diff options
53 files changed, 948 insertions, 136 deletions
diff --git a/remote/modules/consolekit/consolekit.conf b/remote/modules/consolekit/consolekit.conf index afb573ce..4f128c62 100644 --- a/remote/modules/consolekit/consolekit.conf +++ b/remote/modules/consolekit/consolekit.conf @@ -1,11 +1,12 @@ -REQUIRED_CONTENT_PACKAGES="consolekit" -REQUIRED_BINARIES=" ck-history - ck-launch-session - ck-list-sessions - ck-log-system-start - ck-log-system-restart - ck-log-system-stop - console-kit-daemon" -REQUIRED_DIRECTORIES=" /usr/lib/ConsoleKit /etc /lib/systemd/system" -REQUIRED_FILES=" /usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service - /usr/share/polkit-1/actions/org.freedesktop.consolekit.policy" +REQUIRED_BINARIES=" + console-kit-daemon +" +REQUIRED_DIRECTORIES=" + /usr + /etc + /lib +" +REQUIRED_LIBRARIES=" + pam_ck_connector +" + diff --git a/remote/modules/consolekit/consolekit.conf.opensuse b/remote/modules/consolekit/consolekit.conf.opensuse new file mode 100644 index 00000000..74c694a1 --- /dev/null +++ b/remote/modules/consolekit/consolekit.conf.opensuse @@ -0,0 +1,2 @@ +REQUIRED_CONTENT_PACKAGES="ConsoleKit" + diff --git a/remote/modules/consolekit/consolekit.conf.ubuntu b/remote/modules/consolekit/consolekit.conf.ubuntu new file mode 100644 index 00000000..c0fffffa --- /dev/null +++ b/remote/modules/consolekit/consolekit.conf.ubuntu @@ -0,0 +1,2 @@ +REQUIRED_CONTENT_PACKAGES="consolekit" + diff --git a/remote/modules/consolekit/consolekit.conf.zypper b/remote/modules/consolekit/consolekit.conf.zypper deleted file mode 100644 index 394ee0da..00000000 --- a/remote/modules/consolekit/consolekit.conf.zypper +++ /dev/null @@ -1,11 +0,0 @@ -REQUIRED_CONTENT_PACKAGES="ConsoleKit" -REQUIRED_BINARIES=" ck-history - ck-launch-session - ck-list-sessions - ck-log-system-start - ck-log-system-restart - ck-log-system-stop - console-kit-daemon" -REQUIRED_DIRECTORIES=" /usr/lib/ConsoleKit /etc /lib/systemd/system" -REQUIRED_FILES=" /usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service - /usr/share/polkit-1/actions/org.freedesktop.consolekit.policy" diff --git a/remote/modules/consolekit/data/etc/systemd/system/basic.target.wants/console-kit-daemon.service b/remote/modules/consolekit/data/etc/systemd/system/basic.target.wants/console-kit-daemon.service new file mode 120000 index 00000000..2b34a3f6 --- /dev/null +++ b/remote/modules/consolekit/data/etc/systemd/system/basic.target.wants/console-kit-daemon.service @@ -0,0 +1 @@ +../console-kit-daemon.service
\ No newline at end of file diff --git a/remote/modules/consolekit/data/etc/systemd/system/console-kit-daemon.service b/remote/modules/consolekit/data/etc/systemd/system/console-kit-daemon.service new file mode 100644 index 00000000..bc2a0de9 --- /dev/null +++ b/remote/modules/consolekit/data/etc/systemd/system/console-kit-daemon.service @@ -0,0 +1,8 @@ +[Unit] +Description=ConsoleKit + +[Service] +Type=dbus +BusName=org.freedesktop.ConsoleKit +ExecStart=/usr/sbin/console-kit-daemon --no-daemon + diff --git a/remote/modules/consolekit/data/usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service b/remote/modules/consolekit/data/usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service new file mode 100644 index 00000000..cbefc9a4 --- /dev/null +++ b/remote/modules/consolekit/data/usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service @@ -0,0 +1,6 @@ +[D-BUS Service] +Name=org.freedesktop.ConsoleKit +Exec=/usr/sbin/console-kit-daemon --no-daemon +User=root +SystemdService=console-kit-daemon.service + diff --git a/remote/modules/policykit-src/TODO b/remote/modules/policykit-src/TODO deleted file mode 100644 index 6203c18f..00000000 --- a/remote/modules/policykit-src/TODO +++ /dev/null @@ -1 +0,0 @@ -update to new config scheme diff --git a/remote/modules/policykit-src/policykit.build b/remote/modules/policykit-src/policykit.build deleted file mode 100644 index 26d1e27a..00000000 --- a/remote/modules/policykit-src/policykit.build +++ /dev/null @@ -1,38 +0,0 @@ -#tool/distro specific functions for fetching, building and installing dependencies - - -fetch_source () { - download_untar "$URL" "src/" -} - -build () { - cd src/$VERSION - - [ ! -d "${MODULES_DIR}/systemd/build" ] && perror "systemd build directory not found. Build it first." - SYSTEMD_BUILD_DIR="${MODULES_DIR}/systemd/build" - pinfo "configuring..." - LIBSYSTEMD_LOGIN_LIBS="-L${SYSTEMD_BUILD_DIR}/usr/lib/" \ - LIBSYSTEMD_LOGIN_CFLAGS="-I${SYSTEMD_BUILD_DIR}/usr/include -I${SYSTEMD_BUILD_DIR}/usr/include/systemd -lsystemd-login -lsystemd-daemon" \ - ./configure --enable-libsystemd-login=yes --with-systemdsystemunitdir=/etc/systemd/system -prefix="/" --datarootdir="/usr/share" --enable-man-pages=no --enable-gtk-doc-html=no --enable-examples=no --enable-static=no - pinfo "calling make..." - make || perror "make failed." - [ ! -d "${MODULE_BUILD_DIR}" ] && mkdir -p "${MODULE_BUILD_DIR}" - pinfo "installing to ${MODULE_BUILD_DIR}..." - DESTDIR="${MODULE_BUILD_DIR}" make install || perror "make install failed..." - - COPYLIST="list_dpkg_output" - [ -e "$COPYLIST" ] && rm "$COPYLIST" - - list_packet_files >> "$COPYLIST" - tarcopy "$(cat "$COPYLIST" | sort -u)" "${MODULE_BUILD_DIR}" - - cd - -} - -post_copy() { - - #Add Polkit User/Group/Shadow to Stage3.2 - pinfo "Adding polkitd user to target system..." - add_user "polkitd" -} - diff --git a/remote/modules/policykit-src/policykit.conf b/remote/modules/policykit-src/policykit.conf deleted file mode 100644 index 3e74c383..00000000 --- a/remote/modules/policykit-src/policykit.conf +++ /dev/null @@ -1,10 +0,0 @@ -VERSION=polkit-0.110 -URL=http://www.freedesktop.org/software/polkit/releases/polkit-0.110.tar.gz -REQUIRED_INSTALLED_PACKAGES="libmozjs185-1.0" -REQUIRED_CONTENT_PACKAGES="libmozjs185-1.0" -REQUIRED_BINARIES="" -REQUIRED_DIRECTORIES="/bin /etc /lib /usr/share/dbus-1 /usr/share/polkit-1" -REQUIRED_FILES="" -REQUIRED_LIBRARIES="libmozjs185" -REQUIRED_MODULES="systemd" - diff --git a/remote/modules/policykit/data/etc/systemd/system/polkitd.service b/remote/modules/policykit/data/etc/systemd/system/polkitd.service deleted file mode 100644 index 2aeb3c48..00000000 --- a/remote/modules/policykit/data/etc/systemd/system/polkitd.service +++ /dev/null @@ -1,7 +0,0 @@ -[Unit] -Description=Authenticate and Authorize Users to Run Privileged Tasks - -[Service] -Type=dbus -BusName=org.freedesktop.PolicyKit1 -ExecStart=%%POLKITD%% --no-debug diff --git a/remote/modules/policykit/policykit.build b/remote/modules/policykit/policykit.build deleted file mode 100644 index 52be1221..00000000 --- a/remote/modules/policykit/policykit.build +++ /dev/null @@ -1,24 +0,0 @@ -#tool/distro specific functions for fetching, building and installing dependencies - - -fetch_source () { - pinfo "Extracting from running system..." -} - -build () { - COPYLIST="$MODULE_DIR/list_dpkg_output" - [ -e "${COPYLIST}" ] && rm "${COPYLIST}" - - list_packet_files >> "${COPYLIST}" - tarcopy "$(cat "${COPYLIST}" | sort -u)" "${MODULE_BUILD_DIR}" -} - -post_copy() { - COPYLIST="$MODULE_DIR/list_dpkg_output" - local POLPATH="$(grep '/polkitd$' "$COPYLIST" | head -1 | sed -e 's/[\/&]/\\&/g')" - [ -n "$POLPATH" ] && sed -i "s/%%POLKITD%%/${POLPATH}/g" "$TARGET_BUILD_DIR/etc/systemd/system/polkitd.service" - #Add Polkit User/Group/Shadow to Stage3.2 - pinfo "Adding polkitd user to target system..." - add_user "polkitd" -} - diff --git a/remote/modules/policykit/policykit.conf b/remote/modules/policykit/policykit.conf deleted file mode 100644 index d1f5269e..00000000 --- a/remote/modules/policykit/policykit.conf +++ /dev/null @@ -1,11 +0,0 @@ -REQUIRED_BINARIES="" -REQUIRED_DIRECTORIES=" - /etc/pam.d - /etc/dbus-1 - /etc/polkit-1 - /usr/bin - /usr/share/dbus-1 - /usr/share/polkit-1 -" -REQUIRED_FILES="" -REQUIRED_LIBRARIES="libmozjs185" diff --git a/remote/modules/polkit/data/etc/systemd/system/basic.target.wants/polkit.service b/remote/modules/polkit/data/etc/systemd/system/basic.target.wants/polkit.service new file mode 120000 index 00000000..b766f9ab --- /dev/null +++ b/remote/modules/polkit/data/etc/systemd/system/basic.target.wants/polkit.service @@ -0,0 +1 @@ +../polkit.service
\ No newline at end of file diff --git a/remote/modules/polkit/polkit.build b/remote/modules/polkit/polkit.build new file mode 100644 index 00000000..eeae1e32 --- /dev/null +++ b/remote/modules/polkit/polkit.build @@ -0,0 +1,26 @@ +#tool/distro specific functions for fetching, building and installing dependencies + + +fetch_source () { + pinfo "Extracting from running system..." +} + +build () { + COPYLIST="$MODULE_DIR/list_dpkg_output" + [ -e "${COPYLIST}" ] && rm "${COPYLIST}" + + list_packet_files >> "${COPYLIST}" + tarcopy "$(cat "${COPYLIST}" | sort -u)" "${MODULE_BUILD_DIR}" + local POLPATH=$(find "$MODULE_BUILD_DIR" -name polkitd -executable | head -n 1) + POLPATH="/${POLPATH#$MODULE_BUILD_DIR}" + mkdir -p "$MODULE_BUILD_DIR/etc/systemd/system" "$MODULE_BUILD_DIR/usr/share/dbus-1/system-services" + sed "s,%POLKITD%,${POLPATH},g" "templates/systemd.service" > "$MODULE_BUILD_DIR/etc/systemd/system/polkit.service" || perror "Could not generate polkit.service for systemd" + sed "s,%POLKITD%,${POLPATH},g" "templates/dbus.service" > "$MODULE_BUILD_DIR/usr/share/dbus-1/system-services/org.freedesktop.PolicyKit1.service" || perror "Could not generate polkit.service for dbus" +} + +post_copy() { + #Add Polkit User/Group/Shadow to Stage3.2, required on opensuse + pinfo "Adding polkitd user to target system..." + add_user "polkitd" +} + diff --git a/remote/modules/polkit/polkit.conf b/remote/modules/polkit/polkit.conf new file mode 100644 index 00000000..97d4b892 --- /dev/null +++ b/remote/modules/polkit/polkit.conf @@ -0,0 +1,13 @@ +REQUIRED_DIRECTORIES=" + /etc/pam.d + /etc/polkit-1 + /usr/bin + /usr/share/polkit-1 + /etc/dbus-1/system.d +" +REQUIRED_FILES=" + /usr/share/dbus-1/system-services/org.freedesktop.PolicyKit1.service + /etc/systemd/system/polkit.service +" +REQUIRED_LIBRARIES="libmozjs185" + diff --git a/remote/modules/policykit/policykit.conf.opensuse b/remote/modules/polkit/polkit.conf.opensuse index f0a7d385..10cedbe9 100644 --- a/remote/modules/policykit/policykit.conf.opensuse +++ b/remote/modules/polkit/polkit.conf.opensuse @@ -5,8 +5,7 @@ REQUIRED_CONTENT_PACKAGES=" libmozjs185-1_0 polkit " -REQUIRED_BINARIES="" REQUIRED_DIRECTORIES+=" /usr/lib/polkit-1 " -REQUIRED_FILES="" + diff --git a/remote/modules/policykit/policykit.conf.ubuntu b/remote/modules/polkit/polkit.conf.ubuntu index 4bdd625d..76d31b9e 100644 --- a/remote/modules/policykit/policykit.conf.ubuntu +++ b/remote/modules/polkit/polkit.conf.ubuntu @@ -5,9 +5,8 @@ REQUIRED_CONTENT_PACKAGES=" libmozjs185-1.0 policykit-1 " -REQUIRED_BINARIES="" -REQUIRED_FILES="" REQUIRED_DIRECTORIES+=" /usr/lib/policykit-1 /usr${ARCH_LIB_DIR}/polkit-1 " + diff --git a/remote/modules/polkit/templates/dbus.service b/remote/modules/polkit/templates/dbus.service new file mode 100644 index 00000000..c9ee6c8b --- /dev/null +++ b/remote/modules/polkit/templates/dbus.service @@ -0,0 +1,6 @@ +[D-BUS Service] +Name=org.freedesktop.PolicyKit1 +Exec=%POLKITD% --no-debug +User=root +SystemdService=polkit.service + diff --git a/remote/modules/polkit/templates/systemd.service b/remote/modules/polkit/templates/systemd.service new file mode 100644 index 00000000..747fd7eb --- /dev/null +++ b/remote/modules/polkit/templates/systemd.service @@ -0,0 +1,8 @@ +[Unit] +Description=the cancer that is called PolKit + +[Service] +Type=dbus +BusName=org.freedesktop.PolicyKit1 +ExecStart=%POLKITD% --no-debug + diff --git a/remote/modules/udisks/data/usr/share/polkit-1/rules.d/10-drives.rules b/remote/modules/udisks/data/usr/share/polkit-1/rules.d/10-drives.rules new file mode 100644 index 00000000..72c4fb16 --- /dev/null +++ b/remote/modules/udisks/data/usr/share/polkit-1/rules.d/10-drives.rules @@ -0,0 +1,6 @@ +polkit.addRule(function(action, subject) { + if (action.id.indexOf("org.freedesktop.udisks") == 0) { + return polkit.Result.YES; + } +}); + diff --git a/remote/modules/udisks/templates/udisks.dbus.service b/remote/modules/udisks/templates/udisks.dbus.service new file mode 100644 index 00000000..f48b064b --- /dev/null +++ b/remote/modules/udisks/templates/udisks.dbus.service @@ -0,0 +1,6 @@ +[D-BUS Service] +Name=org.freedesktop.UDisks +Exec=%UDISKSD% --no-debug +User=root +SystemdService=udisks.service + diff --git a/remote/modules/udisks/templates/udisks.systemd.service b/remote/modules/udisks/templates/udisks.systemd.service new file mode 100644 index 00000000..d0c41438 --- /dev/null +++ b/remote/modules/udisks/templates/udisks.systemd.service @@ -0,0 +1,9 @@ +[Unit] +Description=Gnomes bloated 1000 dependency monster aka Disk Manager +Documentation=man:udisks(8) + +[Service] +Type=dbus +BusName=org.freedesktop.UDisks +ExecStart=%UDISKSD% --no-debug + diff --git a/remote/modules/udisks/templates/udisks2.dbus.service b/remote/modules/udisks/templates/udisks2.dbus.service new file mode 100644 index 00000000..2761a67c --- /dev/null +++ b/remote/modules/udisks/templates/udisks2.dbus.service @@ -0,0 +1,6 @@ +[D-BUS Service] +Name=org.freedesktop.UDisks2 +Exec=%UDISKSD% --no-debug +User=root +SystemdService=udisks2.service + diff --git a/remote/modules/udisks/templates/udisks2.systemd.service b/remote/modules/udisks/templates/udisks2.systemd.service new file mode 100644 index 00000000..47105a71 --- /dev/null +++ b/remote/modules/udisks/templates/udisks2.systemd.service @@ -0,0 +1,9 @@ +[Unit] +Description=Gnomes bloated 1000 dependency monster aka Disk Manager +Documentation=man:udisks(8) + +[Service] +Type=dbus +BusName=org.freedesktop.UDisks2 +ExecStart=%UDISKSD% --no-debug + diff --git a/remote/modules/udisks/udisks.build b/remote/modules/udisks/udisks.build new file mode 100644 index 00000000..1e9e73b0 --- /dev/null +++ b/remote/modules/udisks/udisks.build @@ -0,0 +1,38 @@ + +fetch_source () { + : +} + +build () { + COPYLIST="list_dpkg_output" + rm -f "$COPYLIST" + + list_packet_files >> "$COPYLIST" + tarcopy "$(cat "$COPYLIST" | sort -u)" "$MODULE_BUILD_DIR" + if [ -d "$MODULE_BUILD_DIR/lib/udev" ]; then + cp -a "$MODULE_BUILD_DIR/lib/udev" "$MODULE_BUILD_DIR/usr/lib/" || perror "Could not move /lib/udev to /usr/lib/udev" + fi + mkdir -p "$MODULE_BUILD_DIR/etc/systemd/system/basic.target.wants" "$MODULE_BUILD_DIR/usr/share/dbus-1/system-services" + local BINARY=$(find "$MODULE_BUILD_DIR" -name udisksd -executable | head -n 1) + [ -z "$BINARY" ] && BINARY=$(find "$MODULE_BUILD_DIR" -name udisks2d -executable | head -n 1) + [ -z "$BINARY" ] && BINARY=$(find "$MODULE_BUILD_DIR" -name udisksd2 -executable | head -n 1) + [ -z "$BINARY" ] && BINARY=$(find "$MODULE_BUILD_DIR" -name udisks-daemon -executable | head -n 1) + [ -z "$BINARY" ] && perror "Could not determine the udisks(1/2) daemon binary from inspecting $MODULE_BUILD_DIR" + BINARY="/${BINARY#$MODULE_BUILD_DIR}" + if [[ "$BINARY" == *udisks2* || -d "$MODULE_BUILD_DIR/usr/lib/udisks2" ]]; then + # assume udisks v2 + sed "s,%UDISKSD%,$BINARY,g" templates/udisks2.systemd.service > "$MODULE_BUILD_DIR/etc/systemd/system/udisks2.service" || perror "Error creating systemd service for udisks2" + sed "s,%UDISKSD%,$BINARY,g" templates/udisks2.dbus.service > "$MODULE_BUILD_DIR/usr/share/dbus-1/system-services/org.freedesktop.UDisks2.service" || perror "Error creating dbus service for udisks2" + ln -s "../udisks2.service" "$MODULE_BUILD_DIR/etc/systemd/system/basic.target.wants/udisks2.service" + else + # assume udisks v1 + sed "s,%UDISKSD%,$BINARY,g" templates/udisks1.systemd.service > "$MODULE_BUILD_DIR/etc/systemd/system/udisks.service" || perror "Error creating systemd service for udisks" + sed "s,%UDISKSD%,$BINARY,g" templates/udisks1.dbus.service > "$MODULE_BUILD_DIR/usr/share/dbus-1/system-services/org.freedesktop.UDisks.service" || perror "Error creating dbus service for udisks" + ln -s "../udisks.service" "$MODULE_BUILD_DIR/etc/systemd/system/basic.target.wants/udisks.service" + fi +} + +post_copy () { + : +} + diff --git a/remote/modules/udisks/udisks.conf b/remote/modules/udisks/udisks.conf new file mode 100644 index 00000000..8ef6f29c --- /dev/null +++ b/remote/modules/udisks/udisks.conf @@ -0,0 +1,14 @@ +# This module is a little special, as it's supposed to be compatible +# with udisks 1 and 2. suse 12.3 and ubuntu 13.04 use udisks2, ubuntu 12.04 +# uses udisks1. The build script looks a little hacky +REQUIRED_DIRECTORIES=" + /etc/dbus-1 + /usr/lib/udev/rules.d + /usr/share/dbus-1 + /usr/share/polkit-1 + /etc/systemd/system +" +REQUIRED_BINARIES=" + udisksd +" + diff --git a/remote/modules/udisks/udisks.conf.opensuse b/remote/modules/udisks/udisks.conf.opensuse new file mode 100644 index 00000000..abf12be7 --- /dev/null +++ b/remote/modules/udisks/udisks.conf.opensuse @@ -0,0 +1,7 @@ +REQUIRED_INSTALLED_PACKAGES=" + udisks2 +" +REQUIRED_CONTENT_PACKAGES=" + udisks2 +" + diff --git a/remote/modules/udisks/udisks.conf.ubuntu b/remote/modules/udisks/udisks.conf.ubuntu new file mode 100644 index 00000000..abf12be7 --- /dev/null +++ b/remote/modules/udisks/udisks.conf.ubuntu @@ -0,0 +1,7 @@ +REQUIRED_INSTALLED_PACKAGES=" + udisks2 +" +REQUIRED_CONTENT_PACKAGES=" + udisks2 +" + diff --git a/remote/modules/udisks/udisks.conf.ubuntu.12 b/remote/modules/udisks/udisks.conf.ubuntu.12 new file mode 100644 index 00000000..0b8690bd --- /dev/null +++ b/remote/modules/udisks/udisks.conf.ubuntu.12 @@ -0,0 +1,7 @@ +REQUIRED_INSTALLED_PACKAGES=" + udisks +" +REQUIRED_CONTENT_PACKAGES=" + udisks +" + diff --git a/remote/setup_target b/remote/setup_target index 9db5ba20..b783729f 100755 --- a/remote/setup_target +++ b/remote/setup_target @@ -355,25 +355,6 @@ post_process_target() { rm -r "${TARGET_BUILD_DIR}/lib/systemd" fi - # replace ck connector with fake one - # CAVE: On Scientific Lunux (6.4) and perhaps others: - # If include dbus/dbus-arch-deps.h is missing (file not found) either set a symb. link: - # /usr/include/dbus-1.0/dbus/dbus-arch-deps.h -> /usr/lib(64)/dbus-1.0/include/dbus/dbus-arch-deps.h - # or execute "pkg-config dbus-1 --cflags". - - local CK_LIBS=$(find "$TARGET_BUILD_DIR" -name "libck-connector.so*") - if [ -n "$CK_LIBS" ]; then - pinfo "Replacing libck-connector with dummy" - local SRC="$ROOT_DIR/remote/post-patch/ck-connector/fake-ck-connector.c" - local BIN="$ROOT_DIR/remote/post-patch/ck-connector/libck-connector.so" - if [ ! -s "$BIN" ]; then - gcc -O3 -shared -o "$BIN" "-I/usr/include/dbus-1.0" "-I/usr/lib/$ARCH_TRIPLET/dbus-1.0/include" "$SRC" || perror "Compiling fake libck-connector.so failed. Make sure libdbus-1-dev is installed." - fi - for OCCURENCE in $CK_LIBS; do - cp "$BIN" "$OCCURENCE" || perror "Frickeling ck-connector to $OCCURENCE failed." - done - fi - # figure out all relevant ld-paths pinfo "Running ldconfig" local LDTEMP="$TARGET_BUILD_DIR/ldconf-temp" diff --git a/remote/targets/stage32/consolekit b/remote/targets/stage32/consolekit new file mode 120000 index 00000000..261968c7 --- /dev/null +++ b/remote/targets/stage32/consolekit @@ -0,0 +1 @@ +../../modules/consolekit
\ No newline at end of file diff --git a/remote/targets/stage32/polkit b/remote/targets/stage32/polkit new file mode 120000 index 00000000..0ad0b111 --- /dev/null +++ b/remote/targets/stage32/polkit @@ -0,0 +1 @@ +../../modules/polkit
\ No newline at end of file diff --git a/remote/targets/stage32/udisks b/remote/targets/stage32/udisks new file mode 120000 index 00000000..06e7da5f --- /dev/null +++ b/remote/targets/stage32/udisks @@ -0,0 +1 @@ +../../modules/udisks
\ No newline at end of file diff --git a/server/configs/offenburg/pam-hso b/server/configs/offenburg/pam-hso new file mode 120000 index 00000000..700c42e0 --- /dev/null +++ b/server/configs/offenburg/pam-hso @@ -0,0 +1 @@ +../../modules/pam-hso
\ No newline at end of file diff --git a/server/modules/pam-hso/etc/ldap.conf b/server/modules/pam-hso/etc/ldap.conf new file mode 100644 index 00000000..086e58c1 --- /dev/null +++ b/server/modules/pam-hso/etc/ldap.conf @@ -0,0 +1,297 @@ +###DEBCONF### +## +## Configuration of this file will be managed by debconf as long as the +## first line of the file says '###DEBCONF###' +## +## You should use dpkg-reconfigure to configure this file via debconf +## + +# +# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $ +# +# This is the configuration file for the LDAP nameservice +# switch library and the LDAP PAM module. +# +# PADL Software +# http://www.padl.com +# + +# Your LDAP server. Must be resolvable without using LDAP. +# Multiple hosts may be specified, each separated by a +# space. How long nss_ldap takes to failover depends on +# whether your LDAP client library supports configurable +# network or connect timeouts (see bind_timelimit). +#host 127.0.0.1 + +# The distinguished name of the search base. +base o=fho + +# Another way to specify your LDAP server is to provide an +uri ldaps://fs3.rz.hs-offenburg.de +# Unix Domain Sockets to connect to a local LDAP Server. +#uri ldap://127.0.0.1/ +#uri ldaps://127.0.0.1/ +#uri ldapi://%2fvar%2frun%2fldapi_sock/ +# Note: %2f encodes the '/' used as directory separator + +# The LDAP version to use (defaults to 3 +# if supported by client library) +ldap_version 3 + +# The distinguished name to bind to the server with. +# Optional: default is to bind anonymously. +binddn cn=ldap_proxy_openslx,ou=misc,o=fho + +# The credentials to bind with. +# Optional: default is no credential. +bindpw !N4ye,04u.!N4ye,04u.!N4ye,04u. + +# The distinguished name to bind to the server with +# if the effective user ID is root. Password is +# stored in /etc/ldap.secret (mode 600) +#rootbinddn cn=manager,dc=padl,dc=com + +# The port. +# Optional: default is 389. +#port 389 + +# The search scope. +#scope sub +#scope one +#scope base + +# Search timelimit +#timelimit 30 + +# Bind/connect timelimit +#bind_timelimit 30 + +# Reconnect policy: hard (default) will retry connecting to +# the software with exponential backoff, soft will fail +# immediately. +#bind_policy hard + +# Idle timelimit; client will close connections +# (nss_ldap only) if the server has not been contacted +# for the number of seconds specified below. +#idle_timelimit 3600 + +# Filter to AND with uid=%s +#pam_filter objectclass=account + +# The user ID attribute (defaults to uid) +#pam_login_attribute uid + +# Search the root DSE for the password policy (works +# with Netscape Directory Server) +#pam_lookup_policy yes + +# Check the 'host' attribute for access control +# Default is no; if set to yes, and user has no +# value for the host attribute, and pam_ldap is +# configured for account management (authorization) +# then the user will not be allowed to login. +#pam_check_host_attr yes + +# Check the 'authorizedService' attribute for access +# control +# Default is no; if set to yes, and the user has no +# value for the authorizedService attribute, and +# pam_ldap is configured for account management +# (authorization) then the user will not be allowed +# to login. +#pam_check_service_attr yes + +# Group to enforce membership of +#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com + +# Group member attribute +#pam_member_attribute uniquemember + +# Specify a minium or maximum UID number allowed +#pam_min_uid 0 +#pam_max_uid 0 + +# Template login attribute, default template user +# (can be overriden by value of former attribute +# in user's entry) +#pam_login_attribute userPrincipalName +#pam_template_login_attribute uid +#pam_template_login nobody + +# HEADS UP: the pam_crypt, pam_nds_passwd, +# and pam_ad_passwd options are no +# longer supported. +# +# Do not hash the password at all; presume +# the directory server will do it, if +# necessary. This is the default. +pam_password md5 + +# Hash password locally; required for University of +# Michigan LDAP server, and works with Netscape +# Directory Server if you're using the UNIX-Crypt +# hash mechanism and not using the NT Synchronization +# service. +#pam_password crypt + +# Remove old password first, then update in +# cleartext. Necessary for use with Novell +# Directory Services (NDS) +#pam_password clear_remove_old +#pam_password nds + +# RACF is an alias for the above. For use with +# IBM RACF +#pam_password racf + +# Update Active Directory password, by +# creating Unicode password and updating +# unicodePwd attribute. +#pam_password ad + +# Use the OpenLDAP password change +# extended operation to update the password. +#pam_password exop + +# Redirect users to a URL or somesuch on password +# changes. +#pam_password_prohibit_message Please visit http://internal to change your password. + +# RFC2307bis naming contexts +# Syntax: +# nss_base_XXX base?scope?filter +# where scope is {base,one,sub} +# and filter is a filter to be &'d with the +# default filter. +# You can omit the suffix eg: +# nss_base_passwd ou=People, +# to append the default base DN but this +# may incur a small performance impact. +#nss_base_passwd ou=People,dc=padl,dc=com?one +#nss_base_shadow ou=People,dc=padl,dc=com?one +#nss_base_group ou=Group,dc=padl,dc=com?one +#nss_base_hosts ou=Hosts,dc=padl,dc=com?one +#nss_base_services ou=Services,dc=padl,dc=com?one +#nss_base_networks ou=Networks,dc=padl,dc=com?one +#nss_base_protocols ou=Protocols,dc=padl,dc=com?one +#nss_base_rpc ou=Rpc,dc=padl,dc=com?one +#nss_base_ethers ou=Ethers,dc=padl,dc=com?one +#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne +#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one +#nss_base_aliases ou=Aliases,dc=padl,dc=com?one +#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one + +# attribute/objectclass mapping +# Syntax: +#nss_map_attribute rfc2307attribute mapped_attribute +#nss_map_objectclass rfc2307objectclass mapped_objectclass + +# configure --enable-nds is no longer supported. +# NDS mappings +#nss_map_attribute uniqueMember member + +# Services for UNIX 3.5 mappings +#nss_map_objectclass posixAccount User +#nss_map_objectclass shadowAccount User +#nss_map_attribute uid msSFU30Name +#nss_map_attribute uniqueMember msSFU30PosixMember +#nss_map_attribute userPassword msSFU30Password +#nss_map_attribute homeDirectory msSFU30HomeDirectory +#nss_map_attribute homeDirectory msSFUHomeDirectory +#nss_map_objectclass posixGroup Group +#pam_login_attribute msSFU30Name +#pam_filter objectclass=User +#pam_password ad + +# configure --enable-mssfu-schema is no longer supported. +# Services for UNIX 2.0 mappings +#nss_map_objectclass posixAccount User +#nss_map_objectclass shadowAccount user +#nss_map_attribute uid msSFUName +#nss_map_attribute uniqueMember posixMember +#nss_map_attribute userPassword msSFUPassword +#nss_map_attribute homeDirectory msSFUHomeDirectory +#nss_map_attribute shadowLastChange pwdLastSet +#nss_map_objectclass posixGroup Group +#nss_map_attribute cn msSFUName +#pam_login_attribute msSFUName +#pam_filter objectclass=User +#pam_password ad + +# RFC 2307 (AD) mappings +#nss_map_objectclass posixAccount user +#nss_map_objectclass shadowAccount user +#nss_map_attribute uid sAMAccountName +#nss_map_attribute homeDirectory unixHomeDirectory +#nss_map_attribute shadowLastChange pwdLastSet +#nss_map_objectclass posixGroup group +#nss_map_attribute uniqueMember member +#pam_login_attribute sAMAccountName +#pam_filter objectclass=User +#pam_password ad + +# configure --enable-authpassword is no longer supported +# AuthPassword mappings +#nss_map_attribute userPassword authPassword + +# AIX SecureWay mappings +#nss_map_objectclass posixAccount aixAccount +#nss_base_passwd ou=aixaccount,?one +#nss_map_attribute uid userName +#nss_map_attribute gidNumber gid +#nss_map_attribute uidNumber uid +#nss_map_attribute userPassword passwordChar +#nss_map_objectclass posixGroup aixAccessGroup +#nss_base_group ou=aixgroup,?one +#nss_map_attribute cn groupName +#nss_map_attribute uniqueMember member +#pam_login_attribute userName +#pam_filter objectclass=aixAccount +#pam_password clear + +# Netscape SDK LDAPS +#ssl on + +# Netscape SDK SSL options +#sslpath /etc/ssl/certs + +# OpenLDAP SSL mechanism +# start_tls mechanism uses the normal LDAP port, LDAPS typically 636 +#ssl start_tls +#ssl on + +# OpenLDAP SSL options +# Require and verify server certificate (yes/no) +# Default is to use libldap's default behavior, which can be configured in +# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for +# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". +#tls_checkpeer yes + +# CA certificates for server certificate verification +# At least one of these are required if tls_checkpeer is "yes" +#tls_cacertfile /etc/ssl/ca.cert +#tls_cacertdir /etc/ssl/certs + +# Seed the PRNG if /dev/urandom is not provided +#tls_randfile /var/run/egd-pool + +# SSL cipher suite +# See man ciphers for syntax +#tls_ciphers TLSv1 + +# Client certificate and key +# Use these, if your server requires client authentication. +#tls_cert +#tls_key + +# Disable SASL security layers. This is needed for AD. +#sasl_secprops maxssf=0 + +# Override the default Kerberos ticket cache location. +#krb5_ccname FILE:/etc/.ldapcache + +# SASL mechanism for PAM authentication - use is experimental +# at present and does not support password policy control +#pam_sasl_mech DIGEST-MD5 +nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,nslcd,proxy,pulse,root,rtkit,saned,speech-dispatcher,sync,sys,syslog,usbmux,uucp,whoopsie,www-data diff --git a/server/modules/pam-hso/etc/pam-script/pam_script_ses_close b/server/modules/pam-hso/etc/pam-script/pam_script_ses_close new file mode 100755 index 00000000..8bc8d3bb --- /dev/null +++ b/server/modules/pam-hso/etc/pam-script/pam_script_ses_close @@ -0,0 +1,7 @@ +#!/bin/bash + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/bin:/opt/openslx/sbin:/opt/openslx/usr/bin:/opt/openslx/usr/sbin" + +echo "[$PAM_TYPE] Closing session for $PAM_USER" + +[ $(id -g $PAM_USER) -eq 1001 ] && umount /home/$PAM_USER diff --git a/server/modules/pam-hso/etc/pam-script/pam_script_ses_open b/server/modules/pam-hso/etc/pam-script/pam_script_ses_open new file mode 100755 index 00000000..2189c347 --- /dev/null +++ b/server/modules/pam-hso/etc/pam-script/pam_script_ses_open @@ -0,0 +1,25 @@ +#!/bin/sh + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/bin:/opt/openslx/sbin:/opt/openslx/usr/bin:/opt/openslx/usr/sbin" + + +#check who is logged in to put the "Home"-Folder on the correct Desktop +#Doesn't work with root! +#export loggedInUser=$(whoami) +[ ! -z "$PAM_USER" ] && export loggedInUser="$PAM_USER" + + +#create Folder on Desktop to link with H-Drive, if not already existent +if [ ! -d /home/users/$loggedInUser ]; then + mkdir -p /home/users/$loggedInUser +fi + + +#ask for username +#read -p "Benutzername: " username + + +#mount H-Drive +ncpmount -A fs1-2-home.rz.hs-offenburg.de -S fs1-2-home.rz.hs-offenburg.de -V HOME/USERS/$loggedInUser -U $loggedInUser.HRZ.FHO /home/users/$loggedInUser + + diff --git a/server/modules/pam-hso/etc/pam-script/pam_script_ses_open.bak b/server/modules/pam-hso/etc/pam-script/pam_script_ses_open.bak new file mode 100755 index 00000000..79a94169 --- /dev/null +++ b/server/modules/pam-hso/etc/pam-script/pam_script_ses_open.bak @@ -0,0 +1,30 @@ +#!/bin/bash + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/bin:/opt/openslx/sbin:/opt/openslx/usr/bin:/opt/openslx/usr/sbin" + +echo "[$PAM_TYPE] Opening session for $PAM_USER" + +if [ $(id -g $PAM_USER) -eq 1001 ]; then + echo "[$PAM_TYPE] Mounting home directory for $PAM_USER" + + # generate keytab + sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab + chmod 600 /etc/krb5.keytab + + # determine fileserver and share for home directories + ldapsearch -x -LLL uid="$PAM_USER" homeDirectory rufFileserver > /tmp/ldapsearch."$PAM_USER" + + FILESERVER=$(cat /tmp/ldapsearch.$PAM_USER | grep rufFileserver | cut -d" " -f2) + VOLUME=$(cat /tmp/ldapsearch.$PAM_USER | grep homeDirectory | cut -d" " -f2) + + # now we can mount the home directory + mkdir -p /home/$PAM_USER + if mount -t nfs4 -o rw,nosuid,nodev,nolock,intr,hard,sloppy,sec=krb5p "$FILESERVER":"$VOLUME" /home/"$PAM_USER"; then + exit 0 + else + echo "Failed to mount home directory for $PAM_USER" + exit 1 + fi + +fi + diff --git a/server/modules/pam-hso/etc/pam-script/pam_script_ses_open.save b/server/modules/pam-hso/etc/pam-script/pam_script_ses_open.save new file mode 100755 index 00000000..1bbb9d81 --- /dev/null +++ b/server/modules/pam-hso/etc/pam-script/pam_script_ses_open.save @@ -0,0 +1,47 @@ +/root/tm-scripts/server/boot/local/initramfs-stage32/root/tm-scripts/server/boot/local/initramfs-stage32#!/bin/sh + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/bin:/opt/openslx/sbin:/opt/openslx/usr/bin:/opt/openslx/usr/sbin" + + +#check who is logged in to put the "Home"-Folder on the correct Desktop +#Doesn't work with root! +#export loggedInUser=$(whoami) +[ ! -z "$PAM_USER" ] && export loggedInUser="$PAM_USER" + + +#create Folder on Desktop to link with H-Drive, if not already existent +if [ ! -d /home/$loggedInUser ]; then + mkdir -p /home/$loggedInUser +fi + + +#ask for username +#read -p "Benutzername: " username + + +#mount H-Drive +ncpmount -A fs1-2-home.rz.hs-offenburg.de -S fs1-2-home.rz.hs-offenburg.de -V HOME/USERS/$loggedInUser -U $loggedInUser.HRZ.FHO /home/$loggedInUser#!/bin/sh + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/bin:/opt/openslx/sbin:/opt/openslx/usr/bin:/opt/openslx/usr/sbin" + + +#check who is logged in to put the "Home"-Folder on the correct Desktop +#Doesn't work with root! +#export loggedInUser=$(whoami) +[ ! -z "$PAM_USER" ] && export loggedInUser="$PAM_USER" + + +#create Folder on Desktop to link with H-Drive, if not already existent +if [ ! -d /home/$loggedInUser ]; then + mkdir -p /home/$loggedInUser +fi + + +#ask for username +#read -p "Benutzername: " username + + +#mount H-Drive +ncpmount -A fs1-2-home.rz.hs-offenburg.de -S fs1-2-home.rz.hs-offenburg.de -V HOME/USERS/$loggedInUser -U $loggedInUser.HRZ.FHO /home/$loggedInUser + + diff --git a/server/modules/pam-hso/etc/pam.d/common-account b/server/modules/pam-hso/etc/pam.d/common-account new file mode 100644 index 00000000..3a5d5a14 --- /dev/null +++ b/server/modules/pam-hso/etc/pam.d/common-account @@ -0,0 +1,26 @@ +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authorization modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired in /etc/shadow. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. +# + +# here are the per-package modules (the "Primary" block) +account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so +account [success=1 new_authtok_reqd=done default=ignore] pam_ldap.so use_first_pass +# here's the fallback if no module succeeds +account requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +account required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/server/modules/pam-hso/etc/pam.d/common-auth b/server/modules/pam-hso/etc/pam.d/common-auth new file mode 100644 index 00000000..8a2d4c86 --- /dev/null +++ b/server/modules/pam-hso/etc/pam.d/common-auth @@ -0,0 +1,26 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +auth [success=2 default=ignore] pam_unix.so try_first_pass +auth [success=1 default=ignore] pam_ldap.so use_first_pass nullok_secure +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/server/modules/pam-hso/etc/pam.d/common-password b/server/modules/pam-hso/etc/pam.d/common-password new file mode 100644 index 00000000..cb8c7b71 --- /dev/null +++ b/server/modules/pam-hso/etc/pam.d/common-password @@ -0,0 +1,33 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# +# The "sha512" option enables salted SHA512 passwords. Without this option, +# the default is Unix crypt. Prior releases used the option "md5". +# +# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +# login.defs. +# +# See the pam_unix manpage for other options. + +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +password [success=1 default=ignore] pam_unix.so obscure sha512 +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/server/modules/pam-hso/etc/pam.d/common-session b/server/modules/pam-hso/etc/pam.d/common-session new file mode 100644 index 00000000..4c4a7e95 --- /dev/null +++ b/server/modules/pam-hso/etc/pam.d/common-session @@ -0,0 +1,36 @@ +# +# /etc/pam.d/common-session - session-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of sessions of *any* kind (both interactive and +# non-interactive). +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# The pam_umask module will set the umask according to the system default in +# /etc/login.defs and user settings, solving the problem of different +# umask settings with different shells, display managers, remote sessions etc. +# See "man pam_umask". +session optional pam_umask.so +# and here are more per-package modules (the "Additional" block) +session required pam_systemd.so +session optional pam_env.so readenv=1 +session optional pam_env.so readenv=1 envfile=/etc/default/locale +session [success=1] pam_unix.so +session [success=ok] pam_ldap.so +session sufficient pam_script.so +session optional pam_mkhomedir.so skel=/etc/skel umask=0022 +# end of pam-auth-update config diff --git a/server/modules/pam-hso/etc/pam.d/common-session-noninteractive b/server/modules/pam-hso/etc/pam.d/common-session-noninteractive new file mode 100644 index 00000000..1fee2c4f --- /dev/null +++ b/server/modules/pam-hso/etc/pam.d/common-session-noninteractive @@ -0,0 +1,30 @@ +# +# /etc/pam.d/common-session-noninteractive - session-related modules +# common to all non-interactive services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of all non-interactive sessions. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# The pam_umask module will set the umask according to the system default in +# /etc/login.defs and user settings, solving the problem of different +# umask settings with different shells, display managers, remote sessions etc. +# See "man pam_umask". +session optional pam_umask.so +# and here are more per-package modules (the "Additional" block) +session required pam_unix.so +# end of pam-auth-update config diff --git a/server/modules/pam-hso/etc/pam.d/kdm b/server/modules/pam-hso/etc/pam.d/kdm new file mode 100644 index 00000000..e6a4ec9b --- /dev/null +++ b/server/modules/pam-hso/etc/pam.d/kdm @@ -0,0 +1,10 @@ +# +# /etc/pam.d/kdm - specify the PAM behaviour of kdm +# +auth required pam_nologin.so +auth required pam_env.so readenv=1 +auth required pam_env.so readenv=1 envfile=/etc/default/locale +auth include common-auth +account include common-account +password include common-password +session include common-session diff --git a/server/modules/pam-hso/etc/pam.d/kdm-np b/server/modules/pam-hso/etc/pam.d/kdm-np new file mode 100644 index 00000000..dc10e5b5 --- /dev/null +++ b/server/modules/pam-hso/etc/pam.d/kdm-np @@ -0,0 +1,11 @@ +# +# /etc/pam.d/kdm-np - specify the PAM behaviour of kdm for passwordless logins +# +auth required pam_nologin.so +auth required pam_env.so readenv=1 +auth required pam_env.so readenv=1 envfile=/etc/default/locale +session required pam_limits.so +account include common-account +password include common-password +session include common-session +auth required pam_permit.so diff --git a/server/modules/pam-hso/etc/pam.d/login b/server/modules/pam-hso/etc/pam.d/login new file mode 100644 index 00000000..1065f351 --- /dev/null +++ b/server/modules/pam-hso/etc/pam.d/login @@ -0,0 +1,101 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +# OpenSLX: Not Needed? +#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +auth include common-auth + +# TODO do we need this? +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +#auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# TODO do we need this? +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +#session required pam_limits.so + +# TODO check if this is needed +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Standard Un*x account and session +account include common-account +session include common-session +password include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/server/modules/pam-hso/etc/pam.d/other b/server/modules/pam-hso/etc/pam.d/other new file mode 100644 index 00000000..840eb77f --- /dev/null +++ b/server/modules/pam-hso/etc/pam.d/other @@ -0,0 +1,10 @@ +#%PAM-1.0 +auth required pam_warn.so +auth required pam_deny.so +account required pam_warn.so +account required pam_deny.so +password required pam_warn.so +password required pam_deny.so +session required pam_warn.so +session required pam_deny.so + diff --git a/server/modules/pam-hso/etc/pam.d/passwd b/server/modules/pam-hso/etc/pam.d/passwd new file mode 100644 index 00000000..32eaa3c6 --- /dev/null +++ b/server/modules/pam-hso/etc/pam.d/passwd @@ -0,0 +1,6 @@ +# +# The PAM configuration file for the Shadow `passwd' service +# + +password include common-password + diff --git a/server/modules/pam-hso/etc/pam.d/sshd b/server/modules/pam-hso/etc/pam.d/sshd new file mode 100644 index 00000000..8954d639 --- /dev/null +++ b/server/modules/pam-hso/etc/pam.d/sshd @@ -0,0 +1,41 @@ +# PAM configuration for the Secure Shell service + +# Read environment variables from /etc/environment and +# /etc/security/pam_env.conf. +auth required pam_env.so # [1] +# In Debian 4.0 (etch), locale-related environment variables were moved to +# /etc/default/locale, so read that as well. +auth required pam_env.so envfile=/etc/default/locale + +# Standard Un*x authentication. +auth include common-auth + +# Disallow non-root logins when /etc/nologin exists. +account required pam_nologin.so + +# Uncomment and edit /etc/security/access.conf if you need to set complex +# access limits that are hard to express in sshd_config. +# account required pam_access.so + +# Standard Un*x authorization. +account include common-account + +# Standard Un*x session setup and teardown. +session include common-session + +# Print the message of the day upon successful login. +session optional pam_motd.so # [1] + +# TODO do we need this? +# Print the status of the user's mailbox upon successful login. +#session optional pam_mail.so standard noenv # [1] + +# TODO do we need this? +# Set up user limits from /etc/security/limits.conf. +#session required pam_limits.so + +# Set up SELinux capabilities (need modified pam) +# session required pam_selinux.so multiple + +# Standard Un*x password updating. +password include common-password diff --git a/server/modules/pam-hso/etc/pam.d/vmware-authd b/server/modules/pam-hso/etc/pam.d/vmware-authd new file mode 100644 index 00000000..1f9b60f9 --- /dev/null +++ b/server/modules/pam-hso/etc/pam.d/vmware-authd @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include common-auth +account include common-account +password include common-password +session include common-session + diff --git a/server/modules/pam-hso/etc/pam.d/xdm b/server/modules/pam-hso/etc/pam.d/xdm new file mode 100644 index 00000000..d21651db --- /dev/null +++ b/server/modules/pam-hso/etc/pam.d/xdm @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include common-auth +account include common-account +password include common-password +session required pam_loginuid.so +session include common-session |