author | Paul Sherwood <paul.sherwood@codethink.co.uk> | 2015-09-25 08:47:49 +0000 |
---|---|---|
committer | Paul Sherwood <paul.sherwood@codethink.co.uk> | 2015-09-26 08:27:41 +0100 |
commit | 3a2f641e4e70e76ffa77629c6208970c1a7af667 (patch) | |
tree | e6635788976c616017c05b5ea93432f9b2dc769e /baserock/strata/core/shadow.morph | |
parent | c844667a718e8640d9ae2b7640a3b0dc0fb53b0e (diff) | |
download | definitions-baserock/ps/reorganise-definitions.tar.gz |
Proposed re-org of definitions repobaserock/ps/reorganise-definitions
Diffstat (limited to 'baserock/strata/core/shadow.morph')
-rw-r--r-- | baserock/strata/core/shadow.morph | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/baserock/strata/core/shadow.morph b/baserock/strata/core/shadow.morph
new file mode 100644
index 00000000..cdb1ff75
--- /dev/null
+++ b/baserock/strata/core/shadow.morph
@@ -0,0 +1,55 @@
+name: shadow
+kind: chunk
+build-system: autotools
+pre-configure-commands:
+- autoreconf -vfi
+configure-commands:
+# Installing to /bin so that they overwrite busybox login.
+- |
+ ./configure --with-selinux=no \
+ --sysconfdir=/etc \
+ --with-libpam=yes \
+ --prefix="$PREFIX" \
+ --bindir=/bin
+post-install-commands:
+# Disable things handled by pam instead
+- |
+ for OPTION in FAIL_DELAY \
+ FAILLOG_ENAB \
+ LASTLOG_ENAB \
+ MAIL_CHECK_ENAB \
+ OBSCURE_CHECKS_ENAB \
+ PORTTIME_CHECKS_ENAB \
+ QUOTAS_ENAB \
+ CONSOLE MOTD_FILE \
+ FTMP_FILE \
+ NOLOGINS_FILE \
+ ENV_HZ \
+ PASS_MIN_LEN \
+ SU_WHEEL_ONLY \
+ CRACKLIB_DICTPATH \
+ PASS_CHANGE_TRIES \
+ PASS_ALWAYS_WARN \
+ CHFN_AUTH \
+ ENVIRON_FILE
+ do
+ sed -i -e "s/^${OPTION}.*/# & #This option is handled by PAM instead./" \
+ "$DESTDIR/etc/login.defs"
+ done
+# ENCRYPT_METHOD is handled specially with PAM, it will use the default as
+# provided in login.defs, but it may be overridden in the pam.d config.
+# We do not currently override this though, and it's better to guard oursleves
+# against accidentally reducing password security by forgetting to include the
+# algorithm as an argument to the PAM module, so ENCRYPT_METHOD is configured
+# here, rather than in PAM.
+- |
+ if grep -q '[\s#]ENCRYPT_METHOD' "$DESTDIR/etc/login.defs"; then
+ sed -i -e '/^[\s#]*ENCRYPT_METHOD /s/.*/ENCRYPT_METHOD SHA512/g' "$DESTDIR/etc/login.defs"
+ else
+ echo 'ENCRYPT_METHOD SHA512' >>"$DESTDIR/etc/login.defs"
+ fi
+
+# The default pam.d config files have pam_selinux.so as a requirement, even
+# when shadow is configured '--with-selinux=no'. We change this default config
+# to make this requirement optional.
+- sed -i -e 's/\(.*\)required\(.*pam_selinux.so.*\)/\1optional\2/' "$DESTDIR"/etc/pam.d/* |
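Review bot: The `[\s#]` bracket expressions in the ENCRYPT_METHOD step do not match whitespace, because inside a POSIX bracket expression `\s` is a literal backslash and the letter `s`, so the `grep -q` test only succeeds when `\`, `s` or `#` sits immediately before the keyword. If the shipped login.defs ever carries an active `ENCRYPT_METHOD` line at column 0 with a weaker algorithm, the test fails, the `else` branch appends `ENCRYPT_METHOD SHA512`, and the weaker line stays in the file; which of the two entries wins depends on the login.defs parser, which is not visible here, so this may be the silent downgrade the comment above says the step guards against. I would use one anchored class in both commands, `grep -q '^[[:space:]#]*ENCRYPT_METHOD[[:space:]]'` and `sed -i -e '/^[[:space:]#]*ENCRYPT_METHOD[[:space:]]/s/.*/ENCRYPT_METHOD SHA512/'`, and finish the step with `grep -qx 'ENCRYPT_METHOD SHA512' "$DESTDIR/etc/login.defs"` so the build fails if the setting did not land.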