From 7ed998436c39ff922f285fd73d87f0336973218f Mon Sep 17 00:00:00 2001 
From: David-John Willis
Date: Wed, 18 Nov 2009 14:01:30 +0000
Subject: [PATCH] libpam-base-files: Start to add default config files for libpam

* This will start to get Linux-PAM into a usable state. Default config files derived from Debian with tweaks. Some are not needed and will be dropped later and some should really be packaged elsewhere.
* Also update libpam_1.0.2 to depend on this package and the meta package with auth systems as it is not a lot of use without them (it works but can't do anything).
* Add 1.1.0 and tweaks to 1.0.2.
* Update all the pam.d base config files to support the suggested upstream layout not patches legacy layouts used but some Linux distros.
* Use the proper include layouts
* Still package some 'suggested' files for common services that do not pack there own pam.d files (TODO: move these to the package recipies not this one).
---
recipes/pam/libpam-1.1.0/pam-nodocs.patch | 35 ++++++++++
recipes/pam/libpam-base-files.bb | 18 +++++
recipes/pam/libpam-base-files/pam.d/atd | 10 +++
.../libpam-base-files/pam.d/common-account | 25 +++++++
.../pam/libpam-base-files/pam.d/common-auth | 18 +++++
.../libpam-base-files/pam.d/common-password | 27 +++++++
.../libpam-base-files/pam.d/common-session | 20 ++++++
.../pam.d/common-session-noninteractive | 19 +++++
recipes/pam/libpam-base-files/pam.d/cron | 11 +++
recipes/pam/libpam-base-files/pam.d/cups | 3 +
recipes/pam/libpam-base-files/pam.d/cvs | 12 ++++
.../pam/libpam-base-files/pam.d/libcupsys2 | 3 +
recipes/pam/libpam-base-files/pam.d/other | 27 +++++++
recipes/pam/libpam-base-files/pam.d/polkit | 6 ++
recipes/pam/libpam-base-files/pam.d/polkit-1 | 6 ++
recipes/pam/libpam-base-files/pam.d/ppp | 8 +++
recipes/pam/libpam-base-files/pam.d/sesman | 6 ++
recipes/pam/libpam-base-files/pam.d/sshd | 33 +++++++++
recipes/pam/libpam_1.0.2.bb | 6 +-
recipes/pam/libpam_1.1.0.bb | 70 +++++++++++++++++++
20 files changed, 361 insertions(+), 2 deletions(-)
create mode 100644 recipes/pam/libpam-1.1.0/pam-nodocs.patch
create mode 100644 recipes/pam/libpam-base-files.bb
create mode 100644 recipes/pam/libpam-base-files/pam.d/atd
create mode 100644 recipes/pam/libpam-base-files/pam.d/common-account
create mode 100644 recipes/pam/libpam-base-files/pam.d/common-auth
create mode 100644 recipes/pam/libpam-base-files/pam.d/common-password
create mode 100644 recipes/pam/libpam-base-files/pam.d/common-session
create mode 100644 recipes/pam/libpam-base-files/pam.d/common-session-noninteractive
create mode 100644 recipes/pam/libpam-base-files/pam.d/cron
create mode 100644 recipes/pam/libpam-base-files/pam.d/cups
create mode 100644 recipes/pam/libpam-base-files/pam.d/cvs
create mode 100644 recipes/pam/libpam-base-files/pam.d/libcupsys2
create mode 100644 recipes/pam/libpam-base-files/pam.d/other
create mode 100644 recipes/pam/libpam-base-files/pam.d/polkit
create mode 100644 recipes/pam/libpam-base-files/pam.d/polkit-1
create mode 100644 recipes/pam/libpam-base-files/pam.d/ppp
create mode 100644 recipes/pam/libpam-base-files/pam.d/sesman
create mode 100644 recipes/pam/libpam-base-files/pam.d/sshd
create mode 100644 recipes/pam/libpam_1.1.0.bb
diff --git a/recipes/pam/libpam-1.1.0/pam-nodocs.patch b/recipes/pam/libpam-1.1.0/pam-nodocs.patch
new file mode 100644
index 0000000000..895f0e182a
--- /dev/null
+++ b/recipes/pam/libpam-1.1.0/pam-nodocs.patch
@@ -0,0 +1,35 @@
+--- /tmp/Makefile.am 2008-09-05 15:16:21.000000000 +0200
++++ Linux-PAM-1.0.2/Makefile.am 2008-09-05 15:16:56.153198000 +0200
+@@ -5,9 +5,9 @@
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
+
+ if STATIC_MODULES
+-SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests
++SUBDIRS = modules libpam libpamc libpam_misc tests po conf examples xtests
+ else
+-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
++SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
+ endif
+
+ CLEANFILES = *~
+@@ -28,19 +28,7 @@
+
+ ACLOCAL_AMFLAGS = -I m4
+
+-release: dist releasedocs
+-
+-release-docs: releasedocs
+-
+-releasedocs:
+- rm -rf Linux-PAM-$(VERSION)
+- mkdir -p Linux-PAM-$(VERSION)/doc
+- make -C doc releasedocs
+- tar zfc Linux-PAM-$(VERSION)-docs.tar.gz \
+- Linux-PAM-$(VERSION)/doc
+- tar jfc Linux-PAM-$(VERSION)-docs.tar.bz2 \
+- Linux-PAM-$(VERSION)/doc
+- rm -rf Linux-PAM-$(VERSION)
++release: dist
+
+ xtests:
+ make -C xtests xtests
diff --git a/recipes/pam/libpam-base-files.bb b/recipes/pam/libpam-base-files.bb
new file mode 100644
index 0000000000..0fa11d8051
--- /dev/null
+++ b/recipes/pam/libpam-base-files.bb
@@ -0,0 +1,18 @@
+DESCRIPTION = "Linux-PAM authentication library for Linux. Base configuration files"
+
+SECTION = "libs"
+PRIORITY = "optional"
+LICENSE = "GPLv2"
+DEPENDS = ""
+RDEPENDS = "libpam"
+
+PR = "r1"
+
+SRC_URI = " \
+ file://pam.d/* \
+"
+
+do_install() {
+ install -d ${D}${sysconfdir}/pam.d/
+ install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
+}
diff --git a/recipes/pam/libpam-base-files/pam.d/atd b/recipes/pam/libpam-base-files/pam.d/atd
new file mode 100644
index 0000000000..17ffb134d3
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/atd
@@ -0,0 +1,10 @@
+#
+# The PAM configuration file for the at daemon
+#
+
+auth required pam_env.so
+auth include common-auth
+account include common-account
+password include common-password
+session required pam_limits.so
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/common-account b/recipes/pam/libpam-base-files/pam.d/common-account
new file mode 100644
index 0000000000..316b17337b
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-account
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/recipes/pam/libpam-base-files/pam.d/common-auth b/recipes/pam/libpam-base-files/pam.d/common-auth
new file mode 100644
index 0000000000..460b69f198
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-auth
@@ -0,0 +1,18 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/recipes/pam/libpam-base-files/pam.d/common-password b/recipes/pam/libpam-base-files/pam.d/common-password
new file mode 100644
index 0000000000..bc98f199b9
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-password
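Review bot: The `pam_unix.so nullok_secure` line in common-auth carries over a Debian-specific option: on Debian's patched pam_unix it lets accounts with an empty password authenticate on terminals listed in /etc/securetty, and as far as I know the upstream Linux-PAM built by these recipes (libpam_1.1.0.bb applies only pam-nodocs.patch) does not implement it and would log it as unrecognised. Either way the shipped default is not what the file's comments describe, and empty-password accounts are often present on embedded images. I would drop the option, `auth [success=1 default=ignore] pam_unix.so`, and add a comment such as `# empty passwords are rejected; add "nullok" only for development images`. The same question applies to `obscure` on the pam_unix line in common-password, which the file's own comment ties to Debian's login.defs handling.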
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+password [success=1 default=ignore] pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+password optional pam_gnome_keyring.so
diff --git a/recipes/pam/libpam-base-files/pam.d/common-session b/recipes/pam/libpam-base-files/pam.d/common-session
new file mode 100644
index 0000000000..2123967d15
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-session
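Review bot: `password optional pam_gnome_keyring.so` at the end of common-password names a module that is not part of Linux-PAM and that nothing in this commit packages or depends on; `session optional pam_ck_connector.so nox11` in common-session is the same case. Because both are `optional`, a missing module should not fail the stack, but libpam will probably log a load error on every password change and session open, which buries the entries that matter in the auth log. I would leave these lines out of the base files and let the packages that ship the modules add them, or prefix the type with `-` (`-password optional pam_gnome_keyring.so`) where the libpam version in use supports silently skipping absent modules.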
@@ -0,0 +1,20 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session optional pam_ck_connector.so nox11
diff --git a/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive b/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive
new file mode 100644
index 0000000000..b110bb2b49
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
diff --git a/recipes/pam/libpam-base-files/pam.d/cron b/recipes/pam/libpam-base-files/pam.d/cron
new file mode 100644
index 0000000000..743c0ed31f
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cron
@@ -0,0 +1,11 @@
+#
+# The PAM configuration file for the cron daemon
+#
+
+auth include common-auth
+session required pam_env.so
+account include common-account
+session include common-session-noninteractive
+# Sets up user limits, please define limits for cron tasks
+# through /etc/security/limits.conf
+session required pam_limits.so
diff --git a/recipes/pam/libpam-base-files/pam.d/cups b/recipes/pam/libpam-base-files/pam.d/cups
new file mode 100644
index 0000000000..8e7f973a2c
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cups
@@ -0,0 +1,3 @@
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/cvs b/recipes/pam/libpam-base-files/pam.d/cvs
new file mode 100644
index 0000000000..9627c4f7bf
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cvs
@@ -0,0 +1,12 @@
+#
+# /etc/pam.d/cvs - specify the PAM behaviour of CVS
+#
+
+# We fall back to the system default in /etc/pam.d/common-*
+
+auth include common-auth
+account include common-account
+
+# We don't use password or session modules at all
+# password include common-password
+# session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/libcupsys2 b/recipes/pam/libpam-base-files/pam.d/libcupsys2
new file mode 100644
index 0000000000..8e7f973a2c
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/libcupsys2
@@ -0,0 +1,3 @@
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/other b/recipes/pam/libpam-base-files/pam.d/other
new file mode 100644
index 0000000000..6e40cd0c02
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/other
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.
+
+#If you really want nothing to happen then use pam_permit.so or
+#pam_deny.so as appropriate.
+
+# We use pam_warn.so to generate syslog notes that the 'other'
+#fallback rules are being used (as a hint to suggest you should setup
+#specific PAM rules for the service and aid to debugging). We then
+#fall back to the system default in /etc/pam.d/common-*
+
+auth required pam_warn.so
+auth include common-auth
+
+account required pam_warn.so
+account include common-account
+
+password required pam_warn.so
+password include common-password
+
+session required pam_warn.so
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/polkit b/recipes/pam/libpam-base-files/pam.d/polkit
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/polkit
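Review bot: The new pam.d/other lets any service without its own file authenticate through the common-* stacks, because each `pam_warn.so` line is followed by an `include` of common-auth, common-account, common-password or common-session. A fallback that fails closed is the safer default for a distribution base package: keep the `pam_warn.so` lines for the syslog hint and follow each with a deny, e.g. `auth required pam_deny.so`, so that a service which needs PAM has to ship an explicit policy. That matches the TODO in the commit message about moving per-service files into their own recipes. The header comment would need the matching update, and its `#if` / `#pam_open_session` / `#used.` lines are missing the space after `#`.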
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/polkit-1 b/recipes/pam/libpam-base-files/pam.d/polkit-1
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/polkit-1
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/ppp b/recipes/pam/libpam-base-files/pam.d/ppp
new file mode 100644
index 0000000000..aed08fd1b2
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/ppp
@@ -0,0 +1,8 @@
+#%PAM-1.0
+# Information for the PPPD process with the 'login' option.
+
+auth required pam_nologin.so
+auth include common-auth
+account include common-account
+session include common-session
+
diff --git a/recipes/pam/libpam-base-files/pam.d/sesman b/recipes/pam/libpam-base-files/pam.d/sesman
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/sesman
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/sshd b/recipes/pam/libpam-base-files/pam.d/sshd
new file mode 100644
index 0000000000..c0028ff3cb
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/sshd
@@ -0,0 +1,33 @@
+# PAM configuration for the Secure Shell service
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth required pam_env.so # [1]
+
+# Standard Un*x authentication.
+auth include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+account include common-accountt
+
+# Standard Un*x session setup and teardown.
+session include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so # [1]
+
+# Print the status of the user's mailbox upon successful login.
+session optional pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Standard Un*x password updating.
+password include common-password
diff --git a/recipes/pam/libpam_1.0.2.bb b/recipes/pam/libpam_1.0.2.bb
index b288458e98..1ab7fa95f9 100644
--- a/recipes/pam/libpam_1.0.2.bb
+++ b/recipes/pam/libpam_1.0.2.bb
@@ -12,7 +12,10 @@ LICENSE = "GPLv2" DEPENDS = "flex flex-native" -PR = "r4" +# PAM is not a lot of use without configuration files and the plugins +RRECOMMENDS_${PN} = "libpam-meta libpam-base-files" + +PR = "r5" # The project is actually called Linux-PAM but that gives # a bad OE package name because of the upper case characters
@@ -66,7 +69,6 @@ python populate_packages_prepend () { bb.data.setVar('PACKAGES', ' '.join(packages), d) } - do_stage() { autotools_stage_all }
diff --git a/recipes/pam/libpam_1.1.0.bb b/recipes/pam/libpam_1.1.0.bb
new file mode 100644
index 0000000000..32dc9e15cb
--- /dev/null
+++ b/recipes/pam/libpam_1.1.0.bb
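Review bot: `account include common-accountt` in pam.d/sshd has a doubled `t`, so the include points at a file this commit does not install. libpam cannot resolve it, which most likely makes the sshd service configuration fail to load, so PAM-backed SSH logins would break instead of running the intended account checks (expiry from common-account). The line should read `account include common-account`.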
@@ -0,0 +1,70 @@
+DESCRIPTION = "\
+PAM authentication library for Linux. \
+Linux-PAM (Pluggable Authentication Modules for Linux) is a \
+library that enables the local system administrator to choose \
+how individual applications authenticate users. For an \
+overview of the Linux-PAM library see the Linux-PAM System \
+Administrators' Guide."
+HOMEPAGE = "http://kernel.org/pub/linux/libs/pam"
+SECTION = "libs"
+PRIORITY = "optional"
+LICENSE = "GPLv2"
+
+DEFAULT_PREFERENCE_libc-uclibc = "-1"
+
+DEPENDS = "flex flex-native"
+
+# PAM is not a lot of use without configuration files and the plugins
+RRECOMMENDS_${PN} = "libpam-meta libpam-base-files"
+
+PR = "r0"
+
+# The project is actually called Linux-PAM but that gives
+# a bad OE package name because of the upper case characters
+pn = "Linux-PAM"
+p = "${pn}-${PV}"
+S = "${WORKDIR}/${p}"
+
+SRC_URI = "${KERNELORG_MIRROR}/pub/linux/libs/pam/library/${p}.tar.bz2 \
+ file://pam-nodocs.patch;patch=1 "
+
+inherit autotools
+
+LEAD_SONAME = "libpam.so.*"
+
+# maintain the pam default layout
+EXTRA_OECONF += " --includedir=${includedir}/security"
+
+PACKAGES_DYNAMIC += " libpam-meta pam-plugin-*"
+
+python populate_packages_prepend () {
+ import os.path
+
+ pam_libdir = bb.data.expand('${libdir}/security', d)
+ pam_libdirdebug = bb.data.expand('${libdir}/security/.debug', d)
+ pam_filterdir = bb.data.expand('${libdir}/security/pam_filter', d)
+ do_split_packages(d, pam_libdir, '^pam(.*)\.so$', 'pam-plugin%s', 'PAM plugin for %s', extra_depends='')
+ do_split_packages(d, pam_libdir, '^pam(.*)\.la$', 'pam-plugin%s-dev', 'PAM plugin for %s dev', extra_depends='')
+ if os.path.exists(pam_libdirdebug):
+ do_split_packages(d, pam_libdirdebug, '^pam(.*)\.so$', 'pam-plugin%s-dbg', 'PAM plugin for %s debugging symbols', extra_depends='')
+ do_split_packages(d, pam_filterdir, '^(.*)$', 'pam-filter-%s', 'PAM filter for %s', extra_depends='')
+
+ pn = bb.data.getVar('PN', d, 1)
+ metapkg = pn + '-meta'
+ bb.data.setVar('ALLOW_EMPTY_' + metapkg, "1", d)
+ bb.data.setVar('FILES_' + metapkg, "", d)
+ blacklist = [ pn + '-locale', pn + '-dev', pn + '-dbg', pn + '-doc' ]
+ metapkg_rdepends = []
+ packages = bb.data.getVar('PACKAGES', d, 1).split()
+ for pkg in packages[1:]:
+ if not pkg in blacklist and not pkg in metapkg_rdepends and not pkg.endswith('-dev') and not pkg.count('locale') and pkg.count('plugin'):
+ metapkg_rdepends.append(pkg)
+ bb.data.setVar('RDEPENDS_' + metapkg, ' '.join(metapkg_rdepends), d)
+ bb.data.setVar('DESCRIPTION_' + metapkg, pn + ' meta package', d)
+ packages.append(metapkg)
+ bb.data.setVar('PACKAGES', ' '.join(packages), d)
+}
+
+do_stage() {
+ autotools_stage_all
+}
--
2.39.2
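Review bot: `SRC_URI` in libpam_1.1.0.bb fetches `${p}.tar.bz2` from `${KERNELORG_MIRROR}`, and none of the 20 files in this commit records a checksum for the new tarball, so as far as the diff shows the build would accept whatever the mirror serves for the library that gates every login. Unless the tree already pins it somewhere not shown here, add the digest alongside the recipe, either in the tree's checksum list or as `SRC_URI[sha256sum] = "<sha256 of Linux-PAM-1.1.0.tar.bz2>"` where that syntax is supported. A one-line comment above `SRC_URI` stating where the digest was taken from would help the next version bump.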