diff options
Diffstat (limited to 'strata/core/shadow.morph')
-rw-r--r-- | strata/core/shadow.morph | 50 |
1 files changed, 49 insertions, 1 deletions
diff --git a/strata/core/shadow.morph b/strata/core/shadow.morph index 6887a6b3..c8715a7d 100644 --- a/strata/core/shadow.morph +++ b/strata/core/shadow.morph @@ -2,4 +2,52 @@ name: shadow kind: chunk build-system: autotools configure-commands: -- ./autogen.sh --with-selinux=no --sysconfdir=/etc +# Installing to /bin so that they overwrite busybox login. +- | + ./autogen.sh --with-selinux=no \ + --sysconfdir=/etc \ + --with-libpam=yes \ + --prefix="$PREFIX" \ + --bindir=/bin +post-install-commands: +# Disable things handled by pam instead +- | + for OPTION in FAIL_DELAY \ + FAILLOG_ENAB \ + LASTLOG_ENAB \ + MAIL_CHECK_ENAB \ + OBSCURE_CHECKS_ENAB \ + PORTTIME_CHECKS_ENAB \ + QUOTAS_ENAB \ + CONSOLE MOTD_FILE \ + FTMP_FILE \ + NOLOGINS_FILE \ + ENV_HZ \ + PASS_MIN_LEN \ + SU_WHEEL_ONLY \ + CRACKLIB_DICTPATH \ + PASS_CHANGE_TRIES \ + PASS_ALWAYS_WARN \ + CHFN_AUTH \ + ENVIRON_FILE + do + sed -i -e "s/^${OPTION}.*/# & #This option is handled by PAM instead./" \ + "$DESTDIR/etc/login.defs" + done +# ENCRYPT_METHOD is handled specially with PAM, it will use the default as +# provided in login.defs, but it may be overridden in the pam.d config. +# We do not currently override this though, and it's better to guard oursleves +# against accidentally reducing password security by forgetting to include the +# algorithm as an argument to the PAM module, so ENCRYPT_METHOD is configured +# here, rather than in PAM. +- | + if grep -q '[\s#]ENCRYPT_METHOD' "$DESTDIR/etc/login.defs"; then + sed -i -e '/^[\s#]*ENCRYPT_METHOD /s/.*/ENCRYPT_METHOD SHA512/g' "$DESTDIR/etc/login.defs" + else + echo 'ENCRYPT_METHOD SHA512' >>"$DESTDIR/etc/login.defs" + fi + +# The default pam.d config files have pam_selinux.so as a requirement, even +# when shadow is configured '--with-selinux=no'. We change this default config +# to make this requirement optional. +- sed -i -e 's/\(.*\)required\(.*pam_selinux.so.*\)/\1optional\2/' "$DESTDIR"/etc/pam.d/* |