diff options
author | Ming Liu <ming.liu@windriver.com> | 2013-07-26 17:51:02 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2013-07-31 06:56:27 +0100 |
commit | 4ca0af699b5b4b3cf95b3e76482651949fd922ac (patch) | |
tree | 8bec292a5abfb5f77b084a6c8711a83e3883c7a6 /meta/recipes-extended | |
parent | 776c753bc5745b098d6a80e61c7332d956ae7f4f (diff) | |
download | openembedded-core-4ca0af699b5b4b3cf95b3e76482651949fd922ac.tar.gz openembedded-core-4ca0af699b5b4b3cf95b3e76482651949fd922ac.tar.bz2 openembedded-core-4ca0af699b5b4b3cf95b3e76482651949fd922ac.zip |
libpam: deny all services for the OTHER entries
To be secure, change behavior of the OTHER entries to warn and deny
access to everything by stating pam_deny.so on all services.
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r-- | meta/recipes-extended/pam/libpam/pam.d/other | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/meta/recipes-extended/pam/libpam/pam.d/other b/meta/recipes-extended/pam/libpam/pam.d/other index 6e40cd0c02..ec970ecbe0 100644 --- a/meta/recipes-extended/pam/libpam/pam.d/other +++ b/meta/recipes-extended/pam/libpam/pam.d/other @@ -6,22 +6,19 @@ #pam_open_session, the session module out of /etc/pam.d/other is #used. -#If you really want nothing to happen then use pam_permit.so or -#pam_deny.so as appropriate. - # We use pam_warn.so to generate syslog notes that the 'other' #fallback rules are being used (as a hint to suggest you should setup -#specific PAM rules for the service and aid to debugging). We then -#fall back to the system default in /etc/pam.d/common-* +#specific PAM rules for the service and aid to debugging). Then to be +#secure, deny access to all services by default. auth required pam_warn.so -auth include common-auth +auth required pam_deny.so account required pam_warn.so -account include common-account +account required pam_deny.so password required pam_warn.so -password include common-password +password required pam_deny.so session required pam_warn.so -session include common-session +session required pam_deny.so |