diff options
Diffstat (limited to 'poky/meta/recipes-extended/pam/libpam')
15 files changed, 984 insertions, 0 deletions
diff --git a/poky/meta/recipes-extended/pam/libpam/0001-Add-support-for-defining-missing-funcitonality.patch b/poky/meta/recipes-extended/pam/libpam/0001-Add-support-for-defining-missing-funcitonality.patch new file mode 100644 index 000000000..c55b64813 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/0001-Add-support-for-defining-missing-funcitonality.patch @@ -0,0 +1,68 @@ +From 45d1ed58927593968faead7dbb295f3922f41a2f Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 8 Aug 2015 14:16:43 -0700 +Subject: [PATCH] Add support for defining missing funcitonality + +In order to support alternative libc on linux ( musl, bioninc ) etc we +need to check for glibc-only features and provide alternatives, in this +list strndupa is first one, when configure detects that its not included +in system C library then the altrnative implementation from missing.h is +used + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- +Upstream-Status: Pending + + configure.ac | 3 +++ + libpam/include/missing.h | 12 ++++++++++++ + modules/pam_exec/pam_exec.c | 1 + + 3 files changed, 16 insertions(+) + create mode 100644 libpam/include/missing.h + +diff --git a/configure.ac b/configure.ac +index 9e1257f..cbed979 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -599,6 +599,9 @@ dnl + AC_CHECK_DECL(__NR_keyctl, [have_key_syscalls=1],[have_key_syscalls=0],[#include <sys/syscall.h>]) + AC_CHECK_DECL(ENOKEY, [have_key_errors=1],[have_key_errors=0],[#include <errno.h>]) + ++# musl and bionic don't have strndupa ++AC_CHECK_DECLS_ONCE([strndupa]) ++ + HAVE_KEY_MANAGEMENT=0 + if test $have_key_syscalls$have_key_errors = 11 + then +diff --git a/libpam/include/missing.h b/libpam/include/missing.h +new file mode 100644 +index 0000000..3cf011c +--- /dev/null ++++ b/libpam/include/missing.h +@@ -0,0 +1,12 @@ ++#pragma once ++ ++#if !HAVE_DECL_STRNDUPA ++#define strndupa(s, n) \ ++ ({ \ ++ const char *__old = (s); \ ++ size_t __len = strnlen(__old, (n)); \ ++ char *__new = alloca(__len + 1); \ ++ __new[__len] = '\0'; \ ++ memcpy(__new, __old, __len); \ ++ }) ++#endif +diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c +index 17ba6ca..3aa2694 100644 +--- a/modules/pam_exec/pam_exec.c ++++ b/modules/pam_exec/pam_exec.c +@@ -59,6 +59,7 @@ + #include <security/pam_modutil.h> + #include <security/pam_ext.h> + #include <security/_pam_macros.h> ++#include <missing.h> + + #define ENV_ITEM(n) { (n), #n } + static struct { +-- +2.1.4 + diff --git a/poky/meta/recipes-extended/pam/libpam/99_pam b/poky/meta/recipes-extended/pam/libpam/99_pam new file mode 100644 index 000000000..97e990d10 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/99_pam @@ -0,0 +1 @@ +d root root 0755 /var/run/sepermit none diff --git a/poky/meta/recipes-extended/pam/libpam/crypt_configure.patch b/poky/meta/recipes-extended/pam/libpam/crypt_configure.patch new file mode 100644 index 000000000..917a8af64 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/crypt_configure.patch @@ -0,0 +1,40 @@ +From b86575ab4a0df07da160283459da270e1c0372a0 Mon Sep 17 00:00:00 2001 +From: "Maxin B. John" <maxin.john@intel.com> +Date: Tue, 24 May 2016 14:11:09 +0300 +Subject: [PATCH] crypt_configure + +This patch fixes a case where it find crypt defined in libc (musl) but +not in specified libraries then it ends up assigning +LIBCRYPT="-l" which then goes into makefile cause all sort of problems +e.g. + +ld: cannot find -l-m32 +| collect2: error: ld returned 1 exit status +The reason is that -l appears on commandline with +out any library and compiler treats the next argument as library name +whatever it is. + +Upstream-Status: Pending + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Signed-off-by: Maxin B. John <maxin.john@intel.com> +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index df39d07..e68d856 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -401,7 +401,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"], + [crypt_libs="crypt"]) + + BACKUP_LIBS=$LIBS +-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="") ++AC_SEARCH_LIBS([crypt],[$crypt_libs], [test "$ac_cv_search_crypt" = "none required" || LIBCRYPT="$ac_cv_search_crypt"]) + AC_CHECK_FUNCS(crypt_r crypt_gensalt_r) + LIBS=$BACKUP_LIBS + AC_SUBST(LIBCRYPT) +-- +2.4.0 + diff --git a/poky/meta/recipes-extended/pam/libpam/fixsepbuild.patch b/poky/meta/recipes-extended/pam/libpam/fixsepbuild.patch new file mode 100644 index 000000000..8a9c3b2fa --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/fixsepbuild.patch @@ -0,0 +1,24 @@ +Fix the build error when a separate build directory is used: + +Making install in xtestsmake[1]: Entering directory `/media/build1/poky/build1/tmp/work/i586-poky-linux/libpam/1.1.6-r2/build/xtests'/usr/bin/install -c -d /media/build1/poky/build1/tmp/work/i586-poky-linux/libpam/1.1.6-r2/image/usr/share/Linux-PAM/xtestsfor file in run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd tst-pam_dispatch5.pamd tst-pam_cracklib1.pamd tst-pam_cracklib2.pamd tst-pam_unix1.pamd tst-pam_unix2.pamd tst-pam_unix3.pamd tst-pam_unix4.pamd tst-pam_unix1.sh tst-pam_unix2.sh tst-pam_unix3.sh tst-pam_unix4.sh access.conf tst-pam_access1.pamd tst-pam_access1.sh tst-pam_access2.pamd tst-pam_access2.sh tst-pam_access3.pamd tst-pam_access3.sh tst-pam_access4.pamd tst-pam_access4.sh limits.conf tst-pam_limits1.pamd tst-pam_limits1.sh tst-pam_succeed_if1.pamd tst-pam_succeed_if1.sh group.conf tst-pam_group1.pamd tst-pam_group1.sh tst-pam_authfail.pamd tst-pam_authsucceed.pamd tst-pam_substack1.pamd tst-pam_substack1a.pamd tst-pam_substack1.sh tst-pam_substack2.pamd tst-pam_substack2a.pamd tst-pam_substack2.sh tst-pam_substack3.pamd tst-pam_substack3a.pamd tst-pam_substack3.sh tst-pam_substack4.pamd tst-pam_substack4a.pamd tst-pam_substack4.sh tst-pam_substack5.pamd tst-pam_substack5a.pamd tst-pam_substack5.sh tst-pam_assemble_line1.pamd tst-pam_assemble_line1.sh tst-pam_pwhistory1.pamd tst-pam_pwhistory1.sh tst-pam_time1.pamd time.conf ; do \/usr/bin/install -c $file /media/build1/poky/build1/tmp/work/i586-poky-linux/libpam/1.1.6-r2/image/usr/share/Linux-PAM/xtests ; \ done +/usr/bin/install: cannot stat `run-xtests.sh': No such file or directory +/usr/bin/install: cannot stat `tst-pam_dispatch1.pamd': No such file or directory +/usr/bin/install: cannot stat `tst-pam_dispatch2.pamd': No such file or directory + +Upstream-Status: Pending + +RP 2013/03/21 + +Index: Linux-PAM-1.1.6/xtests/Makefile.am +=================================================================== +--- Linux-PAM-1.1.6.orig/xtests/Makefile.am 2013-03-08 12:26:30.360266000 +0000 ++++ Linux-PAM-1.1.6/xtests/Makefile.am 2013-03-21 11:39:58.557166650 +0000 +@@ -59,7 +59,7 @@ + install_xtests: + $(INSTALL) -d $(DESTDIR)$(pkgdatadir)/xtests + for file in $(EXTRA_DIST) ; do \ +- $(INSTALL) $$file $(DESTDIR)$(pkgdatadir)/xtests ; \ ++ $(INSTALL) $(srcdir)/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \ + done + for file in $(XTESTS); do \ + $(INSTALL) .libs/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \ diff --git a/poky/meta/recipes-extended/pam/libpam/include_paths_header.patch b/poky/meta/recipes-extended/pam/libpam/include_paths_header.patch new file mode 100644 index 000000000..e4eb95669 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/include_paths_header.patch @@ -0,0 +1,59 @@ +This patch adds missing include for paths.h which should provide +_PATH_LASTLOG definition + +Upstream-Status: Pending + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Index: Linux-PAM-1.1.6/modules/pam_lastlog/pam_lastlog.c +=================================================================== +--- Linux-PAM-1.1.6.orig/modules/pam_lastlog/pam_lastlog.c ++++ Linux-PAM-1.1.6/modules/pam_lastlog/pam_lastlog.c +@@ -23,9 +23,11 @@ + #include <stdarg.h> + #include <stdio.h> + #include <string.h> ++#include <sys/file.h> + #include <sys/types.h> + #include <syslog.h> + #include <unistd.h> ++#include <paths.h> + + #if defined(hpux) || defined(sunos) || defined(solaris) + # ifndef _PATH_LASTLOG +@@ -332,6 +334,23 @@ last_login_read(pam_handle_t *pamh, int + return retval; + } + ++#ifndef __GLIBC__ ++static void logwtmp(const char * line, const char * name, const char * host) ++{ ++ struct utmp u; ++ memset(&u, 0, sizeof(u)); ++ ++ u.ut_pid = getpid(); ++ u.ut_type = name[0] ? USER_PROCESS : DEAD_PROCESS; ++ strncpy(u.ut_line, line, sizeof(u.ut_line)); ++ strncpy(u.ut_name, name, sizeof(u.ut_name)); ++ strncpy(u.ut_host, host, sizeof(u.ut_host)); ++ gettimeofday(&(u.ut_tv), NULL); ++ ++ updwtmp(_PATH_WTMP, &u); ++} ++#endif /* __GLIBC__ */ ++ + static int + last_login_write(pam_handle_t *pamh, int announce, int last_fd, + uid_t uid, const char *user) +Index: Linux-PAM-1.1.6/modules/Makefile.am +=================================================================== +--- Linux-PAM-1.1.6.orig/modules/Makefile.am ++++ Linux-PAM-1.1.6/modules/Makefile.am +@@ -7,7 +7,7 @@ SUBDIRS = pam_access pam_cracklib pam_de + pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ + pam_listfile pam_localuser pam_loginuid pam_mail \ + pam_mkhomedir pam_motd pam_namespace pam_nologin \ +- pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ ++ pam_permit pam_pwhistory pam_rootok pam_securetty \ + pam_selinux pam_sepermit pam_shells pam_stress \ + pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ + pam_tty_audit pam_umask \ diff --git a/poky/meta/recipes-extended/pam/libpam/libpam-xtests-remove-bash-dependency.patch b/poky/meta/recipes-extended/pam/libpam/libpam-xtests-remove-bash-dependency.patch new file mode 100644 index 000000000..680029ae0 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/libpam-xtests-remove-bash-dependency.patch @@ -0,0 +1,226 @@ +From 555407ff6e2f742df64ae93859f14a0fc1397829 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan <wenzong.fan@windriver.com> +Date: Fri, 12 Sep 2014 05:35:05 -0400 +Subject: [PATCH] libpam/xtests: remove bash dependency + +There's not bash specific syntax in the xtest scripts: + + # after below patches applied: + $ cd Linux-PAM-1.1.6/xtests + $ checkbashisms *.sh + No output + +Just remove the runtime dependency to bash. + +Upstream-Status: Pending + +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> +--- + xtests/run-xtests.sh | 2 +- + xtests/tst-pam_access1.sh | 2 +- + xtests/tst-pam_access2.sh | 2 +- + xtests/tst-pam_access3.sh | 2 +- + xtests/tst-pam_access4.sh | 2 +- + xtests/tst-pam_assemble_line1.sh | 2 +- + xtests/tst-pam_group1.sh | 2 +- + xtests/tst-pam_limits1.sh | 2 +- + xtests/tst-pam_pwhistory1.sh | 2 +- + xtests/tst-pam_substack1.sh | 2 +- + xtests/tst-pam_substack2.sh | 2 +- + xtests/tst-pam_substack3.sh | 2 +- + xtests/tst-pam_substack4.sh | 2 +- + xtests/tst-pam_substack5.sh | 2 +- + xtests/tst-pam_succeed_if1.sh | 2 +- + xtests/tst-pam_unix1.sh | 2 +- + xtests/tst-pam_unix2.sh | 2 +- + xtests/tst-pam_unix3.sh | 2 +- + xtests/tst-pam_unix4.sh | 2 +- + 19 files changed, 19 insertions(+), 19 deletions(-) + +diff --git a/xtests/run-xtests.sh b/xtests/run-xtests.sh +index 3a89057..1cf8684 100755 +--- a/xtests/run-xtests.sh ++++ b/xtests/run-xtests.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + SRCDIR=$1 + shift 1 +diff --git a/xtests/tst-pam_access1.sh b/xtests/tst-pam_access1.sh +index 180d256..70521d2 100755 +--- a/xtests/tst-pam_access1.sh ++++ b/xtests/tst-pam_access1.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/groupadd tstpamaccess + /usr/sbin/useradd -G tstpamaccess -p '!!' tstpamaccess1 +diff --git a/xtests/tst-pam_access2.sh b/xtests/tst-pam_access2.sh +index 0a30275..7e3e60f 100755 +--- a/xtests/tst-pam_access2.sh ++++ b/xtests/tst-pam_access2.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/groupadd tstpamaccess + /usr/sbin/useradd -p '!!' tstpamaccess2 +diff --git a/xtests/tst-pam_access3.sh b/xtests/tst-pam_access3.sh +index 348e0c3..3630e2e 100755 +--- a/xtests/tst-pam_access3.sh ++++ b/xtests/tst-pam_access3.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/useradd -p '!!' tstpamaccess3 + ./tst-pam_access3 +diff --git a/xtests/tst-pam_access4.sh b/xtests/tst-pam_access4.sh +index 61e7b44..4538df4 100755 +--- a/xtests/tst-pam_access4.sh ++++ b/xtests/tst-pam_access4.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/useradd -p '!!' tstpamaccess4 + ./tst-pam_access4 +diff --git a/xtests/tst-pam_assemble_line1.sh b/xtests/tst-pam_assemble_line1.sh +index 248d47e..dc2a675 100755 +--- a/xtests/tst-pam_assemble_line1.sh ++++ b/xtests/tst-pam_assemble_line1.sh +@@ -1,3 +1,3 @@ +-#!/bin/bash ++#!/bin/sh + + exec ./tst-pam_authfail tst-pam_assemble_line1 +diff --git a/xtests/tst-pam_group1.sh b/xtests/tst-pam_group1.sh +index b76377f..44faca9 100755 +--- a/xtests/tst-pam_group1.sh ++++ b/xtests/tst-pam_group1.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/groupadd tstpamgrpg + /usr/sbin/useradd -p '!!' tstpamgrp +diff --git a/xtests/tst-pam_limits1.sh b/xtests/tst-pam_limits1.sh +index 4faa822..32c021d 100755 +--- a/xtests/tst-pam_limits1.sh ++++ b/xtests/tst-pam_limits1.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/useradd -p '!!' tstpamlimits + ./tst-pam_limits1 +diff --git a/xtests/tst-pam_pwhistory1.sh b/xtests/tst-pam_pwhistory1.sh +index ddb3b8b..0f212e2 100644 +--- a/xtests/tst-pam_pwhistory1.sh ++++ b/xtests/tst-pam_pwhistory1.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/useradd tstpampwhistory + ./tst-pam_pwhistory1 +diff --git a/xtests/tst-pam_substack1.sh b/xtests/tst-pam_substack1.sh +index 5260175..f1b72a7 100755 +--- a/xtests/tst-pam_substack1.sh ++++ b/xtests/tst-pam_substack1.sh +@@ -1,3 +1,3 @@ +-#!/bin/bash ++#!/bin/sh + + exec ./tst-pam_authfail tst-pam_substack1 +diff --git a/xtests/tst-pam_substack2.sh b/xtests/tst-pam_substack2.sh +index c02f597..3804fa7 100755 +--- a/xtests/tst-pam_substack2.sh ++++ b/xtests/tst-pam_substack2.sh +@@ -1,3 +1,3 @@ +-#!/bin/bash ++#!/bin/sh + + exec ./tst-pam_authsucceed tst-pam_substack2 +diff --git a/xtests/tst-pam_substack3.sh b/xtests/tst-pam_substack3.sh +index 0e572aa..aa48e8e 100755 +--- a/xtests/tst-pam_substack3.sh ++++ b/xtests/tst-pam_substack3.sh +@@ -1,3 +1,3 @@ +-#!/bin/bash ++#!/bin/sh + + exec ./tst-pam_authsucceed tst-pam_substack3 +diff --git a/xtests/tst-pam_substack4.sh b/xtests/tst-pam_substack4.sh +index a3ef08a..958a07a 100755 +--- a/xtests/tst-pam_substack4.sh ++++ b/xtests/tst-pam_substack4.sh +@@ -1,3 +1,3 @@ +-#!/bin/bash ++#!/bin/sh + + exec ./tst-pam_authsucceed tst-pam_substack4 +diff --git a/xtests/tst-pam_substack5.sh b/xtests/tst-pam_substack5.sh +index e2714fd..7e0da74 100755 +--- a/xtests/tst-pam_substack5.sh ++++ b/xtests/tst-pam_substack5.sh +@@ -1,3 +1,3 @@ +-#!/bin/bash ++#!/bin/sh + + exec ./tst-pam_authfail tst-pam_substack5 +diff --git a/xtests/tst-pam_succeed_if1.sh b/xtests/tst-pam_succeed_if1.sh +index a643b2e..58e57b4 100755 +--- a/xtests/tst-pam_succeed_if1.sh ++++ b/xtests/tst-pam_succeed_if1.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/useradd -p '!!' tstpamtest + /usr/sbin/useradd -p '!!' pamtest +diff --git a/xtests/tst-pam_unix1.sh b/xtests/tst-pam_unix1.sh +index f75bd84..72deac0 100755 +--- a/xtests/tst-pam_unix1.sh ++++ b/xtests/tst-pam_unix1.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + /usr/sbin/useradd -p '!!' tstpamunix + ./tst-pam_unix1 +diff --git a/xtests/tst-pam_unix2.sh b/xtests/tst-pam_unix2.sh +index 7093155..c04d6e6 100755 +--- a/xtests/tst-pam_unix2.sh ++++ b/xtests/tst-pam_unix2.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # pamunix0 = 0aXKZztA.d1KY + /usr/sbin/useradd -p 0aXKZztA.d1KY tstpamunix +diff --git a/xtests/tst-pam_unix3.sh b/xtests/tst-pam_unix3.sh +index ef4a07c..b52db2b 100755 +--- a/xtests/tst-pam_unix3.sh ++++ b/xtests/tst-pam_unix3.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # pamunix01 = 0aXKZztA.d1KYIuFXArmd2jU + /usr/sbin/useradd -p 0aXKZztA.d1KYIuFXArmd2jU tstpamunix +diff --git a/xtests/tst-pam_unix4.sh b/xtests/tst-pam_unix4.sh +index 787c2f9..e7976fd 100755 +--- a/xtests/tst-pam_unix4.sh ++++ b/xtests/tst-pam_unix4.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # pamunix01 = 0aXKZztA.d1KYIuFXArmd2jU + /usr/sbin/useradd -p 0aXKZztA.d1KYIuFXArmd2jU tstpamunix +-- +1.7.9.5 + diff --git a/poky/meta/recipes-extended/pam/libpam/libpam-xtests.patch b/poky/meta/recipes-extended/pam/libpam/libpam-xtests.patch new file mode 100644 index 000000000..7edf66f91 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/libpam-xtests.patch @@ -0,0 +1,37 @@ +This patch is used to create a new sub package libpam-xtests to do more checks. + +Upstream-Status: Pending + +Signed-off-by: Kang Kai <kai.kang@windriver.com> +Index: Linux-PAM-1.3.0/xtests/Makefile.am +=================================================================== +--- Linux-PAM-1.3.0.orig/xtests/Makefile.am ++++ Linux-PAM-1.3.0/xtests/Makefile.am +@@ -7,7 +7,7 @@ AM_CFLAGS = -DLIBPAM_COMPILE -I$(top_src + LDADD = $(top_builddir)/libpam/libpam.la \ + $(top_builddir)/libpam_misc/libpam_misc.la + +-CLEANFILES = *~ $(XTESTS) ++CLEANFILES = *~ + + EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \ + tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd \ +@@ -51,3 +51,18 @@ EXTRA_PROGRAMS = $(XTESTS) + + xtests: $(XTESTS) run-xtests.sh + "$(srcdir)"/run-xtests.sh "$(srcdir)" ${XTESTS} ${NOSRCTESTS} ++ ++all: $(XTESTS) ++ ++install: install_xtests ++ ++install_xtests: ++ $(INSTALL) -d $(DESTDIR)$(pkgdatadir)/xtests ++ for file in $(EXTRA_DIST) ; do \ ++ $(INSTALL) $$file $(DESTDIR)$(pkgdatadir)/xtests ; \ ++ done ++ for file in $(XTESTS); do \ ++ $(INSTALL) .libs/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \ ++ done ++ ++.PHONY: all install_xtests diff --git a/poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch b/poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch new file mode 100644 index 000000000..9b8d4c297 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch @@ -0,0 +1,203 @@ +Description: extract the securetty logic for use with the "nullok_secure" option + introduced in the "055_pam_unix_nullok_secure" patch. + +Upstream-Status: Pending + +Signed-off-by: Ming Liu <ming.liu@windriver.com> +=================================================================== +Index: Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am +=================================================================== +--- Linux-PAM-1.3.0.orig/modules/pam_securetty/Makefile.am ++++ Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am +@@ -24,6 +24,10 @@ endif + securelib_LTLIBRARIES = pam_securetty.la + pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la + ++pam_securetty_la_SOURCES = \ ++ pam_securetty.c \ ++ tty_secure.c ++ + if ENABLE_REGENERATE_MAN + noinst_DATA = README + README: pam_securetty.8.xml +Index: Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c +=================================================================== +--- Linux-PAM-1.3.0.orig/modules/pam_securetty/pam_securetty.c ++++ Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c +@@ -1,7 +1,5 @@ + /* pam_securetty module */ + +-#define SECURETTY_FILE "/etc/securetty" +-#define TTY_PREFIX "/dev/" + #define CMDLINE_FILE "/proc/cmdline" + #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" + +@@ -40,6 +38,9 @@ + #include <security/pam_modutil.h> + #include <security/pam_ext.h> + ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ + #define PAM_DEBUG_ARG 0x0001 + #define PAM_NOCONSOLE_ARG 0x0002 + +@@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *p + const char *username; + const char *uttyname; + const void *void_uttyname; +- char ttyfileline[256]; +- char ptname[256]; +- struct stat ttyfileinfo; + struct passwd *user_pwd; +- FILE *ttyfile; + + /* log a trail for debugging */ + if (ctrl & PAM_DEBUG_ARG) { +@@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *p + return PAM_SERVICE_ERR; + } + +- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ +- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { +- uttyname += sizeof(TTY_PREFIX)-1; +- } +- +- if (stat(SECURETTY_FILE, &ttyfileinfo)) { +- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE); +- return PAM_SUCCESS; /* for compatibility with old securetty handling, +- this needs to succeed. But we still log the +- error. */ +- } +- +- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { +- /* If the file is world writable or is not a +- normal file, return error */ +- pam_syslog(pamh, LOG_ERR, +- "%s is either world writable or not a normal file", +- SECURETTY_FILE); +- return PAM_AUTH_ERR; +- } +- +- ttyfile = fopen(SECURETTY_FILE,"r"); +- if (ttyfile == NULL) { /* Check that we opened it successfully */ +- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); +- return PAM_SERVICE_ERR; +- } +- +- if (isdigit(uttyname[0])) { +- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); +- } else { +- ptname[0] = '\0'; +- } +- +- retval = 1; +- +- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL) +- && retval) { +- if (ttyfileline[strlen(ttyfileline) - 1] == '\n') +- ttyfileline[strlen(ttyfileline) - 1] = '\0'; +- +- retval = ( strcmp(ttyfileline, uttyname) +- && (!ptname[0] || strcmp(ptname, uttyname)) ); +- } +- fclose(ttyfile); ++ retval = _pammodutil_tty_secure(pamh, uttyname); + + if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) { + FILE *cmdlinefile; +Index: Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c +=================================================================== +--- /dev/null ++++ Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c +@@ -0,0 +1,90 @@ ++/* ++ * A function to determine if a particular line is in /etc/securetty ++ */ ++ ++ ++#define SECURETTY_FILE "/etc/securetty" ++#define TTY_PREFIX "/dev/" ++ ++/* This function taken out of pam_securetty by Sam Hartman ++ * <hartmans@debian.org>*/ ++/* ++ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. ++ * July 25, 1996. ++ * Slight modifications AGM. 1996/12/3 ++ */ ++ ++#include <unistd.h> ++#include <sys/types.h> ++#include <sys/stat.h> ++#include <security/pam_modules.h> ++#include <stdarg.h> ++#include <syslog.h> ++#include <sys/syslog.h> ++#include <stdio.h> ++#include <string.h> ++#include <stdlib.h> ++#include <ctype.h> ++#include <security/pam_modutil.h> ++#include <security/pam_ext.h> ++ ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ ++int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname) ++{ ++ int retval = PAM_AUTH_ERR; ++ char ttyfileline[256]; ++ char ptname[256]; ++ struct stat ttyfileinfo; ++ FILE *ttyfile; ++ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ ++ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) ++ uttyname += sizeof(TTY_PREFIX)-1; ++ ++ if (stat(SECURETTY_FILE, &ttyfileinfo)) { ++ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", ++ SECURETTY_FILE); ++ return PAM_SUCCESS; /* for compatibility with old securetty handling, ++ this needs to succeed. But we still log the ++ error. */ ++ } ++ ++ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { ++ /* If the file is world writable or is not a ++ normal file, return error */ ++ pam_syslog(pamh, LOG_ERR, ++ "%s is either world writable or not a normal file", ++ SECURETTY_FILE); ++ return PAM_AUTH_ERR; ++ } ++ ++ ttyfile = fopen(SECURETTY_FILE,"r"); ++ if(ttyfile == NULL) { /* Check that we opened it successfully */ ++ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE); ++ return PAM_SERVICE_ERR; ++ } ++ ++ if (isdigit(uttyname[0])) { ++ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); ++ } else { ++ ptname[0] = '\0'; ++ } ++ ++ retval = 1; ++ ++ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) ++ && retval) { ++ if(ttyfileline[strlen(ttyfileline) - 1] == '\n') ++ ttyfileline[strlen(ttyfileline) - 1] = '\0'; ++ retval = ( strcmp(ttyfileline,uttyname) ++ && (!ptname[0] || strcmp(ptname, uttyname)) ); ++ } ++ fclose(ttyfile); ++ ++ if(retval) { ++ retval = PAM_AUTH_ERR; ++ } ++ ++ return retval; ++} diff --git a/poky/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/poky/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch new file mode 100644 index 000000000..d2cc66882 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch @@ -0,0 +1,195 @@ +From b6545b83f94c5fb7aec1478b8d458a1393f479c8 Mon Sep 17 00:00:00 2001 +From: "Maxin B. John" <maxin.john@intel.com> +Date: Wed, 25 May 2016 14:12:25 +0300 +Subject: [PATCH] pam_unix: support 'nullok_secure' option + +Debian patch to add a new 'nullok_secure' option to pam_unix, +which accepts users with null passwords only when the applicant is +connected from a tty listed in /etc/securetty. + +Authors: Sam Hartman <hartmans@debian.org>, + Steve Langasek <vorlon@debian.org> + +Upstream-Status: Pending + +Signed-off-by: Ming Liu <ming.liu@windriver.com> +Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com> +Signed-off-by: Maxin B. John <maxin.john@intel.com> +--- + modules/pam_unix/Makefile.am | 3 ++- + modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++- + modules/pam_unix/support.c | 40 +++++++++++++++++++++++++++++++++++----- + modules/pam_unix/support.h | 8 ++++++-- + 4 files changed, 61 insertions(+), 9 deletions(-) + +diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am +index 56df178..2bba460 100644 +--- a/modules/pam_unix/Makefile.am ++++ b/modules/pam_unix/Makefile.am +@@ -30,7 +30,8 @@ if HAVE_VERSIONING + pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + endif + pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \ +- @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ ++ @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ \ ++ ../pam_securetty/tty_secure.lo + + securelib_LTLIBRARIES = pam_unix.la + +diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml +index 1b318f1..be0330e 100644 +--- a/modules/pam_unix/pam_unix.8.xml ++++ b/modules/pam_unix/pam_unix.8.xml +@@ -159,7 +159,24 @@ + <para> + The default action of this module is to not permit the + user access to a service if their official password is blank. +- The <option>nullok</option> argument overrides this default. ++ The <option>nullok</option> argument overrides this default ++ and allows any user with a blank password to access the ++ service. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>nullok_secure</option> ++ </term> ++ <listitem> ++ <para> ++ The default action of this module is to not permit the ++ user access to a service if their official password is blank. ++ The <option>nullok_secure</option> argument overrides this ++ default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of ++ the values found in /etc/securetty. + </para> + </listitem> + </varlistentry> +diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c +index fc8595e..29e3341 100644 +--- a/modules/pam_unix/support.c ++++ b/modules/pam_unix/support.c +@@ -183,13 +183,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, + /* now parse the arguments to this module */ + + for (; argc-- > 0; ++argv) { ++ int sl; + + D(("pam_unix arg: %s", *argv)); + + for (j = 0; j < UNIX_CTRLS_; ++j) { +- if (unix_args[j].token +- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) { +- break; ++ if (unix_args[j].token) { ++ sl = strlen(unix_args[j].token); ++ if (unix_args[j].token[sl-1] == '=') { ++ /* exclude argument from comparison */ ++ if (!strncmp(*argv, unix_args[j].token, sl)) ++ break; ++ } else { ++ /* compare full strings */ ++ if (!strcmp(*argv, unix_args[j].token)) ++ break; ++ } + } + } + +@@ -560,6 +569,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, + if (child == 0) { + static char *envp[] = { NULL }; + const char *args[] = { NULL, NULL, NULL, NULL }; ++ int nullok = off(UNIX__NONULL, ctrl); + + /* XXX - should really tidy up PAM here too */ + +@@ -587,7 +597,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, + /* exec binary helper */ + args[0] = CHKPWD_HELPER; + args[1] = user; +- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */ ++ if (on(UNIX_NULLOK_SECURE, ctrl)) { ++ const void *uttyname; ++ retval = pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval != PAM_SUCCESS || uttyname == NULL ++ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) { ++ nullok = 0; ++ } ++ } ++ ++ if (nullok) { + args[2]="nullok"; + } else { + args[2]="nonull"; +@@ -672,6 +691,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) + if (on(UNIX__NONULL, ctrl)) + return 0; /* will fail but don't let on yet */ + ++ if (on(UNIX_NULLOK_SECURE, ctrl)) { ++ int retval2; ++ const void *uttyname; ++ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval2 != PAM_SUCCESS || uttyname == NULL) ++ return 0; ++ ++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) ++ return 0; ++ } ++ + /* UNIX passwords area */ + + retval = get_pwd_hash(pamh, name, &pwd, &salt); +@@ -758,7 +788,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name + } + } + } else { +- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl)); ++ retval = verify_pwd_hash(p, salt, _unix_blankpasswd(pamh, ctrl, name)); + } + + if (retval == PAM_SUCCESS) { +diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h +index b4c279c..8da4a8e 100644 +--- a/modules/pam_unix/support.h ++++ b/modules/pam_unix/support.h +@@ -98,8 +98,9 @@ typedef struct { + #define UNIX_QUIET 28 /* Don't print informational messages */ + #define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */ + #define UNIX_DES 30 /* DES, default */ ++#define UNIX_NULLOK_SECURE 31 /* NULL passwords allowed only on secure ttys */ + /* -------------- */ +-#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 32 /* number of ctrl arguments defined */ + + #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) + +@@ -117,7 +118,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = + /* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0}, + /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0}, + /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_^(02000000000), 01000, 0}, + /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, + /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, + /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, +@@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = + /* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, + /* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, + /* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1}, ++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(01000), 02000000000, 0}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) +@@ -172,6 +174,8 @@ extern int _unix_read_password(pam_handle_t * pamh + ,const char *data_name + ,const void **pass); + ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname); ++ + extern int _unix_run_verify_binary(pam_handle_t *pamh, + unsigned int ctrl, const char *user, int *daysleft); + #endif /* _PAM_UNIX_SUPPORT_H */ +-- +2.4.0 + diff --git a/poky/meta/recipes-extended/pam/libpam/pam.d/common-account b/poky/meta/recipes-extended/pam/libpam/pam.d/common-account new file mode 100644 index 000000000..316b17337 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/pam.d/common-account @@ -0,0 +1,25 @@ +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authorization modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired in /etc/shadow. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. +# + +# here are the per-package modules (the "Primary" block) +account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so +# here's the fallback if no module succeeds +account requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +account required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/poky/meta/recipes-extended/pam/libpam/pam.d/common-auth b/poky/meta/recipes-extended/pam/libpam/pam.d/common-auth new file mode 100644 index 000000000..460b69f19 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/pam.d/common-auth @@ -0,0 +1,18 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. + +# here are the per-package modules (the "Primary" block) +auth [success=1 default=ignore] pam_unix.so nullok_secure +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) diff --git a/poky/meta/recipes-extended/pam/libpam/pam.d/common-password b/poky/meta/recipes-extended/pam/libpam/pam.d/common-password new file mode 100644 index 000000000..389605732 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/pam.d/common-password @@ -0,0 +1,26 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# +# The "sha512" option enables salted SHA512 passwords. Without this option, +# the default is Unix crypt. Prior releases used the option "md5". +# +# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +# login.defs. +# +# See the pam_unix manpage for other options. + +# here are the per-package modules (the "Primary" block) +password [success=1 default=ignore] pam_unix.so obscure sha512 +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so +# and here are more per-package modules (the "Additional" block) diff --git a/poky/meta/recipes-extended/pam/libpam/pam.d/common-session b/poky/meta/recipes-extended/pam/libpam/pam.d/common-session new file mode 100644 index 000000000..a4a551f71 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/pam.d/common-session @@ -0,0 +1,19 @@ +# +# /etc/pam.d/common-session - session-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of sessions of *any* kind (both interactive and +# non-interactive). +# + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# and here are more per-package modules (the "Additional" block) +session required pam_unix.so diff --git a/poky/meta/recipes-extended/pam/libpam/pam.d/common-session-noninteractive b/poky/meta/recipes-extended/pam/libpam/pam.d/common-session-noninteractive new file mode 100644 index 000000000..b110bb2b4 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/pam.d/common-session-noninteractive @@ -0,0 +1,19 @@ +# +# /etc/pam.d/common-session-noninteractive - session-related modules +# common to all non-interactive services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of all non-interactive sessions. +# + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# and here are more per-package modules (the "Additional" block) +session required pam_unix.so diff --git a/poky/meta/recipes-extended/pam/libpam/pam.d/other b/poky/meta/recipes-extended/pam/libpam/pam.d/other new file mode 100644 index 000000000..ec970ecbe --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/pam.d/other @@ -0,0 +1,24 @@ +# +# /etc/pam.d/other - specify the PAM fallback behaviour +# +# Note that this file is used for any unspecified service; for example +#if /etc/pam.d/cron specifies no session modules but cron calls +#pam_open_session, the session module out of /etc/pam.d/other is +#used. + +# We use pam_warn.so to generate syslog notes that the 'other' +#fallback rules are being used (as a hint to suggest you should setup +#specific PAM rules for the service and aid to debugging). Then to be +#secure, deny access to all services by default. + +auth required pam_warn.so +auth required pam_deny.so + +account required pam_warn.so +account required pam_deny.so + +password required pam_warn.so +password required pam_deny.so + +session required pam_warn.so +session required pam_deny.so |
