summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPedro Alvarez <pedro.alvarez@codethink.co.uk>2015-05-05 11:25:43 (GMT)
committerBaserock Gerrit <gerrit@baserock.org>2015-05-07 14:09:14 (GMT)
commitef619b6115513dd36923c39190f907b55b0a4825 (patch)
tree1b813683e225c9ce5a718e0e331220e8b8b98371
parentebf9125fb758c9b0fb74277e8babb5c4669534d6 (diff)
downloaddefinitions-ef619b6115513dd36923c39190f907b55b0a4825.tar.gz
Configure shadow to work with PAM.
Also modify some /etc/pam.d files: - Make the requirement on pam_selinux.so optional in shadow default pam.d configuration files. - Modify 'system-auth' when installing systemd to add pam_deny.so, so that login attempts with wrong passwords fail now that shadow is configured to use PAM. Change-Id: I7110d27b6b46ce33eeaeae904dea854deb46c759
-rw-r--r--strata/core/shadow.morph9
-rw-r--r--strata/foundation/systemd.morph5
2 files changed, 11 insertions, 3 deletions
diff --git a/strata/core/shadow.morph b/strata/core/shadow.morph
index 34ec619..c8715a7 100644
--- a/strata/core/shadow.morph
+++ b/strata/core/shadow.morph
@@ -6,13 +6,11 @@ configure-commands:
- |
./autogen.sh --with-selinux=no \
--sysconfdir=/etc \
- --with-pam=yes \
+ --with-libpam=yes \
--prefix="$PREFIX" \
--bindir=/bin
post-install-commands:
# Disable things handled by pam instead
-- rm "$DESTDIR/etc/limits"
-- rm "$DESTDIR/etc/login.access"
- |
for OPTION in FAIL_DELAY \
FAILLOG_ENAB \
@@ -48,3 +46,8 @@ post-install-commands:
else
echo 'ENCRYPT_METHOD SHA512' >>"$DESTDIR/etc/login.defs"
fi
+
+# The default pam.d config files have pam_selinux.so as a requirement, even
+# when shadow is configured '--with-selinux=no'. We change this default config
+# to make this requirement optional.
+- sed -i -e 's/\(.*\)required\(.*pam_selinux.so.*\)/\1optional\2/' "$DESTDIR"/etc/pam.d/*
diff --git a/strata/foundation/systemd.morph b/strata/foundation/systemd.morph
index efca734..5dc48e7 100644
--- a/strata/foundation/systemd.morph
+++ b/strata/foundation/systemd.morph
@@ -39,3 +39,8 @@ post-install-commands:
EOF
# Use the pam config systemd provides
- cp -a "$DESTDIR/$PREFIX"/share/factory/etc/pam.d/* "$DESTDIR/etc/pam.d"
+
+# Add pam_deny.so to the default systemd-auth pam.d config file. Without
+# it, if shadow is configured to use PAM, it would be possible to login
+# to a system with the wrong password.
+- echo 'auth requisite pam_deny.so' >> "$DESTDIR"/etc/pam.d/system-auth