To address https://github.com/vmware/photon/issues/737
Extra:
Move PAM configuration files into git repo
Change-Id: Ifa45e724e6967d2455e8acf135a720db3f514a27
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5056
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Xiaolin Li <xiaolinl@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,14 @@ |
0 |
+#Begin /etc/pam.d/chage |
|
1 |
+ |
|
2 |
+# always allow root |
|
3 |
+auth sufficient pam_rootok.so |
|
4 |
+ |
|
5 |
+# include system defaults for auth account and session |
|
6 |
+auth include system-auth |
|
7 |
+account include system-account |
|
8 |
+session include system-session |
|
9 |
+ |
|
10 |
+# Always permit for authentication updates |
|
11 |
+password required pam_permit.so |
|
12 |
+ |
|
13 |
+# End /etc/pam.d/chage |
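Review bot: The `password required pam_permit.so` line makes this service's password stack succeed unconditionally, and the comment above it ("Always permit for authentication updates") does not say why that is acceptable. If the program never performs a password change through PAM, say so in the comment, e.g. `# chage does not change the authentication token; the password stack is a placeholder`. Otherwise use `password include system-password`, as the next file section on this page does. A smaller style point: the first line reads `#Begin` while the other files use `# Begin`.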
0 | 14 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,13 @@ |
0 |
+#Begin /etc/pam.d/chage |
|
1 |
+ |
|
2 |
+# always allow root |
|
3 |
+auth sufficient pam_rootok.so |
|
4 |
+ |
|
5 |
+# include system defaults for auth account and session |
|
6 |
+auth include system-auth |
|
7 |
+account include system-account |
|
8 |
+session include system-session |
|
9 |
+ |
|
10 |
+password include system-password |
|
11 |
+ |
|
12 |
+# End /etc/pam.d/chage |
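Review bot: The `#Begin /etc/pam.d/chage` and `# End /etc/pam.d/chage` markers look copied from the previous file. This section is a separate new file with a different password stack (`password include system-password`), and its name is not visible on this page. If it is the `chpasswd` file listed as Source2 in the spec, the markers should read `# Begin /etc/pam.d/chpasswd` and `# End /etc/pam.d/chpasswd`. A wrong header in a PAM file is easy to misread during an audit of which policy applies to which service.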
0 | 13 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,45 @@ |
0 |
+# Begin /etc/pam.d/login |
|
1 |
+ |
|
2 |
+# Set failure delay before next prompt to 3 seconds |
|
3 |
+auth optional pam_faildelay.so delay=3000000 |
|
4 |
+ |
|
5 |
+# Check to make sure that the user is allowed to login |
|
6 |
+auth requisite pam_nologin.so |
|
7 |
+ |
|
8 |
+# Check to make sure that root is allowed to login |
|
9 |
+# Disabled by default. You will need to create /etc/securetty |
|
10 |
+# file for this module to function. See man 5 securetty. |
|
11 |
+#auth required pam_securetty.so |
|
12 |
+ |
|
13 |
+# Additional group memberships - disabled by default |
|
14 |
+#auth optional pam_group.so |
|
15 |
+ |
|
16 |
+# include the default auth settings |
|
17 |
+auth include system-auth |
|
18 |
+ |
|
19 |
+# check access for the user |
|
20 |
+account required pam_access.so |
|
21 |
+ |
|
22 |
+# include the default account settings |
|
23 |
+account include system-account |
|
24 |
+ |
|
25 |
+# Set default environment variables for the user |
|
26 |
+session required pam_env.so |
|
27 |
+ |
|
28 |
+# Set resource limits for the user |
|
29 |
+session required pam_limits.so |
|
30 |
+ |
|
31 |
+# Display date of last login - Disabled by default |
|
32 |
+#session optional pam_lastlog.so |
|
33 |
+ |
|
34 |
+# Display the message of the day - Disabled by default |
|
35 |
+#session optional pam_motd.so |
|
36 |
+ |
|
37 |
+# Check user's mail - Disabled by default |
|
38 |
+#session optional pam_mail.so standard quiet |
|
39 |
+ |
|
40 |
+# include the default session and password settings |
|
41 |
+session include system-session |
|
42 |
+password include system-password |
|
43 |
+ |
|
44 |
+# End /etc/pam.d/login |
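Review bot: The comment above `auth requisite pam_nologin.so` ("Check to make sure that the user is allowed to login") understates what the module does: pam_nologin refuses non-root logins while `/etc/nologin` exists. I would reword it to `# Refuse non-root logins while /etc/nologin exists`. Likewise, `account required pam_access.so` enforces the rules in `/etc/security/access.conf`, so its comment could read `# check access for the user (rules in /etc/security/access.conf)` to show an administrator where the policy lives.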
0 | 45 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,12 @@ |
0 |
+# Begin /etc/pam.d/other |
|
1 |
+ |
|
2 |
+auth required pam_warn.so |
|
3 |
+auth required pam_deny.so |
|
4 |
+account required pam_warn.so |
|
5 |
+account required pam_deny.so |
|
6 |
+password required pam_warn.so |
|
7 |
+password required pam_deny.so |
|
8 |
+session required pam_warn.so |
|
9 |
+session required pam_deny.so |
|
10 |
+ |
|
11 |
+# End /etc/pam.d/other |
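Review bot: This file has no comment explaining its role, although it is the policy applied to any service that lacks its own file under `/etc/pam.d`. A short header would make the default-deny intent explicit, e.g. `# Fallback for services without their own configuration: log the attempt (pam_warn) and deny (pam_deny)`. That makes it less likely that someone later relaxes one of the four stacks without realising it affects every unconfigured service.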
0 | 9 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,16 @@ |
0 |
+# Begin /etc/pam.d/su |
|
1 |
+ |
|
2 |
+# always allow root |
|
3 |
+auth sufficient pam_rootok.so |
|
4 |
+auth include system-auth |
|
5 |
+ |
|
6 |
+# include the default account settings |
|
7 |
+account include system-account |
|
8 |
+ |
|
9 |
+# Set default environment variables for the service user |
|
10 |
+session required pam_env.so |
|
11 |
+ |
|
12 |
+# include system session defaults |
|
13 |
+session include system-session |
|
14 |
+ |
|
15 |
+# End /etc/pam.d/su |
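Review bot: `session include system-session` gives su whatever session modules system-session defines, and that file is not shown on this page. The spec changelog says pam_loginuid was added as optional in a session. If that line sits in system-session, su would run it too, which rewrites the audit login UID to the target account and loses the link to the user who originally logged in. pam_loginuid is meant for login entry points such as login and sshd, so it is worth confirming that it is placed only in those service files and not in the shared include.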
0 | 5 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,8 @@ |
0 |
+# Begin /etc/pam.d/system-password |
|
1 |
+ |
|
2 |
+# use sha512 hash for encryption, use shadow, and try to use any previously |
|
3 |
+# defined authentication token (chosen password) set by any prior module |
|
4 |
+password requisite pam_cracklib.so |
|
5 |
+password required pam_unix.so sha512 shadow try_first_pass |
|
6 |
+ |
|
7 |
+# End /etc/pam.d/system-password |
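Review bot: On `password required pam_unix.so sha512 shadow try_first_pass`, `try_first_pass` lets pam_unix fall back to prompting for a new password itself when no earlier token is available. `use_authtok` instead forces it to store the password that pam_cracklib already checked. Since pam_cracklib is stacked directly above as `requisite`, I would write `password required pam_unix.so sha512 shadow use_authtok` so that no password can be set without passing the quality check. The comment should also say "hashing" rather than "encryption", e.g. `# hash new passwords with sha512, store them in shadow, and reuse the token vetted by pam_cracklib`.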
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: Programs for handling passwords in a secure way |
2 | 2 |
Name: shadow |
3 | 3 |
Version: 4.2.1 |
4 |
-Release: 14%{?dist} |
|
4 |
+Release: 15%{?dist} |
|
5 | 5 |
URL: http://pkg-shadow.alioth.debian.org/ |
6 | 6 |
License: BSD |
7 | 7 |
Group: Applications/System |
... | ... |
@@ -9,8 +9,17 @@ Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://pkg-shadow.alioth.debian.org/releases/%{name}-%{version}.tar.xz |
11 | 11 |
%define sha1 shadow=0917cbadd4ce0c7c36670e5ecd37bbed92e6d82d |
12 |
-Source1: PAM-Configuration-Files-1.5.tar.gz |
|
13 |
-%define sha1 PAM=08052511f985e3b3072c194ac1287e036d9299fb |
|
12 |
+Source1: chage |
|
13 |
+Source2: chpasswd |
|
14 |
+Source3: login |
|
15 |
+Source4: other |
|
16 |
+Source5: passwd |
|
17 |
+Source6: sshd |
|
18 |
+Source7: su |
|
19 |
+Source8: system-account |
|
20 |
+Source9: system-auth |
|
21 |
+Source10: system-password |
|
22 |
+Source11: system-session |
|
14 | 23 |
Patch0: chkname-allowcase.patch |
15 | 24 |
Patch1: shadow-4.2.1-CVE-2016-6252-fix.patch |
16 | 25 |
Patch2: shadow-4.2.1-CVE-2017-12424.patch |
... | ... |
@@ -41,7 +50,6 @@ These are the additional language files of shadow. |
41 | 41 |
|
42 | 42 |
%prep |
43 | 43 |
%setup -q -n %{name}-%{version} |
44 |
-%setup -q -T -D -a 1 |
|
45 | 44 |
%patch0 -p1 |
46 | 45 |
%patch1 -p1 |
47 | 46 |
%patch2 -p1 |
... | ... |
@@ -94,9 +102,18 @@ done |
94 | 94 |
|
95 | 95 |
sed -i "s/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/" %{buildroot}/etc/login.defs |
96 | 96 |
|
97 |
-pushd PAM-Configuration-Files |
|
98 |
-install -vm644 * %{buildroot}%{_sysconfdir}/pam.d/ |
|
99 |
-popd |
|
97 |
+install -vm644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/ |
|
98 |
+install -vm644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/ |
|
99 |
+install -vm644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pam.d/ |
|
100 |
+install -vm644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/ |
|
101 |
+install -vm644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/ |
|
102 |
+install -vm644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/ |
|
103 |
+install -vm644 %{SOURCE7} %{buildroot}%{_sysconfdir}/pam.d/ |
|
104 |
+install -vm644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/ |
|
105 |
+install -vm644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/ |
|
106 |
+install -vm644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/ |
|
107 |
+install -vm644 %{SOURCE11} %{buildroot}%{_sysconfdir}/pam.d/ |
|
108 |
+ |
|
100 | 109 |
for PROGRAM in chfn chgpasswd chsh groupadd groupdel \ |
101 | 110 |
groupmems groupmod newusers useradd userdel usermod |
102 | 111 |
do |
... | ... |
@@ -152,6 +169,9 @@ make %{?_smp_mflags} check |
152 | 152 |
%defattr(-,root,root) |
153 | 153 |
|
154 | 154 |
%changelog |
155 |
+* Fri Apr 20 2018 Alexey Makhalov <amakhalov@vmware.com> 4.2.1-15 |
|
156 |
+- Move pam.d config file to here for better tracking. |
|
157 |
+- Add pam_loginuid module as optional in a session. |
|
155 | 158 |
* Tue Oct 10 2017 Alexey Makhalov <amakhalov@vmware.com> 4.2.1-14 |
156 | 159 |
- Added -tools subpackage |
157 | 160 |
- Main package requires -tools or toybox |
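Review bot: In the install hunk (`@@ -94,9 +102,18 @@`), the eleven near-identical `install -vm644 %{SOURCEn} …` lines must be kept in step with the `Source1`–`Source11` list by hand, so a PAM file added later can be declared and silently never installed. A single invocation listing all sources before the target directory (`install -vm644 %{SOURCE1} %{SOURCE2} … %{SOURCE11} %{buildroot}%{_sysconfdir}/pam.d/`) keeps that in one place. The `%files` section is outside the visible hunks, so I cannot tell how these files are marked. Please confirm whether they are `%config(noreplace)`, since that decides whether an upgrade overwrites locally hardened PAM policy. The changelog entry also records a behaviour change (pam_loginuid) that the commit description, which only mentions moving the files, does not.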