10 files changed, 255 insertions, 0 deletions
diff --git a/install-files/gnome/etc/pam.d/gdm b/install-files/gnome/etc/pam.d/gdm
new file mode 100644
index 00000000..42036102
--- /dev/null
+++ b/install-files/gnome/etc/pam.d/gdm
@@ -0,0 +1,15 @@
+# Baserock customized /etc/pam.d/gdm
+#
+
+auth     requisite      pam_nologin.so
+auth     required       pam_env.so
+
+auth     required       pam_succeed_if.so uid >= 1000 quiet
+auth     include        system-auth
+
+account  include        system-auth
+password include        system-auth
+
+session  optional       pam_keyinit.so force revoke
+session  include        system-auth
+session  required       pam_loginuid.so
diff --git a/install-files/gnome/etc/pam.d/gdm-autologin b/install-files/gnome/etc/pam.d/gdm-autologin
new file mode 100644
index 00000000..c99449ac
--- /dev/null
+++ b/install-files/gnome/etc/pam.d/gdm-autologin
@@ -0,0 +1,17 @@
+# Baserock customized /etc/pam.d/gdm-autologin
+#
+
+auth     requisite      pam_nologin.so
+auth     required       pam_env.so
+
+auth     required       pam_succeed_if.so uid >= 1000 quiet
+auth     required       pam_permit.so
+auth     optional       pam_gnome_keyring.so
+
+account  include        system-auth
+password include        system-auth
+
+session  required       pam_loginuid.so
+session  optional       pam_keyinit.so force revoke
+session  required       pam_namespace.so
+session  include        system-auth
diff --git a/install-files/gnome/etc/pam.d/gdm-launch-environment b/install-files/gnome/etc/pam.d/gdm-launch-environment
new file mode 100644
index 00000000..f63c80fa
--- /dev/null
+++ b/install-files/gnome/etc/pam.d/gdm-launch-environment
@@ -0,0 +1,11 @@
+# Baserock customized /etc/pam.d/gdm-launch-environment
+#
+
+auth     required       pam_env.so
+auth     optional       pam_permit.so
+
+account  include        system-auth
+password include        system-auth
+
+session  optional       pam_keyinit.so force revoke
+session  include        system-auth
diff --git a/install-files/gnome/etc/pam.d/gdm-password b/install-files/gnome/etc/pam.d/gdm-password
new file mode 100644
index 00000000..798d40a6
--- /dev/null
+++ b/install-files/gnome/etc/pam.d/gdm-password
@@ -0,0 +1,24 @@
+# Baserock customized /etc/pam.d/gdm-password
+#
+# This configuration ensures that the default keyring
+# is unlocked at gdm login time, and also that the
+# authentication token is used to update the keyring
+# when the password is set.
+
+auth     requisite      pam_nologin.so
+auth     required       pam_env.so
+
+auth     required       pam_succeed_if.so uid >= 1000 quiet
+auth     substack       system-auth
+auth     optional       pam_gnome_keyring.so
+
+account  include        system-auth
+password substack       system-auth
+password optional       pam_gnome_keyring.so use_authtok
+
+session  required       pam_limits.so
+session  required       pam_loginuid.so
+session  optional       pam_keyinit.so force revoke
+session  required       pam_namespace.so
+session  substack       system-auth
+session  optional       pam_gnome_keyring.so auto_start
diff --git a/install-files/gnome/etc/pam.d/passwd b/install-files/gnome/etc/pam.d/passwd
new file mode 100644
index 00000000..e0c98057
--- /dev/null
+++ b/install-files/gnome/etc/pam.d/passwd
@@ -0,0 +1,10 @@
+# Baserock customized /etc/pam.d/passwd
+#
+# This configuration ensures authentication token
+# is used to update the keyring when the password is set
+# using the regular passwd mechanism
+
+auth            include         system-auth
+account         include         system-auth
+password        substack        system-auth
+password        optional        pam_gnome_keyring.so use_authtok
diff --git a/install-files/gnome/etc/pam.d/system-auth b/install-files/gnome/etc/pam.d/system-auth
new file mode 100644
index 00000000..73d3968c
--- /dev/null
+++ b/install-files/gnome/etc/pam.d/system-auth
@@ -0,0 +1,19 @@
+# Baserock customized /etc/pam.d/system-auth
+#
+# This configuration is modified from the upstream
+# systemd provided file mostly because the upstream file
+# tries to pass the invalid 'try_authtok' option to the
+# pam_unix.so module.
+
+auth     sufficient pam_unix.so nullok try_first_pass
+auth     requisite  pam_deny.so
+
+account  required   pam_nologin.so
+account  sufficient pam_unix.so
+
+password sufficient pam_unix.so nullok sha512 shadow try_first_pass
+password required   pam_deny.so
+
+-session optional   pam_loginuid.so
+-session optional   pam_systemd.so
+session  sufficient pam_unix.so
diff --git a/install-files/gnome/etc/securetty b/install-files/gnome/etc/securetty
new file mode 100644
index 00000000..e3dfb6c4
--- /dev/null
+++ b/install-files/gnome/etc/securetty
@@ -0,0 +1,8 @@
+tty1
+#tty2
+#tty3
+#tty4
+#tty5
+#tty6
+#tty7
+#tty8
diff --git a/install-files/gnome/etc/ssh/sshd_config b/install-files/gnome/etc/ssh/sshd_config
new file mode 100644
index 00000000..aaab3cca
--- /dev/null
+++ b/install-files/gnome/etc/ssh/sshd_config
@@ -0,0 +1,135 @@
+#	$OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox		# Default for new installations.
+PermitUserEnvironment yes
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+
+AcceptEnv LANG LC_*
diff --git a/install-files/gnome/manifest b/install-files/gnome/manifest
new file mode 100644
index 00000000..d72a5e89
--- /dev/null
+++ b/install-files/gnome/manifest
@@ -0,0 +1,9 @@
+0100644 0 0 /etc/securetty
+overwrite 0100644 0 0 /etc/ssh/sshd_config
+overwrite 0100644 0 0 /etc/pam.d/passwd
+overwrite 0100644 0 0 /etc/pam.d/system-auth
+overwrite 0100644 0 0 /etc/pam.d/gdm
+overwrite 0100644 0 0 /etc/pam.d/gdm-password
+overwrite 0100644 0 0 /etc/pam.d/gdm-autologin
+overwrite 0100644 0 0 /etc/pam.d/gdm-launch-environment
+0100644 0 0 /usr/share/polkit-1/rules.d/geoclue-2.0.rules
diff --git a/install-files/gnome/usr/share/polkit-1/rules.d/geoclue-2.0.rules b/install-files/gnome/usr/share/polkit-1/rules.d/geoclue-2.0.rules
new file mode 100644
index 00000000..aeb42345
--- /dev/null
+++ b/install-files/gnome/usr/share/polkit-1/rules.d/geoclue-2.0.rules
@@ -0,0 +1,7 @@
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.freedesktop.ModemManager1.Device.Control" ||
+         action.id == "org.freedesktop.ModemManager1.Location") &&
+        subject.user == "geoclue") {
+        return polkit.Result.YES;
+    }
+});