# Build definition for the shadow package.
# NOTE(review): "kind: chunk" looks like a single-package build unit for the
# consuming build tool; confirm against that tool's schema.
name: shadow
kind: chunk
build-system: autotools
pre-configure-commands:
# Regenerate the autotools build files before ./configure runs
# (-v verbose, -f force regeneration, -i install missing auxiliary files).
- autoreconf -vfi
configure-commands:
# Installing to /bin so that they overwrite busybox login.
# The build is configured without SELinux support (--with-selinux=no) and
# with PAM support (--with-libpam=yes); configuration files live under /etc
# (--sysconfdir=/etc). The post-install steps in this file adjust login.defs
# and the pam.d defaults to match these two choices.
- |
  ./configure  --with-selinux=no \
               --sysconfdir=/etc \
               --with-libpam=yes \
               --prefix="$PREFIX" \
               --bindir=/bin
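post-install-commands:
# Comment out the login.defs options that are handled by PAM instead (shadow
# is configured with --with-libpam=yes). Each active line is kept, prefixed
# with "# " and tagged with the reason, so the change is visible in the
# installed file.
# NOTE(review): several of these are authentication policy knobs
# (PASS_MIN_LEN, OBSCURE_CHECKS_ENAB, FAIL_DELAY, SU_WHEEL_ONLY, ...). Once
# they are commented out here, the equivalent policy has to come from the
# pam.d configuration; confirm that it does.
- |
  for OPTION in FAIL_DELAY \
                FAILLOG_ENAB \
                LASTLOG_ENAB \
                MAIL_CHECK_ENAB \
                OBSCURE_CHECKS_ENAB \
                PORTTIME_CHECKS_ENAB \
                QUOTAS_ENAB \
                CONSOLE \
                MOTD_FILE \
                FTMP_FILE \
                NOLOGINS_FILE \
                ENV_HZ \
                PASS_MIN_LEN \
                SU_WHEEL_ONLY \
                CRACKLIB_DICTPATH \
                PASS_CHANGE_TRIES \
                PASS_ALWAYS_WARN \
                CHFN_AUTH \
                ENVIRON_FILE
  do
    # Match the option name as a whole word (followed by whitespace or end of
    # line). A bare prefix match such as "^CONSOLE.*" would also comment out
    # an active CONSOLE_GROUPS line, which is not in this list.
    sed -i -e "s/^${OPTION}[[:space:]].*/# & #This option is handled by PAM instead./" \
           -e "s/^${OPTION}\$/# & #This option is handled by PAM instead./" \
        "$DESTDIR/etc/login.defs"
  done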
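# ENCRYPT_METHOD is handled specially with PAM: it will use the default as
# provided in login.defs, but it may be overridden in the pam.d config.
# We do not currently override this though, and it's better to guard ourselves
# against accidentally reducing password security by forgetting to include the
# algorithm as an argument to the PAM module, so ENCRYPT_METHOD is configured
# here, rather than in PAM.
#
# The patterns use the POSIX class [[:space:]]. Inside a bracket expression
# "\s" is not whitespace: "[\s#]" matches a backslash, the letter "s" or "#",
# so the earlier pattern only recognised the "#ENCRYPT_METHOD" form and would
# have left an active "ENCRYPT_METHOD <other>" line in place while appending
# a second, conflicting setting.
# The final grep makes the step exit non-zero unless the exact line
# "ENCRYPT_METHOD SHA512" is present afterwards.
# NOTE(review): assumes the build tool treats a non-zero exit as a failed
# build; confirm.
- |
  if grep -q '^[[:space:]#]*ENCRYPT_METHOD[[:space:]]' "$DESTDIR/etc/login.defs"; then
      sed -i -e '/^[[:space:]#]*ENCRYPT_METHOD[[:space:]]/s/.*/ENCRYPT_METHOD SHA512/' \
          "$DESTDIR/etc/login.defs"
  else
      echo 'ENCRYPT_METHOD SHA512' >>"$DESTDIR/etc/login.defs"
  fi
  grep -qx 'ENCRYPT_METHOD SHA512' "$DESTDIR/etc/login.defs"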

# The default pam.d config files have pam_selinux.so as a requirement, even
# when shadow is configured '--with-selinux=no'. We change this default config
# to make this requirement optional.
# The substitution rewrites the word "required" to "optional" on every line
# that mentions pam_selinux.so after it, in every file under
# $DESTDIR/etc/pam.d; lines for other modules are left untouched.
# NOTE(review): with "optional" a failure of pam_selinux.so no longer fails
# the stack. That fits a build without SELinux; revisit this step if SELinux
# support is ever enabled.
- sed -i -e 's/\(.*\)required\(.*pam_selinux.so.*\)/\1optional\2/' "$DESTDIR"/etc/pam.d/*