Message ID | 1436905227-26937-7-git-send-email-clayton.shotwell@rockwellcollins.com |
---|---|
State | Changes Requested |
Headers | show |
Dear Clayton Shotwell, On Tue, 14 Jul 2015 15:20:18 -0500, Clayton Shotwell wrote: > From: Matt Weber <matthew.weber@rockwellcollins.com> > > Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com> > Reviewed-by: Samuel Martin <s.martin49@gmail.com> This commit is far too complicated to not have any commit log, and I believe it would benefit from being split in several smaller commits, such as (an example, other splits might make more sense) : * Adding the host-linux-pam variant * Adding the optional selinux and audit dependencies * Adding the pam.d mess-up logic. > diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk > index 26b627e..72ead8e 100644 > --- a/package/linux-pam/linux-pam.mk > +++ b/package/linux-pam/linux-pam.mk > @@ -8,6 +8,9 @@ LINUX_PAM_VERSION = 1.1.8 > LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2 > LINUX_PAM_SITE = http://linux-pam.org/library > LINUX_PAM_INSTALL_STAGING = YES > + > +# lckpwdf is included with shadow > +# cracklib and libdb are not currently present in buildroot What is lckpwdf ? What are you adding a reference to it here? > LINUX_PAM_CONF_OPTS = \ > --disable-prelude \ > --disable-isadir \ > @@ -15,8 +18,10 @@ LINUX_PAM_CONF_OPTS = \ > --disable-db \ > --disable-regenerate-docu \ > --enable-securedir=/lib/security \ > + --disable-cracklib \ Maybe put it next to --disable-db, instead of in the middle of the directory related options. > --libdir=/lib > -LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf > + > +LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf host-linux-pam Do we need this new host-linux-pam dependency in all situations? We only need it when this new system-auth.pam file needs to be used. It used to work just fine until now without that. Can you comment as to what you're trying to achieve with this system-auth.pam file, and in which situations do we need it vs. not need it ? > LINUX_PAM_AUTORECONF = YES > LINUX_PAM_LICENSE = BSD-3c > LINUX_PAM_LICENSE_FILES = Copyright > @@ -26,12 +31,61 @@ LINUX_PAM_DEPENDENCIES += gettext > LINUX_PAM_MAKE_OPTS += LIBS=-lintl > endif > > +ifeq ($(BR2_PACKAGE_LIBSELINUX),y) > + LINUX_PAM_CONF_OPTS += --enable-selinux > + LINUX_PAM_DEPENDENCIES += libselinux > +else > + LINUX_PAM_CONF_OPTS += --disable-selinux > +endif > + > +ifeq ($(BR2_PACKAGE_AUDIT),y) > + LINUX_PAM_CONF_OPTS += --enable-audit > + LINUX_PAM_DEPENDENCIES += audit > +else > + LINUX_PAM_CONF_OPTS += --disable-audit > +endif Indentation is wrong: we don't indent such lines (I know some packages do not respect this, but we should fix them). > + > # Install default pam config (deny everything) > define LINUX_PAM_INSTALL_CONFIG > $(INSTALL) -m 0644 -D package/linux-pam/other.pam \ > $(TARGET_DIR)/etc/pam.d/other > endef > > +# Use the host-pam pam_conv1 app to create the pam.d files > +define LINUX_PAM_CONFIG_FILE_TARGET_INSTALL > + if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \ > + mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \ > + fi; \ > + cd $(TARGET_DIR)/etc/ && \ > + cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1; \ > + if [ -d $(TARGET_DIR)/etc/pam.d.orig ]; then \ > + cp -a $(TARGET_DIR)/etc/pam.d/* $(TARGET_DIR)/etc/pam.d.orig/; \ > + rm -rf $(TARGET_DIR)/etc/pam.d/; \ > + mv $(TARGET_DIR)/etc/pam.d.orig/ $(TARGET_DIR)/etc/pam.d/; \ > + fi; > + $(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd $(TARGET_DIR)/etc/pam.d/system-auth Why do you have all those lines in a single shell command? I don't really see the reason. Something like: if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \ mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \ fi cd $(TARGET_DIR)/etc/ && cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1 if [ -d $(TARGET_DIR)/etc/pam.d.orig ]; then \ cp -a $(TARGET_DIR)/etc/pam.d/* $(TARGET_DIR)/etc/pam.d.orig/; \ rm -rf $(TARGET_DIR)/etc/pam.d/; \ mv $(TARGET_DIR)/etc/pam.d.orig/ $(TARGET_DIR)/etc/pam.d/; \ fi $(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd $(TARGET_DIR)/etc/pam.d/system-auth Should work just as well. However, I don't quite understand what is happening here. What is installed in /etc/pam.d/ before linux-pam gets installed? Maybe nothing, in which case we could avoid the pam.d.orig dance altogether ? In any case, this needs a better comment above it to explain what's going on. And you are doing all this unconditionally, regardless of whether SELinux support is used or not, which seems a bit weird. > +endef > + > +LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_CONFIG_FILE_TARGET_INSTALL > LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG > > +HOST_LINUX_PAM_DEPENDENCIES = host-flex host-pkgconf > + > +HOST_LINUX_PAM_CONF_OPTS = --disable-rpath \ --disable-rpath should be on the next line. > + --enable-read-both-confs \ > + --disable-regenerate-docu \ > + --disable-isadir \ > + --disable-nis \ > + --enable-securedir=/lib/security \ > + --disable-prelude \ > + --disable-cracklib \ > + --disable-lckpwdf \ > + --disable-db \ > + --disable-selinux \ > + --disable-audit \ Use one tab for indentation. > + > +define HOST_LINUX_PAM_INSTALL_CMDS > + $(INSTALL) -m 755 $(@D)/conf/pam_conv1/pam_conv1 $(HOST_DIR)/usr/bin/ -D + full path for the destination. Thanks, Thomas
diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk index 26b627e..72ead8e 100644 --- a/package/linux-pam/linux-pam.mk +++ b/package/linux-pam/linux-pam.mk @@ -8,6 +8,9 @@ LINUX_PAM_VERSION = 1.1.8 LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2 LINUX_PAM_SITE = http://linux-pam.org/library LINUX_PAM_INSTALL_STAGING = YES + +# lckpwdf is included with shadow +# cracklib and libdb are not currently present in buildroot LINUX_PAM_CONF_OPTS = \ --disable-prelude \ --disable-isadir \ @@ -15,8 +18,10 @@ LINUX_PAM_CONF_OPTS = \ --disable-db \ --disable-regenerate-docu \ --enable-securedir=/lib/security \ + --disable-cracklib \ --libdir=/lib -LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf + +LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf host-linux-pam LINUX_PAM_AUTORECONF = YES LINUX_PAM_LICENSE = BSD-3c LINUX_PAM_LICENSE_FILES = Copyright @@ -26,12 +31,61 @@ LINUX_PAM_DEPENDENCIES += gettext LINUX_PAM_MAKE_OPTS += LIBS=-lintl endif +ifeq ($(BR2_PACKAGE_LIBSELINUX),y) + LINUX_PAM_CONF_OPTS += --enable-selinux + LINUX_PAM_DEPENDENCIES += libselinux +else + LINUX_PAM_CONF_OPTS += --disable-selinux +endif + +ifeq ($(BR2_PACKAGE_AUDIT),y) + LINUX_PAM_CONF_OPTS += --enable-audit + LINUX_PAM_DEPENDENCIES += audit +else + LINUX_PAM_CONF_OPTS += --disable-audit +endif + # Install default pam config (deny everything) define LINUX_PAM_INSTALL_CONFIG $(INSTALL) -m 0644 -D package/linux-pam/other.pam \ $(TARGET_DIR)/etc/pam.d/other endef +# Use the host-pam pam_conv1 app to create the pam.d files +define LINUX_PAM_CONFIG_FILE_TARGET_INSTALL + if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \ + mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \ + fi; \ + cd $(TARGET_DIR)/etc/ && \ + cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1; \ + if [ -d $(TARGET_DIR)/etc/pam.d.orig ]; then \ + cp -a $(TARGET_DIR)/etc/pam.d/* $(TARGET_DIR)/etc/pam.d.orig/; \ + rm -rf $(TARGET_DIR)/etc/pam.d/; \ + mv $(TARGET_DIR)/etc/pam.d.orig/ $(TARGET_DIR)/etc/pam.d/; \ + fi; + $(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd $(TARGET_DIR)/etc/pam.d/system-auth +endef + +LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_CONFIG_FILE_TARGET_INSTALL LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG +HOST_LINUX_PAM_DEPENDENCIES = host-flex host-pkgconf + +HOST_LINUX_PAM_CONF_OPTS = --disable-rpath \ + --enable-read-both-confs \ + --disable-regenerate-docu \ + --disable-isadir \ + --disable-nis \ + --enable-securedir=/lib/security \ + --disable-prelude \ + --disable-cracklib \ + --disable-lckpwdf \ + --disable-db \ + --disable-selinux \ + --disable-audit \ + +define HOST_LINUX_PAM_INSTALL_CMDS + $(INSTALL) -m 755 $(@D)/conf/pam_conv1/pam_conv1 $(HOST_DIR)/usr/bin/ +endef $(eval $(autotools-package)) +$(eval $(host-autotools-package)) diff --git a/package/linux-pam/system-auth.pamd b/package/linux-pam/system-auth.pamd new file mode 100644 index 0000000..2fa116a --- /dev/null +++ b/package/linux-pam/system-auth.pamd @@ -0,0 +1,15 @@ +#%PAM-1.0 +auth required pam_env.so +auth sufficient pam_unix.so +auth required pam_deny.so + +account required pam_unix.so + +#password required pam_cracklib.so try_first_pass retry=3 +password sufficient pam_unix.so md5 shadow try_first_pass +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so