openembedded-core.git/meta/recipes-extended/pam, branch dora Mirror of openembedded-core libpam: Avoid host contamination issue w. libprelude 2013-09-24T10:55:29+00:00 David Nyström david.c.nystrom@gmail.com 2013-09-23T16:34:01+00:00 9096c6a46cf2467c90873c235b4533faf97d6175 Since we dont use prelude in OE, we just disable autodetection of prelude in the libpam configuration. Seems like an old bug: http://lists.openembedded.org/pipermail/openembedded-devel/2012-March/083804.html Signed-off-by: David Nyström <david.nystrom@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Since we dont use prelude in OE, we just disable autodetection of
prelude in the libpam configuration.

Seems like an old bug:
http://lists.openembedded.org/pipermail/openembedded-devel/2012-March/083804.html

Signed-off-by: David Nyström <david.nystrom@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libpam: only use pam_systemd.so if systemd is enabled 2013-09-20T11:17:13+00:00 Ross Burton ross.burton@intel.com 2013-09-19T15:03:21+00:00 3ccb0855a7a6b147e5025855c6376747ba72986a So that sysvinit images don't warn on every login only add it to common-session if systemd is a DISTRO_FEATURE. [ YOCTO #3805 ] Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
So that sysvinit images don't warn on every login only add it to common-session
if systemd is a DISTRO_FEATURE.

[ YOCTO #3805 ]

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libpam: add PACKAGECONFIG data concerning audit 2013-08-26T10:42:12+00:00 Joe Slater jslater@windriver.com 2013-08-23T17:42:38+00:00 4db6aa2094447f8d2a9c234089a80ddcd78fcbd0 We do not want libpam to build using audit just because it happens to be lying around, so we create PACKAGECONFIG[] data to give us explicit control. Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
We do not want libpam to build using audit just
because it happens to be lying around, so we
create PACKAGECONFIG[] data to give us explicit
control.

Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
libpam: deny all services for the OTHER entries 2013-07-31T05:56:27+00:00 Ming Liu ming.liu@windriver.com 2013-07-26T09:51:02+00:00 4ca0af699b5b4b3cf95b3e76482651949fd922ac To be secure, change behavior of the OTHER entries to warn and deny access to everything by stating pam_deny.so on all services. Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
To be secure, change behavior of the OTHER entries to warn and deny
access to everything by stating pam_deny.so on all services.

Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
libpam: add a new 'nullok_secure' option support to pam_unix 2013-07-22T16:44:10+00:00 Ming Liu ming.liu@windriver.com 2013-07-18T02:04:22+00:00 10cdd66fe800cffe3f2cbf5c95550b4f7902a311 Debian patch to add a new 'nullok_secure' option to pam_unix, which accepts users with null passwords only when the applicant is connected from a tty listed in /etc/securetty. The original pam_unix.so was configured with nullok_secure in meta/recipes-extended/pam/libpam/pam.d/common-auth, but no such code exists actually. The patch set comes from: http://patch-tracker.debian.org/patch/series/view/pam/1.1.3-7.1/054_pam_security_abstract_securetty_handling http://patch-tracker.debian.org/patch/series/view/pam/1.1.3-7.1/055_pam_unix_nullok_secure Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
Debian patch to add a new 'nullok_secure' option to pam_unix, which
accepts users with null passwords only when the applicant is connected
from a tty listed in /etc/securetty.

The original pam_unix.so was configured with nullok_secure in
meta/recipes-extended/pam/libpam/pam.d/common-auth, but no such code
exists actually.

The patch set comes from:
http://patch-tracker.debian.org/patch/series/view/pam/1.1.3-7.1/054_pam_security_abstract_securetty_handling
http://patch-tracker.debian.org/patch/series/view/pam/1.1.3-7.1/055_pam_unix_nullok_secure

Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
libpam: inherit pkgconfig 2013-07-09T14:56:13+00:00 Martin Jansa Martin.Jansa@gmail.com 2013-07-05T00:49:54+00:00 d8d230a164b4e98dbb3a9e6d9bb567c2aabee7f9 * missing dependency on pkgconfig-native was causing that PKG_CHECK_MODULES(DBUS, dbus-1) stayed unexpanded in configure script: checking for dbm_store in -lndbm... no libpam/1.1.6-r2/Linux-PAM-1.1.6/configure: line 14217: syntax error near unexpected token `libtirpc,' libpam/1.1.6-r2/Linux-PAM-1.1.6/configure: line 14217: ` PKG_CHECK_MODULES(libtirpc, libtirpc,' Configure failed. The contents of all config.log files follows to aid debugging Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
* missing dependency on pkgconfig-native was causing
  that PKG_CHECK_MODULES(DBUS, dbus-1) stayed unexpanded in
  configure script:
  checking for dbm_store in -lndbm... no
  libpam/1.1.6-r2/Linux-PAM-1.1.6/configure:
  line 14217: syntax error near unexpected token `libtirpc,'
  libpam/1.1.6-r2/Linux-PAM-1.1.6/configure:
  line 14217: `      PKG_CHECK_MODULES(libtirpc, libtirpc,'
  Configure failed. The contents of all config.log files follows to aid
  debugging

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
libpam: check if PAM is enabled when building 2013-06-25T16:30:33+00:00 Ross Burton ross.burton@intel.com 2013-06-20T16:38:24+00:00 fd9bad3e48a605e9fd28c129413300ff6b548788 Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
libpam: fix whitespace in shell function 2013-06-25T16:30:32+00:00 Ross Burton ross.burton@intel.com 2013-06-20T16:38:23+00:00 1b4b25d3cebab90398db208281d54e7442d43bcd Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
libpam: Fix for CVE-2010-4708 2013-06-19T08:08:50+00:00 Wenzong Fan wenzong.fan@windriver.com 2013-06-19T03:21:29+00:00 871ae7a6453b3b66610fd8bbaa770c92be850e19 Change default for user_readenv to 0 and document the new default for user_readenv. This fix from: http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env /pam_env.c?r1=1.22&r2=1.23&view=patch http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env /pam_env.8.xml?r1=1.7&r2=1.8&view=patch Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Change default for user_readenv to 0 and document the
new default for user_readenv.

This fix from:
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
/pam_env.c?r1=1.22&r2=1.23&view=patch
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
/pam_env.8.xml?r1=1.7&r2=1.8&view=patch

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libpam: Avoid wildcards in the SRC_URI 2013-05-29T21:19:01+00:00 Mark Hatle mark.hatle@windriver.com 2013-05-29T15:09:47+00:00 6d3705123dd2f808a9778326aa04a2854f7b5378 Remove the wildcard from the SRC_URI. This causes problems when you .bbappend and add a FILESEXTRAPATHS entry. The unpack task may be unable to find the files to unpack leading to an error. Avoid wildcards at all costs... Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Remove the wildcard from the SRC_URI.  This causes problems when you .bbappend
and add a FILESEXTRAPATHS entry.  The unpack task may be unable to find the
files to unpack leading to an error.

Avoid wildcards at all costs...

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>