* [ptxdist] [PATCH] linux-pam: add new package
@ 2018-02-10 14:09 Andreas Schmidt
2018-02-21 15:37 ` Michael Olbrich
0 siblings, 1 reply; 3+ messages in thread
From: Andreas Schmidt @ 2018-02-10 14:09 UTC
To: ptxdist
Signed-off-by: Andreas Schmidt <mail@schmidt-andreas.de>
---
Hi,
this patch should add Linux-PAM libraries, modules, minimal
configuration and Linux-PAM applications to ptxdist.
I searched for similar patches in the mailing list archive and found two. Sadly,
both patches were never finished. The patches / posts are:
1) [ptxdist] [PATCHv7] linux-pam: this patch add Linux-PAM support to
ptxdist. Posted by Oliver Graute on Thu, Oct 22, 2015 at 04:04:15PM
+0200
2) [ptxdist] [PATCH 2/3] Adding the Linux-PAM package. Posted by Joseph
A. Lutz on Nov 30, 2010 at 05:06:33PM -0600
If Oliver Graute and/or Joseph A. Lutz want to be added as Signed-off-by,
let me know.
For this patch I tried to fix/implement all relevant comments from the
mail threads for the patches mentioned above. I updated obsolete things
and added minimal configuration files. But for one part I need some help.
In the Kconfig file the help description is missing for two modules:
1) For LINUX_PAM_SEPERMIT
2) For LINUX_PAM_STRESS
I searched for documentation on the Linux-PAM homepage, but found
nothing. Can someone help and write the help descriptions, or send a link
to where I can find some information?
I added a copyright line for myself to the make file header, like in other
make files. Is that right? I'm not familiar with such stuff :(
I'm looking forward to constructive comments!
Regards,
Andreas
---
projectroot/etc/pam.conf | 15 +
projectroot/etc/pam.d/common-account | 9 +
projectroot/etc/pam.d/common-auth | 10 +
projectroot/etc/pam.d/common-password | 12 +
projectroot/etc/pam.d/common-session | 10 +
projectroot/etc/pam.d/other | 8 +
projectroot/etc/securetty | 12 +
projectroot/etc/shells | 1 +
rules/linux-pam.in | 533 ++++++++++++++++++++++++++++++++++
rules/linux-pam.make | 182 ++++++++++++
10 files changed, 792 insertions(+)
create mode 100644 projectroot/etc/pam.conf
create mode 100644 projectroot/etc/pam.d/common-account
create mode 100644 projectroot/etc/pam.d/common-auth
create mode 100644 projectroot/etc/pam.d/common-password
create mode 100644 projectroot/etc/pam.d/common-session
create mode 100644 projectroot/etc/pam.d/other
create mode 100644 projectroot/etc/securetty
create mode 100644 projectroot/etc/shells
create mode 100644 rules/linux-pam.in
create mode 100644 rules/linux-pam.make
diff --git a/projectroot/etc/pam.conf b/projectroot/etc/pam.conf
new file mode 100644
index 000000000..0f1a6111b
--- /dev/null
+++ b/projectroot/etc/pam.conf
@@ -0,0 +1,15 @@
+#
+# other - The default security level
+#
+
+other account required pam_warn.so
+other account required pam_permit.so
+
+other auth required pam_warn.so
+other auth required pam_permit.so
+
+other password required pam_warn.so
+other password required pam_permit.so
+
+other session required pam_warn.so
+other session required pam_permit.so
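Review bot: the `other` fallback in this file permits every account, auth, password and session request (`other auth required pam_warn.so` followed by `other auth required pam_permit.so`, and the same for the other three types), so any service that has no configuration of its own is let through with nothing but a syslog line. The package's own help text for LINUX_PAM_DENY in rules/linux-pam.in describes pam_deny as suitable for the OTHER entries; the default fallback should be `other auth required pam_deny.so` (and likewise for account, password and session), with pam_permit reserved for stacks that are deliberately open. This file also duplicates projectroot/etc/pam.d/other, which carries the same policy via the common-* includes; because the rule configures `--enable-read-both-confs`, pam.conf is only consulted when nothing could be read from /etc/pam.d, and `other` is always found there, so the `other` entries in pam.conf are dead configuration.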
diff --git a/projectroot/etc/pam.d/common-account b/projectroot/etc/pam.d/common-account
new file mode 100644
index 000000000..667ca1ded
--- /dev/null
+++ b/projectroot/etc/pam.d/common-account
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.
+
+account required pam_warn.so
+account required pam_permit.so
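Review bot: the account stack is pam_warn followed by pam_permit, so account expiry and lock state from /etc/shadow are never evaluated for any service that includes this file. Since the rule builds pam_unix by default (LINUX_PAM_UNIX defaults to y), `account required pam_unix.so` is the expected default here, or pam_deny until a project supplies its own policy through install_alternative.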
diff --git a/projectroot/etc/pam.d/common-auth b/projectroot/etc/pam.d/common-auth
new file mode 100644
index 000000000..afa99728c
--- /dev/null
+++ b/projectroot/etc/pam.d/common-auth
@@ -0,0 +1,10 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).
+
+auth required pam_warn.so
+auth required pam_permit.so
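Review bot: with pam_permit.so as the only decision-making module in the auth stack, every service that includes common-auth authenticates any user without checking a credential; pam_warn.so only logs the attempt. Given that pam_unix is built by default in this rule, the shipped default should be `auth required pam_unix.so`, or at least `auth required pam_deny.so`, so that a service fails closed until the project drops in its own pam.d file. Shipping pam_permit here means a target that enables PAM in login or sshd without customising this file accepts any password.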
diff --git a/projectroot/etc/pam.d/common-password b/projectroot/etc/pam.d/common-password
new file mode 100644
index 000000000..08b160038
--- /dev/null
+++ b/projectroot/etc/pam.d/common-password
@@ -0,0 +1,12 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.
+
+# Currently no password changes are allowed durring the authentication process
+# because we do not know how it will react with the ldap server if at all
+
+password required pam_warn.so
+password required pam_permit.so
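Review bot: the comment `# Currently no password changes are allowed durring the authentication process` has a typo (durring) and refers to an LDAP server that appears nowhere else in this patch, so it looks copied from another system's configuration; reword or drop it. The stack as written also does not do what the comment says: pam_permit.so returns success to the caller while no module updates /etc/shadow, so a password change appears to succeed without changing anything. If changes are meant to be refused, `password required pam_deny.so` does that explicitly; if they should work, `password required pam_unix.so` (with the unix_chkpwd/unix_update helpers this rule can build) is needed.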
diff --git a/projectroot/etc/pam.d/common-session b/projectroot/etc/pam.d/common-session
new file mode 100644
index 000000000..0067dda62
--- /dev/null
+++ b/projectroot/etc/pam.d/common-session
@@ -0,0 +1,10 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+
+session required pam_warn.so
+session required pam_permit.so
diff --git a/projectroot/etc/pam.d/other b/projectroot/etc/pam.d/other
new file mode 100644
index 000000000..b111f7422
--- /dev/null
+++ b/projectroot/etc/pam.d/other
@@ -0,0 +1,8 @@
+#
+# other - The default security level
+#
+
+account include common-account # Include the standard account controls
+auth include common-auth # Include the standard auth controls
+password include common-password # Include the standard passwd controls
+session include common-session # Include the standard session controls
diff --git a/projectroot/etc/securetty b/projectroot/etc/securetty
new file mode 100644
index 000000000..2040401c0
--- /dev/null
+++ b/projectroot/etc/securetty
@@ -0,0 +1,12 @@
+tty0
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+ttyS0
+ttyS1
+ttyO0
+ttyO1
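Review bot: this list hard-codes board-specific device names: ttyO0/ttyO1 are the OMAP serial ports, while other targets use ttyS*, ttyAMA* or ttymxc*, so a generic projectroot default will either miss the real console or list devices that do not exist. Because pam_securetty decides where root may log in, the default should be the minimal set a project actually uses rather than a union of several boards' consoles; install_alternative already lets a project override it, and the header of the file could say where the list came from.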
diff --git a/projectroot/etc/shells b/projectroot/etc/shells
new file mode 100644
index 000000000..c2cdaa0f2
--- /dev/null
+++ b/projectroot/etc/shells
@@ -0,0 +1 @@
+/bin/sh
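Review bot: with only /bin/sh listed, pam_shells rejects every account whose login shell is anything else (busybox /bin/ash, bash, or an application shell) once LINUX_PAM_SHELLS is enabled; the default shells file should be generated from, or at least match, the shells the image really installs, otherwise enabling the module locks out users with a valid configuration.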
diff --git a/rules/linux-pam.in b/rules/linux-pam.in
new file mode 100644
index 000000000..4aa7dcf7d
--- /dev/null
+++ b/rules/linux-pam.in
@@ -0,0 +1,533 @@
+## SECTION=shell_and_console
+
+menuconfig LINUX_PAM
+ tristate
+ prompt "linux-pam"
+ select FLEX
+ select DB if LINUX_PAM_USERDB
+ select LIBSELINUX if LINUX_PAM_SELINUX
+ help
+ Linux-PAM is a free implementation of the following DCE-RFC from
+ Sunsoft. PAM provides a way to develop programs that are
+ independent of authentication scheme. These programs need
+ "authentication modules" to be attatched to them at run-time
+ in order to work. Which authentication module is to be attatched
+ is dependent upon the local system setup and is at the discretion.
+
+if LINUX_PAM
+
+menu "PAM modules"
+
+config LINUX_PAM_ACCESS
+ bool
+ prompt "PAM access module"
+ help
+ The pam_access PAM module is mainly for access
+ management. It provides logdaemon style login access
+ control based on login names, host or domain names,
+ internet addresses or network numbers, or on terminal
+ line names in case of non-networked logins.
+
+config LINUX_PAM_DEBUG
+ bool
+ prompt "PAM debug module"
+ help
+ The pam_debug PAM module is intended as a debugging
+ aide for determining how the PAM stack is operating.
+
+config LINUX_PAM_DENY
+ bool
+ prompt "PAM deny module"
+ help
+ This module can be used to deny access. It always
+ indicates a failure to the application through the PAM
+ framework. It might be suitable for using for default
+ (the OTHER) entries.
+
+config LINUX_PAM_ECHO
+ bool
+ prompt "PAM echo module"
+ help
+ The pam_echo PAM module is for printing text messages
+ to inform user about special things.
+
+config LINUX_PAM_ENV
+ bool
+ prompt "PAM env module"
+ help
+ The pam_env PAM module allows the (un)setting of
+ environment variables. Supported is the use of
+ previously set environment variables as well as
+ PAM_ITEMs such as PAM_RHOSTS.
+
+config LINUX_PAM_EXEC
+ bool
+ prompt "PAM exec module"
+ help
+ pam_exec is a PAM module that can be used to run an
+ external command.
+
+config LINUX_PAM_FAILDELAY
+ bool
+ prompt "PAM faildelay module"
+ help
+ pam_faildelay is a PAM module that can be used to set
+ the delay on failure per-application.
+ If no delay is given, pam_faildelay will use the value
+ of FAIL_DELAY from /etc/login.defs.
+
+config LINUX_PAM_FILTER
+ bool
+ prompt "PAM filter module"
+ help
+ This module is intended to be a platform for providing
+ access to all of the input/output that passes between
+ the user and the application. It is only suitable for
+ tty-based and (stdin/stdout) applications.
+ To function this module requires filters to be
+ installed on the system. The single filter provided
+ with the module simply transposes upper and lower case
+ letters in the input and output streams. (This can be
+ very annoying and is not kind to termcap based editors).
+
+config LINUX_PAM_FILTER_UPPERLOWER
+ bool
+ prompt "upperLOWER program"
+ depends on LINUX_PAM_FILTER
+ default n
+ help
+ This is a sample filter program, for use with
+ pam_filter. This filter simply transposes upper
+ and lower case letters, it is intended for
+ demonstration purposes and it serves no purpose
+ other than to annoy the user...
+
+config LINUX_PAM_FTP
+ bool
+ prompt "PAM ftp module"
+ help
+ pam_ftp is a PAM module which provides a pluggable
+ anonymous ftp mode of access.
+ This module is not safe and easily spoofable.
+
+config LINUX_PAM_GROUP
+ bool
+ prompt "PAM group module"
+ help
+ The pam_group PAM module does not authenticate the
+ user, but instead it grants group memberships (in the
+ credential setting phase of the authentication module)
+ to the user. Such memberships are based on the service
+ they are applying for.
+
+config LINUX_PAM_ISSUE
+ bool
+ prompt "PAM issue module"
+ help
+ pam_issue is a PAM module to prepend an issue file to
+ the username prompt. It also by default parses escape
+ codes in the issue file similar to some common getty's
+ (using \x format).
+
+config LINUX_PAM_KEYINIT
+ bool
+ prompt "PAM keyinit module"
+ help
+ The pam_keyinit PAM module ensures that the invoking
+ process has a session keyring other than the user
+ default session keyring.
+
+config LINUX_PAM_LASTLOG
+ bool
+ prompt "PAM lastlog module"
+ help
+ pam_lastlog is a PAM module to display a line of
+ information about the last login of the user. In
+ addition, the module maintains the /var/log/lastlog
+ file.
+
+config LINUX_PAM_LIMITS
+ bool
+ prompt "PAM limits module"
+ help
+ The pam_limits PAM module sets limits on the system
+ resources that can be obtained in a user-session.
+ Users of uid=0 are affected by this limits, too.
+ The module must not be called by a multithreaded
+ application.
+
+config LINUX_PAM_LISTFILE
+ bool
+ prompt "PAM listfile module"
+ help
+ pam_listfile is a PAM module which provides a way to
+ deny or allow services based on an arbitrary file.
+ No credentials are awarded by this module.
+
+config LINUX_PAM_LOCALUSER
+ bool
+ prompt "PAM localuser module"
+ help
+ pam_localuser is a PAM module to help implementing
+ site-wide login policies, where they typically include
+ a subset of the network's users and a few accounts
+ that are local to a particular workstation. Using
+ pam_localuser and pam_wheel or pam_listfile is an
+ effective way to restrict access to either local users
+ and/or a subset of the network's users.
+ This could also be implemented using pam_listfile.so
+ and a very short awk script invoked by cron, but it's
+ common enough to have been separated out.
+
+config LINUX_PAM_LOGINUID
+ bool
+ prompt "PAM loginuid module"
+ help
+ The pam_loginuid module sets the loginuid process
+ attribute for the process that was authenticated. This
+ is necessary for applications to be correctly audited.
+ This PAM module should only be used for entry point
+ applications like: login, sshd, gdm, vsftpd, crond and
+ atd. There are probably other entry point applications
+ besides these. You should not use it for applications
+ like sudo or su as that defeats the purpose by
+ changing the loginuid to the account they just
+ switched to.
+
+config LINUX_PAM_MAIL
+ bool
+ prompt "PAM mail module"
+ help
+ The pam_mail PAM module provides the "you have new
+ mail" service to the user. It can be plugged into any
+ application that has credential or session hooks. It
+ gives a single message indicating the newness of any
+ mail it finds in the user's mail folder. This module
+ also sets the PAM environment variable, MAIL, to the
+ user's mail directory.
+
+config LINUX_PAM_MKHOMEDIR
+ bool
+ prompt "PAM mkhomedir module"
+ help
+ The pam_mkhomedir PAM module will create a users home
+ directory if it does not exist when the session begins.
+ This allows users to be present in central database
+ (such as NIS, kerberos or LDAP) without using a
+ distributed file system or pre-creating a large number
+ of directories. The skeleton directory (usually
+ /etc/skel/) is used to copy default files and also
+ set's a umask for the creation.
+ The new users home directory will not be removed after
+ logout of the user.
+
+config LINUX_PAM_MKHOMEDIR_MKHOMEDIR_HELPER
+ bool
+ prompt "mkhomedir_helper program"
+ depends on LINUX_PAM_MKHOMEDIR
+ help
+ mkhomedir_helper - Helper binary that creates home
+ directories. mkhomedir_helper is a helper program
+ for the pam_mkhomedir module that creates home
+ directories and populates them with contents of the
+ specified skel directory.
+
+config LINUX_PAM_MOTD
+ bool
+ prompt "PAM motd module"
+ help
+ pam_motd is a PAM module that can be used to display
+ arbitrary motd (message of the day) files after a
+ succesful login. By default the /etc/motd file is
+ shown. The message size is limited to 64KB.
+
+config LINUX_PAM_NAMESPACE
+ bool
+ prompt "PAM namespace module"
+ help
+ This module allows setup of private namespaces with
+ polyinstantiated directories. Directories can be
+ polyinstantiated based on user name or, in the case of
+ SELinux, user name, sensitivity level or complete
+ security context.
+
+config LINUX_PAM_NOLOGIN
+ bool
+ prompt "PAM netlogin module"
+ help
+ pam_nologin is a PAM module that prevents users from
+ logging into the system when /etc/nologin exists. The
+ contents of the /etc/nologin file are displayed to the
+ user. The pam_nologin module has no effect on the root
+ user's ability to log in.
+
+config LINUX_PAM_PERMIT
+ bool
+ prompt "PAM permit module"
+ default y
+ help
+ pam_permit is a PAM module that always permit access.
+ It does nothing else.
+ This module is very dangerous. It should be used with
+ extreme caution.
+
+config LINUX_PAM_PWHISTORY
+ bool
+ prompt "PAM pwhistory module"
+ help
+ This module saves the last passwords for each user in
+ order to force password change history and keep the
+ user from alternating between the same password too
+ frequently.
+
+config LINUX_PAM_RHOSTS
+ bool
+ prompt "PAM rhost module"
+ help
+ This module performs the standard network
+ authentication for services, as used by traditional
+ implementations of rlogin and rsh etc.
+
+config LINUX_PAM_ROOTOK
+ bool
+ prompt "PAM rootok module"
+ default y
+ help
+ pam_rootok is a PAM module that authenticates the user
+ if their UID is 0. Applications that are created
+ setuid-root generally retain the UID of the user but
+ run with the authority of an enhanced effective-UID.
+ It is the real UID that is checked.
+
+config LINUX_PAM_SECURETTY
+ bool
+ prompt "PAM securetty module"
+ help
+ pam_securetty is a PAM module that allows root logins
+ only if the user is logging in on a "secure" tty, as
+ defined by the listing in /etc/securetty.
+ pam_securetty also checks to make sure that
+ /etc/securetty is a plain file and not world writable.
+
+config LINUX_PAM_SELINUX
+ bool
+ prompt "PAM selinux module"
+ depends on GLOBAL_SELINUX
+ help
+ pam_selinux sets up the default security context for the next
+ shell.
+
+config LINUX_PAM_SEPERMIT
+ bool
+ prompt "PAM sepermit module"
+ depends on LINUX_PAM_SELINUX
+
+config LINUX_PAM_SHELLS
+ bool
+ prompt "PAM shells module"
+ help
+ pam_shells is a PAM module that only allows access to
+ the system if the users shell is listed in /etc/shells.
+
+config LINUX_PAM_STRESS
+ bool
+ prompt "PAM stress module"
+
+config LINUX_PAM_SUCCEED_IF
+ bool
+ prompt "PAM succeed_if module"
+ help
+ pam_succeed_if.so is designed to succeed or fail
+ authentication based on characteristics of the account
+ belonging to the user being authenticated. One use is
+ to select whether to load other modules based on this
+ test.
+
+config LINUX_PAM_TALLY
+ bool
+ prompt "PAM tally module"
+ help
+ This module maintains a count of attempted accesses,
+ can reset count on success, can deny access if too
+ many attempts fail.
+
+config LINUX_PAM_TALLY_PAM_TALLY
+ bool
+ prompt "pam_tally program"
+ depends on LINUX_PAM_TALLY
+ help
+ pam_tally - The login counter (tallying) module.
+ pam_tally is an (optional) application which can be
+ used to interrogate and manipulate the counter file.
+ It can display users?? counts, set individual counts,
+ or clear all counts. Setting artificially high
+ counts may be useful for blocking users without
+ changing their passwords. The faillog command can be
+ used instead of pam_tally to to maintain the counter
+ file.
+
+config LINUX_PAM_TALLY2
+ bool
+ prompt "PAM tally2 module"
+ help
+ This module maintains a count of attempted accesses,
+ can reset count on success, can deny access if too
+ many attempts fail.
+
+config LINUX_PAM_TALLY2_PAM_TALLY2
+ bool
+ prompt "pam_tally2 program"
+ depends on LINUX_PAM_TALLY2
+ help
+ pam_tally2 - The login counter (tallying) module.
+ pam_tally2 is an (optional) application which can
+ be used to interrogate and manipulate the counter
+ file. It can display users?? counts, set individual
+ counts, or clear all counts. Setting artificially
+ high counts may be useful for blocking users without
+ changing their passwords.
+
+config LINUX_PAM_TIME
+ bool
+ prompt "PAM time module"
+ help
+ The pam_time PAM module does not authenticate the user,
+ but instead it restricts access to a system and or
+ specific applications at various times of the day and
+ on specific days or over various terminal lines. This
+ module can be configured to deny access to (individual)
+ users based on their name, the time of day, the day of
+ week, the service they are applying for and their
+ terminal from which they are making their request.
+
+config LINUX_PAM_TIMESTAMP
+ bool
+ prompt "PAM timestamp module"
+ help
+ pam_timestamp caches successful authentication attempts,
+ and allows you to use a recent successful attempt as the
+ basis for authentication. This is similar mechanism
+ which is used in sudo.
+
+config LINUX_PAM_TIMESTAMP_TIMESTAMP_CHECK
+ bool
+ prompt "pam_timestamp_check program"
+ depends on LINUX_PAM_TIMESTAMP
+ help
+ pam_timestamp_check - Check to see if the default
+ timestamp is valid.
+
+config LINUX_PAM_UMASK
+ bool
+ prompt "PAM umask module"
+ help
+ pam_umask is a PAM module to set the file mode
+ creation mask of the current environment. The umask
+ affects the default permissions assigned to newly
+ created files.
+
+config LINUX_PAM_UNIX
+ bool
+ prompt "PAM unix module"
+ default y
+ help
+ This is the standard Unix authentication module.
+ It uses standard calls from the system's libraries
+ to retrieve and set account information as well as
+ authentication. Usually this is obtained from the
+ /etc/passwd and the /etc/shadow file as well if
+ shadow is enabled.
+
+config LINUX_PAM_UNIX_UNIX_UPDATE
+ bool
+ prompt "unix_update program"
+ depends on LINUX_PAM_UNIX
+ help
+ unix_update - Helper binary that updates the password
+ of a given user. The purpose of the helper is to enable
+ tighter confinement of login and password changing
+ services. The helper is thus called only when SELinux
+ is enabled and in the enforcing mode on the system.
+
+config LINUX_PAM_UNIX_UNIX_CHKPWD
+ bool
+ prompt "unix_chkpwd program"
+ depends on LINUX_PAM_UNIX
+ help
+ unix_chkpwd - Helper binary that verifies the password
+ of the current user.
+
+config LINUX_PAM_USERDB
+ bool
+ prompt "PAM userdb module"
+ help
+ The pam_userdb module is used to verify a
+ username/password pair against values stored in a
+ Berkeley DB database. The database is indexed by
+ the username, and the data fields corresponding to
+ the username keys are the passwords.
+
+config LINUX_PAM_WARN
+ bool
+ prompt "PAM warn module"
+ default y
+ help
+ pam_warn is a PAM module that logs the service,
+ terminal, user, remote user and remote host to
+ syslog(3). The items are not probed for, but instead
+ obtained from the standard PAM items. The module
+ always returns PAM_IGNORE, indicating that it does not
+ want to affect the authentication process.
+
+config LINUX_PAM_WHEEL
+ bool
+ prompt "PAM wheel module"
+ default y
+ help
+ The pam_wheel PAM module is used to enforce the
+ so-called wheel group. By default it permits root
+ access to the system if the applicant user is a member
+ of the wheel group. If no group with this name exist,
+ the module is using the group with the group-ID 0.
+
+config LINUX_PAM_XAUTH
+ bool
+ prompt "PAM xauth module"
+ default y
+ help
+ The pam_xauth PAM module is designed to forward xauth
+ keys (sometimes referred to as "cookies") between users.
+
+endmenu
+
+config LINUX_PAM_LOCKING
+ bool
+ default n
+ prompt "Locking"
+ help
+ Configure libpam to observe a global authentication lock.
+
+config LINUX_PAM_MAILSPOOL
+ string
+ prompt "Mail spool path"
+ help
+ Alternative path to mail spool directory or
+ leave empty for default path (/var/spool/mail).
+
+config LINUX_PAM_RANDOMDEV
+ bool
+ default y
+ prompt "Random decive"
+ help
+ Say yes for using random device.
+
+config LINUX_PAM_RANDOMDEV_PATH
+ string
+ prompt "Random device path"
+ depends on LINUX_PAM_RANDOMDEV
+ help
+ Specify random device or leave empty for
+ default device path (/dev/urandom).
+
+endif
+
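Review bot: the default selections in the module menu are inconsistent with the configuration shipped in projectroot: pam_permit, pam_rootok, pam_wheel and pam_xauth default to y, while pam_deny, which the help text for LINUX_PAM_DENY itself recommends for the OTHER entries, is off by default and is referenced from none of the pam.d files. Consider `default y` for LINUX_PAM_DENY (it is tiny) and leaving pam_xauth and pam_wheel off until a use-case needs them. Smaller points in the same hunk: the prompt for LINUX_PAM_NOLOGIN reads "PAM netlogin module" and LINUX_PAM_RHOSTS reads "PAM rhost module" (nologin and rhosts); `default n` on LINUX_PAM_FILTER_UPPERLOWER and LINUX_PAM_LOCKING is the Kconfig default and can go; the pam_tally and pam_tally2 help texts carry an encoding artefact (`users??`) where an apostrophe was lost; and the help texts have typos (attatched, succesful, set's, decive, "to to", "this limits"). LINUX_PAM_SEPERMIT and LINUX_PAM_STRESS have no help at all, as the cover letter already notes.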
diff --git a/rules/linux-pam.make b/rules/linux-pam.make
new file mode 100644
index 000000000..a651c8a6f
--- /dev/null
+++ b/rules/linux-pam.make
@@ -0,0 +1,182 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2018 by Andreas Schmidt <mail@schmidt-andreas.de>
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LINUX_PAM) += linux-pam
+
+#
+# Paths and names
+#
+LINUX_PAM_VERSION := 1.3.0
+LINUX_PAM_MD5 := da4b2289b7cfb19583d54e9eaaef1c3a
+LINUX_PAM := Linux-PAM-$(LINUX_PAM_VERSION)
+LINUX_PAM_SUFFIX := tar.bz2
+LINUX_PAM_URL := http://www.linux-pam.org/library/$(LINUX_PAM).$(LINUX_PAM_SUFFIX)
+LINUX_PAM_SOURCE := $(SRCDIR)/$(LINUX_PAM).$(LINUX_PAM_SUFFIX)
+LINUX_PAM_DIR := $(BUILDDIR)/$(LINUX_PAM)
+LINUX_PAM_LICENSE := GPL, BSD
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+LINUX_PAM_MOD- =
+LINUX_PAM_ETC- =
+LINUX_PAM_SBIN- =
+LINUX_PAM_FILTER- =
+
+
+# PAM modules without "pam_" prefix
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ACCESS) += access
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_DEBUG) += debug
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_DENY) += deny
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ECHO) += echo
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ENV) += env
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_EXEC) += exec
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_FAILDELAY) += faildelay
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_FILTER) += filter
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_FTP) += ftp
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_GROUP) += group
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ISSUE) += issue
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_KEYINIT) += keyinit
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LASTLOG) += lastlog
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LIMITS) += limits
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LISTFILE) += listfile
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LOCALUSER) += localuser
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LOGINUID) += loginuid
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_MAIL) += mail
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_MKHOMEDIR) += mkhomedir
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_MOTD) += motd
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_NAMESPACE) += namespace
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_NOLOGIN) += nologin
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_PERMIT) += permit
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_PWHISTORY) += pwhistory
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_RHOSTS) += rhosts
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ROOTOK) += rootok
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SECURETTY) += securetty
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SELINUX) += selinux
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SEPERMIT) += sepermit
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SHELLS) += shells
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_STRESS) += stress
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SUCCEED_IF) += succeed_if
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TALLY) += tally
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TALLY2) += tally2
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TIME) += time
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TIMESTAMP) += timestamp
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_UMASK) += umask
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_UNIX) += unix
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_USERDB) += userdb
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_WARN) += warn
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_WHEEL) += wheel
+LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_XAUTH) += xauth
+
+# Configuration files related to /etc
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_ACCESS) += security/access.conf
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_ENV) += security/pam_env.conf
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_GROUP) += security/group.conf
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_LIMITS) += security/limits.conf
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_NAMESPACE) += security/namespace.conf
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_NAMESPACE) += security/namespace.init
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_TIME) += security/time.conf
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_ENV) += environment
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_SECURETTY) += securetty
+LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_SHELLS) += shells
+
+# Programs in /usr/sbin
+LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_MKHOMEDIR_MKHOMEDIR_HELPER) += mkhomedir_helper
+LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_TALLY_PAM_TALLY) += pam_tally
+LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_TALLY2_PAM_TALLY2) += pam_tally2
+LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_TIMESTAMP_TIMESTAMP_CHECK) += pam_timestamp_check
+LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_UNIX_UNIX_UPDATE) += unix_update
+LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_UNIX_UNIX_CHKPWD) += unix_chkpwd
+
+# PAM filters
+LINUX_PAM_FILTER-$(PTXCONF_LINUX_PAM_FILTER_UPPERLOWER) += upperLOWER
+
+# Prepare variables
+MAILSPOOL=$(call ptx/ifdef, PTXCONF_LINUX_PAM_MAILSPOOL, $(PTXCONF_LINUX_PAM_MAILSPOOL), /var/spool/mail)
+RANDOMDEV=$(call ptx/ifdef, PTXCONF_LINUX_PAM_RANDOMDEV, \
+ $(call ptx/ifdef, PTXCONF_LINUX_PAM_RANDOMDEV_PATH, $(PTXCONF_LINUX_PAM_RANDOMDEV_PATH), yes), no)
+#
+# autoconf
+#
+LINUX_PAM_CONF_TOOL := autoconf
+LINUX_PAM_CONF_OPT := \
+ $(CROSS_AUTOCONF_USR) \
+ $(GLOBAL_LARGE_FILE_OPTION) \
+ --bindir=/usr/bin \
+ --sbindir=/usr/sbin \
+ --disable-silent-rules \
+ --disable-dependency-tracking \
+ --disable-libtool-lock \
+ --disable-pie \
+ --disable-prelude \
+ --disable-debug \
+ --enable-securedir=/usr/lib/security \
+ --$(call ptx/endis, PTXCONF_LINUX_PAM_LOCKING)-pamlocking \
+ --enable-read-both-confs \
+ --disable-lckpwdf \
+ --disable-cracklib \
+ --disable-audit \
+ --enable-db=$(call ptx/ifdef, PTXCONF_LINUX_PAM_USERDB, yes, no) \
+ --disable-nis \
+ --$(call ptx/endis, PTXCONF_LINUX_PAM_SELINUX)-selinux \
+ --disable-regenerate-docu \
+ --disable-nls \
+ --disable-rpath \
+ --with-mailspool="$(MAILSPOOL)" \
+ --with-randomdev=$(RANDOMDEV)
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/linux-pam.targetinstall:
+ @$(call targetinfo)
+
+ @$(call install_init, linux-pam)
+ @$(call install_fixup, linux-pam,PRIORITY,optional)
+ @$(call install_fixup, linux-pam,SECTION,base)
+ @$(call install_fixup, linux-pam,AUTHOR,"Andreas Schmidt <mail@schmidt-andreas.de>")
+ @$(call install_fixup, linux-pam,DESCRIPTION,missing)
+
+ @$(call install_lib, linux-pam, 0, 0, 0644, libpam)
+ @$(call install_lib, linux-pam, 0, 0, 0644, libpam_misc)
+ @$(call install_lib, linux-pam, 0, 0, 0644, libpamc)
+
+ @$(foreach module, $(LINUX_PAM_MOD-y), \
+ $(call install_copy, linux-pam, 0, 0, 0644, -, /usr/lib/security/pam_$(module).so);)
+
+ @$(foreach conf, $(LINUX_PAM_ETC-y), \
+ $(call install_alternative, linux-pam, 0, 0, 0644, /etc/$(conf));)
+
+ @$(foreach app, $(LINUX_PAM_SBIN-y), \
+ $(call install_copy, linux-pam, 0, 0, 0755, -, /usr/sbin/$(app));)
+
+ @$(foreach file, $(LINUX_PAM_FILTER-y), \
+ $(call install_copy, linux-pam, 0, 0, 0755, -, /usr/lib/security/pam_filter/$(file));)
+
+ @$(call install_copy, linux-pam, 0, 0, 0755, $(MAILSPOOL))
+
+ @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.conf)
+ @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/other)
+ @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-account)
+ @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-auth)
+ @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-password)
+ @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-session)
+
+ @$(call install_finish, linux-pam)
+
+ @$(call touch)
+
+# vim: syntax=make
+
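Review bot: MAILSPOOL and RANDOMDEV (`MAILSPOOL=$(call ptx/ifdef, ...)`, `RANDOMDEV=$(call ptx/ifdef, ...)`) are plain Make variables without the package prefix, so they live in the global namespace shared by every rule file in the build and can collide with or be overridden by another package's variable; name them LINUX_PAM_MAILSPOOL and LINUX_PAM_RANDOMDEV and assign with `:=` like the other variables in this file. Further: `install_fixup, linux-pam,DESCRIPTION,missing` leaves a placeholder in the package metadata; the tarball is fetched over plain http with only an MD5 as integrity check, so if linux-pam.org serves https that URL is preferable; `LINUX_PAM_LICENSE := GPL, BSD` should name the concrete terms stated in the tarball's COPYING file (a BSD/GPL dual license); and the mail spool directory is created root:root 0755 via `install_copy, linux-pam, 0, 0, 0755, $(MAILSPOOL)`, which a local delivery agent normally cannot write to, so either drop the directory or give it the ownership and mode the project's mail setup expects.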
--
2.16.1
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
* Re: [ptxdist] [PATCH] linux-pam: add new package
2018-02-10 14:09 [ptxdist] [PATCH] linux-pam: add new package Andreas Schmidt
@ 2018-02-21 15:37 ` Michael Olbrich
2018-03-01 19:27 ` Andreas Schmidt
0 siblings, 1 reply; 3+ messages in thread
From: Michael Olbrich @ 2018-02-21 15:37 UTC
To: ptxdist
On Sat, Feb 10, 2018 at 03:09:15PM +0100, Andreas Schmidt wrote:
> Signed-off-by: Andreas Schmidt <mail@schmidt-andreas.de>
> ---
> Hi,
> this patch should add Linux-PAM libraries, modules, minimal
> configuration and Linux-PAM applications to ptxdist.
>
> I searched for similar patches in the mailing list archive and found two. Sadly,
> both patches were never finished. The patches / posts are:
>
> 1) [ptxdist] [PATCHv7] linux-pam: this patch add Linux-PAM support to
> ptxdist. Posted by Oliver Graute on Thu, Oct 22, 2015 at 04:04:15PM
> +0200
> 2) [ptxdist] [PATCH 2/3] Adding the Linux-PAM package. Posted by Joseph
> A. Lutz on Nov 30, 2010 at 05:06:33PM -0600
>
> If Oliver Graute and/or Joseph A. Lutz want to be added as Signed-off-by,
> let me know.
>
> For this patch I tried to fix/implement all relevant comments from the
> mail threads for the patches mentioned above. I updated obsolete things
> and added minimal configuration files. But for one part I need some help.
>
> In the Kconfig file the help description is missing for two modules:
> 1) For LINUX_PAM_SEPERMIT
> 2) For LINUX_PAM_STRESS
>
> I searched for documentation on the Linux-PAM homepage, but found
> nothing. Can someone help and write the help descriptions, or send a link
> to where I can find some information?
>
> I added a copyright line for myself to the make file header, like in other
> make files. Is that right? I'm not familiar with such stuff :(
>
> I'm looking forward to constructive comments!
What exactly is your use-case? What can I do with this rule, the way it
is now? I'm not an expert on PAM. The only use-case I'm familiar with is
to use PAM for user authentication. In this case I would expect some kind
of integration with busybox (/bin/login) and systemd.
In general, I try to avoid adding options blindly for everything. Some
basic rules:
- try to provide options for use-cases not files. This works in some cases
(e.g. 'nfs server' or 'nfs client') but not so well in others (gstreamer
plugins). A lot of PAM modules are probably have this problem.
- If it adds an external dependency: add an option for it
- If it's small just install it unconditionally unless that can be
problematic.
This is probably true for the basic modules.
- If you think it's probably not useful for embedded, then ignore it. We
can add more options later.
Maybe some of the programs?
> ---
> projectroot/etc/pam.conf | 15 +
> projectroot/etc/pam.d/common-account | 9 +
> projectroot/etc/pam.d/common-auth | 10 +
> projectroot/etc/pam.d/common-password | 12 +
> projectroot/etc/pam.d/common-session | 10 +
> projectroot/etc/pam.d/other | 8 +
> projectroot/etc/securetty | 12 +
> projectroot/etc/shells | 1 +
Where do these files come from?
> rules/linux-pam.in | 533 ++++++++++++++++++++++++++++++++++
> rules/linux-pam.make | 182 ++++++++++++
> 10 files changed, 792 insertions(+)
> create mode 100644 projectroot/etc/pam.conf
> create mode 100644 projectroot/etc/pam.d/common-account
> create mode 100644 projectroot/etc/pam.d/common-auth
> create mode 100644 projectroot/etc/pam.d/common-password
> create mode 100644 projectroot/etc/pam.d/common-session
> create mode 100644 projectroot/etc/pam.d/other
> create mode 100644 projectroot/etc/securetty
> create mode 100644 projectroot/etc/shells
> create mode 100644 rules/linux-pam.in
> create mode 100644 rules/linux-pam.make
>
> diff --git a/projectroot/etc/pam.conf b/projectroot/etc/pam.conf
> new file mode 100644
> index 000000000..0f1a6111b
> --- /dev/null
> +++ b/projectroot/etc/pam.conf
> @@ -0,0 +1,15 @@
> +#
> +# other - The default security level
> +#
> +
> +other account required pam_warn.so
> +other account required pam_permit.so
> +
> +other auth required pam_warn.so
> +other auth required pam_permit.so
> +
> +other password required pam_warn.so
> +other password required pam_permit.so
> +
> +other session required pam_warn.so
> +other session required pam_permit.so
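Review bot: ending every `other` stack in `pam_permit.so` makes the fallback policy fail-open: a service that ships without its own pam.d entry authenticates anyone, and the LINUX_PAM_PERMIT help text in this same patch calls the module "very dangerous". The conventional default is to log and refuse, i.e. `other auth required pam_warn.so` followed by `other auth required pam_deny.so` (and likewise for account, password and session), using the pam_deny module the patch already packages. The same `other` policy appears a second time in projectroot/etc/pam.d/other; since the rule passes `--enable-read-both-confs`, both files are consulted, so keep one authoritative copy.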
> diff --git a/projectroot/etc/pam.d/common-account b/projectroot/etc/pam.d/common-account
> new file mode 100644
> index 000000000..667ca1ded
> --- /dev/null
> +++ b/projectroot/etc/pam.d/common-account
> @@ -0,0 +1,9 @@
> +#
> +# /etc/pam.d/common-account - authorization settings common to all services
> +#
> +# This file is included from other service-specific PAM config files,
> +# and should contain a list of the authorization modules that define
> +# the central access policy for use on the system.
> +
> +account required pam_warn.so
> +account required pam_permit.so
> diff --git a/projectroot/etc/pam.d/common-auth b/projectroot/etc/pam.d/common-auth
> new file mode 100644
> index 000000000..afa99728c
> --- /dev/null
> +++ b/projectroot/etc/pam.d/common-auth
> @@ -0,0 +1,10 @@
> +#
> +# /etc/pam.d/common-auth - authentication settings common to all services
> +#
> +# This file is included from other service-specific PAM config files,
> +# and should contain a list of the authentication modules that define
> +# the central authentication scheme for use on the system
> +# (e.g., /etc/shadow, LDAP, Kerberos, etc.).
> +
> +auth required pam_warn.so
> +auth required pam_permit.so
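Review bot: `auth required pam_permit.so` is the whole authentication decision here, so any service that includes common-auth accepts every user without checking a credential, which is the opposite of the busybox /bin/login integration the use-case question is about. With LINUX_PAM_UNIX defaulting to y, the minimal working stack is `auth required pam_unix.so` with `auth required pam_deny.so` as the final entry, keeping `pam_warn.so` for logging only. The header comment naming /etc/shadow, LDAP and Kerberos reads as copied from a distribution template; trim it to what this file actually configures.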
> diff --git a/projectroot/etc/pam.d/common-password b/projectroot/etc/pam.d/common-password
> new file mode 100644
> index 000000000..08b160038
> --- /dev/null
> +++ b/projectroot/etc/pam.d/common-password
> @@ -0,0 +1,12 @@
> +#
> +# /etc/pam.d/common-password - password-related modules common to all services
> +#
> +# This file is included from other service-specific PAM config files,
> +# and should contain a list of modules that define the services to be
> +# used to change user passwords.
> +
> +# Currently no password changes are allowed durring the authentication process
> +# because we do not know how it will react with the ldap server if at all
> +
> +password required pam_warn.so
> +password required pam_permit.so
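Review bot: the comment says password changes are not allowed, but `password required pam_permit.so` does the reverse: pam_chauthtok() reports success to the application while nothing is stored, which is worse than an honest refusal. If changes are meant to be blocked use `password required pam_deny.so`; if pam_unix is the intended backend use `password required pam_unix.so`. The LDAP remark does not apply to anything in this package and should go, as should "durring".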
> diff --git a/projectroot/etc/pam.d/common-session b/projectroot/etc/pam.d/common-session
> new file mode 100644
> index 000000000..0067dda62
> --- /dev/null
> +++ b/projectroot/etc/pam.d/common-session
> @@ -0,0 +1,10 @@
> +#
> +# /etc/pam.d/common-session - session-related modules common to all services
> +#
> +# This file is included from other service-specific PAM config files,
> +# and should contain a list of modules that define tasks to be performed
> +# at the start and end of sessions of *any* kind (both interactive and
> +# non-interactive).
> +
> +session required pam_warn.so
> +session required pam_permit.so
> diff --git a/projectroot/etc/pam.d/other b/projectroot/etc/pam.d/other
> new file mode 100644
> index 000000000..b111f7422
> --- /dev/null
> +++ b/projectroot/etc/pam.d/other
> @@ -0,0 +1,8 @@
> +#
> +# other - The default security level
> +#
> +
> +account include common-account # Include the standard account controls
> +auth include common-auth # Include the standard auth controls
> +password include common-password # Include the standard passwd controls
> +session include common-session # Include the standard session controls
> diff --git a/projectroot/etc/securetty b/projectroot/etc/securetty
> new file mode 100644
> index 000000000..2040401c0
> --- /dev/null
> +++ b/projectroot/etc/securetty
> @@ -0,0 +1,12 @@
> +tty0
> +tty1
> +tty2
> +tty3
> +tty4
> +tty5
> +tty6
> +tty7
> +ttyS0
> +ttyS1
> +ttyO0
> +ttyO1
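Review bot: this list is board-specific (ttyO0/ttyO1 are the OMAP serial console names) yet it lands in the generic projectroot. A platform whose console is another device (ttyAMA0, ttymxc0, ...) silently loses root login on its console as soon as pam_securetty is in the stack, while boards that do have these devices get root logins on all of them. Either state in the LINUX_PAM_SECURETTY help that projects must provide their own /etc/securetty, or derive the entries from the project's console setting.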
> diff --git a/projectroot/etc/shells b/projectroot/etc/shells
> new file mode 100644
> index 000000000..c2cdaa0f2
> --- /dev/null
> +++ b/projectroot/etc/shells
> @@ -0,0 +1 @@
> +/bin/sh
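Review bot: pam_shells refuses any account whose login shell is not listed here exactly, so a one-line /etc/shells containing only /bin/sh denies login to users configured with e.g. /bin/ash or /bin/bash; that is a policy choice, not a neutral default. Since the file is installed via install_alternative under LINUX_PAM_SHELLS, say in that option's help that the project has to list every shell it actually installs.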
> diff --git a/rules/linux-pam.in b/rules/linux-pam.in
> new file mode 100644
> index 000000000..4aa7dcf7d
> --- /dev/null
> +++ b/rules/linux-pam.in
> @@ -0,0 +1,533 @@
> +## SECTION=shell_and_console
> +
> +menuconfig LINUX_PAM
> + tristate
> + prompt "linux-pam"
add spaces at the end to align the '-->' in menuconfig.
> + select FLEX
> + select DB if LINUX_PAM_USERDB
> + select LIBSELINUX if LINUX_PAM_SELINUX
Align the 'if' with tabs.
> + help
> + Linux-PAM is a free implementation of the following DCE-RFC from
> + Sunsoft. PAM provides a way to develop programs that are
> + independent of authentication scheme. These programs need
> + "authentication modules" to be attatched to them at run-time
> + in order to work. Which authentication module is to be attatched
> + is dependent upon the local system setup and is at the discretion.
> +
> +if LINUX_PAM
> +
> +menu "PAM modules"
> +
> +config LINUX_PAM_ACCESS
> + bool
> + prompt "PAM access module"
> + help
> + The pam_access PAM module is mainly for access
> + management. It provides logdaemon style login access
> + control based on login names, host or domain names,
> + internet addresses or network numbers, or on terminal
> + line names in case of non-networked logins.
> +
> +config LINUX_PAM_DEBUG
> + bool
> + prompt "PAM debug module"
> + help
> + The pam_debug PAM module is intended as a debugging
> + aide for determining how the PAM stack is operating.
> +
> +config LINUX_PAM_DENY
> + bool
> + prompt "PAM deny module"
> + help
> + This module can be used to deny access. It always
> + indicates a failure to the application through the PAM
> + framework. It might be suitable for using for default
> + (the OTHER) entries.
> +
> +config LINUX_PAM_ECHO
> + bool
> + prompt "PAM echo module"
> + help
> + The pam_echo PAM module is for printing text messages
> + to inform user about special things.
> +
> +config LINUX_PAM_ENV
> + bool
> + prompt "PAM env module"
> + help
> + The pam_env PAM module allows the (un)setting of
> + environment variables. Supported is the use of
> + previously set environment variables as well as
> + PAM_ITEMs such as PAM_RHOSTS.
> +
> +config LINUX_PAM_EXEC
> + bool
> + prompt "PAM exec module"
> + help
> + pam_exec is a PAM module that can be used to run an
> + external command.
> +
> +config LINUX_PAM_FAILDELAY
> + bool
> + prompt "PAM faildelay module"
> + help
> + pam_faildelay is a PAM module that can be used to set
> + the delay on failure per-application.
> + If no delay is given, pam_faildelay will use the value
> + of FAIL_DELAY from /etc/login.defs.
> +
> +config LINUX_PAM_FILTER
> + bool
> + prompt "PAM filter module"
> + help
> + This module is intended to be a platform for providing
> + access to all of the input/output that passes between
> + the user and the application. It is only suitable for
> + tty-based and (stdin/stdout) applications.
> + To function this module requires filters to be
> + installed on the system. The single filter provided
> + with the module simply transposes upper and lower case
> + letters in the input and output streams. (This can be
> + very annoying and is not kind to termcap based editors).
> +
> +config LINUX_PAM_FILTER_UPPERLOWER
> + bool
> + prompt "upperLOWER program"
> + depends on LINUX_PAM_FILTER
> + default n
> + help
> + This is a sample filter program, for use with
> + pam_filter. This filter simply transposes upper
> + and lower case letters, it is intended for
> + demonstration purposes and it serves no purpose
> + other than to annoy the user...
> +
> +config LINUX_PAM_FTP
> + bool
> + prompt "PAM ftp module"
> + help
> + pam_ftp is a PAM module which provides a pluggable
> + anonymous ftp mode of access.
> + This module is not safe and easily spoofable.
> +
> +config LINUX_PAM_GROUP
> + bool
> + prompt "PAM group module"
> + help
> + The pam_group PAM module does not authenticate the
> + user, but instead it grants group memberships (in the
> + credential setting phase of the authentication module)
> + to the user. Such memberships are based on the service
> + they are applying for.
> +
> +config LINUX_PAM_ISSUE
> + bool
> + prompt "PAM issue module"
> + help
> + pam_issue is a PAM module to prepend an issue file to
> + the username prompt. It also by default parses escape
> + codes in the issue file similar to some common getty's
> + (using \x format).
> +
> +config LINUX_PAM_KEYINIT
> + bool
> + prompt "PAM keyinit module"
> + help
> + The pam_keyinit PAM module ensures that the invoking
> + process has a session keyring other than the user
> + default session keyring.
> +
> +config LINUX_PAM_LASTLOG
> + bool
> + prompt "PAM lastlog module"
> + help
> + pam_lastlog is a PAM module to display a line of
> + information about the last login of the user. In
> + addition, the module maintains the /var/log/lastlog
> + file.
> +
> +config LINUX_PAM_LIMITS
> + bool
> + prompt "PAM limits module"
> + help
> + The pam_limits PAM module sets limits on the system
> + resources that can be obtained in a user-session.
> + Users of uid=0 are affected by this limits, too.
> + The module must not be called by a multithreaded
> + application.
> +
> +config LINUX_PAM_LISTFILE
> + bool
> + prompt "PAM listfile module"
> + help
> + pam_listfile is a PAM module which provides a way to
> + deny or allow services based on an arbitrary file.
> + No credentials are awarded by this module.
> +
> +config LINUX_PAM_LOCALUSER
> + bool
> + prompt "PAM localuser module"
> + help
> + pam_localuser is a PAM module to help implementing
> + site-wide login policies, where they typically include
> + a subset of the network's users and a few accounts
> + that are local to a particular workstation. Using
> + pam_localuser and pam_wheel or pam_listfile is an
> + effective way to restrict access to either local users
> + and/or a subset of the network's users.
> + This could also be implemented using pam_listfile.so
> + and a very short awk script invoked by cron, but it's
> + common enough to have been separated out.
> +
> +config LINUX_PAM_LOGINUID
> + bool
> + prompt "PAM loginuid module"
> + help
> + The pam_loginuid module sets the loginuid process
> + attribute for the process that was authenticated. This
> + is necessary for applications to be correctly audited.
> + This PAM module should only be used for entry point
> + applications like: login, sshd, gdm, vsftpd, crond and
> + atd. There are probably other entry point applications
> + besides these. You should not use it for applications
> + like sudo or su as that defeats the purpose by
> + changing the loginuid to the account they just
> + switched to.
> +
> +config LINUX_PAM_MAIL
> + bool
> + prompt "PAM mail module"
> + help
> + The pam_mail PAM module provides the "you have new
> + mail" service to the user. It can be plugged into any
> + application that has credential or session hooks. It
> + gives a single message indicating the newness of any
> + mail it finds in the user's mail folder. This module
> + also sets the PAM environment variable, MAIL, to the
> + user's mail directory.
> +
> +config LINUX_PAM_MKHOMEDIR
> + bool
> + prompt "PAM mkhomedir module"
> + help
> + The pam_mkhomedir PAM module will create a users home
> + directory if it does not exist when the session begins.
> + This allows users to be present in central database
> + (such as NIS, kerberos or LDAP) without using a
> + distributed file system or pre-creating a large number
> + of directories. The skeleton directory (usually
> + /etc/skel/) is used to copy default files and also
> + set's a umask for the creation.
> + The new users home directory will not be removed after
> + logout of the user.
> +
> +config LINUX_PAM_MKHOMEDIR_MKHOMEDIR_HELPER
> + bool
> + prompt "mkhomedir_helper program"
> + depends on LINUX_PAM_MKHOMEDIR
> + help
> + mkhomedir_helper - Helper binary that creates home
> + directories. mkhomedir_helper is a helper program
> + for the pam_mkhomedir module that creates home
> + directories and populates them with contents of the
> + specified skel directory.
> +
> +config LINUX_PAM_MOTD
> + bool
> + prompt "PAM motd module"
> + help
> + pam_motd is a PAM module that can be used to display
> + arbitrary motd (message of the day) files after a
> + succesful login. By default the /etc/motd file is
> + shown. The message size is limited to 64KB.
> +
> +config LINUX_PAM_NAMESPACE
> + bool
> + prompt "PAM namespace module"
> + help
> + This module allows setup of private namespaces with
> + polyinstantiated directories. Directories can be
> + polyinstantiated based on user name or, in the case of
> + SELinux, user name, sensitivity level or complete
> + security context.
> +
> +config LINUX_PAM_NOLOGIN
> + bool
> + prompt "PAM netlogin module"
> + help
> + pam_nologin is a PAM module that prevents users from
> + logging into the system when /etc/nologin exists. The
> + contents of the /etc/nologin file are displayed to the
> + user. The pam_nologin module has no effect on the root
> + user's ability to log in.
> +
> +config LINUX_PAM_PERMIT
> + bool
> + prompt "PAM permit module"
> + default y
> + help
> + pam_permit is a PAM module that always permit access.
> + It does nothing else.
> + This module is very dangerous. It should be used with
> + extreme caution.
> +
> +config LINUX_PAM_PWHISTORY
> + bool
> + prompt "PAM pwhistory module"
> + help
> + This module saves the last passwords for each user in
> + order to force password change history and keep the
> + user from alternating between the same password too
> + frequently.
> +
> +config LINUX_PAM_RHOSTS
> + bool
> + prompt "PAM rhost module"
> + help
> + This module performs the standard network
> + authentication for services, as used by traditional
> + implementations of rlogin and rsh etc.
> +
> +config LINUX_PAM_ROOTOK
> + bool
> + prompt "PAM rootok module"
> + default y
> + help
> + pam_rootok is a PAM module that authenticates the user
> + if their UID is 0. Applications that are created
> + setuid-root generally retain the UID of the user but
> + run with the authority of an enhanced effective-UID.
> + It is the real UID that is checked.
> +
> +config LINUX_PAM_SECURETTY
> + bool
> + prompt "PAM securetty module"
> + help
> + pam_securetty is a PAM module that allows root logins
> + only if the user is logging in on a "secure" tty, as
> + defined by the listing in /etc/securetty.
> + pam_securetty also checks to make sure that
> + /etc/securetty is a plain file and not world writable.
> +
> +config LINUX_PAM_SELINUX
> + bool
> + prompt "PAM selinux module"
This should not have a prompt. If selinux is enabled globally, then the
support should always be enabled.
> + depends on GLOBAL_SELINUX
> + help
> + pam_selinux sets up the default security context for the next
> + shell.
> +
> +config LINUX_PAM_SEPERMIT
> + bool
> + prompt "PAM sepermit module"
> + depends on LINUX_PAM_SELINUX
> +
> +config LINUX_PAM_SHELLS
> + bool
> + prompt "PAM shells module"
> + help
> + pam_shells is a PAM module that only allows access to
> + the system if the users shell is listed in /etc/shells.
> +
> +config LINUX_PAM_STRESS
> + bool
> + prompt "PAM stress module"
> +
> +config LINUX_PAM_SUCCEED_IF
> + bool
> + prompt "PAM succeed_if module"
> + help
> + pam_succeed_if.so is designed to succeed or fail
> + authentication based on characteristics of the account
> + belonging to the user being authenticated. One use is
> + to select whether to load other modules based on this
> + test.
> +
> +config LINUX_PAM_TALLY
> + bool
> + prompt "PAM tally module"
> + help
> + This module maintains a count of attempted accesses,
> + can reset count on success, can deny access if too
> + many attempts fail.
> +
> +config LINUX_PAM_TALLY_PAM_TALLY
> + bool
> + prompt "pam_tally program"
> + depends on LINUX_PAM_TALLY
> + help
> + pam_tally - The login counter (tallying) module.
> + pam_tally is an (optional) application which can be
> + used to interrogate and manipulate the counter file.
> + It can display users?? counts, set individual counts,
> + or clear all counts. Setting artificially high
> + counts may be useful for blocking users without
> + changing their passwords. The faillog command can be
> + used instead of pam_tally to to maintain the counter
> + file.
> +
> +config LINUX_PAM_TALLY2
> + bool
> + prompt "PAM tally2 module"
> + help
> + This module maintains a count of attempted accesses,
> + can reset count on success, can deny access if too
> + many attempts fail.
> +
> +config LINUX_PAM_TALLY2_PAM_TALLY2
> + bool
> + prompt "pam_tally2 program"
> + depends on LINUX_PAM_TALLY2
> + help
> + pam_tally2 - The login counter (tallying) module.
> + pam_tally2 is an (optional) application which can
> + be used to interrogate and manipulate the counter
> + file. It can display users?? counts, set individual
> + counts, or clear all counts. Setting artificially
> + high counts may be useful for blocking users without
> + changing their passwords.
> +
> +config LINUX_PAM_TIME
> + bool
> + prompt "PAM time module"
> + help
> + The pam_time PAM module does not authenticate the user,
> + but instead it restricts access to a system and or
> + specific applications at various times of the day and
> + on specific days or over various terminal lines. This
> + module can be configured to deny access to (individual)
> + users based on their name, the time of day, the day of
> + week, the service they are applying for and their
> + terminal from which they are making their request.
> +
> +config LINUX_PAM_TIMESTAMP
> + bool
> + prompt "PAM timestamp module"
> + help
> + pam_timestamp caches successful authentication attempts,
> + and allows you to use a recent successful attempt as the
> + basis for authentication. This is similar mechanism
> + which is used in sudo.
> +
> +config LINUX_PAM_TIMESTAMP_TIMESTAMP_CHECK
> + bool
> + prompt "pam_timestamp_check program"
> + depends on LINUX_PAM_TIMESTAMP
> + help
> + pam_timestamp_check - Check to see if the default
> + timestamp is valid.
> +
> +config LINUX_PAM_UMASK
> + bool
> + prompt "PAM umask module"
> + help
> + pam_umask is a PAM module to set the file mode
> + creation mask of the current environment. The umask
> + affects the default permissions assigned to newly
> + created files.
> +
> +config LINUX_PAM_UNIX
> + bool
> + prompt "PAM unix module"
> + default y
> + help
> + This is the standard Unix authentication module.
> + It uses standard calls from the system's libraries
> + to retrieve and set account information as well as
> + authentication. Usually this is obtained from the
> + /etc/passwd and the /etc/shadow file as well if
> + shadow is enabled.
> +
> +config LINUX_PAM_UNIX_UNIX_UPDATE
> + bool
> + prompt "unix_update program"
> + depends on LINUX_PAM_UNIX
> + help
> + unix_update - Helper binary that updates the password
> + of a given user. The purpose of the helper is to enable
> + tighter confinement of login and password changing
> + services. The helper is thus called only when SELinux
> + is enabled and in the enforcing mode on the system.
> +
> +config LINUX_PAM_UNIX_UNIX_CHKPWD
> + bool
> + prompt "unix_chkpwd program"
> + depends on LINUX_PAM_UNIX
> + help
> + unix_chkpwd - Helper binary that verifies the password
> + of the current user.
> +
> +config LINUX_PAM_USERDB
> + bool
> + prompt "PAM userdb module"
> + help
> + The pam_userdb module is used to verify a
> + username/password pair against values stored in a
> + Berkeley DB database. The database is indexed by
> + the username, and the data fields corresponding to
> + the username keys are the passwords.
> +
> +config LINUX_PAM_WARN
> + bool
> + prompt "PAM warn module"
> + default y
> + help
> + pam_warn is a PAM module that logs the service,
> + terminal, user, remote user and remote host to
> + syslog(3). The items are not probed for, but instead
> + obtained from the standard PAM items. The module
> + always returns PAM_IGNORE, indicating that it does not
> + want to affect the authentication process.
> +
> +config LINUX_PAM_WHEEL
> + bool
> + prompt "PAM wheel module"
> + default y
> + help
> + The pam_wheel PAM module is used to enforce the
> + so-called wheel group. By default it permits root
> + access to the system if the applicant user is a member
> + of the wheel group. If no group with this name exist,
> + the module is using the group with the group-ID 0.
> +
> +config LINUX_PAM_XAUTH
> + bool
> + prompt "PAM xauth module"
> + default y
> + help
> + The pam_xauth PAM module is designed to forward xauth
> + keys (sometimes referred to as "cookies") between users.
> +
> +endmenu
> +
> +config LINUX_PAM_LOCKING
> + bool
> + default n
> + prompt "Locking"
> + help
> + Configure libpam to observe a global authentication lock.
I don't think this should be configurable. Just use a sane default.
> +
> +config LINUX_PAM_MAILSPOOL
> + string
> + prompt "Mail spool path"
> + help
> + Alternative path to mail spool directory or
> + leave empty for default path (/var/spool/mail).
No option for this. Just use the default.
> +
> +config LINUX_PAM_RANDOMDEV
> + bool
> + default y
> + prompt "Random decive"
> + help
> + Say yes for using random device.
> +
> +config LINUX_PAM_RANDOMDEV_PATH
> + string
> + prompt "Random device path"
> + depends on LINUX_PAM_RANDOMDEV
> + help
> + Specify random device or leave empty for
> + default device path (/dev/urandom).
No, just set it to /dev/urandom, or whatever other linux distros are doing.
> +
> +endif
> +
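Review bot: the defaults are inverted from a security point of view: LINUX_PAM_PERMIT is `default y` while its own help calls it "very dangerous", LINUX_PAM_DENY (the module a fail-closed `other` entry needs) has no default, and LINUX_PAM_XAUTH is `default y` although an embedded target rarely has X. Following the "small modules go in unconditionally" rule, permit, deny, warn and unix could lose their prompts and always be installed, and xauth should default to n. Smaller points: the LINUX_PAM_NOLOGIN prompt reads "PAM netlogin module" (should be nologin); the "users??" in both tally help texts is a mangled apostrophe and should be plain ASCII; "attatched", "succesful", "set's" and "Random decive" are typos. For the two missing help texts: pam_sepermit(8) describes itself as allowing or denying login depending on the SELinux enforcement state, which is enough for the help; pam_stress is upstream's module for stress-testing the PAM stack rather than a production module, so the cleanest fix is to drop that option altogether.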
> diff --git a/rules/linux-pam.make b/rules/linux-pam.make
> new file mode 100644
> index 000000000..a651c8a6f
> --- /dev/null
> +++ b/rules/linux-pam.make
> @@ -0,0 +1,182 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2018 by Andreas Schmidt <mail@schmidt-andreas.de>
> +#
> +# See CREDITS for details about who has contributed to this project.
> +#
> +# For information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LINUX_PAM) += linux-pam
> +
> +#
> +# Paths and names
> +#
> +LINUX_PAM_VERSION := 1.3.0
> +LINUX_PAM_MD5 := da4b2289b7cfb19583d54e9eaaef1c3a
> +LINUX_PAM := Linux-PAM-$(LINUX_PAM_VERSION)
> +LINUX_PAM_SUFFIX := tar.bz2
> +LINUX_PAM_URL := http://www.linux-pam.org/library/$(LINUX_PAM).$(LINUX_PAM_SUFFIX)
> +LINUX_PAM_SOURCE := $(SRCDIR)/$(LINUX_PAM).$(LINUX_PAM_SUFFIX)
> +LINUX_PAM_DIR := $(BUILDDIR)/$(LINUX_PAM)
> +LINUX_PAM_LICENSE := GPL, BSD
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +LINUX_PAM_MOD- =
> +LINUX_PAM_ETC- =
> +LINUX_PAM_SBIN- =
> +LINUX_PAM_FILTER- =
> +
> +
> +# PAM modules without "pam_" prefix
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ACCESS) += access
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_DEBUG) += debug
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_DENY) += deny
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ECHO) += echo
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ENV) += env
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_EXEC) += exec
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_FAILDELAY) += faildelay
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_FILTER) += filter
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_FTP) += ftp
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_GROUP) += group
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ISSUE) += issue
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_KEYINIT) += keyinit
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LASTLOG) += lastlog
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LIMITS) += limits
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LISTFILE) += listfile
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LOCALUSER) += localuser
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LOGINUID) += loginuid
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_MAIL) += mail
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_MKHOMEDIR) += mkhomedir
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_MOTD) += motd
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_NAMESPACE) += namespace
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_NOLOGIN) += nologin
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_PERMIT) += permit
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_PWHISTORY) += pwhistory
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_RHOSTS) += rhosts
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ROOTOK) += rootok
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SECURETTY) += securetty
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SELINUX) += selinux
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SEPERMIT) += sepermit
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SHELLS) += shells
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_STRESS) += stress
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SUCCEED_IF) += succeed_if
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TALLY) += tally
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TALLY2) += tally2
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TIME) += time
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TIMESTAMP) += timestamp
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_UMASK) += umask
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_UNIX) += unix
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_USERDB) += userdb
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_WARN) += warn
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_WHEEL) += wheel
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_XAUTH) += xauth
> +
> +# Configuration files related to /etc
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_ACCESS) += security/access.conf
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_ENV) += security/pam_env.conf
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_GROUP) += security/group.conf
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_LIMITS) += security/limits.conf
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_NAMESPACE) += security/namespace.conf
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_NAMESPACE) += security/namespace.init
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_TIME) += security/time.conf
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_ENV) += environment
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_SECURETTY) += securetty
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_SHELLS) += shells
> +
> +# Programs in /usr/sbin
> +LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_MKHOMEDIR_MKHOMEDIR_HELPER) += mkhomedir_helper
> +LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_TALLY_PAM_TALLY) += pam_tally
> +LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_TALLY2_PAM_TALLY2) += pam_tally2
> +LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_TIMESTAMP_TIMESTAMP_CHECK) += pam_timestamp_check
> +LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_UNIX_UNIX_UPDATE) += unix_update
> +LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_UNIX_UNIX_CHKPWD) += unix_chkpwd
> +
> +# PAM filters
> +LINUX_PAM_FILTER-$(PTXCONF_LINUX_PAM_FILTER_UPPERLOWER) += upperLOWER
> +
> +# Prepare variables
> +MAILSPOOL=$(call ptx/ifdef, PTXCONF_LINUX_PAM_MAILSPOOL, $(PTXCONF_LINUX_PAM_MAILSPOOL), /var/spool/mail)
> +RANDOMDEV=$(call ptx/ifdef, PTXCONF_LINUX_PAM_RANDOMDEV, \
> + $(call ptx/ifdef, PTXCONF_LINUX_PAM_RANDOMDEV_PATH, $(PTXCONF_LINUX_PAM_RANDOMDEV_PATH), yes), no)
> +#
> +# autoconf
> +#
> +LINUX_PAM_CONF_TOOL := autoconf
> +LINUX_PAM_CONF_OPT := \
> + $(CROSS_AUTOCONF_USR) \
> + $(GLOBAL_LARGE_FILE_OPTION) \
> + --bindir=/usr/bin \
> + --sbindir=/usr/sbin \
> + --disable-silent-rules \
> + --disable-dependency-tracking \
> + --disable-libtool-lock \
> + --disable-pie \
> + --disable-prelude \
> + --disable-debug \
> + --enable-securedir=/usr/lib/security \
> + --$(call ptx/endis, PTXCONF_LINUX_PAM_LOCKING)-pamlocking \
> + --enable-read-both-confs \
> + --disable-lckpwdf \
> + --disable-cracklib \
> + --disable-audit \
> + --enable-db=$(call ptx/ifdef, PTXCONF_LINUX_PAM_USERDB, yes, no) \
> + --disable-nis \
> + --$(call ptx/endis, PTXCONF_LINUX_PAM_SELINUX)-selinux \
> + --disable-regenerate-docu \
> + --disable-nls \
> + --disable-rpath \
> + --with-mailspool="$(MAILSPOOL)" \
> + --with-randomdev=$(RANDOMDEV)
> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/linux-pam.targetinstall:
> + @$(call targetinfo)
> +
> + @$(call install_init, linux-pam)
> + @$(call install_fixup, linux-pam,PRIORITY,optional)
> + @$(call install_fixup, linux-pam,SECTION,base)
> + @$(call install_fixup, linux-pam,AUTHOR,"Andreas Schmidt <mail@schmidt-andreas.de>")
> + @$(call install_fixup, linux-pam,DESCRIPTION,missing)
> +
> + @$(call install_lib, linux-pam, 0, 0, 0644, libpam)
> + @$(call install_lib, linux-pam, 0, 0, 0644, libpam_misc)
> + @$(call install_lib, linux-pam, 0, 0, 0644, libpamc)
> +
> + @$(foreach module, $(LINUX_PAM_MOD-y), \
> + $(call install_copy, linux-pam, 0, 0, 0644, -, /usr/lib/security/pam_$(module).so);)
Use $(ptx/nl) instead of ';'. This way errors are not ignored. The same for
all loops below.
Michael
> +
> + @$(foreach conf, $(LINUX_PAM_ETC-y), \
> + $(call install_alternative, linux-pam, 0, 0, 0644, /etc/$(conf));)
> +
> + @$(foreach app, $(LINUX_PAM_SBIN-y), \
> + $(call install_copy, linux-pam, 0, 0, 0755, -, /usr/sbin/$(app));)
> +
> + @$(foreach file, $(LINUX_PAM_FILTER-y), \
> + $(call install_copy, linux-pam, 0, 0, 0755, -, /usr/lib/security/pam_filter/$(file));)
> +
> + @$(call install_copy, linux-pam, 0, 0, 0755, $(MAILSPOOL))
> +
> + @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.conf)
> + @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/other)
> + @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-account)
> + @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-auth)
> + @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-password)
> + @$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-session)
> +
> + @$(call install_finish, linux-pam)
> +
> + @$(call touch)
> +
> +# vim: syntax=make
> +
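Review bot: installing every LINUX_PAM_SBIN- helper with mode 0755 breaks unix_chkpwd. It has to run setuid root to read /etc/shadow on behalf of an unprivileged caller (upstream's install hook sets it to 4755), otherwise password verification from any non-root process fails; unix_update is set to 0700 upstream. Replace the loop with per-helper install_copy lines that state the mode explicitly, so the one setuid binary in the package is visible in review. `install_copy ... 0755, $(MAILSPOOL)` creates the spool as root:root with no group write, which no delivery agent can use; if the directory is created here at all it should use the mail group and a group-writable mode as distributions do. MAILSPOOL and RANDOMDEV are unprefixed and land in the shared ptxdist make namespace; name them LINUX_PAM_MAILSPOOL / LINUX_PAM_RANDOMDEV, and do not let RANDOMDEV resolve to `no`: the random device is what pam_unix draws password salts from, and a menu option should not be able to downgrade that. DESCRIPTION is still "missing".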
> --
> 2.16.1
--
Pengutronix e.K.
Industrial Linux Solutions | http://www.pengutronix.de/
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555
* Re: [ptxdist] [PATCH] linux-pam: add new package
2018-02-21 15:37 ` Michael Olbrich
@ 2018-03-01 19:27 ` Andreas Schmidt
0 siblings, 0 replies; 3+ messages in thread
From: Andreas Schmidt @ 2018-03-01 19:27 UTC (permalink / raw)
To: ptxdist
Hi Michael,
On 21.02.2018 16:37, Michael Olbrich wrote:
> On Sat, Feb 10, 2018 at 03:09:15PM +0100, Andreas Schmidt wrote:
>> Signed-off-by: Andreas Schmidt <mail@schmidt-andreas.de>
>> ---
>> Hi,
>> this patch should add Linux-PAM libraries, modules, minimal
>> configuration and Linux-PAM applications to ptxdist.
>>
>> [...]
>>
>> I'm looking forward for constructive comments!
> What exactly is your use-case? What can I do with this rule, the way it
> is now? I'm not an expert on PAM. The only use-case I'm familiar with is
> to use PAM for user authentication. In this case I would expect some kind
> of integration with busybox (/bin/login) and systemd.
PAM can, but need not, be used for authentication management. I used it in
some projects to set rules for the creation of new passwords and for
authentication at login. I am not an expert in PAM either, but you can set
restrictions / limits for files or file access or other resources (e.g.
pam_limits) and many other things, mentioned in the documentation of
linux-pam.
> In general, I try to avoid adding options blindly for everything. Some
> basic rules:
> - try to provide options for use-cases not files. This works in some cases
> (e.g. 'nfs server' or 'nfs client') but not so well in others (gstreamer
> plugins). A lot of PAM modules probably have this problem.
Ok, I will try to clean it up. But I am not sure if I have the whole
overview of all important use-cases.
> - If it adds an external dependency: add an option for it
Yes, will do it so.
> - If it's small just install it unconditionally unless that can be
> problematic.
> This is probably true for the basic modules.
Ok, I think many modules can be added by default, because they are needed
in most use-cases.
> - If you think it's probably not useful for embedded, then ignore it. We
> can add more options later.
> Maybe some of the programs?
Ok, e.g. the mkhomedir module is useless in most embedded systems because
the users are fixed and their homedirs are created during the build
process, if a homedir is needed at all.
Thanks for the comments, I will create a new patch. Or do you think that
linux-pam is not needed by most users of ptxdist?
>> ---
>> projectroot/etc/pam.conf | 15 +
>> projectroot/etc/pam.d/common-account | 9 +
>> projectroot/etc/pam.d/common-auth | 10 +
>> projectroot/etc/pam.d/common-password | 12 +
>> projectroot/etc/pam.d/common-session | 10 +
>> projectroot/etc/pam.d/other | 8 +
>> projectroot/etc/securetty | 12 +
>> projectroot/etc/shells | 1 +
> Where do these files come from?
From the mentioned patches, edited by me.
I will rework them too. I guess they are not consistent yet.
>> rules/linux-pam.in | 533 ++++++++++++++++++++++++++++++++++
>> rules/linux-pam.make | 182 ++++++++++++
>> 10 files changed, 792 insertions(+)
>> create mode 100644 projectroot/etc/pam.conf
>> create mode 100644 projectroot/etc/pam.d/common-account
>> create mode 100644 projectroot/etc/pam.d/common-auth
>> create mode 100644 projectroot/etc/pam.d/common-password
>> create mode 100644 projectroot/etc/pam.d/common-session
>> create mode 100644 projectroot/etc/pam.d/other
>> create mode 100644 projectroot/etc/securetty
>> create mode 100644 projectroot/etc/shells
>> create mode 100644 rules/linux-pam.in
>> create mode 100644 rules/linux-pam.make
[...]
>> diff --git a/projectroot/etc/shells b/projectroot/etc/shells
>> new file mode 100644
>> index 000000000..c2cdaa0f2
>> --- /dev/null
>> +++ b/projectroot/etc/shells
>> @@ -0,0 +1 @@
>> +/bin/sh
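Review bot: /etc/shells here lists only /bin/sh, and the pam_shells option added in rules/linux-pam.in only allows access if the user's shell is listed in this file, so any account whose login shell is anything else (a busybox ash or a bash path, for example) is denied once LINUX_PAM_SHELLS is enabled; make sure the list matches the shells actually present in the target root filesystem, or document that users have to extend it via projectroot.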
>> diff --git a/rules/linux-pam.in b/rules/linux-pam.in
>> new file mode 100644
>> index 000000000..4aa7dcf7d
>> --- /dev/null
>> +++ b/rules/linux-pam.in
>> @@ -0,0 +1,533 @@
>> +## SECTION=shell_and_console
>> +
>> +menuconfig LINUX_PAM
>> + tristate
>> + prompt "linux-pam"
> add spaces at the end to align the '-->' in menuconfig.
Ok
>> + select FLEX
>> + select DB if LINUX_PAM_USERDB
>> + select LIBSELINUX if LINUX_PAM_SELINUX
> Align the 'if' with tabs.
Ok
>> + help
>> + Linux-PAM is a free implementation of the following DCE-RFC from
>> + Sunsoft. PAM provides a way to develop programs that are
>> + independent of authentication scheme. These programs need
>> + "authentication modules" to be attatched to them at run-time
>> + in order to work. Which authentication module is to be attatched
>> + is dependent upon the local system setup and is at the discretion.
>> +
>> +if LINUX_PAM
>> +
>> +menu "PAM modules"
>> +
>> +config LINUX_PAM_ACCESS
>> + bool
>> + prompt "PAM access module"
>> + help
>> + The pam_access PAM module is mainly for access
>> + management. It provides logdaemon style login access
>> + control based on login names, host or domain names,
>> + internet addresses or network numbers, or on terminal
>> + line names in case of non-networked logins.
>> +
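Review bot: the LINUX_PAM help text has a spelling error twice ("attatched" in the two "authentication modules" lines) and its last sentence is cut off: "is at the discretion." needs the rest of the sentence, i.e. whose discretion. Please complete the sentence and fix the spelling.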
[...]
>> +config LINUX_PAM_SECURETTY
>> + bool
>> + prompt "PAM securetty module"
>> + help
>> + pam_securetty is a PAM module that allows root logins
>> + only if the user is logging in on a "secure" tty, as
>> + defined by the listing in /etc/securetty.
>> + pam_securetty also checks to make sure that
>> + /etc/securetty is a plain file and not world writable.
>> +
>> +config LINUX_PAM_SELINUX
>> + bool
>> + prompt "PAM selinux module"
> This should not have a prompt. If selinux is enabled globally, then the
> support should always be enabled.
Ok
>> + depends on GLOBAL_SELINUX
>> + help
>> + pam_selinux sets up the default security context for the next
>> + shell.
>> +
>> +config LINUX_PAM_SEPERMIT
>> + bool
>> + prompt "PAM sepermit module"
>> + depends on LINUX_PAM_SELINUX
>> +
>> +config LINUX_PAM_SHELLS
>> + bool
>> + prompt "PAM shells module"
>> + help
>> + pam_shells is a PAM module that only allows access to
>> + the system if the users shell is listed in /etc/shells.
>> +
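Review bot: LINUX_PAM_SEPERMIT is the only module option in this hunk without a help text (the cover letter already flags this). Also, the securetty and shells options describe modules that read /etc/securetty and /etc/shells, but nothing in this file ties those options to installing the corresponding projectroot files; a module like pam_securetty, whose whole job is to check that file (and that it is a plain, non-world-writable file), is only meaningful when the file is there, so make installing /etc/securetty and /etc/shells depend on the respective module option rather than on a separate list.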
[...]
>> +
>> +config LINUX_PAM_LOCKING
>> + bool
>> + default n
>> + prompt "Locking"
>> + help
>> + Configure libpam to observe a global authentication lock.
> I don't think this should be configurable. Just use a sane default.
Ok
>
>> +
>> +config LINUX_PAM_MAILSPOOL
>> + string
>> + prompt "Mail spool path"
>> + help
>> + Alternative path to mail spool directory or
>> + leave empty for default path (/var/spool/mail).
> No option for this. Just use the default.
Ok
>> +
>> +config LINUX_PAM_RANDOMDEV
>> + bool
>> + default y
>> + prompt "Random decive"
>> + help
>> + Say yes for using random device.
>> +
>> +config LINUX_PAM_RANDOMDEV_PATH
>> + string
>> + prompt "Random device path"
>> + depends on LINUX_PAM_RANDOMDEV
>> + help
>> + Specify random device or leave empty for
>> + default device path (/dev/urandom).
> No, just set it to /dev/urandom, or whatever other linux distros are doing.
Ok
>
>> +
>> +endif
>> +
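Review bot: the same objection as for LINUX_PAM_RANDOMDEV_PATH applies to the LINUX_PAM_RANDOMDEV bool above it: an option to turn off the random device entirely should not be offered, just always build with /dev/urandom. If the bool stays for now, fix the prompt typo "Random decive" -> "Random device".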
>> diff --git a/rules/linux-pam.make b/rules/linux-pam.make
>> new file mode 100644
>> index 000000000..a651c8a6f
>> --- /dev/null
>> +++ b/rules/linux-pam.make
>> @@ -0,0 +1,182 @@
>> +# -*-makefile-*-
>> +#
>> +# Copyright (C) 2018 by Andreas Schmidt <mail@schmidt-andreas.de>
>> +#
>> +# See CREDITS for details about who has contributed to this project.
>> +#
>> +# For information about the PTXdist project and license conditions
>> +# see the README file.
>> +#
>> +
>> +#
>> +# We provide this package
>> +#
>> +PACKAGES-$(PTXCONF_LINUX_PAM) += linux-pam
>> +
>> +#
>> +# Paths and names
>> +#
[...]
>> +
>> +# ----------------------------------------------------------------------------
>> +# Target-Install
>> +# ----------------------------------------------------------------------------
>> +
>> +$(STATEDIR)/linux-pam.targetinstall:
>> + @$(call targetinfo)
>> +
>> + @$(call install_init, linux-pam)
>> + @$(call install_fixup, linux-pam,PRIORITY,optional)
>> + @$(call install_fixup, linux-pam,SECTION,base)
>> + @$(call install_fixup, linux-pam,AUTHOR,"Andreas Schmidt <mail@schmidt-andreas.de>")
>> + @$(call install_fixup, linux-pam,DESCRIPTION,missing)
>> +
>> + @$(call install_lib, linux-pam, 0, 0, 0644, libpam)
>> + @$(call install_lib, linux-pam, 0, 0, 0644, libpam_misc)
>> + @$(call install_lib, linux-pam, 0, 0, 0644, libpamc)
>> +
>> + @$(foreach module, $(LINUX_PAM_MOD-y), \
>> + $(call install_copy, linux-pam, 0, 0, 0644, -, /usr/lib/security/pam_$(module).so);)
> Use $(ptx/nl) instead of ';'. This way errors are not ignored. The same for
> all loops below.
Ok
> Michael
Thank you!
Regards,
Andreas
[...]
Thread overview:
2018-02-10 14:09 [ptxdist] [PATCH] linux-pam: add new package Andreas Schmidt
2018-02-21 15:37 ` Michael Olbrich
2018-03-01 19:27 ` Andreas Schmidt