Reinstall shadow after PAM
authorHugo Villeneuve <hugo@hugovil.com>
Sat, 3 Aug 2013 14:46:57 +0000 (10:46 -0400)
committerHugo Villeneuve <hugo@hugovil.com>
Wed, 7 Aug 2013 17:49:45 +0000 (13:49 -0400)
12 files changed:
stage3/hv-install-1
stage3/misc/shadow-pam.d/chage [new file with mode: 0644]
stage3/misc/shadow-pam.d/login [new file with mode: 0644]
stage3/misc/shadow-pam.d/other [new file with mode: 0644]
stage3/misc/shadow-pam.d/passwd [new file with mode: 0644]
stage3/misc/shadow-pam.d/su [new file with mode: 0644]
stage3/misc/shadow-pam.d/system-account [new file with mode: 0644]
stage3/misc/shadow-pam.d/system-auth [new file with mode: 0644]
stage3/misc/shadow-pam.d/system-password [new file with mode: 0644]
stage3/misc/shadow-pam.d/system-session [new file with mode: 0644]
stage3/packages-update
stage3/pkg/shadow [new file with mode: 0644]

index b6e004d..0b318a8 100755 (executable)
@@ -12,6 +12,7 @@ ipkg -m acnb ${REISERFSPROGS}
 ipkg -m acnb ${POPT}
 CFLAGS="${CFLAGS} -fPIC" ipkg -m acnb ${LIBTIRPC}
 ipkg ${PAM}
+ipkg ${SHADOW}
 ipkg -m noac ${OPENSSL}
 ipkg ${WGET} "--with-ssl=openssl"
 ipkg -m noac ${PCIUTILS}
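Review bot: The added `ipkg ${SHADOW}` line carries no comment explaining why a package that stage2 already installed is installed a second time, and why it must sit directly after `ipkg ${PAM}`; the commit title says it, the script does not. Presumably the point is that shadow's configure only detects Linux-PAM when it runs after PAM is present, so the order is load-bearing and a future reorder would silently lose PAM support. A one-line comment above it such as `# Reinstall Shadow now that Linux-PAM is present so it is rebuilt with PAM support (see stage3/pkg/shadow)` would protect the ordering.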
diff --git a/stage3/misc/shadow-pam.d/chage b/stage3/misc/shadow-pam.d/chage
new file mode 100644 (file)
index 0000000..70d1535
--- /dev/null
@@ -0,0 +1,14 @@
+#Begin /etc/pam.d/chage
+
+# always allow root
+auth      sufficient  pam_rootok.so
+
+# include system defaults for auth account and session
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+
+# Always permit for authentication updates
+password  required    pam_permit.so
+
+# End /etc/pam.d/chage
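Review bot: Nothing in this file says that it is a template: stage3/pkg/shadow in the same commit copies it to chfn, chsh, chpasswd, chgpasswd, newusers, useradd, userdel, usermod and the group tools with only the service name substituted, so the `pam_rootok.so` bypass and the `password required pam_permit.so` line apply to all of them. A maintainer tightening chage alone would change eleven other services without noticing, and conversely a tool that needs different treatment (chfn/chsh are the ones ordinary users reach) has nowhere to get it. Adding `# NOTE: stage3/pkg/shadow copies this file for the other shadow utilities; edits here apply to all of them` under the Begin line makes the coupling visible.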
diff --git a/stage3/misc/shadow-pam.d/login b/stage3/misc/shadow-pam.d/login
new file mode 100644 (file)
index 0000000..8ceae58
--- /dev/null
@@ -0,0 +1,45 @@
+# Begin /etc/pam.d/login
+
+# Set failure delay before next prompt to 3 seconds
+auth      optional    pam_faildelay.so  delay=3000000
+
+# Check to make sure that the user is allowed to login
+auth      requisite   pam_nologin.so
+
+# Check to make sure that root is allowed to login
+# Disabled by default. You will need to create /etc/securetty
+# file for this module to function. See man 5 securetty.
+#auth      required    pam_securetty.so
+
+# Additional group memberships - disabled by default
+#auth      optional    pam_group.so
+
+# include the default auth settings
+auth      include     system-auth
+
+# check access for the user
+account   required    pam_access.so
+
+# include the default account settings
+account   include     system-account
+
+# Set default environment variables for the user
+session   required    pam_env.so
+
+# Set resource limits for the user
+session   required    pam_limits.so
+
+# Display date of last login - Disabled by default
+#session   optional    pam_lastlog.so
+
+# Display the message of the day - Disabled by default
+#session   optional    pam_motd.so
+
+# Check user's mail - Disabled by default
+#session   optional    pam_mail.so      standard quiet
+
+# include the default session and password settings
+session   include     system-session
+password  include     system-password
+
+# End /etc/pam.d/login
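Review bot: With `pam_securetty.so` left commented out, root may log in through login(1) on every terminal it serves; since the same commit comments `CONSOLE` out of /etc/login.defs, the login.defs-side restriction is switched off at the same time, so no terminal restriction for root remains (assuming the non-PAM shadow honoured CONSOLE or /etc/securetty before — worth confirming). If that is intended, the comment should say so plainly, e.g. `# NOTE: with this disabled root can log in on any tty; ship /etc/securetty and enable the line to restrict it`; otherwise enable `auth required pam_securetty.so` and install an /etc/securetty. Separately, `account required pam_access.so` relies on /etc/security/access.conf, which this commit does not ship; confirm how the module behaves when the file is absent before relying on it as a `required` step.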
diff --git a/stage3/misc/shadow-pam.d/other b/stage3/misc/shadow-pam.d/other
new file mode 100644 (file)
index 0000000..1f7940b
--- /dev/null
@@ -0,0 +1,12 @@
+# Begin /etc/pam.d/other
+
+auth        required        pam_warn.so
+auth        required        pam_deny.so
+account     required        pam_warn.so
+account     required        pam_deny.so
+password    required        pam_warn.so
+password    required        pam_deny.so
+session     required        pam_warn.so
+session     required        pam_deny.so
+
+# End /etc/pam.d/other
diff --git a/stage3/misc/shadow-pam.d/passwd b/stage3/misc/shadow-pam.d/passwd
new file mode 100644 (file)
index 0000000..1663659
--- /dev/null
@@ -0,0 +1,5 @@
+# Begin /etc/pam.d/passwd
+
+password  include     system-password
+
+# End /etc/pam.d/passwd
diff --git a/stage3/misc/shadow-pam.d/su b/stage3/misc/shadow-pam.d/su
new file mode 100644 (file)
index 0000000..65e3f30
--- /dev/null
@@ -0,0 +1,16 @@
+# Begin /etc/pam.d/su
+
+# always allow root
+auth      sufficient  pam_rootok.so
+auth      include     system-auth
+
+# include the default account settings
+account   include     system-account
+
+# Set default environment variables for the service user
+session   required    pam_env.so
+
+# include system session defaults
+session   include     system-session
+
+# End /etc/pam.d/su
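Review bot: The auth stack contains only `pam_rootok.so` and system-auth, so any local account can attempt root's password with su; the login.defs control that used to limit this, `SU_WHEEL_ONLY`, is commented out by stage3/pkg/shadow in this same commit, leaving no wheel restriction on either side. The usual PAM replacement is `auth required pam_wheel.so use_uid` placed after the rootok line, which limits su to members of the wheel group. If the author prefers it off by default, ship it commented with a note, e.g. `# Restrict su to members of group wheel - disabled by default` followed by `#auth required pam_wheel.so use_uid`, so the choice is explicit rather than an omission.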
diff --git a/stage3/misc/shadow-pam.d/system-account b/stage3/misc/shadow-pam.d/system-account
new file mode 100644 (file)
index 0000000..8a4945c
--- /dev/null
@@ -0,0 +1,5 @@
+# Begin /etc/pam.d/system-account
+
+account   required    pam_unix.so
+
+# End /etc/pam.d/system-account
diff --git a/stage3/misc/shadow-pam.d/system-auth b/stage3/misc/shadow-pam.d/system-auth
new file mode 100644 (file)
index 0000000..1694ac7
--- /dev/null
@@ -0,0 +1,5 @@
+# Begin /etc/pam.d/system-auth
+
+auth      required    pam_unix.so
+
+# End /etc/pam.d/system-auth
diff --git a/stage3/misc/shadow-pam.d/system-password b/stage3/misc/shadow-pam.d/system-password
new file mode 100644 (file)
index 0000000..c2a1684
--- /dev/null
@@ -0,0 +1,7 @@
+# Begin /etc/pam.d/system-password
+
+# use sha512 hash for encryption, use shadow, and try to use any previously
+# defined authentication token (chosen password) set by any prior module
+password  required    pam_unix.so       sha512 shadow try_first_pass
+
+# End /etc/pam.d/system-password
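Review bot: This stack enforces no password quality at all: the only module is `pam_unix.so`, and the same commit comments `PASS_MIN_LEN` and `OBSCURE_CHECKS_ENAB` out of /etc/login.defs, so the minimum-length and obscurity checks the non-PAM shadow applied are dropped without a PAM equivalent. If a quality module is available in this build (pam_cracklib or pam_pwquality; neither appears in the install list visible here), the usual shape is `password required pam_cracklib.so retry=3 minlen=8` before the pam_unix line with `use_authtok` added to it. If none is available, the header comment should state that no length or complexity policy is enforced so the gap is deliberate rather than silent.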
diff --git a/stage3/misc/shadow-pam.d/system-session b/stage3/misc/shadow-pam.d/system-session
new file mode 100644 (file)
index 0000000..7e1d8c8
--- /dev/null
@@ -0,0 +1,5 @@
+# Begin /etc/pam.d/system-session
+
+session   required    pam_unix.so
+
+# End /etc/pam.d/system-session
index cb99a2e..de074d9 100755 (executable)
@@ -8,6 +8,9 @@ source ../functions/main
 
 update_packages_init ${*}
 
+# These packages were already downloaded for stage2:
+lpkg 2 ${SHADOW}
+
 # These packages are only for stage3
 fpkg -m gnu ${WHICH}
 fpkg -e "tar.gz" ${BASHCOMPLETION} "http://www.caliban.org/files/bash"
diff --git a/stage3/pkg/shadow b/stage3/pkg/shadow
new file mode 100644 (file)
index 0000000..63850f0
--- /dev/null
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+hvconfig_pre()
+{
+    CONFIGURE_OPTS="\
+        ${CONFIGURE_OPTS} \
+        --without-selinux"
+
+    cd ${LFS_TMP}/${PACKAGE}
+
+    # Disable the installation of the groups program and its man page, as
+    # Coreutils provides a better version.
+    sed -i 's/groups$(EXEEXT) //' src/Makefile.in
+    find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;
+
+    # Instead of using the default crypt method, use the more secure SHA-512 method
+    # of password encryption, which also allows passwords longer than 8 characters.
+    # It is also necessary to change the obsolete /var/spool/mail location for user
+    # mailboxes that Shadow uses by default to the /var/mail location used currently:
+    sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
+        -e 's@/var/spool/mail@/var/mail@' /etc/login.defs
+}
+
+hvbuild_post()
+{
+    # Expands PATH to /usr/local/bin for normal and root user and to
+    # /usr/local/sbin for root user only:
+    sed -i -e 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&:/usr/local/sbin:/usr/local/bin@' \
+        -e 's@PATH=/bin:/usr/bin@&:/usr/local/bin@' /etc/login.defs
+
+    # Move some misplaced symlinks/programs to their proper locations.
+    mv /usr/bin/passwd /bin
+
+    # Disable creation of mailbox files by useradd:
+    sed -i 's/yes/no/' /etc/default/useradd
+
+    # Configure Linux-PAM:
+    install -v -m644 /etc/login.defs /etc/login.defs.orig
+    for FUNCTION in FAIL_DELAY FAILLOG_ENAB \
+        LASTLOG_ENAB \
+        MAIL_CHECK_ENAB \
+        OBSCURE_CHECKS_ENAB \
+        PORTTIME_CHECKS_ENAB \
+        QUOTAS_ENAB \
+        CONSOLE MOTD_FILE \
+        FTMP_FILE NOLOGINS_FILE \
+        ENV_HZ PASS_MIN_LEN \
+        SU_WHEEL_ONLY \
+        CRACKLIB_DICTPATH \
+        PASS_CHANGE_TRIES \
+        PASS_ALWAYS_WARN \
+        CHFN_AUTH ENCRYPT_METHOD \
+        ENVIRON_FILE
+    do
+        sed -i "s/^${FUNCTION}/# &/" /etc/login.defs
+    done
+
+    install -v -m644 ${SCRDIR}/misc/shadow-pam.d/* /etc/pam.d/
+
+    for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
+        groupmems groupmod newusers useradd userdel usermod
+    do
+        install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
+        sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
+    done
+
+    # Configuring Login Access
+    # Instead of using the /etc/login.access file for controlling access to the
+    # system, Linux-PAM uses the pam_access.so module along with the
+    # /etc/security/access.conf file. Rename the /etc/login.access file:
+    [ -f /etc/login.access ] && mv -v /etc/login.access{,.NOUSE}
+
+    # Configuring Resource Limits
+    # Instead of using the /etc/limits file for limiting usage of system
+    # resources, Linux-PAM uses the pam_limits.so module along with the
+    # /etc/security/limits.conf file. Rename the /etc/limits file:
+    [ -f /etc/limits ] && mv -v /etc/limits{,.NOUSE}
+}
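Review bot: `CONFIGURE_OPTS` in hvconfig_pre only adds `--without-selinux`; PAM support is left to configure's autodetection, so if the Linux-PAM headers are not found the build quietly produces a non-PAM shadow while hvbuild_post still comments FAIL_DELAY, PASS_MIN_LEN, SU_WHEEL_ONLY and the rest out of /etc/login.defs and installs the pam.d files, leaving those controls enforced by neither side. Passing `--with-libpam` explicitly in CONFIGURE_OPTS makes configure fail loudly instead (confirm against the shadow release being built, as the option's default varies by version). A smaller point: hvbuild_post ends with `[ -f /etc/limits ] && mv -v /etc/limits{,.NOUSE}`, so the function returns 1 whenever /etc/limits is absent; if the caller or an errexit shell checks that status, `if [ -f /etc/limits ]; then mv -v /etc/limits{,.NOUSE}; fi` (and the same for /etc/login.access) avoids a spurious failure. Finally, the two login.defs seds in hvconfig_pre run before the package's own install step; if that step reinstalls login.defs, the /var/mail change is lost — worth confirming, or moving both seds into hvbuild_post next to the other login.defs edits.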