From 51680b00cefba826c14893e9d7737138a3ba9a7b Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 14 Mar 2018 20:31:47 +0100
Subject: [pam/rfs-stage32/pam-slx-plug] Only overwrite pam/nsswitch files that have
---
 .../data/opt/openslx/pam/systemd/create-pam-config | 114 +++++++++++----------
 core/modules/pam/data/etc/pam.d/common-account | 1 +
 core/modules/pam/data/etc/pam.d/common-auth | 1 +
 core/modules/pam/data/etc/pam.d/common-session | 1 +
 core/rootfs/rootfs-stage32/data/etc/nsswitch.conf | 14 +--
 5 files changed, 72 insertions(+), 59 deletions(-)
(limited to 'core')
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config b/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
index 0ac461ae..274c5e08 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
@@ -123,66 +123,76 @@ session+=("optional pam_exec.so quiet /opt/openslx/pam/exec_session") # # Write pam configs tmpfile=$(mktemp) + # common-auth -skip=$(( ${#auth[@]} + 1 )) -echo "# Generated $(date)" > "$tmpfile" -for line in "${auth[@]}"; do - echo "auth ${line//%NUM%/$skip}" - skip=$(( skip - 1 )) -done >> "$tmpfile" -cat >> "$tmpfile" <<-HERE - auth optional pam_faildelay.so delay=2123123 - auth requisite pam_deny.so - auth required pam_permit.so - auth optional pam_cap.so -HERE -cp -f -- "$tmpfile" "/etc/pam.d/common-auth" +if grep -q '' "/etc/pam.d/common-auth"; then + skip=$(( ${#auth[@]} + 1 )) + echo "# Generated $(date)" > "$tmpfile" + for line in "${auth[@]}"; do + echo "auth ${line//%NUM%/$skip}" + skip=$(( skip - 1 )) + done >> "$tmpfile" + cat >> "$tmpfile" <<-HERE + auth optional pam_faildelay.so delay=2123123 + auth requisite pam_deny.so + auth required pam_permit.so + auth optional pam_cap.so + HERE + cp -f -- "$tmpfile" "/etc/pam.d/common-auth" +fi # common-account -skip=${#account[@]} -echo "# Generated $(date)" > "$tmpfile" -for line in "${account[@]}"; do - echo "account ${line//%NUM%/$skip}" - skip=$(( skip - 1 )) -done >> "$tmpfile" -cat >> "$tmpfile" <<-HERE - account requisite pam_deny.so - account required pam_permit.so -HERE -cp -f -- "$tmpfile" "/etc/pam.d/common-account" +if grep -q '' "/etc/pam.d/common-account"; then + skip=${#account[@]} + echo "# Generated $(date)" > "$tmpfile" + for line in "${account[@]}"; do + echo "account ${line//%NUM%/$skip}" + skip=$(( skip - 1 )) + done >> "$tmpfile" + cat >> "$tmpfile" <<-HERE + account requisite pam_deny.so + account required pam_permit.so + HERE + cp -f -- "$tmpfile" "/etc/pam.d/common-account" +fi # common-session -cat > "$tmpfile" <<-HERE - session required pam_permit.so - session optional pam_umask.so - session required pam_systemd.so - session optional pam_env.so readenv=1 - session optional pam_env.so readenv=1 envfile=/etc/default/locale - session optional pam_exec.so quiet 
/opt/openslx/pam/mkhome -HERE -for line in "${session[@]}"; do - echo "session $line" -done >> "$tmpfile" -cp -f -- "$tmpfile" "/etc/pam.d/common-session" +if grep -q '' "/etc/pam.d/common-session"; then + cat > "$tmpfile" <<-HERE + # Generated $(date) + session required pam_permit.so + session optional pam_umask.so + session required pam_systemd.so + session optional pam_env.so readenv=1 + session optional pam_env.so readenv=1 envfile=/etc/default/locale + session optional pam_exec.so quiet /opt/openslx/pam/mkhome + HERE + for line in "${session[@]}"; do + echo "session $line" + done >> "$tmpfile" + cp -f -- "$tmpfile" "/etc/pam.d/common-session" +fi # # Write nsswitch.conf -cat > "/etc/nsswitch.conf" <<-HERE -# Generated $(date) -passwd: ${nss[@]} -group: ${nss[@]} -shadow: files - -hosts: ${dns[@]} -networks: files - -protocols: db files -services: db files -ethers: db files -rpc: db files - -netgroup: nis -HERE +if grep -q '' "/etc/nsswitch.conf"; then + cat > "/etc/nsswitch.conf" <<-HERE + # Generated $(date) + passwd: ${nss[@]} + group: ${nss[@]} + shadow: files + + hosts: ${dns[@]} + networks: files + + protocols: db files + services: db files + ethers: db files + rpc: db files + + netgroup: nis + HERE +fi rm -f -- "$tmpfile" diff --git a/core/modules/pam/data/etc/pam.d/common-account b/core/modules/pam/data/etc/pam.d/common-account index 6694c6f7..40ddfde4 100644 --- a/core/modules/pam/data/etc/pam.d/common-account +++ b/core/modules/pam/data/etc/pam.d/common-account @@ -1,3 +1,4 @@ +# account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so account requisite pam_deny.so account required pam_permit.so diff --git a/core/modules/pam/data/etc/pam.d/common-auth b/core/modules/pam/data/etc/pam.d/common-auth index bc2d23bd..12d09a35 100644 --- a/core/modules/pam/data/etc/pam.d/common-auth +++ b/core/modules/pam/data/etc/pam.d/common-auth 
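Review bot: The install steps inside the new `if grep -q` guards in create-pam-config still replace live PAM and NSS files in place: nothing in the hunk checks the status of `mktemp` or of the writes to `$tmpfile` before `cp -f -- "$tmpfile" "/etc/pam.d/common-auth"` runs, and the nsswitch branch truncates `/etc/nsswitch.conf` with `cat >` before the heredoc is written. A short or half-written file here is the stack that decides whether a login reaches `pam_deny.so` or `pam_permit.so`, so I would stage next to the target and rename, e.g. `install -m 0644 -- "$tmpfile" "$target.new" && mv -f -- "$target.new" "$target"` (`$target` is a placeholder; the explicit mode matters because `mktemp` creates the file 0600), and build nsswitch.conf in `$tmpfile` the same way. As rendered on this page the guard pattern is empty (`grep -q ''`), which succeeds for any file with at least one line; the marker was presumably lost in rendering, but if it really is empty the guard does not tell generated files from hand-edited ones. The re-indented `<<-HERE` bodies and terminators must be indented with tabs rather than spaces, which this rendering does not let me confirm. The `auth`, `account`, `session`, `nss` and `dns` arrays are filled above the hunk.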
@@ -1,3 +1,4 @@ +# auth [success=1 default=ignore] pam_unix.so auth requisite pam_deny.so auth required pam_permit.so diff --git a/core/modules/pam/data/etc/pam.d/common-session b/core/modules/pam/data/etc/pam.d/common-session index 4009012e..323b81b1 100644 --- a/core/modules/pam/data/etc/pam.d/common-session +++ b/core/modules/pam/data/etc/pam.d/common-session @@ -1,3 +1,4 @@ +# session required pam_permit.so session required pam_unix.so session optional pam_umask.so diff --git a/core/rootfs/rootfs-stage32/data/etc/nsswitch.conf b/core/rootfs/rootfs-stage32/data/etc/nsswitch.conf index 6886def9..a44378e4 100644 --- a/core/rootfs/rootfs-stage32/data/etc/nsswitch.conf +++ b/core/rootfs/rootfs-stage32/data/etc/nsswitch.conf @@ -1,14 +1,14 @@ # /etc/nsswitch.conf # -# Example configuration of GNU Name Service Switch functionality. -# If you have the `glibc-doc-reference' and `info' packages installed, try: -# `info libc "Name Service Switch"' for information about this file. +# +# Default OpenSLX nsswitch file -- remove line above to prevent +# this file from being overwritten at runtime -passwd: compat -group: compat -shadow: compat +passwd: files +group: files +shadow: files -hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 +hosts: files dns networks: files protocols: db files -- cgit v1.2.3-55-g7522