Browse code
shadow: enable loginuid session support
To address https://github.com/vmware/photon/issues/737
Extra:
Move PAM configuration files into git repo
Change-Id: Ifa45e724e6967d2455e8acf135a720db3f514a27
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5056
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Xiaolin Li <xiaolinl@vmware.com>
Alexey Makhalov authored on 2018/04/21 07:36:07Showing 12 changed files
- SPECS/shadow/pam.d/chage
- SPECS/shadow/pam.d/chpasswd
- SPECS/shadow/pam.d/login
- SPECS/shadow/pam.d/other
- SPECS/shadow/pam.d/passwd
- SPECS/shadow/pam.d/sshd
- SPECS/shadow/pam.d/su
- SPECS/shadow/pam.d/system-account
- SPECS/shadow/pam.d/system-auth
- SPECS/shadow/pam.d/system-password
- SPECS/shadow/pam.d/system-session
- SPECS/shadow/shadow.spec
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,14 @@ |
| 0 |
+#Begin /etc/pam.d/chage |
|
| 1 |
+ |
|
| 2 |
+# always allow root |
|
| 3 |
+auth sufficient pam_rootok.so |
|
| 4 |
+ |
|
| 5 |
+# include system defaults for auth account and session |
|
| 6 |
+auth include system-auth |
|
| 7 |
+account include system-account |
|
| 8 |
+session include system-session |
|
| 9 |
+ |
|
| 10 |
+# Always permit for authentication updates |
|
| 11 |
+password required pam_permit.so |
|
| 12 |
+ |
|
| 13 |
+# End /etc/pam.d/chage |
| 0 | 14 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,13 @@ |
| 0 |
+#Begin /etc/pam.d/chage |
|
| 1 |
+ |
|
| 2 |
+# always allow root |
|
| 3 |
+auth sufficient pam_rootok.so |
|
| 4 |
+ |
|
| 5 |
+# include system defaults for auth account and session |
|
| 6 |
+auth include system-auth |
|
| 7 |
+account include system-account |
|
| 8 |
+session include system-session |
|
| 9 |
+ |
|
| 10 |
+password include system-password |
|
| 11 |
+ |
|
| 12 |
+# End /etc/pam.d/chage |
| 0 | 13 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,45 @@ |
| 0 |
+# Begin /etc/pam.d/login |
|
| 1 |
+ |
|
| 2 |
+# Set failure delay before next prompt to 3 seconds |
|
| 3 |
+auth optional pam_faildelay.so delay=3000000 |
|
| 4 |
+ |
|
| 5 |
+# Check to make sure that the user is allowed to login |
|
| 6 |
+auth requisite pam_nologin.so |
|
| 7 |
+ |
|
| 8 |
+# Check to make sure that root is allowed to login |
|
| 9 |
+# Disabled by default. You will need to create /etc/securetty |
|
| 10 |
+# file for this module to function. See man 5 securetty. |
|
| 11 |
+#auth required pam_securetty.so |
|
| 12 |
+ |
|
| 13 |
+# Additional group memberships - disabled by default |
|
| 14 |
+#auth optional pam_group.so |
|
| 15 |
+ |
|
| 16 |
+# include the default auth settings |
|
| 17 |
+auth include system-auth |
|
| 18 |
+ |
|
| 19 |
+# check access for the user |
|
| 20 |
+account required pam_access.so |
|
| 21 |
+ |
|
| 22 |
+# include the default account settings |
|
| 23 |
+account include system-account |
|
| 24 |
+ |
|
| 25 |
+# Set default environment variables for the user |
|
| 26 |
+session required pam_env.so |
|
| 27 |
+ |
|
| 28 |
+# Set resource limits for the user |
|
| 29 |
+session required pam_limits.so |
|
| 30 |
+ |
|
| 31 |
+# Display date of last login - Disabled by default |
|
| 32 |
+#session optional pam_lastlog.so |
|
| 33 |
+ |
|
| 34 |
+# Display the message of the day - Disabled by default |
|
| 35 |
+#session optional pam_motd.so |
|
| 36 |
+ |
|
| 37 |
+# Check user's mail - Disabled by default |
|
| 38 |
+#session optional pam_mail.so standard quiet |
|
| 39 |
+ |
|
| 40 |
+# include the default session and password settings |
|
| 41 |
+session include system-session |
|
| 42 |
+password include system-password |
|
| 43 |
+ |
|
| 44 |
+# End /etc/pam.d/login |
| 0 | 45 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,12 @@ |
| 0 |
+# Begin /etc/pam.d/other |
|
| 1 |
+ |
|
| 2 |
+auth required pam_warn.so |
|
| 3 |
+auth required pam_deny.so |
|
| 4 |
+account required pam_warn.so |
|
| 5 |
+account required pam_deny.so |
|
| 6 |
+password required pam_warn.so |
|
| 7 |
+password required pam_deny.so |
|
| 8 |
+session required pam_warn.so |
|
| 9 |
+session required pam_deny.so |
|
| 10 |
+ |
|
| 11 |
+# End /etc/pam.d/other |
| 0 | 9 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,16 @@ |
| 0 |
+# Begin /etc/pam.d/su |
|
| 1 |
+ |
|
| 2 |
+# always allow root |
|
| 3 |
+auth sufficient pam_rootok.so |
|
| 4 |
+auth include system-auth |
|
| 5 |
+ |
|
| 6 |
+# include the default account settings |
|
| 7 |
+account include system-account |
|
| 8 |
+ |
|
| 9 |
+# Set default environment variables for the service user |
|
| 10 |
+session required pam_env.so |
|
| 11 |
+ |
|
| 12 |
+# include system session defaults |
|
| 13 |
+session include system-session |
|
| 14 |
+ |
|
| 15 |
+# End /etc/pam.d/su |
| 0 | 5 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,8 @@ |
| 0 |
+# Begin /etc/pam.d/system-password |
|
| 1 |
+ |
|
| 2 |
+# use sha512 hash for encryption, use shadow, and try to use any previously |
|
| 3 |
+# defined authentication token (chosen password) set by any prior module |
|
| 4 |
+password requisite pam_cracklib.so |
|
| 5 |
+password required pam_unix.so sha512 shadow try_first_pass |
|
| 6 |
+ |
|
| 7 |
+# End /etc/pam.d/system-password |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Programs for handling passwords in a secure way |
| 2 | 2 |
Name: shadow |
| 3 | 3 |
Version: 4.2.1 |
| 4 |
-Release: 14%{?dist}
|
|
| 4 |
+Release: 15%{?dist}
|
|
| 5 | 5 |
URL: http://pkg-shadow.alioth.debian.org/ |
| 6 | 6 |
License: BSD |
| 7 | 7 |
Group: Applications/System |
| ... | ... |
@@ -9,8 +9,17 @@ Vendor: VMware, Inc. |
| 9 | 9 |
Distribution: Photon |
| 10 | 10 |
Source0: http://pkg-shadow.alioth.debian.org/releases/%{name}-%{version}.tar.xz
|
| 11 | 11 |
%define sha1 shadow=0917cbadd4ce0c7c36670e5ecd37bbed92e6d82d |
| 12 |
-Source1: PAM-Configuration-Files-1.5.tar.gz |
|
| 13 |
-%define sha1 PAM=08052511f985e3b3072c194ac1287e036d9299fb |
|
| 12 |
+Source1: chage |
|
| 13 |
+Source2: chpasswd |
|
| 14 |
+Source3: login |
|
| 15 |
+Source4: other |
|
| 16 |
+Source5: passwd |
|
| 17 |
+Source6: sshd |
|
| 18 |
+Source7: su |
|
| 19 |
+Source8: system-account |
|
| 20 |
+Source9: system-auth |
|
| 21 |
+Source10: system-password |
|
| 22 |
+Source11: system-session |
|
| 14 | 23 |
Patch0: chkname-allowcase.patch |
| 15 | 24 |
Patch1: shadow-4.2.1-CVE-2016-6252-fix.patch |
| 16 | 25 |
Patch2: shadow-4.2.1-CVE-2017-12424.patch |
| ... | ... |
@@ -41,7 +50,6 @@ These are the additional language files of shadow. |
| 41 | 41 |
|
| 42 | 42 |
%prep |
| 43 | 43 |
%setup -q -n %{name}-%{version}
|
| 44 |
-%setup -q -T -D -a 1 |
|
| 45 | 44 |
%patch0 -p1 |
| 46 | 45 |
%patch1 -p1 |
| 47 | 46 |
%patch2 -p1 |
| ... | ... |
@@ -94,9 +102,18 @@ done |
| 94 | 94 |
|
| 95 | 95 |
sed -i "s/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/" %{buildroot}/etc/login.defs
|
| 96 | 96 |
|
| 97 |
-pushd PAM-Configuration-Files |
|
| 98 |
-install -vm644 * %{buildroot}%{_sysconfdir}/pam.d/
|
|
| 99 |
-popd |
|
| 97 |
+install -vm644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/
|
|
| 98 |
+install -vm644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/
|
|
| 99 |
+install -vm644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pam.d/
|
|
| 100 |
+install -vm644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/
|
|
| 101 |
+install -vm644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/
|
|
| 102 |
+install -vm644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/
|
|
| 103 |
+install -vm644 %{SOURCE7} %{buildroot}%{_sysconfdir}/pam.d/
|
|
| 104 |
+install -vm644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/
|
|
| 105 |
+install -vm644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/
|
|
| 106 |
+install -vm644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/
|
|
| 107 |
+install -vm644 %{SOURCE11} %{buildroot}%{_sysconfdir}/pam.d/
|
|
| 108 |
+ |
|
| 100 | 109 |
for PROGRAM in chfn chgpasswd chsh groupadd groupdel \ |
| 101 | 110 |
groupmems groupmod newusers useradd userdel usermod |
| 102 | 111 |
do |
| ... | ... |
@@ -152,6 +169,9 @@ make %{?_smp_mflags} check
|
| 152 | 152 |
%defattr(-,root,root) |
| 153 | 153 |
|
| 154 | 154 |
%changelog |
| 155 |
+* Fri Apr 20 2018 Alexey Makhalov <amakhalov@vmware.com> 4.2.1-15 |
|
| 156 |
+- Move pam.d config file to here for better tracking. |
|
| 157 |
+- Add pam_loginuid module as optional in a session. |
|
| 155 | 158 |
* Tue Oct 10 2017 Alexey Makhalov <amakhalov@vmware.com> 4.2.1-14 |
| 156 | 159 |
- Added -tools subpackage |
| 157 | 160 |
- Main package requires -tools or toybox |