Message ID | 1433251718-3167-10-git-send-email-clayton.shotwell@rockwellcollins.com |
---|---|
State | Superseded |
Hi Clayton, On Tue, Jun 2, 2015 at 3:28 PM, Clayton Shotwell <clayton.shotwell@rockwellcollins.com> wrote: [...] > +# Use the host-pam pam_conv1 app to create the pam.d files > +define LINUX_PAM_CONFIG_FILE_TARGET_INSTALL > + ( \ > + if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \ > + mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \ > + fi; \ > + cd $(TARGET_DIR)/etc/ && \ > + cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1; \ > + if [ -d pam.d.orig ]; then \ > + cp -a pam.d/* pam.d.orig/; \ > + rm -rf pam.d/; \ > + mv pam.d.orig/ pam.d/; \ > + fi; \ > + ) > + $(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd $(TARGET_DIR)/etc/pam.d/system-auth > +endef Funny, I think the sub-shell is not needed here. Also, in the former if-block, paths are absolute (via $(TARGET_DIR)/...), whereas in the latter, they are relative to where the cd command goes... It could be rewrite like this: define LINUX_PAM_CONFIG_FILE_TARGET_INSTALL if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \ mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \ fi cd $(TARGET_DIR)/etc/ && \ cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1 if [ -d $(TARGET_DIR)/etc/pam.d.orig ]; then \ cp -a $(TARGET_DIR)/etc/pam.d/* $(TARGET_DIR)/etc/pam.d.orig/; \ rm -rf $(TARGET_DIR)/etc/pam.d/; \ mv $(TARGET_DIR)/etc/pam.d.orig/ $(TARGET_DIR)/etc/pam.d/; \ fi $(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd $(TARGET_DIR)/etc/pam.d/system-auth endef > + > +LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_CONFIG_FILE_TARGET_INSTALL > LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG > > +HOST_LINUX_PAM_DEPENDENCIES = host-flex host-pkgconf > + > +HOST_LINUX_PAM_CONF_OPTS = --disable-rpath \ > + --enable-read-both-confs \ > + --disable-regenerate-docu \ > + --disable-isadir \ > + --disable-nis \ > + --enable-securedir=/lib/security \ > + --disable-prelude \ > + --disable-cracklib \ > + --disable-lckpwdf \ > + --enable-db=no \ Why using --enable-db=no and not --disable-db, 
the target *_CONF_OPTS uses --disable-db > + --disable-selinux \ > + --disable-audit \ > + [...] [1] http://git.buildroot.net/buildroot/tree/package/linux-pam/linux-pam.mk#n15 Regards,
Samuel, Thanks, Clayton Clayton Shotwell Senior Software Engineer, Rockwell Collins clayton.shotwell@rockwellcollins.com On Sat, Jun 20, 2015 at 12:08 PM, Samuel Martin <s.martin49@gmail.com> wrote: > Hi Clayton, > > On Tue, Jun 2, 2015 at 3:28 PM, Clayton Shotwell > <clayton.shotwell@rockwellcollins.com> wrote: > [...] >> +# Use the host-pam pam_conv1 app to create the pam.d files >> +define LINUX_PAM_CONFIG_FILE_TARGET_INSTALL >> + ( \ >> + if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \ >> + mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \ >> + fi; \ >> + cd $(TARGET_DIR)/etc/ && \ >> + cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1; \ >> + if [ -d pam.d.orig ]; then \ >> + cp -a pam.d/* pam.d.orig/; \ >> + rm -rf pam.d/; \ >> + mv pam.d.orig/ pam.d/; \ >> + fi; \ >> + ) >> + $(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd $(TARGET_DIR)/etc/pam.d/system-auth >> +endef > Funny, I think the sub-shell is not needed here. > Also, in the former if-block, paths are absolute (via > $(TARGET_DIR)/...), whereas in the latter, they are relative to where > the cd command goes... 
> It could be rewrite like this: > > define LINUX_PAM_CONFIG_FILE_TARGET_INSTALL > if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \ > mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \ > fi > cd $(TARGET_DIR)/etc/ && \ > cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1 > if [ -d $(TARGET_DIR)/etc/pam.d.orig ]; then \ > cp -a $(TARGET_DIR)/etc/pam.d/* $(TARGET_DIR)/etc/pam.d.orig/; \ > rm -rf $(TARGET_DIR)/etc/pam.d/; \ > mv $(TARGET_DIR)/etc/pam.d.orig/ $(TARGET_DIR)/etc/pam.d/; \ > fi > $(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd > $(TARGET_DIR)/etc/pam.d/system-auth > endef > >> + >> +LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_CONFIG_FILE_TARGET_INSTALL >> LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG >> >> +HOST_LINUX_PAM_DEPENDENCIES = host-flex host-pkgconf >> + >> +HOST_LINUX_PAM_CONF_OPTS = --disable-rpath \ >> + --enable-read-both-confs \ >> + --disable-regenerate-docu \ >> + --disable-isadir \ >> + --disable-nis \ >> + --enable-securedir=/lib/security \ >> + --disable-prelude \ >> + --disable-cracklib \ >> + --disable-lckpwdf \ >> + --enable-db=no \ > Why using --enable-db=no and not --disable-db, the target *_CONF_OPTS > uses --disable-db > >> + --disable-selinux \ >> + --disable-audit \ >> + > [...] > > [1] http://git.buildroot.net/buildroot/tree/package/linux-pam/linux-pam.mk#n15 > > Regards, > > -- > Samuel
Samuel, Definitely sent the last email without adding a message. Sorry about that. >> On Tue, Jun 2, 2015 at 3:28 PM, Clayton Shotwell >> <clayton.shotwell@rockwellcollins.com> wrote: >> [...] >>> +# Use the host-pam pam_conv1 app to create the pam.d files >>> +define LINUX_PAM_CONFIG_FILE_TARGET_INSTALL >>> + ( \ >>> + if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \ >>> + mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \ >>> + fi; \ >>> + cd $(TARGET_DIR)/etc/ && \ >>> + cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1; \ >>> + if [ -d pam.d.orig ]; then \ >>> + cp -a pam.d/* pam.d.orig/; \ >>> + rm -rf pam.d/; \ >>> + mv pam.d.orig/ pam.d/; \ >>> + fi; \ >>> + ) >>> + $(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd $(TARGET_DIR)/etc/pam.d/system-auth >>> +endef >> Funny, I think the sub-shell is not needed here. Definitely agree. I'll get that removed. >> Also, in the former if-block, paths are absolute (via >> $(TARGET_DIR)/...), whereas in the latter, they are relative to where >> the cd command goes... >> It could be rewrite like this: >> >> define LINUX_PAM_CONFIG_FILE_TARGET_INSTALL >> if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \ >> mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \ >> fi >> cd $(TARGET_DIR)/etc/ && \ >> cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1 >> if [ -d $(TARGET_DIR)/etc/pam.d.orig ]; then \ >> cp -a $(TARGET_DIR)/etc/pam.d/* $(TARGET_DIR)/etc/pam.d.orig/; \ >> rm -rf $(TARGET_DIR)/etc/pam.d/; \ >> mv $(TARGET_DIR)/etc/pam.d.orig/ $(TARGET_DIR)/etc/pam.d/; \ >> fi >> $(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd >> $(TARGET_DIR)/etc/pam.d/system-auth >> endef That looks a lot cleaner. I'll rework the patch to match. 
>>> + >>> +LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_CONFIG_FILE_TARGET_INSTALL >>> LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG >>> >>> +HOST_LINUX_PAM_DEPENDENCIES = host-flex host-pkgconf >>> + >>> +HOST_LINUX_PAM_CONF_OPTS = --disable-rpath \ >>> + --enable-read-both-confs \ >>> + --disable-regenerate-docu \ >>> + --disable-isadir \ >>> + --disable-nis \ >>> + --enable-securedir=/lib/security \ >>> + --disable-prelude \ >>> + --disable-cracklib \ >>> + --disable-lckpwdf \ >>> + --enable-db=no \ >> Why using --enable-db=no and not --disable-db, the target *_CONF_OPTS >> uses --disable-db No reason. I'll change to be consistent. Thanks for the review. Thanks, Clayton Clayton Shotwell Senior Software Engineer, Rockwell Collins clayton.shotwell@rockwellcollins.com
diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index 26b627e..f78c1ba 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -8,6 +8,9 @@ LINUX_PAM_VERSION = 1.1.8
 LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2
 LINUX_PAM_SITE = http://linux-pam.org/library
 LINUX_PAM_INSTALL_STAGING = YES
+
+# lckpwdf is included with shadow
+# cracklib and libdb are not currently present in buildroot
 LINUX_PAM_CONF_OPTS = \
 --disable-prelude \
 --disable-isadir \
@@ -15,8 +18,10 @@ LINUX_PAM_CONF_OPTS = \
 --disable-db \
 --disable-regenerate-docu \
 --enable-securedir=/lib/security \
+ --disable-cracklib \
 --libdir=/lib
-LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf
+
+LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf host-linux-pam
 LINUX_PAM_AUTORECONF = YES
 LINUX_PAM_LICENSE = BSD-3c
 LINUX_PAM_LICENSE_FILES = Copyright
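Review bot: The new comment `# lckpwdf is included with shadow` placed above LINUX_PAM_CONF_OPTS does not explain any option visible in the target list in this or the next hunk (prelude, isadir, db, regenerate-docu, securedir, cracklib, libdir); only HOST_LINUX_PAM_CONF_OPTS in the later hunk carries `--disable-lckpwdf`. Unless the single option hidden at old line 14, between the two hunks, is `--disable-lckpwdf`, the comment belongs next to the host options, or the target list should gain the option it describes. The second comment line does match the `--disable-db` and `--disable-cracklib` options that follow it. LINUX_PAM_CONF_OPTS continues past the end of this hunk.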
@@ -26,12 +31,63 @@ LINUX_PAM_DEPENDENCIES += gettext LINUX_PAM_MAKE_OPTS += LIBS=-lintl endif +ifeq ($(BR2_PACKAGE_LIBSELINUX),y) + LINUX_PAM_CONF_OPTS += --enable-selinux + LINUX_PAM_DEPENDENCIES += libselinux +else + LINUX_PAM_CONF_OPTS += --disable-selinux +endif + +ifeq ($(BR2_PACKAGE_AUDIT),y) + LINUX_PAM_CONF_OPTS += --enable-audit + LINUX_PAM_DEPENDENCIES += audit +else + LINUX_PAM_CONF_OPTS += --disable-audit +endif + # Install default pam config (deny everything) define LINUX_PAM_INSTALL_CONFIG $(INSTALL) -m 0644 -D package/linux-pam/other.pam \ $(TARGET_DIR)/etc/pam.d/other endef +# Use the host-pam pam_conv1 app to create the pam.d files +define LINUX_PAM_CONFIG_FILE_TARGET_INSTALL + ( \ + if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \ + mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \ + fi; \ + cd $(TARGET_DIR)/etc/ && \ + cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1; \ + if [ -d pam.d.orig ]; then \ + cp -a pam.d/* pam.d.orig/; \ + rm -rf pam.d/; \ + mv pam.d.orig/ pam.d/; \ + fi; \ + ) + $(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd $(TARGET_DIR)/etc/pam.d/system-auth +endef + +LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_CONFIG_FILE_TARGET_INSTALL LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG +HOST_LINUX_PAM_DEPENDENCIES = host-flex host-pkgconf + +HOST_LINUX_PAM_CONF_OPTS = --disable-rpath \ + --enable-read-both-confs \ + --disable-regenerate-docu \ + --disable-isadir \ + --disable-nis \ + --enable-securedir=/lib/security \ + --disable-prelude \ + --disable-cracklib \ + --disable-lckpwdf \ + --enable-db=no \ + --disable-selinux \ + --disable-audit \ + +define HOST_LINUX_PAM_INSTALL_CMDS + $(INSTALL) -m 755 $(@D)/conf/pam_conv1/pam_conv1 $(HOST_DIR)/usr/bin/ +endef $(eval $(autotools-package)) +$(eval $(host-autotools-package)) diff --git a/package/linux-pam/system-auth.pamd b/package/linux-pam/system-auth.pamd new file mode 100644 index 0000000..2fa116a --- /dev/null 
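Review bot: In LINUX_PAM_CONFIG_FILE_TARGET_INSTALL the conversion step `cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1; \` is terminated with `;`, so a failing pam_conv1 (binary missing from $(HOST_DIR), unwritable `$(TARGET_DIR)/etc`, malformed input) is not propagated to make unless the recipe shell runs with `-e`: the shell continues into the `if [ -d pam.d.orig ]` block and the recipe line finishes with the status of that `if`, leaving a partially generated pam.d in the image. Chain it so a failure aborts the recipe, e.g. `cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1 || exit 1; \` (or `&& \` onto the following command). The `cp -a pam.d/* pam.d.orig/` step also deserves a why-comment, since it lets the freshly generated service files overwrite same-named files other packages already installed into /etc/pam.d, and $(@D)/conf/pam.conf is presumably the upstream sample configuration: `# generated files take precedence over pre-existing ones in pam.d`. Finally, the trailing `\` on `--disable-audit \` at the end of HOST_LINUX_PAM_CONF_OPTS continues the assignment onto the blank line that follows; drop it and, for consistency with the target list, start the options on their own lines after `HOST_LINUX_PAM_CONF_OPTS = \`.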
+++ b/package/linux-pam/system-auth.pamd
@@ -0,0 +1,15 @@
+#%PAM-1.0
+auth required pam_env.so
+auth sufficient pam_unix.so
+auth required pam_deny.so
+
+account required pam_unix.so
+
+#password required pam_cracklib.so try_first_pass retry=3
+password sufficient pam_unix.so md5 shadow try_first_pass
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
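Review bot: `password sufficient pam_unix.so md5 shadow try_first_pass` selects MD5-crypt for every password changed through this stack; pam_unix also accepts `sha512`, which is the usual choice for a new image, so the line would read `password sufficient pam_unix.so sha512 shadow try_first_pass`. With the `pam_cracklib.so` line commented out there is no password-quality check at all, which is consistent with `--disable-cracklib` in the .mk hunk, but a one-line comment in this file saying that cracklib is not available in buildroot would stop the next reader from simply uncommenting a module that is not built. The `session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid` line presumably carries over from a desktop distribution's system-auth; whether a crond service exists on these targets is worth confirming before shipping the rule.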