From: Andreas Schmidt
To: ptxdist@pengutronix.de
Reply-To: ptxdist@pengutronix.de
Date: Thu, 1 Mar 2018 20:27:10 +0100
Subject: Re: [ptxdist] [PATCH] linux-pam: add new package
In-Reply-To: <20180221153707.wheqlqrkvqysxlgm@pengutronix.de>
References: <20180210140915.7809-1-mail@schmidt-andreas.de> <20180221153707.wheqlqrkvqysxlgm@pengutronix.de>
List-Id: PTXdist Development Mailing List

Hi Michael,

On 21.02.2018 16:37, Michael Olbrich wrote:
> On Sat, Feb 10, 2018 at 03:09:15PM +0100, Andreas Schmidt wrote:
>> Signed-off-by: Andreas Schmidt
>> ---
>> Hi,
>> this patch should add Linux-PAM libraries, modules, minimal
>> configuration and Linux-PAM applications to ptxdist.
>>
>> [...]
>>
>> I'm looking forward to constructive comments!
>
> What exactly is your use-case? What can I do with this rule, the way it
> is now? I'm not an expert on PAM. The only use-case I'm familiar with is
> to use PAM for user authentication. In this case I would expect some kind
> of integration with busybox (/bin/login) and systemd.

PAM can, but need not, be used for authentication management. I used it in
some projects to set rules for the creation of new passwords and for
authentication at login. I am not an expert in PAM either, but you can set
restrictions / limits for files or file access or other resources
(e.g. pam_limit) and many other things, as mentioned in the documentation
of linux-pam.

> In general, I try to avoid adding options blindly for everything. Some
> basic rules:
> - try to provide options for use-cases not files. This works in some cases
>   (e.g. 'nfs server' or 'nfs client') but not so well in others (gstreamer
>   plugins). A lot of PAM modules probably have this problem.

Ok, I will try to clean it up. But I am not sure if I have the whole
overview of all important use-cases.

> - If it adds an external dependency: add an option for it

Yes, I will do so.

> - If it's small just install it unconditionally unless that can be
>   problematic.
>   This is probably true for the basic modules.

Ok, I think many modules can be added by default, because they are needed
in most use-cases.

> - If you think it's probably not useful for embedded, then ignore it. We
>   can add more options later.
>   Maybe some of the programs?

Ok, e.g. the mkhomedir module is useless in most embedded systems because
the users are fixed and their homedirs are created in the build process,
if a homedir is needed at all.

Thanks for the comments, I will create a new patch.
Or do you think that linux-pam is not needed by most users of ptxdist?

>> ---
>>  projectroot/etc/pam.conf              |  15 +
>>  projectroot/etc/pam.d/common-account  |   9 +
>>  projectroot/etc/pam.d/common-auth     |  10 +
>>  projectroot/etc/pam.d/common-password |  12 +
>>  projectroot/etc/pam.d/common-session  |  10 +
>>  projectroot/etc/pam.d/other           |   8 +
>>  projectroot/etc/securetty             |  12 +
>>  projectroot/etc/shells                |   1 +
>
> Where do these files come from?

From the mentioned patches, edited by me. I will rework them too. I guess
they are not consistent, yet.

>>  rules/linux-pam.in                    | 533 ++++++++++++++++++++++++++++++++++
>>  rules/linux-pam.make                  | 182 ++++++++++++
>>  10 files changed, 792 insertions(+)
>>  create mode 100644 projectroot/etc/pam.conf
>>  create mode 100644 projectroot/etc/pam.d/common-account
>>  create mode 100644 projectroot/etc/pam.d/common-auth
>>  create mode 100644 projectroot/etc/pam.d/common-password
>>  create mode 100644 projectroot/etc/pam.d/common-session
>>  create mode 100644 projectroot/etc/pam.d/other
>>  create mode 100644 projectroot/etc/securetty
>>  create mode 100644 projectroot/etc/shells
>>  create mode 100644 rules/linux-pam.in
>>  create mode 100644 rules/linux-pam.make

[...]

>> diff --git a/projectroot/etc/shells b/projectroot/etc/shells
>> new file mode 100644
>> index 000000000..c2cdaa0f2
>> --- /dev/null
>> +++ b/projectroot/etc/shells
>> @@ -0,0 +1 @@
>> +/bin/sh
>> diff --git a/rules/linux-pam.in b/rules/linux-pam.in
>> new file mode 100644
>> index 000000000..4aa7dcf7d
>> --- /dev/null
>> +++ b/rules/linux-pam.in
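Review bot: the new projectroot/etc/shells lists only /bin/sh, while the LINUX_PAM_SHELLS help text in this same patch says pam_shells denies access when the user's shell is not listed there. Any account whose login shell is something else (a full bash, for example, when it is installed) would be locked out as soon as that module is enabled; either list every shell the BSP installs or generate the file from the shells that are actually installed.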
>> @@ -0,0 +1,533 @@
>> +## SECTION=shell_and_console
>> +
>> +menuconfig LINUX_PAM
>> +	tristate
>> +	prompt "linux-pam"
>
> add spaces at the end to align the '-->' in menuconfig.

Ok

>> +	select FLEX
>> +	select DB if LINUX_PAM_USERDB
>> +	select LIBSELINUX if LINUX_PAM_SELINUX
>
> Align the 'if' with tabs.

Ok

>> +	help
>> +	  Linux-PAM is a free implementation of the following DCE-RFC from
>> +	  Sunsoft. PAM provides a way to develop programs that are
>> +	  independent of authentication scheme. These programs need
>> +	  "authentication modules" to be attatched to them at run-time
>> +	  in order to work. Which authentication module is to be attatched
>> +	  is dependent upon the local system setup and is at the discretion.
>> +
>> +if LINUX_PAM
>> +
>> +menu "PAM modules"
>> +
>> +config LINUX_PAM_ACCESS
>> +	bool
>> +	prompt "PAM access module"
>> +	help
>> +	  The pam_access PAM module is mainly for access
>> +	  management. It provides logdaemon style login access
>> +	  control based on login names, host or domain names,
>> +	  internet addresses or network numbers, or on terminal
>> +	  line names in case of non-networked logins.
>> +
[...]
>> +config LINUX_PAM_SECURETTY
>> +	bool
>> +	prompt "PAM securetty module"
>> +	help
>> +	  pam_securetty is a PAM module that allows root logins
>> +	  only if the user is logging in on a "secure" tty, as
>> +	  defined by the listing in /etc/securetty.
>> +	  pam_securetty also checks to make sure that
>> +	  /etc/securetty is a plain file and not world writable.
>> +
>> +config LINUX_PAM_SELINUX
>> +	bool
>> +	prompt "PAM selinux module"
>
> This should not have a prompt. If selinux is enabled globally, then the
> support should always be enabled.

Ok

>> +	depends on GLOBAL_SELINUX
>> +	help
>> +	  pam_selinux sets up the default security context for the next
>> +	  shell.
>> +
>> +config LINUX_PAM_SEPERMIT
>> +	bool
>> +	prompt "PAM sepermit module"
>> +	depends on LINUX_PAM_SELINUX
>> +
>> +config LINUX_PAM_SHELLS
>> +	bool
>> +	prompt "PAM shells module"
>> +	help
>> +	  pam_shells is a PAM module that only allows access to
>> +	  the system if the users shell is listed in /etc/shells.
>> +
[...]
>> +
>> +config LINUX_PAM_LOCKING
>> +	bool
>> +	default n
>> +	prompt "Locking"
>> +	help
>> +	  Configure libpam to observe a global authentication lock.
>
> I don't think this should be configurable. Just use a sane default.

Ok

>
>> +
>> +config LINUX_PAM_MAILSPOOL
>> +	string
>> +	prompt "Mail spool path"
>> +	help
>> +	  Alternative path to mail spool directory or
>> +	  leave empty for default path (/var/spool/mail).
>
> No option for this. Just use the default.

Ok

>> +
>> +config LINUX_PAM_RANDOMDEV
>> +	bool
>> +	default y
>> +	prompt "Random decive"
>> +	help
>> +	  Say yes for using random device.
>> +
>> +config LINUX_PAM_RANDOMDEV_PATH
>> +	string
>> +	prompt "Random device path"
>> +	depends on LINUX_PAM_RANDOMDEV
>> +	help
>> +	  Specify random device or leave empty for
>> +	  default device path (/dev/urandom).
>
> No, just set it to /dev/urandom, or whatever other linux distros are doing.

Ok

>
>> +
>> +endif
>> +
>> diff --git a/rules/linux-pam.make b/rules/linux-pam.make
>> new file mode 100644
>> index 000000000..a651c8a6f
>> --- /dev/null
>> +++ b/rules/linux-pam.make
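Review bot: several strings in this Kconfig are shown verbatim in menuconfig and need fixing: 'attatched' appears twice in the LINUX_PAM help, the sentence ending 'is at the discretion.' reads as cut off, and the LINUX_PAM_RANDOMDEV prompt says 'Random decive'. LINUX_PAM_SEPERMIT is also the only module option without a help entry; a one-line description like the other modules have keeps the menu consistent.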
>> @@ -0,0 +1,182 @@
>> +# -*-makefile-*-
>> +#
>> +# Copyright (C) 2018 by Andreas Schmidt
>> +#
>> +# See CREDITS for details about who has contributed to this project.
>> +#
>> +# For information about the PTXdist project and license conditions
>> +# see the README file.
>> +#
>> +
>> +#
>> +# We provide this package
>> +#
>> +PACKAGES-$(PTXCONF_LINUX_PAM) += linux-pam
>> +
>> +#
>> +# Paths and names
>> +#
[...]
>> +
>> +# ----------------------------------------------------------------------------
>> +# Target-Install
>> +# ----------------------------------------------------------------------------
>> +
>> +$(STATEDIR)/linux-pam.targetinstall:
>> +	@$(call targetinfo)
>> +
>> +	@$(call install_init, linux-pam)
>> +	@$(call install_fixup, linux-pam,PRIORITY,optional)
>> +	@$(call install_fixup, linux-pam,SECTION,base)
>> +	@$(call install_fixup, linux-pam,AUTHOR,"Andreas Schmidt ")
>> +	@$(call install_fixup, linux-pam,DESCRIPTION,missing)
>> +
>> +	@$(call install_lib, linux-pam, 0, 0, 0644, libpam)
>> +	@$(call install_lib, linux-pam, 0, 0, 0644, libpam_misc)
>> +	@$(call install_lib, linux-pam, 0, 0, 0644, libpamc)
>> +
>> +	@$(foreach module, $(LINUX_PAM_MOD-y), \
>> +		$(call install_copy, linux-pam, 0, 0, 0644, -, /usr/lib/security/pam_$(module).so);)
>
> Use $(ptx/nl) instead of ';'. This way errors are not ignored. The same for
> all loops below.

Ok

> Michael

Thank you!

Regards,
Andreas

[...]
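Review bot: the install_fixup block in the targetinstall stage leaves DESCRIPTION as 'missing'; a one-line description of what the package provides (libpam plus the selected modules) should replace it, since that value is what install_fixup records as the package's description.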