From e941771d74ef457edb2c321a76e88a7c9a79c7f8 Mon Sep 17 00:00:00 2001
From: Hugo Villeneuve
Date: Sat, 3 Aug 2013 10:46:57 -0400
Subject: [PATCH] Reinstall shadow after PAM
---
 stage3/hv-install-1 | 1 +
 stage3/misc/shadow-pam.d/chage | 14 +++++
 stage3/misc/shadow-pam.d/login | 45 ++++++++++++++
 stage3/misc/shadow-pam.d/other | 12 ++++
 stage3/misc/shadow-pam.d/passwd | 5 ++
 stage3/misc/shadow-pam.d/su | 16 +++++
 stage3/misc/shadow-pam.d/system-account | 5 ++
 stage3/misc/shadow-pam.d/system-auth | 5 ++
 stage3/misc/shadow-pam.d/system-password | 7 +++
 stage3/misc/shadow-pam.d/system-session | 5 ++
 stage3/packages-update | 3 +
 stage3/pkg/shadow | 78 ++++++++++++++++++++++++
 12 files changed, 196 insertions(+)
 create mode 100644 stage3/misc/shadow-pam.d/chage
 create mode 100644 stage3/misc/shadow-pam.d/login
 create mode 100644 stage3/misc/shadow-pam.d/other
 create mode 100644 stage3/misc/shadow-pam.d/passwd
 create mode 100644 stage3/misc/shadow-pam.d/su
 create mode 100644 stage3/misc/shadow-pam.d/system-account
 create mode 100644 stage3/misc/shadow-pam.d/system-auth
 create mode 100644 stage3/misc/shadow-pam.d/system-password
 create mode 100644 stage3/misc/shadow-pam.d/system-session
 create mode 100644 stage3/pkg/shadow
diff --git a/stage3/hv-install-1 b/stage3/hv-install-1
index b6e004d..0b318a8 100755
--- a/stage3/hv-install-1
+++ b/stage3/hv-install-1
@@ -12,6 +12,7 @@ ipkg -m acnb ${REISERFSPROGS}
 ipkg -m acnb ${POPT}
 CFLAGS="${CFLAGS} -fPIC" ipkg -m acnb ${LIBTIRPC}
 ipkg ${PAM}
+ipkg ${SHADOW}
 ipkg -m noac ${OPENSSL}
 ipkg ${WGET} "--with-ssl=openssl"
 ipkg -m noac ${PCIUTILS}
diff --git a/stage3/misc/shadow-pam.d/chage b/stage3/misc/shadow-pam.d/chage
new file mode 100644
index 0000000..70d1535
--- /dev/null
+++ b/stage3/misc/shadow-pam.d/chage
@@ -0,0 +1,14 @@
+#Begin /etc/pam.d/chage
+
+# always allow root
+auth sufficient pam_rootok.so
+
+# include system defaults for auth account and session
+auth include system-auth
+account include system-account
+session include system-session
+
+# Always permit for authentication updates
+password required pam_permit.so
+
+# End /etc/pam.d/chage
diff --git a/stage3/misc/shadow-pam.d/login b/stage3/misc/shadow-pam.d/login
new file mode 100644
index 0000000..8ceae58
--- /dev/null
+++ b/stage3/misc/shadow-pam.d/login
@@ -0,0 +1,45 @@
+# Begin /etc/pam.d/login
+
+# Set failure delay before next prompt to 3 seconds
+auth optional pam_faildelay.so delay=3000000
+
+# Check to make sure that the user is allowed to login
+auth requisite pam_nologin.so
+
+# Check to make sure that root is allowed to login
+# Disabled by default. You will need to create /etc/securetty
+# file for this module to function. See man 5 securetty.
+#auth required pam_securetty.so
+
+# Additional group memberships - disabled by default
+#auth optional pam_group.so
+
+# include the default auth settings
+auth include system-auth
+
+# check access for the user
+account required pam_access.so
+
+# include the default account settings
+account include system-account
+
+# Set default environment variables for the user
+session required pam_env.so
+
+# Set resource limits for the user
+session required pam_limits.so
+
+# Display date of last login - Disabled by default
+#session optional pam_lastlog.so
+
+# Display the message of the day - Disabled by default
+#session optional pam_motd.so
+
+# Check user's mail - Disabled by default
+#session optional pam_mail.so standard quiet
+
+# include the default session and password settings
+session include system-session
+password include system-password
+
+# End /etc/pam.d/login
diff --git a/stage3/misc/shadow-pam.d/other b/stage3/misc/shadow-pam.d/other
new file mode 100644
index 0000000..1f7940b
--- /dev/null
+++ b/stage3/misc/shadow-pam.d/other
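Review bot: With `#auth required pam_securetty.so` left commented out in the login stack, and `CONSOLE` commented out of /etc/login.defs by the pkg/shadow hunk of this same commit, nothing in the new configuration restricts which ttys root may log in on, so the tty restriction shadow previously enforced from login.defs is dropped rather than moved into PAM. If serial consoles or network gettys exist on these hosts, enable the line as `auth required pam_securetty.so` and ship an /etc/securetty listing the permitted ttys; as I read pam_securetty, a missing /etc/securetty is only logged and the login is allowed, so the file must exist for the line to have any effect. The comment above the line should say so as well, e.g. `# Without /etc/securetty this module permits root on every tty`. Consider also uncommenting `session optional pam_lastlog.so`, since last-login display is a cheap abuse indicator for operators.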
@@ -0,0 +1,12 @@
+# Begin /etc/pam.d/other
+
+auth required pam_warn.so
+auth required pam_deny.so
+account required pam_warn.so
+account required pam_deny.so
+password required pam_warn.so
+password required pam_deny.so
+session required pam_warn.so
+session required pam_deny.so
+
+# End /etc/pam.d/other
diff --git a/stage3/misc/shadow-pam.d/passwd b/stage3/misc/shadow-pam.d/passwd
new file mode 100644
index 0000000..1663659
--- /dev/null
+++ b/stage3/misc/shadow-pam.d/passwd
@@ -0,0 +1,5 @@
+# Begin /etc/pam.d/passwd
+
+password include system-password
+
+# End /etc/pam.d/passwd
diff --git a/stage3/misc/shadow-pam.d/su b/stage3/misc/shadow-pam.d/su
new file mode 100644
index 0000000..65e3f30
--- /dev/null
+++ b/stage3/misc/shadow-pam.d/su
@@ -0,0 +1,16 @@
+# Begin /etc/pam.d/su
+
+# always allow root
+auth sufficient pam_rootok.so
+auth include system-auth
+
+# include the default account settings
+account include system-account
+
+# Set default environment variables for the service user
+session required pam_env.so
+
+# include system session defaults
+session include system-session
+
+# End /etc/pam.d/su
diff --git a/stage3/misc/shadow-pam.d/system-account b/stage3/misc/shadow-pam.d/system-account
new file mode 100644
index 0000000..8a4945c
--- /dev/null
+++ b/stage3/misc/shadow-pam.d/system-account
@@ -0,0 +1,5 @@
+# Begin /etc/pam.d/system-account
+
+account required pam_unix.so
+
+# End /etc/pam.d/system-account
diff --git a/stage3/misc/shadow-pam.d/system-auth b/stage3/misc/shadow-pam.d/system-auth
new file mode 100644
index 0000000..1694ac7
--- /dev/null
+++ b/stage3/misc/shadow-pam.d/system-auth
@@ -0,0 +1,5 @@
+# Begin /etc/pam.d/system-auth
+
+auth required pam_unix.so
+
+# End /etc/pam.d/system-auth
diff --git a/stage3/misc/shadow-pam.d/system-password b/stage3/misc/shadow-pam.d/system-password
new file mode 100644
index 0000000..c2a1684
--- /dev/null
+++ b/stage3/misc/shadow-pam.d/system-password
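Review bot: The su auth stack is `pam_rootok.so` followed by `system-auth` with no `pam_wheel.so`, while the pkg/shadow hunk in this commit comments `SU_WHEEL_ONLY` out of /etc/login.defs — so after this change any local account that learns the root password can su to root, and the previous login.defs knob no longer has any effect. If a wheel-only policy is intended, add `auth required pam_wheel.so use_uid` after the `pam_rootok.so` line, and make sure a `wheel` group exists with the admin accounts in it, otherwise su to root is locked out for everyone but root. If dropping the restriction is intended, a comment saying so next to the `pam_rootok.so` line would stop the next reader from treating it as an oversight.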
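Review bot: `auth required pam_unix.so` is the only module in the shared system-auth stack, so nothing counts or locks out repeated failures; the 3 s `pam_faildelay` in the login file is the only brute-force mitigation, and it does not apply to su, which includes this file directly. If the installed Linux-PAM ships pam_tally2, an `auth required pam_tally2.so deny=5 unlock_time=900` line before `pam_unix.so` (paired with `account required pam_tally2.so` in system-account) would add a lockout; I cannot confirm from this patch that the module is built on this stage, so verify before adopting. If lockout is deliberately left out, the header comment should say so.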
@@ -0,0 +1,7 @@
+# Begin /etc/pam.d/system-password
+
+# use sha512 hash for encryption, use shadow, and try to use any previously
+# defined authentication token (chosen password) set by any prior module
+password required pam_unix.so sha512 shadow try_first_pass
+
+# End /etc/pam.d/system-password
diff --git a/stage3/misc/shadow-pam.d/system-session b/stage3/misc/shadow-pam.d/system-session
new file mode 100644
index 0000000..7e1d8c8
--- /dev/null
+++ b/stage3/misc/shadow-pam.d/system-session
@@ -0,0 +1,5 @@
+# Begin /etc/pam.d/system-session
+
+session required pam_unix.so
+
+# End /etc/pam.d/system-session
diff --git a/stage3/packages-update b/stage3/packages-update
index cb99a2e..de074d9 100755
--- a/stage3/packages-update
+++ b/stage3/packages-update
@@ -8,6 +8,9 @@ source ../functions/main update_packages_init ${*} +# These packages were already downloaded for stage2: +lpkg 2 ${SHADOW} + +# These packages are only for stage3 fpkg -m gnu ${WHICH} fpkg -e "tar.gz" ${BASHCOMPLETION} "http://www.caliban.org/files/bash"
diff --git a/stage3/pkg/shadow b/stage3/pkg/shadow
new file mode 100644
index 0000000..63850f0
--- /dev/null
+++ b/stage3/pkg/shadow
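Review bot: `password required pam_unix.so sha512 shadow try_first_pass` enforces no password quality at all, and the pkg/shadow hunk in this commit comments `PASS_MIN_LEN`, `OBSCURE_CHECKS_ENAB`, `CRACKLIB_DICTPATH` and `PASS_CHANGE_TRIES` out of /etc/login.defs, so the checks shadow used to apply are removed without a PAM replacement — and this file is what passwd, login and the chage-derived services all include. The lightest fix needing no extra library is pam_unix's own options, per pam_unix(8): `password required pam_unix.so sha512 shadow obscure minlen=8 remember=5 try_first_pass`; pam_cracklib in front of it is the stronger choice if that library is available on this stage. As far as I recall pam_unix skips these checks when root sets another user's password, so they constrain self-service changes only. The comment above the line should also note that `sha512` here is what replaces the `ENCRYPT_METHOD` setting being commented out of login.defs.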
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+hvconfig_pre()
+{
+ CONFIGURE_OPTS="\
+ ${CONFIGURE_OPTS} \
+ --without-selinux"
+
+ cd ${LFS_TMP}/${PACKAGE}
+
+ # Disable the installation of the groups program and its man page, as
+ # Coreutils provides a better version.
+ sed -i 's/groups$(EXEEXT) //' src/Makefile.in
+ find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;
+
+ # Instead of using the default crypt method, use the more secure SHA-512 method
+ # of password encryption, which also allows passwords longer than 8 characters.
+ # It is also necessary to change the obsolete /var/spool/mail location for user
+ # mailboxes that Shadow uses by default to the /var/mail location used currently:
+ sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
+ -e 's@/var/spool/mail@/var/mail@' /etc/login.defs
+}
+
+hvbuild_post()
+{
+ # Expands PATH to /usr/local/bin for normal and root user and to
+ # /usr/local/sbin for root user only:
+ sed -i -e 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&:/usr/local/sbin:/usr/local/bin@' \
+ -e 's@PATH=/bin:/usr/bin@&:/usr/local/bin@' /etc/login.defs
+
+ # Move some misplaced symlinks/programs to their proper locations.
+ mv /usr/bin/passwd /bin
+
+ # Disable creation of mailbox files by useradd:
+ sed -i 's/yes/no/' /etc/default/useradd
+
+ # Configure Linux-PAM:
+ install -v -m644 /etc/login.defs /etc/login.defs.orig
+ for FUNCTION in FAIL_DELAY FAILLOG_ENAB \
+ LASTLOG_ENAB \
+ MAIL_CHECK_ENAB \
+ OBSCURE_CHECKS_ENAB \
+ PORTTIME_CHECKS_ENAB \
+ QUOTAS_ENAB \
+ CONSOLE MOTD_FILE \
+ FTMP_FILE NOLOGINS_FILE \
+ ENV_HZ PASS_MIN_LEN \
+ SU_WHEEL_ONLY \
+ CRACKLIB_DICTPATH \
+ PASS_CHANGE_TRIES \
+ PASS_ALWAYS_WARN \
+ CHFN_AUTH ENCRYPT_METHOD \
+ ENVIRON_FILE
+ do
+ sed -i "s/^${FUNCTION}/# &/" /etc/login.defs
+ done
+
+ install -v -m644 ${SCRDIR}/misc/shadow-pam.d/* /etc/pam.d/
+
+ for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
+ groupmems groupmod newusers useradd userdel usermod
+ do
+ install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
+ sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
+ done
+
+ # Configuring Login Access
+ # Instead of using the /etc/login.access file for controlling access to the
+ # system, Linux-PAM uses the pam_access.so module along with the
+ # /etc/security/access.conf file. Rename the /etc/login.access file:
+ [ -f /etc/login.access ] && mv -v /etc/login.access{,.NOUSE}
+
+ # Configuring Resource Limits
+ # Instead of using the /etc/limits file for limiting usage of system
+ # resources, Linux-PAM uses the pam_limits.so module along with the
+ # /etc/security/limits.conf file. Rename the /etc/limits file:
+ [ -f /etc/limits ] && mv -v /etc/limits{,.NOUSE}
+}
-- 
2.20.1
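Review bot: In `hvconfig_pre` the ENCRYPT_METHOD and `/var/mail` sed runs against the absolute path `/etc/login.defs` right after `cd ${LFS_TMP}/${PACKAGE}`, whereas the neighbouring `src/Makefile.in` and `man` edits target the unpacked source tree; if `make install` later installs the package's own `etc/login.defs` over the live one, the `/var/mail` change is lost and nothing in `hvbuild_post` re-applies it (ENCRYPT_METHOD gets re-commented there anyway), so the edit should read `sed -i -e '…' -e '…' etc/login.defs`. Separately, `hvbuild_post` ends with `[ -f /etc/limits ] && mv -v /etc/limits{,.NOUSE}`, so the hook returns 1 whenever /etc/limits is absent — harmless or fatal depending on how the framework treats the hook's status, which I cannot see from this patch; `if [ -f /etc/limits ]; then mv -v /etc/limits{,.NOUSE}; fi` (and the same for login.access) removes the ambiguity. `sed -i 's/yes/no/' /etc/default/useradd` rewrites the first `yes` on every line of that file rather than only the mail-spool setting; `sed -i 's/^CREATE_MAIL_SPOOL=yes/CREATE_MAIL_SPOOL=no/' /etc/default/useradd` is the targeted form. Finally `s/^${FUNCTION}/# &/` is a prefix match, so `CONSOLE` would also comment a `CONSOLE_GROUPS` line if one is ever uncommented; `s/^${FUNCTION}[[:space:]]/# &/` limits it to the intended key.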