libdir}/security', d)
+ pam_libdirdebug = bb.data.expand('${libdir}/security/.debug', d)
+ pam_filterdir = bb.data.expand('${libdir}/security/pam_filter', d)
+ do_split_packages(d, pam_libdir, '^pam(.*)\.so$', 'pam-plugin%s', 'PAM plugin for %s', extra_depends='')
+ do_split_packages(d, pam_libdir, '^pam(.*)\.la$', 'pam-plugin%s-dev', 'PAM plugin for %s dev', extra_depends='')
+ if os.path.exists(pam_libdirdebug):
+ do_split_packages(d, pam_libdirdebug, '^pam(.*)\.so$', 'pam-plugin%s-dbg', 'PAM plugin for %s debugging symbols', extra_depends='')
+ do_split_packages(d, pam_filterdir, '^(.*)$', 'pam-filter-%s', 'PAM filter for %s', extra_depends='')
+
+ pn = bb.data.getVar('PN', d, 1)
+ metapkg = pn + '-meta'
+ bb.data.setVar('ALLOW_EMPTY_' + metapkg, "1", d)
+ bb.data.setVar('FILES_' + metapkg, "", d)
+ blacklist = [ pn + '-locale', pn + '-dev', pn + '-dbg', pn + '-doc' ]
+ metapkg_rdepends = []
+ packages = bb.data.getVar('PACKAGES', d, 1).split()
+ for pkg in packages[1:]:
+ if not pkg in blacklist and not pkg in metapkg_rdepends and not pkg.endswith('-dev') and not pkg.count('locale') and pkg.count('plugin'):
+ metapkg_rdepends.append(pkg)
+ bb.data.setVar('RDEPENDS_' + metapkg, ' '.join(metapkg_rdepends), d)
+ bb.data.setVar('DESCRIPTION_' + metapkg, pn + ' meta package', d)
+ packages.append(metapkg)
+ bb.data.setVar('PACKAGES', ' '.join(packages), d)
+}
+
+do_stage() {
+ autotools_stage_all
+}