From: Andreas Schmidt <mail@schmidt-andreas.de>
To: ptxdist@pengutronix.de
Subject: [ptxdist] [PATCH] linux-pam: add new package
Date: Sat, 10 Feb 2018 15:09:15 +0100
Message-ID: <20180210140915.7809-1-mail@schmidt-andreas.de>
Signed-off-by: Andreas Schmidt <mail@schmidt-andreas.de>
---
Hi,
this patch should add Linux-PAM libraries, modules, a minimal
configuration and Linux-PAM applications to ptxdist.
I searched for similar patches in the mailing list archive and found two.
Sadly, both patches were never done. The patches / posts are:
1) [ptxdist] [PATCHv7] linux-pam: this patch add Linux-PAM support to
ptxdist. Posted by Oliver Graute on Thu, Oct 22, 2015 at 04:04:15PM
+0200
2) [ptxdist] [PATCH 2/3] Adding the Linux-PAM package. Posted by Joseph
A. Lutz on Nov 30, 2010 at 05:06:33PM -0600
If Oliver Graute and/or Joseph A. Lutz want to be added as Signed-off-by,
let me know.
For this patch I tried to fix/implement all relevant comments in
the corresponding mail threads for the patches mentioned above. I improved
obsolete things and added minimal configuration files. But for one part
I need some help.
In the Kconfig file the help description is missing for two modules:
1) For LINUX_PAM_SEPERMIT
2) For LINUX_PAM_STRESS
I searched for documentation on the Linux-PAM homepage, but I found
nothing. Can someone help and write the help description or send a link
where I can find some information?
I added a copyright by me to the make file header, like it is in other make
files. Is that right? I'm not firm with such stuff :(
I'm looking forward to constructive comments!
Regards,
Andreas
---
projectroot/etc/pam.conf | 15 +
projectroot/etc/pam.d/common-account | 9 +
projectroot/etc/pam.d/common-auth | 10 +
projectroot/etc/pam.d/common-password | 12 +
projectroot/etc/pam.d/common-session | 10 +
projectroot/etc/pam.d/other | 8 +
projectroot/etc/securetty | 12 +
projectroot/etc/shells | 1 +
rules/linux-pam.in | 533 ++++++++++++++++++++++++++++++++++
rules/linux-pam.make | 182 ++++++++++++
10 files changed, 792 insertions(+)
create mode 100644 projectroot/etc/pam.conf
create mode 100644 projectroot/etc/pam.d/common-account
create mode 100644 projectroot/etc/pam.d/common-auth
create mode 100644 projectroot/etc/pam.d/common-password
create mode 100644 projectroot/etc/pam.d/common-session
create mode 100644 projectroot/etc/pam.d/other
create mode 100644 projectroot/etc/securetty
create mode 100644 projectroot/etc/shells
create mode 100644 rules/linux-pam.in
create mode 100644 rules/linux-pam.make
diff --git a/projectroot/etc/pam.conf b/projectroot/etc/pam.conf
new file mode 100644
index 000000000..0f1a6111b
--- /dev/null
+++ b/projectroot/etc/pam.conf
@@ -0,0 +1,15 @@
+#
+# other - The default security level
+#
+
+other account required pam_warn.so
+other account required pam_permit.so
+
+other auth required pam_warn.so
+other auth required pam_permit.so
+
+other password required pam_warn.so
+other password required pam_permit.so
+
+other session required pam_warn.so
+other session required pam_permit.so
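Review bot: The `other` fallback ends every stack (auth, account, password, session) in `required pam_permit.so`, so any service that ships no PAM configuration of its own is granted access without a credential check; pam_warn.so only logs. A fallback should fail closed: put `pam_deny.so` after `pam_warn.so` here, which is also what the LINUX_PAM_DENY help text in rules/linux-pam.in suggests for the OTHER entries, and make LINUX_PAM_DENY `default y` so the module is actually present on the target.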
diff --git a/projectroot/etc/pam.d/common-account b/projectroot/etc/pam.d/common-account
new file mode 100644
index 000000000..667ca1ded
--- /dev/null
+++ b/projectroot/etc/pam.d/common-account
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.
+
+account required pam_warn.so
+account required pam_permit.so
diff --git a/projectroot/etc/pam.d/common-auth b/projectroot/etc/pam.d/common-auth
new file mode 100644
index 000000000..afa99728c
--- /dev/null
+++ b/projectroot/etc/pam.d/common-auth
@@ -0,0 +1,10 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).
+
+auth required pam_warn.so
+auth required pam_permit.so
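Review bot: `auth required pam_permit.so` in the file that every service is meant to include makes authentication succeed for any user name and any password, while the header comment describes a central scheme such as /etc/shadow that this stack never consults. Since LINUX_PAM_UNIX is already `default y`, the shipped default could be `auth required pam_unix.so`; the same applies to the `account` line in common-account, where pam_permit skips the account validity checks.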
diff --git a/projectroot/etc/pam.d/common-password b/projectroot/etc/pam.d/common-password
new file mode 100644
index 000000000..08b160038
--- /dev/null
+++ b/projectroot/etc/pam.d/common-password
@@ -0,0 +1,12 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.
+
+# Currently no password changes are allowed durring the authentication process
+# because we do not know how it will react with the ldap server if at all
+
+password required pam_warn.so
+password required pam_permit.so
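Review bot: The comment above the stack says password changes are not allowed and refers to an LDAP server, but the stack itself is `password required pam_permit.so`, which reports success for a change that was never written anywhere, and nothing in this package configures LDAP. Either drop the comment (it also has the typo "durring") and use `pam_unix.so`, or, if password changes really should be refused, use `pam_deny.so` so the caller sees the failure.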
diff --git a/projectroot/etc/pam.d/common-session b/projectroot/etc/pam.d/common-session
new file mode 100644
index 000000000..0067dda62
--- /dev/null
+++ b/projectroot/etc/pam.d/common-session
@@ -0,0 +1,10 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+
+session required pam_warn.so
+session required pam_permit.so
diff --git a/projectroot/etc/pam.d/other b/projectroot/etc/pam.d/other
new file mode 100644
index 000000000..b111f7422
--- /dev/null
+++ b/projectroot/etc/pam.d/other
@@ -0,0 +1,8 @@
+#
+# other - The default security level
+#
+
+account include common-account # Include the standard account controls
+auth include common-auth # Include the standard auth controls
+password include common-password # Include the standard passwd controls
+session include common-session # Include the standard session controls
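Review bot: The `other` fallback is now defined twice, once directly in /etc/pam.conf and once here through the common-* includes, and rules/linux-pam.make both passes --enable-read-both-confs and installs both files, so a later change to one copy leaves the other in effect. Keep a single definition (the pam.d form matches the rest of the layout) and drop the duplicate.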
diff --git a/projectroot/etc/securetty b/projectroot/etc/securetty
new file mode 100644
index 000000000..2040401c0
--- /dev/null
+++ b/projectroot/etc/securetty
@@ -0,0 +1,12 @@
+tty0
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+ttyS0
+ttyS1
+ttyO0
+ttyO1
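Review bot: The serial entries cover only ttyS0/ttyS1 and ttyO0/ttyO1, so on a board whose console uses a different device name, root login on the serial console is refused as soon as pam_securetty is put in a stack. Since this file goes into the generic projectroot, the LINUX_PAM_SECURETTY help text should say that it is a template and that a BSP has to provide its own /etc/securetty listing its console device.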
diff --git a/projectroot/etc/shells b/projectroot/etc/shells
new file mode 100644
index 000000000..c2cdaa0f2
--- /dev/null
+++ b/projectroot/etc/shells
@@ -0,0 +1 @@
+/bin/sh
diff --git a/rules/linux-pam.in b/rules/linux-pam.in
new file mode 100644
index 000000000..4aa7dcf7d
--- /dev/null
+++ b/rules/linux-pam.in
@@ -0,0 +1,533 @@
+## SECTION=shell_and_console
+
+menuconfig LINUX_PAM
+ tristate
+ prompt "linux-pam"
+ select FLEX
+ select DB if LINUX_PAM_USERDB
+ select LIBSELINUX if LINUX_PAM_SELINUX
+ help
+ Linux-PAM is a free implementation of the following DCE-RFC from
+ Sunsoft. PAM provides a way to develop programs that are
+ independent of authentication scheme. These programs need
+ "authentication modules" to be attatched to them at run-time
+ in order to work. Which authentication module is to be attatched
+ is dependent upon the local system setup and is at the discretion.
+
+if LINUX_PAM
+
+menu "PAM modules"
+
+config LINUX_PAM_ACCESS
+ bool
+ prompt "PAM access module"
+ help
+ The pam_access PAM module is mainly for access
+ management. It provides logdaemon style login access
+ control based on login names, host or domain names,
+ internet addresses or network numbers, or on terminal
+ line names in case of non-networked logins.
+
+config LINUX_PAM_DEBUG
+ bool
+ prompt "PAM debug module"
+ help
+ The pam_debug PAM module is intended as a debugging
+ aide for determining how the PAM stack is operating.
+
+config LINUX_PAM_DENY
+ bool
+ prompt "PAM deny module"
+ help
+ This module can be used to deny access. It always
+ indicates a failure to the application through the PAM
+ framework. It might be suitable for using for default
+ (the OTHER) entries.
+
+config LINUX_PAM_ECHO
+ bool
+ prompt "PAM echo module"
+ help
+ The pam_echo PAM module is for printing text messages
+ to inform user about special things.
+
+config LINUX_PAM_ENV
+ bool
+ prompt "PAM env module"
+ help
+ The pam_env PAM module allows the (un)setting of
+ environment variables. Supported is the use of
+ previously set environment variables as well as
+ PAM_ITEMs such as PAM_RHOSTS.
+
+config LINUX_PAM_EXEC
+ bool
+ prompt "PAM exec module"
+ help
+ pam_exec is a PAM module that can be used to run an
+ external command.
+
+config LINUX_PAM_FAILDELAY
+ bool
+ prompt "PAM faildelay module"
+ help
+ pam_faildelay is a PAM module that can be used to set
+ the delay on failure per-application.
+ If no delay is given, pam_faildelay will use the value
+ of FAIL_DELAY from /etc/login.defs.
+
+config LINUX_PAM_FILTER
+ bool
+ prompt "PAM filter module"
+ help
+ This module is intended to be a platform for providing
+ access to all of the input/output that passes between
+ the user and the application. It is only suitable for
+ tty-based and (stdin/stdout) applications.
+ To function this module requires filters to be
+ installed on the system. The single filter provided
+ with the module simply transposes upper and lower case
+ letters in the input and output streams. (This can be
+ very annoying and is not kind to termcap based editors).
+
+config LINUX_PAM_FILTER_UPPERLOWER
+ bool
+ prompt "upperLOWER program"
+ depends on LINUX_PAM_FILTER
+ default n
+ help
+ This is a sample filter program, for use with
+ pam_filter. This filter simply transposes upper
+ and lower case letters, it is intended for
+ demonstration purposes and it serves no purpose
+ other than to annoy the user...
+
+config LINUX_PAM_FTP
+ bool
+ prompt "PAM ftp module"
+ help
+ pam_ftp is a PAM module which provides a pluggable
+ anonymous ftp mode of access.
+ This module is not safe and easily spoofable.
+
+config LINUX_PAM_GROUP
+ bool
+ prompt "PAM group module"
+ help
+ The pam_group PAM module does not authenticate the
+ user, but instead it grants group memberships (in the
+ credential setting phase of the authentication module)
+ to the user. Such memberships are based on the service
+ they are applying for.
+
+config LINUX_PAM_ISSUE
+ bool
+ prompt "PAM issue module"
+ help
+ pam_issue is a PAM module to prepend an issue file to
+ the username prompt. It also by default parses escape
+ codes in the issue file similar to some common getty's
+ (using \x format).
+
+config LINUX_PAM_KEYINIT
+ bool
+ prompt "PAM keyinit module"
+ help
+ The pam_keyinit PAM module ensures that the invoking
+ process has a session keyring other than the user
+ default session keyring.
+
+config LINUX_PAM_LASTLOG
+ bool
+ prompt "PAM lastlog module"
+ help
+ pam_lastlog is a PAM module to display a line of
+ information about the last login of the user. In
+ addition, the module maintains the /var/log/lastlog
+ file.
+
+config LINUX_PAM_LIMITS
+ bool
+ prompt "PAM limits module"
+ help
+ The pam_limits PAM module sets limits on the system
+ resources that can be obtained in a user-session.
+ Users of uid=0 are affected by this limits, too.
+ The module must not be called by a multithreaded
+ application.
+
+config LINUX_PAM_LISTFILE
+ bool
+ prompt "PAM listfile module"
+ help
+ pam_listfile is a PAM module which provides a way to
+ deny or allow services based on an arbitrary file.
+ No credentials are awarded by this module.
+
+config LINUX_PAM_LOCALUSER
+ bool
+ prompt "PAM localuser module"
+ help
+ pam_localuser is a PAM module to help implementing
+ site-wide login policies, where they typically include
+ a subset of the network's users and a few accounts
+ that are local to a particular workstation. Using
+ pam_localuser and pam_wheel or pam_listfile is an
+ effective way to restrict access to either local users
+ and/or a subset of the network's users.
+ This could also be implemented using pam_listfile.so
+ and a very short awk script invoked by cron, but it's
+ common enough to have been separated out.
+
+config LINUX_PAM_LOGINUID
+ bool
+ prompt "PAM loginuid module"
+ help
+ The pam_loginuid module sets the loginuid process
+ attribute for the process that was authenticated. This
+ is necessary for applications to be correctly audited.
+ This PAM module should only be used for entry point
+ applications like: login, sshd, gdm, vsftpd, crond and
+ atd. There are probably other entry point applications
+ besides these. You should not use it for applications
+ like sudo or su as that defeats the purpose by
+ changing the loginuid to the account they just
+ switched to.
+
+config LINUX_PAM_MAIL
+ bool
+ prompt "PAM mail module"
+ help
+ The pam_mail PAM module provides the "you have new
+ mail" service to the user. It can be plugged into any
+ application that has credential or session hooks. It
+ gives a single message indicating the newness of any
+ mail it finds in the user's mail folder. This module
+ also sets the PAM environment variable, MAIL, to the
+ user's mail directory.
+
+config LINUX_PAM_MKHOMEDIR
+ bool
+ prompt "PAM mkhomedir module"
+ help
+ The pam_mkhomedir PAM module will create a users home
+ directory if it does not exist when the session begins.
+ This allows users to be present in central database
+ (such as NIS, kerberos or LDAP) without using a
+ distributed file system or pre-creating a large number
+ of directories. The skeleton directory (usually
+ /etc/skel/) is used to copy default files and also
+ set's a umask for the creation.
+ The new users home directory will not be removed after
+ logout of the user.
+
+config LINUX_PAM_MKHOMEDIR_MKHOMEDIR_HELPER
+ bool
+ prompt "mkhomedir_helper program"
+ depends on LINUX_PAM_MKHOMEDIR
+ help
+ mkhomedir_helper - Helper binary that creates home
+ directories. mkhomedir_helper is a helper program
+ for the pam_mkhomedir module that creates home
+ directories and populates them with contents of the
+ specified skel directory.
+
+config LINUX_PAM_MOTD
+ bool
+ prompt "PAM motd module"
+ help
+ pam_motd is a PAM module that can be used to display
+ arbitrary motd (message of the day) files after a
+ succesful login. By default the /etc/motd file is
+ shown. The message size is limited to 64KB.
+
+config LINUX_PAM_NAMESPACE
+ bool
+ prompt "PAM namespace module"
+ help
+ This module allows setup of private namespaces with
+ polyinstantiated directories. Directories can be
+ polyinstantiated based on user name or, in the case of
+ SELinux, user name, sensitivity level or complete
+ security context.
+
+config LINUX_PAM_NOLOGIN
+ bool
+ prompt "PAM netlogin module"
+ help
+ pam_nologin is a PAM module that prevents users from
+ logging into the system when /etc/nologin exists. The
+ contents of the /etc/nologin file are displayed to the
+ user. The pam_nologin module has no effect on the root
+ user's ability to log in.
+
+config LINUX_PAM_PERMIT
+ bool
+ prompt "PAM permit module"
+ default y
+ help
+ pam_permit is a PAM module that always permit access.
+ It does nothing else.
+ This module is very dangerous. It should be used with
+ extreme caution.
+
+config LINUX_PAM_PWHISTORY
+ bool
+ prompt "PAM pwhistory module"
+ help
+ This module saves the last passwords for each user in
+ order to force password change history and keep the
+ user from alternating between the same password too
+ frequently.
+
+config LINUX_PAM_RHOSTS
+ bool
+ prompt "PAM rhost module"
+ help
+ This module performs the standard network
+ authentication for services, as used by traditional
+ implementations of rlogin and rsh etc.
+
+config LINUX_PAM_ROOTOK
+ bool
+ prompt "PAM rootok module"
+ default y
+ help
+ pam_rootok is a PAM module that authenticates the user
+ if their UID is 0. Applications that are created
+ setuid-root generally retain the UID of the user but
+ run with the authority of an enhanced effective-UID.
+ It is the real UID that is checked.
+
+config LINUX_PAM_SECURETTY
+ bool
+ prompt "PAM securetty module"
+ help
+ pam_securetty is a PAM module that allows root logins
+ only if the user is logging in on a "secure" tty, as
+ defined by the listing in /etc/securetty.
+ pam_securetty also checks to make sure that
+ /etc/securetty is a plain file and not world writable.
+
+config LINUX_PAM_SELINUX
+ bool
+ prompt "PAM selinux module"
+ depends on GLOBAL_SELINUX
+ help
+ pam_selinux sets up the default security context for the next
+ shell.
+
+config LINUX_PAM_SEPERMIT
+ bool
+ prompt "PAM sepermit module"
+ depends on LINUX_PAM_SELINUX
+
+config LINUX_PAM_SHELLS
+ bool
+ prompt "PAM shells module"
+ help
+ pam_shells is a PAM module that only allows access to
+ the system if the users shell is listed in /etc/shells.
+
+config LINUX_PAM_STRESS
+ bool
+ prompt "PAM stress module"
+
+config LINUX_PAM_SUCCEED_IF
+ bool
+ prompt "PAM succeed_if module"
+ help
+ pam_succeed_if.so is designed to succeed or fail
+ authentication based on characteristics of the account
+ belonging to the user being authenticated. One use is
+ to select whether to load other modules based on this
+ test.
+
+config LINUX_PAM_TALLY
+ bool
+ prompt "PAM tally module"
+ help
+ This module maintains a count of attempted accesses,
+ can reset count on success, can deny access if too
+ many attempts fail.
+
+config LINUX_PAM_TALLY_PAM_TALLY
+ bool
+ prompt "pam_tally program"
+ depends on LINUX_PAM_TALLY
+ help
+ pam_tally - The login counter (tallying) module.
+ pam_tally is an (optional) application which can be
+ used to interrogate and manipulate the counter file.
+ It can display users?? counts, set individual counts,
+ or clear all counts. Setting artificially high
+ counts may be useful for blocking users without
+ changing their passwords. The faillog command can be
+ used instead of pam_tally to to maintain the counter
+ file.
+
+config LINUX_PAM_TALLY2
+ bool
+ prompt "PAM tally2 module"
+ help
+ This module maintains a count of attempted accesses,
+ can reset count on success, can deny access if too
+ many attempts fail.
+
+config LINUX_PAM_TALLY2_PAM_TALLY2
+ bool
+ prompt "pam_tally2 program"
+ depends on LINUX_PAM_TALLY2
+ help
+ pam_tally2 - The login counter (tallying) module.
+ pam_tally2 is an (optional) application which can
+ be used to interrogate and manipulate the counter
+ file. It can display users?? counts, set individual
+ counts, or clear all counts. Setting artificially
+ high counts may be useful for blocking users without
+ changing their passwords.
+
+config LINUX_PAM_TIME
+ bool
+ prompt "PAM time module"
+ help
+ The pam_time PAM module does not authenticate the user,
+ but instead it restricts access to a system and or
+ specific applications at various times of the day and
+ on specific days or over various terminal lines. This
+ module can be configured to deny access to (individual)
+ users based on their name, the time of day, the day of
+ week, the service they are applying for and their
+ terminal from which they are making their request.
+
+config LINUX_PAM_TIMESTAMP
+ bool
+ prompt "PAM timestamp module"
+ help
+ pam_timestamp caches successful authentication attempts,
+ and allows you to use a recent successful attempt as the
+ basis for authentication. This is similar mechanism
+ which is used in sudo.
+
+config LINUX_PAM_TIMESTAMP_TIMESTAMP_CHECK
+ bool
+ prompt "pam_timestamp_check program"
+ depends on LINUX_PAM_TIMESTAMP
+ help
+ pam_timestamp_check - Check to see if the default
+ timestamp is valid.
+
+config LINUX_PAM_UMASK
+ bool
+ prompt "PAM umask module"
+ help
+ pam_umask is a PAM module to set the file mode
+ creation mask of the current environment. The umask
+ affects the default permissions assigned to newly
+ created files.
+
+config LINUX_PAM_UNIX
+ bool
+ prompt "PAM unix module"
+ default y
+ help
+ This is the standard Unix authentication module.
+ It uses standard calls from the system's libraries
+ to retrieve and set account information as well as
+ authentication. Usually this is obtained from the
+ /etc/passwd and the /etc/shadow file as well if
+ shadow is enabled.
+
+config LINUX_PAM_UNIX_UNIX_UPDATE
+ bool
+ prompt "unix_update program"
+ depends on LINUX_PAM_UNIX
+ help
+ unix_update - Helper binary that updates the password
+ of a given user. The purpose of the helper is to enable
+ tighter confinement of login and password changing
+ services. The helper is thus called only when SELinux
+ is enabled and in the enforcing mode on the system.
+
+config LINUX_PAM_UNIX_UNIX_CHKPWD
+ bool
+ prompt "unix_chkpwd program"
+ depends on LINUX_PAM_UNIX
+ help
+ unix_chkpwd - Helper binary that verifies the password
+ of the current user.
+
+config LINUX_PAM_USERDB
+ bool
+ prompt "PAM userdb module"
+ help
+ The pam_userdb module is used to verify a
+ username/password pair against values stored in a
+ Berkeley DB database. The database is indexed by
+ the username, and the data fields corresponding to
+ the username keys are the passwords.
+
+config LINUX_PAM_WARN
+ bool
+ prompt "PAM warn module"
+ default y
+ help
+ pam_warn is a PAM module that logs the service,
+ terminal, user, remote user and remote host to
+ syslog(3). The items are not probed for, but instead
+ obtained from the standard PAM items. The module
+ always returns PAM_IGNORE, indicating that it does not
+ want to affect the authentication process.
+
+config LINUX_PAM_WHEEL
+ bool
+ prompt "PAM wheel module"
+ default y
+ help
+ The pam_wheel PAM module is used to enforce the
+ so-called wheel group. By default it permits root
+ access to the system if the applicant user is a member
+ of the wheel group. If no group with this name exist,
+ the module is using the group with the group-ID 0.
+
+config LINUX_PAM_XAUTH
+ bool
+ prompt "PAM xauth module"
+ default y
+ help
+ The pam_xauth PAM module is designed to forward xauth
+ keys (sometimes referred to as "cookies") between users.
+
+endmenu
+
+config LINUX_PAM_LOCKING
+ bool
+ default n
+ prompt "Locking"
+ help
+ Configure libpam to observe a global authentication lock.
+
+config LINUX_PAM_MAILSPOOL
+ string
+ prompt "Mail spool path"
+ help
+ Alternative path to mail spool directory or
+ leave empty for default path (/var/spool/mail).
+
+config LINUX_PAM_RANDOMDEV
+ bool
+ default y
+ prompt "Random decive"
+ help
+ Say yes for using random device.
+
+config LINUX_PAM_RANDOMDEV_PATH
+ string
+ prompt "Random device path"
+ depends on LINUX_PAM_RANDOMDEV
+ help
+ Specify random device or leave empty for
+ default device path (/dev/urandom).
+
+endif
+
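Review bot: The defaults pull in the permissive module and leave out the restrictive one: LINUX_PAM_PERMIT is `default y` although its own help text calls the module very dangerous, while LINUX_PAM_DENY has no default, so a default build cannot express a deny-by-default fallback. Suggest `default y` for LINUX_PAM_DENY and no default for LINUX_PAM_PERMIT once the shipped configuration no longer needs it. Smaller points: the prompt for LINUX_PAM_NOLOGIN reads "PAM netlogin module", the prompt for LINUX_PAM_RANDOMDEV reads "Random decive", the pam_tally and pam_tally2 program help contains "users??" where an apostrophe was lost, and LINUX_PAM_SEPERMIT and LINUX_PAM_STRESS still have no help text.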
diff --git a/rules/linux-pam.make b/rules/linux-pam.make
new file mode 100644
index 000000000..a651c8a6f
--- /dev/null
+++ b/rules/linux-pam.make
@@ -0,0 +1,182 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2018 by Andreas Schmidt <mail@schmidt-andreas.de>
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LINUX_PAM) += linux-pam
+
+#
+# Paths and names
+#
+LINUX_PAM_VERSION := 1.3.0
+LINUX_PAM_MD5 := da4b2289b7cfb19583d54e9eaaef1c3a
+LINUX_PAM := Linux-PAM-$(LINUX_PAM_VERSION)
+LINUX_PAM_SUFFIX := tar.bz2
+LINUX_PAM_URL := http://www.linux-pam.org/library/$(LINUX_PAM).$(LINUX_PAM_SUFFIX)
+LINUX_PAM_SOURCE := $(SRCDIR)/$(LINUX_PAM).$(LINUX_PAM_SUFFIX)
+LINUX_PAM_DIR := $(BUILDDIR)/$(LINUX_PAM)
+LINUX_PAM_LICENSE := GPL, BSD
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+LINUX_PAM_MOD- =
+LINUX_PAM_ETC- =
+LINUX_PAM_SBIN- =
+LINUX_PAM_FILTER- =
+
+
+# PAM modules without "pam_" prefix
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ACCESS) += access
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_DEBUG) += debug
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_DENY) += deny
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ECHO) += echo
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ENV) += env
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_EXEC) += exec
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_FAILDELAY) += faildelay
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_FILTER) += filter
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_FTP) += ftp
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_GROUP) += group
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ISSUE) += issue
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_KEYINIT) += keyinit
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LASTLOG) += lastlog
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LIMITS) += limits
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LISTFILE) += listfile
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LOCALUSER) += localuser
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LOGINUID) += loginuid
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_MAIL) += mail
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_MKHOMEDIR) += mkhomedir
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_MOTD) += motd
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_NAMESPACE) += namespace
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_NOLOGIN) += nologin
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_PERMIT) += permit
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_PWHISTORY) += pwhistory
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_RHOSTS) += rhosts
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ROOTOK) += rootok
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SECURETTY) += securetty
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SELINUX) += selinux
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SEPERMIT) += sepermit
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SHELLS) += shells
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_STRESS) += stress
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SUCCEED_IF) += succeed_if
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TALLY) += tally
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TALLY2) += tally2
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TIME) += time
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TIMESTAMP) += timestamp
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_UMASK) += umask
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_UNIX) += unix
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_USERDB) += userdb
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_WARN) += warn
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_WHEEL) += wheel
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_XAUTH) += xauth
+
+# Configuration files related to /etc
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_ACCESS) += security/access.conf
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_ENV) += security/pam_env.conf
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_GROUP) += security/group.conf
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_LIMITS) += security/limits.conf
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_NAMESPACE) += security/namespace.conf
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_NAMESPACE) += security/namespace.init
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_TIME) += security/time.conf
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_ENV) += environment
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_SECURETTY) += securetty
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_SHELLS) += shells
+
+# Programs in /usr/sbin
+LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_MKHOMEDIR_MKHOMEDIR_HELPER) += mkhomedir_helper
+LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_TALLY_PAM_TALLY) += pam_tally
+LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_TALLY2_PAM_TALLY2) += pam_tally2
+LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_TIMESTAMP_TIMESTAMP_CHECK) += pam_timestamp_check
+LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_UNIX_UNIX_UPDATE) += unix_update
+LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_UNIX_UNIX_CHKPWD) += unix_chkpwd
+
+# PAM filters
+LINUX_PAM_FILTER-$(PTXCONF_LINUX_PAM_FILTER_UPPERLOWER) += upperLOWER
+
+# Prepare variables
+MAILSPOOL=$(call ptx/ifdef, PTXCONF_LINUX_PAM_MAILSPOOL, $(PTXCONF_LINUX_PAM_MAILSPOOL), /var/spool/mail)
+RANDOMDEV=$(call ptx/ifdef, PTXCONF_LINUX_PAM_RANDOMDEV, \
+ $(call ptx/ifdef, PTXCONF_LINUX_PAM_RANDOMDEV_PATH, $(PTXCONF_LINUX_PAM_RANDOMDEV_PATH), yes), no)
+#
+# autoconf
+#
+LINUX_PAM_CONF_TOOL := autoconf
+LINUX_PAM_CONF_OPT := \
+ $(CROSS_AUTOCONF_USR) \
+ $(GLOBAL_LARGE_FILE_OPTION) \
+ --bindir=/usr/bin \
+ --sbindir=/usr/sbin \
+ --disable-silent-rules \
+ --disable-dependency-tracking \
+ --disable-libtool-lock \
+ --disable-pie \
+ --disable-prelude \
+ --disable-debug \
+ --enable-securedir=/usr/lib/security \
+ --$(call ptx/endis, PTXCONF_LINUX_PAM_LOCKING)-pamlocking \
+ --enable-read-both-confs \
+ --disable-lckpwdf \
+ --disable-cracklib \
+ --disable-audit \
+ --enable-db=$(call ptx/ifdef, PTXCONF_LINUX_PAM_USERDB, yes, no) \
+ --disable-nis \
+ --$(call ptx/endis, PTXCONF_LINUX_PAM_SELINUX)-selinux \
+ --disable-regenerate-docu \
+ --disable-nls \
+ --disable-rpath \
+ --with-mailspool="$(MAILSPOOL)" \
+ --with-randomdev=$(RANDOMDEV)
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/linux-pam.targetinstall:
+ @$(call targetinfo)
+
+ @$(call install_init, linux-pam)
+ @$(call install_fixup, linux-pam,PRIORITY,optional)
+ @$(call install_fixup, linux-pam,SECTION,base)
+ @$(call install_fixup, linux-pam,AUTHOR,"Andreas Schmidt <mail@schmidt-andreas.de>")
+ @$(call install_fixup, linux-pam,DESCRIPTION,missing)
+
+ @$(call install_lib, linux-pam, 0, 0, 0644, libpam)
+ @$(call install_lib, linux-pam, 0, 0, 0644, libpam_misc)
+ @$(call install_lib, linux-pam, 0, 0, 0644, libpamc)
+
+ @$(foreach module, $(LINUX_PAM_MOD-y), \
+ $(call install_copy, linux-pam, 0, 0, 0644, -, /usr/lib/security/pam_$(module).so);)
+
+ @$(foreach conf, $(LINUX_PAM_ETC-y), \
+ $(call install_alternative, linux-pam, 0, 0, 0644, /etc/$(conf));)
+
+ @$(foreach app, $(LINUX_PAM_SBIN-y), \
+ $(call install_copy, linux-pam, 0, 0, 0755, -, /usr/sbin/$(app));)
+
+ @$(foreach file, $(LINUX_PAM_FILTER-y), \
+ $(call install_copy, linux-pam, 0, 0, 0755, -, /usr/lib/security/pam_filter/$(file));)
+
+ @$(call install_copy, linux-pam, 0, 0, 0755, $(MAILSPOOL))
+
+ @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.conf)
+ @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/other)
+ @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-account)
+ @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-auth)
+ @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-password)
+ @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-session)
+
+ @$(call install_finish, linux-pam)
+
+ @$(call touch)
+
+# vim: syntax=make
+
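Review bot: /etc/pam.conf and the /etc/pam.d/* files are installed unconditionally at the end of targetinstall, but every stack in them loads pam_warn.so and pam_permit.so, which are only installed when LINUX_PAM_WARN and LINUX_PAM_PERMIT are selected; with either option off the target gets stacks that name a missing module. Either make the installed configuration depend on the selected modules or have the package select the modules its shipped files need. Also worth checking: unix_chkpwd is installed 0755, and pam_unix relies on that helper to verify passwords for callers that cannot read /etc/shadow themselves, which needs a setuid or setgid bit on the helper; and MAILSPOOL and RANDOMDEV are un-prefixed, recursively expanded global make variables, where package-prefixed names assigned with := would avoid clashes with other rules files.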
--
2.16.1