From 4677a67913c5ec376eb016e6aac21f9a7ad5e9c4 Mon Sep 17 00:00:00 2001 From: David-John Willis Date: Mon, 9 Nov 2009 07:54:07 +0000 Subject: shadow: Add version 4.1.4.2 and checksum. * This version now has Linux-PAM support enabled in OE so will need some testing and maybe a little tweaking. * Add pam.d config files for common shadow utils in addition to the default ones. * Cleanup shadow defaults and make shadow 'play nice' with PAM. * Update pam.d service files to suggested upstream Linux-PAM layout. * TODO: Some Shadow default session files still use the older layout (incluse system-auth for everything). These will need newer files to be added to the pam.d folder in the recipe as they are found. --- recipes/shadow/files/login_defs_pam.sed | 25 +++++++++ recipes/shadow/files/pam.d/chfn | 14 +++++ recipes/shadow/files/pam.d/chpasswd | 4 ++ recipes/shadow/files/pam.d/chsh | 19 +++++++ recipes/shadow/files/pam.d/login | 91 +++++++++++++++++++++++++++++++++ recipes/shadow/files/pam.d/newusers | 4 ++ recipes/shadow/files/pam.d/passwd | 5 ++ recipes/shadow/files/pam.d/su | 60 ++++++++++++++++++++++ recipes/shadow/shadow_4.1.4.2.bb | 52 +++++++++++++++++++ 9 files changed, 274 insertions(+) create mode 100644 recipes/shadow/files/login_defs_pam.sed create mode 100644 recipes/shadow/files/pam.d/chfn create mode 100644 recipes/shadow/files/pam.d/chpasswd create mode 100644 recipes/shadow/files/pam.d/chsh create mode 100644 recipes/shadow/files/pam.d/login create mode 100644 recipes/shadow/files/pam.d/newusers create mode 100644 recipes/shadow/files/pam.d/passwd create mode 100644 recipes/shadow/files/pam.d/su create mode 100644 recipes/shadow/shadow_4.1.4.2.bb (limited to 'recipes/shadow') diff --git a/recipes/shadow/files/login_defs_pam.sed b/recipes/shadow/files/login_defs_pam.sed new file mode 100644 index 0000000000..655f115870 --- /dev/null +++ b/recipes/shadow/files/login_defs_pam.sed @@ -0,0 +1,25 @@ +/^FAILLOG_ENAB/b comment +/^LASTLOG_ENAB/b comment +/^MAIL_CHECK_ENAB/b comment +/^OBSCURE_CHECKS_ENAB/b comment +/^PORTTIME_CHECKS_ENAB/b comment +/^QUOTAS_ENAB/b comment +/^MOTD_FILE/b comment +/^FTMP_FILE/b comment +/^NOLOGINS_FILE/b comment +/^ENV_HZ/b comment +/^PASS_MIN_LEN/b comment +/^SU_WHEEL_ONLY/b comment +/^CRACKLIB_DICTPATH/b comment +/^PASS_CHANGE_TRIES/b comment +/^PASS_ALWAYS_WARN/b comment +/^CHFN_AUTH/b comment +/^ENVIRON_FILE/b comment + +b exit + +: comment + s:^:#: + +: exit + diff --git a/recipes/shadow/files/pam.d/chfn b/recipes/shadow/files/pam.d/chfn new file mode 100644 index 0000000000..baf7698bba --- /dev/null +++ b/recipes/shadow/files/pam.d/chfn @@ -0,0 +1,14 @@ +# +# The PAM configuration file for the Shadow `chfn' service +# + +# This allows root to change user infomation without being +# prompted for a password +auth sufficient pam_rootok.so + +# The standard Unix authentication modules, used with +# NIS (man nsswitch) as well as normal /etc/passwd and +# /etc/shadow entries. +auth include common-auth +account include common-account +session include common-session diff --git a/recipes/shadow/files/pam.d/chpasswd b/recipes/shadow/files/pam.d/chpasswd new file mode 100644 index 0000000000..9e3efa68ba --- /dev/null +++ b/recipes/shadow/files/pam.d/chpasswd @@ -0,0 +1,4 @@ +# The PAM configuration file for the Shadow 'chpasswd' service +# + +password include common-password diff --git a/recipes/shadow/files/pam.d/chsh b/recipes/shadow/files/pam.d/chsh new file mode 100644 index 0000000000..8fb169f64e --- /dev/null +++ b/recipes/shadow/files/pam.d/chsh @@ -0,0 +1,19 @@ +# +# The PAM configuration file for the Shadow `chsh' service +# + +# This will not allow a user to change their shell unless +# their current one is listed in /etc/shells. This keeps +# accounts with special shells from changing them. +auth required pam_shells.so + +# This allows root to change user shell without being +# prompted for a password +auth sufficient pam_rootok.so + +# The standard Unix authentication modules, used with +# NIS (man nsswitch) as well as normal /etc/passwd and +# /etc/shadow entries. +auth include common-auth +account include common-account +session include common-session diff --git a/recipes/shadow/files/pam.d/login b/recipes/shadow/files/pam.d/login new file mode 100644 index 0000000000..2186d3eee9 --- /dev/null +++ b/recipes/shadow/files/pam.d/login @@ -0,0 +1,91 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# Note that it is included as a "requisite" module. No password prompts will +# be displayed if this module fails to avoid having the root password +# transmitted on unsecure ttys. +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root). +auth requisite pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +account include common-account +password include common-password +session include common-session diff --git a/recipes/shadow/files/pam.d/newusers b/recipes/shadow/files/pam.d/newusers new file mode 100644 index 0000000000..4aa3dde48b --- /dev/null +++ b/recipes/shadow/files/pam.d/newusers @@ -0,0 +1,4 @@ +# The PAM configuration file for the Shadow 'newusers' service +# + +password include common-password diff --git a/recipes/shadow/files/pam.d/passwd b/recipes/shadow/files/pam.d/passwd new file mode 100644 index 0000000000..f534992435 --- /dev/null +++ b/recipes/shadow/files/pam.d/passwd @@ -0,0 +1,5 @@ +# +# The PAM configuration file for the Shadow `passwd' service +# + +password include common-password diff --git a/recipes/shadow/files/pam.d/su b/recipes/shadow/files/pam.d/su new file mode 100644 index 0000000000..8e35137f37 --- /dev/null +++ b/recipes/shadow/files/pam.d/su @@ -0,0 +1,60 @@ +# +# The PAM configuration file for the Shadow `su' service +# + +# This allows root to su without passwords (normal operation) +auth sufficient pam_rootok.so + +# Uncomment this to force users to be a member of group root +# before they can use `su'. You can also add "group=foo" +# to the end of this line if you want to use a group other +# than the default "root" (but this may have side effect of +# denying "root" user, unless she's a member of "foo" or explicitly +# permitted earlier by e.g. "sufficient pam_rootok.so"). +# (Replaces the `SU_WHEEL_ONLY' option from login.defs) +# auth required pam_wheel.so + +# Uncomment this if you want wheel members to be able to +# su without a password. +# auth sufficient pam_wheel.so trust + +# Uncomment this if you want members of a specific group to not +# be allowed to use su at all. +# auth required pam_wheel.so deny group=nosu + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on su usage. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +# +# "nopen" stands to avoid reporting new mail when su'ing to another user +session optional pam_mail.so nopen + +# Sets up user limits, please uncomment and read /etc/security/limits.conf +# to enable this functionality. +# (Replaces the use of /etc/limits in old login) +# session required pam_limits.so + +# The standard Unix authentication modules, used with +# NIS (man nsswitch) as well as normal /etc/passwd and +# /etc/shadow entries. +auth include common-auth +account include common-account +session include common-session diff --git a/recipes/shadow/shadow_4.1.4.2.bb b/recipes/shadow/shadow_4.1.4.2.bb new file mode 100644 index 0000000000..04887a01d1 --- /dev/null +++ b/recipes/shadow/shadow_4.1.4.2.bb @@ -0,0 +1,52 @@ +DESCRIPTION = "login/password and account utilities" +LICENSE = "GPL" + +DEPEND = "libpam" +RDEPEND = "${DEPEND}" + +PR = "r5" + +EXTRA_OECONF += " --enable-shared --enable-static --with-libpam --without-libcrack" + +inherit autotools + +HOMEPAGE = "http://pkg-shadow.alioth.debian.org/" +SRC_URI = "ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-${PV}.tar.bz2 \ + file://login_defs_pam.sed \ +" + +# Additional Policy files for PAM +SRC_URI_append = " \ + file://pam.d/chfn \ + file://pam.d/chpasswd \ + file://pam.d/chsh \ + file://pam.d/login \ + file://pam.d/newusers \ + file://pam.d/passwd \ + file://pam.d/su \ +" + +S = "${WORKDIR}/shadow-${PV}" + +CFLAGS_append = " -I../include" + +do_install_append() { + # Ensure that the image has as /var/spool/mail dir so shadow can put mailboxes there if the user + # reconfigures Shadow to default (see sed below). + install -d ${D}${localstatedir}/spool/mail/ + + install -d ${D}${sysconfdir}/pam.d/ + install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/ + + # Remove defaults that are not used when supporting PAM + sed -i -f ${WORKDIR}/login_defs_pam.sed ${D}${sysconfdir}/login.defs + + # Enable CREATE_HOME by default. + sed -i 's/#CREATE_HOME/CREATE_HOME/g' ${D}${sysconfdir}/login.defs + + # As we are on an embedded system ensure the users mailbox is in ~/ not + # /var/spool/mail by default as who knows where or how big /var is. + # The system MDA will set this later anyway. + sed -i 's/MAIL_DIR/#MAIL_DIR/g' ${D}${sysconfdir}/login.defs + sed -i 's/#MAIL_FILE/MAIL_FILE/g' ${D}${sysconfdir}/login.defs +} -- cgit v1.2.3