-rw-r--r--strata/core/shadow.morph9
-rw-r--r--strata/foundation/systemd.morph5
2 files changed, 11 insertions, 3 deletions
diff --git a/strata/core/shadow.morph b/strata/core/shadow.morph
index 34ec6197..c8715a7d 100644
--- a/strata/core/shadow.morph
+++ b/strata/core/shadow.morph
@@ -6,13 +6,11 @@ configure-commands:
- |
./autogen.sh --with-selinux=no \
--sysconfdir=/etc \
- --with-pam=yes \
+ --with-libpam=yes \
--prefix="$PREFIX" \
--bindir=/bin
post-install-commands:
# Disable things handled by pam instead
-- rm "$DESTDIR/etc/limits"
-- rm "$DESTDIR/etc/login.access"
- |
for OPTION in FAIL_DELAY \
FAILLOG_ENAB \
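Review bot: Dropping the two `rm` lines makes the morph depend on shadow's own install rules not shipping `/etc/limits` and `/etc/login.access` when configured with `--with-libpam=yes`, and nothing in the hunk verifies that. If a later shadow release installs them anyway they would sit unused by a PAM-built `login` while `pam_access.so`/`pam_limits.so`, if ever enabled, would start reading them. A fail-closed check keeps the assumption explicit: `- test ! -e "$DESTDIR/etc/limits" -a ! -e "$DESTDIR/etc/login.access"`. The surviving comment `# Disable things handled by pam instead` now heads only the login.defs loop, so `# Disable login.defs options that PAM handles instead` would describe it more accurately.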
@@ -48,3 +46,8 @@ post-install-commands:
else
echo 'ENCRYPT_METHOD SHA512' >>"$DESTDIR/etc/login.defs"
fi
+
+# The default pam.d config files have pam_selinux.so as a requirement, even
+# when shadow is configured '--with-selinux=no'. We change this default config
+# to make this requirement optional.
+- sed -i -e 's/\(.*\)required\(.*pam_selinux.so.*\)/\1optional\2/' "$DESTDIR"/etc/pam.d/*
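Review bot: Downgrading `pam_selinux.so` to `optional` keeps a reference to a module this build never ships (`--with-selinux=no` on the configure line), so Linux-PAM will still try to load it on every authentication and, as far as I recall, logs a module-load error each time even under `optional`; and if SELinux support were ever re-enabled, that same `optional` would silently ignore failures to set the login context. Since the build is unconditionally non-SELinux, removing the entries is cleaner: `- sed -i -e '/pam_selinux\.so/d' "$DESTDIR"/etc/pam.d/*`. Note also that the regex only rewrites the `required` keyword, so an entry written with `requisite` or bracket `[...]` control syntax would be left as is — the shipped pam.d files are not visible here, so worth confirming none use those forms.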
diff --git a/strata/foundation/systemd.morph b/strata/foundation/systemd.morph
index efca734f..5dc48e70 100644
--- a/strata/foundation/systemd.morph
+++ b/strata/foundation/systemd.morph
@@ -39,3 +39,8 @@ post-install-commands:
EOF
# Use the pam config systemd provides
- cp -a "$DESTDIR/$PREFIX"/share/factory/etc/pam.d/* "$DESTDIR/etc/pam.d"
+
+# Add pam_deny.so to the default systemd-auth pam.d config file. Without
+# it, if shadow is configured to use PAM, it would be possible to login
+# to a system with the wrong password.
+- echo 'auth requisite pam_deny.so' >> "$DESTDIR"/etc/pam.d/system-auth
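Review bot: `>>` creates `system-auth` if the factory copy above did not ship one, producing a file whose only entry is the deny line and hiding a missing-config bug behind a login that simply always fails; a guard before the append fails the build instead, e.g. `- test -f "$DESTDIR"/etc/pam.d/system-auth` and `- grep -q '^auth' "$DESTDIR"/etc/pam.d/system-auth`. Appending after whatever `account`/`password`/`session` lines follow is fine for PAM, which evaluates each type as its own stack, but it makes the file harder to audit; inserting after the last `auth` line would keep the stack contiguous. The comment covers only the `auth` stack — if the factory file's `account` or `password` stacks end the same way (a `sufficient` module with no terminal deny), they need a `pam_deny.so` too; the factory contents are not visible in this hunk, so please confirm. A sentence in the comment such as `# A PAM stack with no terminal required/requisite deny does not reliably fail closed` would tell future readers why the line must stay last.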