mailarchive of the ptxdist mailing list
From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH] linux-pam: add new package
Date: Wed, 21 Feb 2018 16:37:07 +0100
Message-ID: <20180221153707.wheqlqrkvqysxlgm@pengutronix.de>
In-Reply-To: <20180210140915.7809-1-mail@schmidt-andreas.de>

On Sat, Feb 10, 2018 at 03:09:15PM +0100, Andreas Schmidt wrote:
> Signed-off-by: Andreas Schmidt <mail@schmidt-andreas.de>
> ---
> Hi,
> this patch should add the Linux-PAM libraries, modules, a minimal
> configuration and the Linux-PAM applications to ptxdist.
> 
> I searched for similar patches in the mailing list archive and found two.
> Sadly, both patches were never finished. The patches / posts are:
> 
> 1) [ptxdist] [PATCHv7] linux-pam: this patch add Linux-PAM support to
> ptxdist. Posted by Oliver Graute on Thu, Oct 22, 2015 at 04:04:15PM
> +0200
> 2) [ptxdist] [PATCH 2/3] Adding the Linux-PAM package. Posted by Joseph
> A. Lutz on Nov 30, 2010 at 05:06:33PM -0600
> 
> If Oliver Graute and/or Joseph A. Lutz want to be added as signed-off-by,
> let me know.
> 
> For this patch I tried to fix/implement all relevant comments from the
> mail threads of the patches mentioned above. I improved obsolete things
> and added minimal configuration files. But for one part I need some
> help.
> 
> In the Kconfig file the help description is missing for two modules:
> 1) For LINUX_PAM_SEPERMIT
> 2) For LINUX_PAM_STRESS
> 
> I searched for documentation on the Linux-PAM homepage, but I found
> nothing. Can someone help and write the help descriptions, or send a
> link where I can find some information?
> 
> I added a Copyright by me to the make file header, like it is in the
> other make files. Is that right? I'm not firm with such stuff :(
> 
> I'm looking forward to constructive comments!

What exactly is your use-case? What can I do with this rule, the way it
is now? I'm not an expert on PAM. The only use-case I'm familiar with is
to use PAM for user authentication. In this case I would expect some kind
of integration with busybox (/bin/login) and systemd.

In general, I try to avoid adding options blindly for everything. Some
basic rules:
- try to provide options for use-cases, not files. This works in some cases
  (e.g. 'nfs server' or 'nfs client') but not so well in others (gstreamer
  plugins). A lot of PAM modules probably have this problem.
- If it adds an external dependency: add an option for it
- If it's small just install it unconditionally unless that can be
  problematic.
  This is probably true for the basic modules.
- If you think it's probably not useful for embedded, then ignore it. We
  can add more options later.
  Maybe some of the programs?


> ---
>  projectroot/etc/pam.conf              |  15 +
>  projectroot/etc/pam.d/common-account  |   9 +
>  projectroot/etc/pam.d/common-auth     |  10 +
>  projectroot/etc/pam.d/common-password |  12 +
>  projectroot/etc/pam.d/common-session  |  10 +
>  projectroot/etc/pam.d/other           |   8 +
>  projectroot/etc/securetty             |  12 +
>  projectroot/etc/shells                |   1 +

Where do these files come from?

>  rules/linux-pam.in                    | 533 ++++++++++++++++++++++++++++++++++
>  rules/linux-pam.make                  | 182 ++++++++++++
>  10 files changed, 792 insertions(+)
>  create mode 100644 projectroot/etc/pam.conf
>  create mode 100644 projectroot/etc/pam.d/common-account
>  create mode 100644 projectroot/etc/pam.d/common-auth
>  create mode 100644 projectroot/etc/pam.d/common-password
>  create mode 100644 projectroot/etc/pam.d/common-session
>  create mode 100644 projectroot/etc/pam.d/other
>  create mode 100644 projectroot/etc/securetty
>  create mode 100644 projectroot/etc/shells
>  create mode 100644 rules/linux-pam.in
>  create mode 100644 rules/linux-pam.make
> 
> diff --git a/projectroot/etc/pam.conf b/projectroot/etc/pam.conf
> new file mode 100644
> index 000000000..0f1a6111b
> --- /dev/null
> +++ b/projectroot/etc/pam.conf
> @@ -0,0 +1,15 @@
> +#
> +# other - The default security level
> +#
> +
> +other account required pam_warn.so
> +other account required pam_permit.so
> +
> +other auth required pam_warn.so
> +other auth required pam_permit.so
> +
> +other password required pam_warn.so
> +other password required pam_permit.so
> +
> +other session required pam_warn.so
> +other session required pam_permit.so
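Review bot: the `other` stacks fail open: each of the four management groups ends in `other ... required pam_permit.so`, so any service without its own configuration is granted access with no credential checked at all, and the Kconfig help in this same patch calls pam_permit "very dangerous" while naming pam_deny as the module suitable for the OTHER entries. Suggest `other auth required pam_deny.so` and likewise for account, password and session, keeping `pam_warn.so` as the first entry so the attempt is still logged. Also, the make rule passes `--enable-read-both-confs`, so both this file and /etc/pam.d/other are consulted; shipping one of the two is enough and avoids the two drifting apart.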
> diff --git a/projectroot/etc/pam.d/common-account b/projectroot/etc/pam.d/common-account
> new file mode 100644
> index 000000000..667ca1ded
> --- /dev/null
> +++ b/projectroot/etc/pam.d/common-account
> @@ -0,0 +1,9 @@
> +#
> +# /etc/pam.d/common-account - authorization settings common to all services
> +#
> +# This file is included from other service-specific PAM config files,
> +# and should contain a list of the authorization modules that define
> +# the central access policy for use on the system.
> +
> +account required pam_warn.so
> +account required pam_permit.so
> diff --git a/projectroot/etc/pam.d/common-auth b/projectroot/etc/pam.d/common-auth
> new file mode 100644
> index 000000000..afa99728c
> --- /dev/null
> +++ b/projectroot/etc/pam.d/common-auth
> @@ -0,0 +1,10 @@
> +#
> +# /etc/pam.d/common-auth - authentication settings common to all services
> +#
> +# This file is included from other service-specific PAM config files,
> +# and should contain a list of the authentication modules that define
> +# the central authentication scheme for use on the system
> +# (e.g., /etc/shadow, LDAP, Kerberos, etc.).
> +
> +auth required pam_warn.so
> +auth required pam_permit.so
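Review bot: `auth required pam_permit.so` as the "central authentication scheme" means no password is ever verified for any service that includes this file. LINUX_PAM_UNIX already defaults to y in this patch, so `auth required pam_unix.so` (with `pam_deny.so` as the closing entry) is the expected content here; the pam_warn/pam_permit pair only makes sense in a debugging configuration. The same applies to common-account, where `account required pam_unix.so` would give the expiry and lock checks the file's own comment promises.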
> diff --git a/projectroot/etc/pam.d/common-password b/projectroot/etc/pam.d/common-password
> new file mode 100644
> index 000000000..08b160038
> --- /dev/null
> +++ b/projectroot/etc/pam.d/common-password
> @@ -0,0 +1,12 @@
> +#
> +# /etc/pam.d/common-password - password-related modules common to all services
> +#
> +# This file is included from other service-specific PAM config files,
> +# and should contain a list of modules that define the services to be
> +# used to change user passwords.
> +
> +# Currently no password changes are allowed durring the authentication process
> +# because we do not know how it will react with the ldap server if at all
> +
> +password required pam_warn.so
> +password required pam_permit.so
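Review bot: the comment about "the ldap server" does not apply to this package, which builds no LDAP module, and "durring" is a typo; either drop the comment or state the actual reason for the choice. Since the header documents this file as the list of modules that change passwords, `password required pam_unix.so` (LINUX_PAM_UNIX defaults to y) is the expected entry; with `pam_permit.so` a password change reports success without changing anything.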
> diff --git a/projectroot/etc/pam.d/common-session b/projectroot/etc/pam.d/common-session
> new file mode 100644
> index 000000000..0067dda62
> --- /dev/null
> +++ b/projectroot/etc/pam.d/common-session
> @@ -0,0 +1,10 @@
> +#
> +# /etc/pam.d/common-session - session-related modules common to all services
> +#
> +# This file is included from other service-specific PAM config files,
> +# and should contain a list of modules that define tasks to be performed
> +# at the start and end of sessions of *any* kind (both interactive and
> +# non-interactive).
> +
> +session required pam_warn.so
> +session required pam_permit.so
> diff --git a/projectroot/etc/pam.d/other b/projectroot/etc/pam.d/other
> new file mode 100644
> index 000000000..b111f7422
> --- /dev/null
> +++ b/projectroot/etc/pam.d/other
> @@ -0,0 +1,8 @@
> +#
> +# other - The default security level
> +#
> +
> +account include common-account # Include the standard account controls
> +auth include common-auth # Include the standard auth controls
> +password include common-password # Include the standard passwd controls
> +session include common-session # Include the standard session controls
> diff --git a/projectroot/etc/securetty b/projectroot/etc/securetty
> new file mode 100644
> index 000000000..2040401c0
> --- /dev/null
> +++ b/projectroot/etc/securetty
> @@ -0,0 +1,12 @@
> +tty0
> +tty1
> +tty2
> +tty3
> +tty4
> +tty5
> +tty6
> +tty7
> +ttyS0
> +ttyS1
> +ttyO0
> +ttyO1
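Review bot: ttyO0/ttyO1 are TI OMAP serial console names, so this list is board-specific rather than a generic projectroot default; consider keeping only tty0..tty7 and ttyS0/ttyS1 here and letting BSPs override the file, which the install_alternative call in the make rule already allows. Note also that the file has no effect until `pam_securetty.so` appears in an auth stack, and none of the shipped pam.d files reference it.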
> diff --git a/projectroot/etc/shells b/projectroot/etc/shells
> new file mode 100644
> index 000000000..c2cdaa0f2
> --- /dev/null
> +++ b/projectroot/etc/shells
> @@ -0,0 +1 @@
> +/bin/sh
> diff --git a/rules/linux-pam.in b/rules/linux-pam.in
> new file mode 100644
> index 000000000..4aa7dcf7d
> --- /dev/null
> +++ b/rules/linux-pam.in
> @@ -0,0 +1,533 @@
> +## SECTION=shell_and_console
> +
> +menuconfig LINUX_PAM
> +	tristate
> +	prompt "linux-pam"

add spaces at the end to align the '-->' in menuconfig.

> +	select FLEX
> +	select DB if LINUX_PAM_USERDB
> +	select LIBSELINUX if LINUX_PAM_SELINUX

Align the 'if' with tabs.


> +	help
> +	  Linux-PAM is a free implementation of the following DCE-RFC from
> +	  Sunsoft. PAM provides a way to develop programs that are
> +	  independent of authentication scheme. These programs need
> +	  "authentication modules" to be attatched to them at run-time
> +	  in order to work. Which authentication module is to be attatched
> +	  is dependent upon the local system setup and is at the discretion.
> +
> +if LINUX_PAM
> +
> +menu "PAM modules"
> +
> +config LINUX_PAM_ACCESS
> +	bool
> +	prompt "PAM access module"
> +	help
> +	  The pam_access PAM module is mainly for access
> +	  management. It provides logdaemon style login access
> +	  control based on login names, host or domain names,
> +	  internet addresses or network numbers, or on terminal
> +	  line names in case of non-networked logins.
> +
> +config LINUX_PAM_DEBUG
> +	bool
> +	prompt "PAM debug module"
> +	help
> +	  The pam_debug PAM module is intended as a debugging
> +	  aide for determining how the PAM stack is operating.
> +
> +config LINUX_PAM_DENY
> +	bool
> +	prompt "PAM deny module"
> +	help
> +	  This module can be used to deny access. It always
> +	  indicates a failure to the application through the PAM
> +	  framework. It might be suitable for using for default
> +	  (the OTHER) entries.
> +
> +config LINUX_PAM_ECHO
> +	bool
> +	prompt "PAM echo module"
> +	help
> +	  The pam_echo PAM module is for printing text messages
> +	  to inform user about special things.
> +
> +config LINUX_PAM_ENV
> +	bool
> +	prompt "PAM env module"
> +	help
> +	  The pam_env PAM module allows the (un)setting of
> +	  environment variables. Supported is the use of
> +	  previously set environment variables as well as
> +	  PAM_ITEMs such as PAM_RHOSTS.
> +
> +config LINUX_PAM_EXEC
> +	bool
> +	prompt "PAM exec module"
> +	help
> +	  pam_exec is a PAM module that can be used to run an
> +	  external command.
> +
> +config LINUX_PAM_FAILDELAY
> +	bool
> +	prompt "PAM faildelay module"
> +	help
> +	  pam_faildelay is a PAM module that can be used to set
> +	  the delay on failure per-application.
> +	  If no delay is given, pam_faildelay will use the value
> +	  of FAIL_DELAY from /etc/login.defs. 
> +
> +config LINUX_PAM_FILTER
> +	bool
> +	prompt "PAM filter module"
> +	help
> +	  This module is intended to be a platform for providing
> +	  access to all of the input/output that passes between
> +	  the user and the application. It is only suitable for
> +	  tty-based and (stdin/stdout) applications.
> +	  To function this module requires filters to be
> +	  installed on the system. The single filter provided
> +	  with the module simply transposes upper and lower case
> +	  letters in the input and output streams. (This can be
> +	  very annoying and is not kind to termcap based editors).
> +
> +config LINUX_PAM_FILTER_UPPERLOWER
> +	bool
> +	prompt "upperLOWER program"
> +	depends on LINUX_PAM_FILTER
> +	default n
> +	help
> +	  This is a sample filter program, for use with
> +	  pam_filter. This filter simply transposes upper
> +	  and lower case letters, it is intended for
> +	  demonstration purposes and it serves no purpose
> +	  other than to annoy the user...
> +
> +config LINUX_PAM_FTP
> +	bool
> +	prompt "PAM ftp module"
> +	help
> +	  pam_ftp is a PAM module which provides a pluggable
> +	  anonymous ftp mode of access.
> +	  This module is not safe and easily spoofable.
> +
> +config LINUX_PAM_GROUP
> +	bool
> +	prompt "PAM group module"
> +	help
> +	  The pam_group PAM module does not authenticate the
> +	  user, but instead it grants group memberships (in the
> +	  credential setting phase of the authentication module)
> +	  to the user. Such memberships are based on the service
> +	  they are applying for.
> +
> +config LINUX_PAM_ISSUE
> +	bool
> +	prompt "PAM issue module"
> +	help
> +	  pam_issue is a PAM module to prepend an issue file to
> +	  the username prompt. It also by default parses escape
> +	  codes in the issue file similar to some common getty's
> +	  (using \x format).
> +
> +config LINUX_PAM_KEYINIT
> +	bool
> +	prompt "PAM keyinit module"
> +	help
> +	  The pam_keyinit PAM module ensures that the invoking
> +	  process has a session keyring other than the user
> +	  default session keyring.
> +
> +config LINUX_PAM_LASTLOG
> +	bool
> +	prompt "PAM lastlog module"
> +	help
> +	  pam_lastlog is a PAM module to display a line of
> +	  information about the last login of the user. In
> +	  addition, the module maintains the /var/log/lastlog
> +	  file.
> +
> +config LINUX_PAM_LIMITS
> +	bool
> +	prompt "PAM limits module"
> +	help
> +	  The pam_limits PAM module sets limits on the system
> +	  resources that can be obtained in a user-session.
> +	  Users of uid=0 are affected by this limits, too.
> +	  The module must not be called by a multithreaded
> +	  application.
> +
> +config LINUX_PAM_LISTFILE
> +	bool
> +	prompt "PAM listfile module"
> +	help
> +	  pam_listfile is a PAM module which provides a way to
> +	  deny or allow services based on an arbitrary file.
> +	  No credentials are awarded by this module.
> +
> +config LINUX_PAM_LOCALUSER
> +	bool
> +	prompt "PAM localuser module"
> +	help
> +	  pam_localuser is a PAM module to help implementing
> +	  site-wide login policies, where they typically include
> +	  a subset of the network's users and a few accounts
> +	  that are local to a particular workstation. Using
> +	  pam_localuser and pam_wheel or pam_listfile is an
> +	  effective way to restrict access to either local users
> +	  and/or a subset of the network's users.
> +	  This could also be implemented using pam_listfile.so
> +	  and a very short awk script invoked by cron, but it's
> +	  common enough to have been separated out. 
> +
> +config LINUX_PAM_LOGINUID
> +	bool
> +	prompt "PAM loginuid module"
> +	help
> +	  The pam_loginuid module sets the loginuid process
> +	  attribute for the process that was authenticated. This
> +	  is necessary for applications to be correctly audited.
> +	  This PAM module should only be used for entry point
> +	  applications like: login, sshd, gdm, vsftpd, crond and
> +	  atd. There are probably other entry point applications
> +	  besides these. You should not use it for applications
> +	  like sudo or su as that defeats the purpose by
> +	  changing the loginuid to the account they just
> +	  switched to.
> +
> +config LINUX_PAM_MAIL
> +	bool
> +	prompt "PAM mail module"
> +	help
> +	  The pam_mail PAM module provides the "you have new
> +	  mail" service to the user. It can be plugged into any
> +	  application that has credential or session hooks. It
> +	  gives a single message indicating the newness of any
> +	  mail it finds in the user's mail folder. This module
> +	  also sets the PAM environment variable, MAIL, to the
> +	  user's mail directory.
> +
> +config LINUX_PAM_MKHOMEDIR
> +	bool
> +	prompt "PAM mkhomedir module"
> +	help
> +	  The pam_mkhomedir PAM module will create a users home
> +	  directory if it does not exist when the session begins.
> +	  This allows users to be present in central database
> +	  (such as NIS, kerberos or LDAP) without using a
> +	  distributed file system or pre-creating a large number
> +	  of directories. The skeleton directory (usually
> +	  /etc/skel/) is used to copy default files and also
> +	  set's a umask for the creation.
> +	  The new users home directory will not be removed after
> +	  logout of the user.
> +
> +config LINUX_PAM_MKHOMEDIR_MKHOMEDIR_HELPER
> +	bool
> +	prompt "mkhomedir_helper program"
> +	depends on LINUX_PAM_MKHOMEDIR
> +	help
> +	  mkhomedir_helper - Helper binary that creates home
> +	  directories. mkhomedir_helper is a helper program
> +	  for the pam_mkhomedir module that creates home
> +	  directories and populates them with contents of the
> +	  specified skel directory.
> +
> +config LINUX_PAM_MOTD
> +	bool
> +	prompt "PAM motd module"
> +	help
> +	  pam_motd is a PAM module that can be used to display
> +	  arbitrary motd (message of the day) files after a
> +	  succesful login. By default the /etc/motd file is
> +	  shown. The message size is limited to 64KB.
> +
> +config LINUX_PAM_NAMESPACE
> +	bool
> +	prompt "PAM namespace module"
> +	help
> +	  This module allows setup of private namespaces with
> +	  polyinstantiated directories. Directories can be
> +	  polyinstantiated based on user name or, in the case of
> +	  SELinux, user name, sensitivity level or complete
> +	  security context.
> +
> +config LINUX_PAM_NOLOGIN
> +	bool
> +	prompt "PAM netlogin module"
> +	help
> +	  pam_nologin is a PAM module that prevents users from
> +	  logging into the system when /etc/nologin exists. The
> +	  contents of the /etc/nologin file are displayed to the
> +	  user. The pam_nologin module has no effect on the root
> +	  user's ability to log in.
> +
> +config LINUX_PAM_PERMIT
> +	bool
> +	prompt "PAM permit module"
> +	default y
> +	help
> +	  pam_permit is a PAM module that always permit access.
> +	  It does nothing else.
> +	  This module is very dangerous. It should be used with
> +	  extreme caution.
> +
> +config LINUX_PAM_PWHISTORY
> +	bool
> +	prompt "PAM pwhistory module"
> +	help
> +	  This module saves the last passwords for each user in
> +	  order to force password change history and keep the
> +	  user from alternating between the same password too
> +	  frequently. 
> +
> +config LINUX_PAM_RHOSTS
> +	bool
> +	prompt "PAM rhost module"
> +	help
> +	  This module performs the standard network
> +	  authentication for services, as used by traditional
> +	  implementations of rlogin  and rsh etc.
> +
> +config LINUX_PAM_ROOTOK
> +	bool
> +	prompt "PAM rootok module"
> +	default y
> +	help
> +	  pam_rootok is a PAM module that authenticates the user
> +	  if their UID is 0. Applications that are created
> +	  setuid-root generally retain the UID of the user but
> +	  run with the authority of an enhanced effective-UID.
> +	  It is the real UID  that is checked.
> +
> +config LINUX_PAM_SECURETTY
> +	bool
> +	prompt "PAM securetty module"
> +	help
> +	  pam_securetty is a PAM module that allows root logins
> +	  only if the user is logging in on a "secure" tty, as
> +	  defined by the listing in /etc/securetty.
> +	  pam_securetty also checks to make sure that
> +	  /etc/securetty is a plain file and not world writable.
> +
> +config LINUX_PAM_SELINUX
> +	bool
> +	prompt "PAM selinux module"
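Review bot: LINUX_PAM_PERMIT defaults to y while LINUX_PAM_DENY, whose help text says it is the module suitable for the OTHER entries, does not; flip those defaults (or, following the "small basic modules" rule above, install both unconditionally) so that a fail-closed default configuration can be shipped. Minor: the LINUX_PAM_NOLOGIN prompt reads "PAM netlogin module" (should be nologin), `default n` under LINUX_PAM_FILTER_UPPERLOWER is already the Kconfig default, and "attatched" in the LINUX_PAM help text is a typo.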

This should not have a prompt. If selinux is enabled globally, then the
support should always be enabled.

> +	depends on GLOBAL_SELINUX
> +	help
> +	  pam_selinux sets up the default security context for the next 
> +	  shell.
> +
> +config LINUX_PAM_SEPERMIT
> +	bool
> +	prompt "PAM sepermit module"
> +	depends on LINUX_PAM_SELINUX
> +
> +config LINUX_PAM_SHELLS
> +	bool
> +	prompt "PAM shells module"
> +	help
> +	  pam_shells is a PAM module that only allows access to
> +	  the system if the users shell is listed in /etc/shells.
> +
> +config LINUX_PAM_STRESS
> +	bool
> +	prompt "PAM stress module"
> +
> +config LINUX_PAM_SUCCEED_IF
> +	bool
> +	prompt "PAM succeed_if module"
> +	help
> +	  pam_succeed_if.so is designed to succeed or fail
> +	  authentication based on characteristics of the account
> +	  belonging to the user being authenticated. One use is
> +	  to select whether to load other modules based on this
> +	  test.
> +
> +config LINUX_PAM_TALLY
> +	bool
> +	prompt "PAM tally module"
> +	help
> +	  This module maintains a count of attempted accesses,
> +	  can reset count on success, can deny access if too
> +	  many attempts fail.
> +
> +config LINUX_PAM_TALLY_PAM_TALLY
> +	bool
> +	prompt "pam_tally program"
> +	depends on LINUX_PAM_TALLY
> +	help
> +	  pam_tally - The login counter (tallying) module.
> +	  pam_tally is an (optional) application which can be
> +	  used to interrogate and manipulate the counter file.
> +	  It can display users?? counts, set individual counts,
> +	  or clear all counts. Setting artificially high
> +	  counts may be useful for blocking users without
> +	  changing their passwords. The faillog command can be
> +	  used instead of pam_tally to to maintain the counter
> +	  file.
> +
> +config LINUX_PAM_TALLY2
> +	bool
> +	prompt "PAM tally2 module"
> +	help
> +	  This module maintains a count of attempted accesses,
> +	  can reset count on success, can deny access if too
> +	  many attempts fail.
> +
> +config LINUX_PAM_TALLY2_PAM_TALLY2
> +	bool
> +	prompt "pam_tally2 program"
> +	depends on LINUX_PAM_TALLY2
> +	help
> +	  pam_tally2 - The login counter (tallying) module.
> +	  pam_tally2 is an (optional) application which can
> +	  be used to interrogate and manipulate the counter
> +	  file. It can display users?? counts, set individual
> +	  counts, or clear all counts. Setting artificially
> +	  high counts may be useful for blocking users without
> +	  changing their passwords.
> +
> +config LINUX_PAM_TIME
> +	bool
> +	prompt "PAM time module"
> +	help
> +	  The pam_time PAM module does not authenticate the user,
> +	  but instead it restricts access to a system and or
> +	  specific applications at various times of the day and
> +	  on specific days or over various terminal lines. This
> +	  module can be configured to deny access to (individual)
> +	  users based on their name, the time of day, the day of
> +	  week, the service they are applying for and their
> +	  terminal from which they are making their request.
> +
> +config LINUX_PAM_TIMESTAMP
> +	bool
> +	prompt "PAM timestamp module"
> +	help
> +	  pam_timestamp caches successful authentication attempts,
> +	  and allows you to use a recent successful attempt as the
> +	  basis for authentication. This is similar mechanism
> +	  which is used in sudo.
> +
> +config LINUX_PAM_TIMESTAMP_TIMESTAMP_CHECK
> +	bool
> +	prompt "pam_timestamp_check program"
> +	depends on LINUX_PAM_TIMESTAMP
> +	help
> +	  pam_timestamp_check - Check to see if the default
> +	  timestamp is valid.
> +
> +config LINUX_PAM_UMASK
> +	bool
> +	prompt "PAM umask module"
> +	help
> +	  pam_umask is a PAM module to set the file mode
> +	  creation mask of the current environment. The umask
> +	  affects the default permissions assigned to newly
> +	  created files.
> +
> +config LINUX_PAM_UNIX
> +	bool
> +	prompt "PAM unix module"
> +	default y
> +	help
> +	  This is the standard Unix authentication module.
> +	  It uses standard calls from the system's libraries
> +	  to retrieve and set account information as well as
> +	  authentication. Usually this is obtained from the
> +	  /etc/passwd and the /etc/shadow file as well if
> +	  shadow is enabled.
> +
> +config LINUX_PAM_UNIX_UNIX_UPDATE
> +	bool
> +	prompt "unix_update program"
> +	depends on LINUX_PAM_UNIX
> +	help
> +	  unix_update - Helper binary that updates the password
> +	  of a given user. The purpose of the helper is to enable
> +	  tighter confinement of login and password changing
> +	  services. The helper is thus called only when SELinux
> +	  is enabled and in the enforcing mode on the system.
> +
> +config LINUX_PAM_UNIX_UNIX_CHKPWD
> +	bool
> +	prompt "unix_chkpwd program"
> +	depends on LINUX_PAM_UNIX
> +	help
> +	  unix_chkpwd - Helper binary that verifies the password
> +	  of the current user.
> +
> +config LINUX_PAM_USERDB
> +	bool
> +	prompt "PAM userdb module"
> +	help
> +	  The pam_userdb module is used to verify a
> +	  username/password pair against values stored in a
> +	  Berkeley DB database. The database is indexed by
> +	  the username, and the data fields corresponding to
> +	  the username keys are the passwords.
> +
> +config LINUX_PAM_WARN
> +	bool
> +	prompt "PAM warn module"
> +	default y
> +	help
> +	  pam_warn is a PAM module that logs the service,
> +	  terminal, user, remote user and remote host to
> +	  syslog(3). The items are not probed for, but instead
> +	  obtained from the standard PAM items. The module
> +	  always returns PAM_IGNORE, indicating that it does not
> +	  want to affect the authentication process.
> +
> +config LINUX_PAM_WHEEL
> +	bool
> +	prompt "PAM wheel module"
> +	default y
> +	help
> +	  The pam_wheel PAM module is used to enforce the
> +	  so-called wheel group. By default it permits root
> +	  access to the system if the applicant user is a member
> +	  of the wheel group. If no group with this name exist,
> +	  the module is using the group with the group-ID 0.
> +
> +config LINUX_PAM_XAUTH
> +	bool
> +	prompt "PAM xauth module"
> +	default y
> +	help
> +	  The pam_xauth PAM module is designed to forward xauth
> +	  keys (sometimes referred to as "cookies") between users.
> +
> +endmenu
> +
> +config LINUX_PAM_LOCKING
> +	bool
> +	default n
> +	prompt "Locking"
> +	help
> +	 Configure libpam to observe a global authentication lock.
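Review bot: LINUX_PAM_UNIX_UNIX_CHKPWD should be selected by LINUX_PAM_UNIX rather than offered as a separate option: the help text itself describes unix_chkpwd as the helper that verifies the password, and pam_unix relies on it to check /etc/shadow on behalf of any caller that is not running as root, so pam_unix without the helper only works for services that run as root. Minor: "users??" in the pam_tally and pam_tally2 help texts is a mis-encoded apostrophe (users' counts).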

I don't think this should be configurable. Just use a sane default.

> +
> +config LINUX_PAM_MAILSPOOL
> +	string
> +	prompt "Mail spool path"
> +	help
> +	  Alternative path to mail spool directory or
> +	  leave empty for default path (/var/spool/mail).

No option for this. Just use the default.

> +
> +config LINUX_PAM_RANDOMDEV
> +	bool
> +	default y
> +	prompt "Random decive"
> +	help
> +	  Say yes for using random device.
> +
> +config LINUX_PAM_RANDOMDEV_PATH
> +	string
> +	prompt "Random device path"
> +	depends on LINUX_PAM_RANDOMDEV
> +	help
> +	  Specify random device or leave empty for
> +	  default device path (/dev/urandom).

No, just set it to /dev/urandom, or whatever other linux distros are doing.

> +
> +endif
> +
> diff --git a/rules/linux-pam.make b/rules/linux-pam.make
> new file mode 100644
> index 000000000..a651c8a6f
> --- /dev/null
> +++ b/rules/linux-pam.make
> @@ -0,0 +1,182 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2018 by Andreas Schmidt <mail@schmidt-andreas.de>
> +#
> +# See CREDITS for details about who has contributed to this project.
> +#
> +# For information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LINUX_PAM) += linux-pam
> +
> +#
> +# Paths and names
> +#
> +LINUX_PAM_VERSION      := 1.3.0
> +LINUX_PAM_MD5          := da4b2289b7cfb19583d54e9eaaef1c3a
> +LINUX_PAM              := Linux-PAM-$(LINUX_PAM_VERSION)
> +LINUX_PAM_SUFFIX       := tar.bz2
> +LINUX_PAM_URL          := http://www.linux-pam.org/library/$(LINUX_PAM).$(LINUX_PAM_SUFFIX)
> +LINUX_PAM_SOURCE       := $(SRCDIR)/$(LINUX_PAM).$(LINUX_PAM_SUFFIX)
> +LINUX_PAM_DIR          := $(BUILDDIR)/$(LINUX_PAM)
> +LINUX_PAM_LICENSE      := GPL, BSD
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +LINUX_PAM_MOD-  =
> +LINUX_PAM_ETC- =
> +LINUX_PAM_SBIN- =
> +LINUX_PAM_FILTER- =
> +
> +
> +# PAM modules without "pam_" prefix
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ACCESS)     += access
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_DEBUG)      += debug
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_DENY)       += deny
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ECHO)       += echo
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ENV)        += env
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_EXEC)       += exec
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_FAILDELAY)  += faildelay
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_FILTER)     += filter
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_FTP)        += ftp
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_GROUP)      += group
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ISSUE)      += issue
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_KEYINIT)    += keyinit
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LASTLOG)    += lastlog
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LIMITS)     += limits
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LISTFILE)   += listfile
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LOCALUSER)  += localuser
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_LOGINUID)   += loginuid
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_MAIL)       += mail
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_MKHOMEDIR)  += mkhomedir
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_MOTD)       += motd
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_NAMESPACE)  += namespace
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_NOLOGIN)    += nologin
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_PERMIT)     += permit
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_PWHISTORY)  += pwhistory
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_RHOSTS)     += rhosts
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_ROOTOK)     += rootok
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SECURETTY)  += securetty
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SELINUX)    += selinux
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SEPERMIT)   += sepermit
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SHELLS)     += shells
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_STRESS)     += stress
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_SUCCEED_IF) += succeed_if
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TALLY)      += tally
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TALLY2)     += tally2
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TIME)       += time
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_TIMESTAMP)  += timestamp
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_UMASK)      += umask
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_UNIX)       += unix
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_USERDB)     += userdb
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_WARN)       += warn
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_WHEEL)      += wheel
> +LINUX_PAM_MOD-$(PTXCONF_LINUX_PAM_XAUTH)      += xauth
> +
> +# Configuration files related to /etc
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_ACCESS)    += security/access.conf
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_ENV)       += security/pam_env.conf
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_GROUP)     += security/group.conf
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_LIMITS)    += security/limits.conf
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_NAMESPACE) += security/namespace.conf
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_NAMESPACE) += security/namespace.init
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_TIME)      += security/time.conf
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_ENV)       += environment
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_SECURETTY) += securetty 
> +LINUX_PAM_ETC-$(PTXCONF_LINUX_PAM_SHELLS)    += shells
> +
> +# Programs in /usr/sbin
> +LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_MKHOMEDIR_MKHOMEDIR_HELPER) += mkhomedir_helper
> +LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_TALLY_PAM_TALLY)            += pam_tally
> +LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_TALLY2_PAM_TALLY2)          += pam_tally2
> +LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_TIMESTAMP_TIMESTAMP_CHECK)  += pam_timestamp_check
> +LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_UNIX_UNIX_UPDATE)           += unix_update
> +LINUX_PAM_SBIN-$(PTXCONF_LINUX_PAM_UNIX_UNIX_CHKPWD)           += unix_chkpwd
> +
> +# PAM filters
> +LINUX_PAM_FILTER-$(PTXCONF_LINUX_PAM_FILTER_UPPERLOWER) += upperLOWER
> +
> +# Prepare variables
> +MAILSPOOL=$(call ptx/ifdef, PTXCONF_LINUX_PAM_MAILSPOOL, $(PTXCONF_LINUX_PAM_MAILSPOOL), /var/spool/mail)
> +RANDOMDEV=$(call ptx/ifdef, PTXCONF_LINUX_PAM_RANDOMDEV, \
> +			$(call ptx/ifdef, PTXCONF_LINUX_PAM_RANDOMDEV_PATH, $(PTXCONF_LINUX_PAM_RANDOMDEV_PATH), yes), no)
> +#
> +# autoconf
> +#
> +LINUX_PAM_CONF_TOOL    := autoconf
> +LINUX_PAM_CONF_OPT := \
> +	$(CROSS_AUTOCONF_USR) \
> +	$(GLOBAL_LARGE_FILE_OPTION) \
> +	--bindir=/usr/bin \
> +	--sbindir=/usr/sbin \
> +	--disable-silent-rules \
> +	--disable-dependency-tracking \
> +	--disable-libtool-lock \
> +	--disable-pie \
> +	--disable-prelude \
> +	--disable-debug \
> +	--enable-securedir=/usr/lib/security \
> +	--$(call ptx/endis, PTXCONF_LINUX_PAM_LOCKING)-pamlocking \
> +	--enable-read-both-confs \
> +	--disable-lckpwdf \
> +	--disable-cracklib \
> +	--disable-audit \
> +	--enable-db=$(call ptx/ifdef, PTXCONF_LINUX_PAM_USERDB, yes, no) \
> +	--disable-nis \
> +	--$(call ptx/endis, PTXCONF_LINUX_PAM_SELINUX)-selinux \
> +	--disable-regenerate-docu \
> +	--disable-nls \
> +	--disable-rpath \
> +	--with-mailspool="$(MAILSPOOL)" \
> +	--with-randomdev=$(RANDOMDEV)
> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/linux-pam.targetinstall:
> +	@$(call targetinfo)
> +
> +	@$(call install_init, linux-pam)
> +	@$(call install_fixup, linux-pam,PRIORITY,optional)
> +	@$(call install_fixup, linux-pam,SECTION,base)
> +	@$(call install_fixup, linux-pam,AUTHOR,"Andreas Schmidt <mail@schmidt-andreas.de>")
> +	@$(call install_fixup, linux-pam,DESCRIPTION,missing)
> +
> +	@$(call install_lib, linux-pam, 0, 0, 0644, libpam)
> +	@$(call install_lib, linux-pam, 0, 0, 0644, libpam_misc)
> +	@$(call install_lib, linux-pam, 0, 0, 0644, libpamc)
> +
> +	@$(foreach module, $(LINUX_PAM_MOD-y), \
> +		$(call install_copy, linux-pam, 0, 0, 0644, -, /usr/lib/security/pam_$(module).so);)

Use $(ptx/nl) instead of ';'. This way errors are not ignored. The same for
all loops below.

Michael

> +
> +	@$(foreach conf, $(LINUX_PAM_ETC-y), \
> +		$(call install_alternative, linux-pam, 0, 0, 0644, /etc/$(conf));)
> +
> +	@$(foreach app, $(LINUX_PAM_SBIN-y), \
> +		$(call install_copy, linux-pam, 0, 0, 0755, -, /usr/sbin/$(app));)
> +
> +	@$(foreach file, $(LINUX_PAM_FILTER-y), \
> +		$(call install_copy, linux-pam, 0, 0, 0755, -, /usr/lib/security/pam_filter/$(file));)
> +
> +	@$(call install_copy, linux-pam, 0, 0, 0755, $(MAILSPOOL))
> +
> +	@$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.conf)
> +	@$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/other)
> +	@$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-account)
> +	@$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-auth)
> +	@$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-password)
> +	@$(call install_alternative, linux-pam, 0, 0, 0644, /etc/pam.d/common-session)
> +
> +	@$(call install_finish, linux-pam)
> +	
> +	@$(call touch)
> +
> +# vim: syntax=make
> +
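Review bot: the generic loop `@$(foreach app, $(LINUX_PAM_SBIN-y), ...)` installs every helper with mode 0755, and that list includes unix_chkpwd and unix_update. Upstream Linux-PAM installs unix_chkpwd setuid root (4755) because pam_unix runs it so that unprivileged callers (screen lockers, daemons doing local authentication) can verify a password without themselves being granted read access to /etc/shadow; with 0755 those checks will simply fail on the target, and the wrong fix would then be to loosen /etc/shadow. Suggest an explicit `@$(call install_copy, linux-pam, 0, 0, 4755, -, /usr/sbin/unix_chkpwd)` outside the loop, with a comment on why the bit is required, and check the upstream mode for unix_update, which is kept root-only rather than 0755. Two smaller points in the same region: `install_fixup, linux-pam,DESCRIPTION,missing` needs a real description before this is merged, and `install_copy, linux-pam, 0, 0, 0755, $(MAILSPOOL)` creates the mail spool root-owned 0755, which prevents any non-root delivery agent from creating per-user mailboxes there; the mode should follow what the intended MTA expects rather than default to 0755. Finally, `MAILSPOOL` and `RANDOMDEV` are unprefixed variables in ptxdist's single shared make namespace; rename them LINUX_PAM_MAILSPOOL and LINUX_PAM_RANDOMDEV, and drop the trailing whitespace on the `securetty` line and the tab-only line before `$(call touch)`.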
> -- 
> 2.16.1

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Thread overview: 3+ messages
2018-02-10 14:09 Andreas Schmidt
2018-02-21 15:37 ` Michael Olbrich [this message]
2018-03-01 19:27   ` Andreas Schmidt
