From 3f84ee4afe4a6ec1246be51ac0c858b4ab9e3f92 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 20 Nov 2013 17:42:43 +0100
Subject: [pam-freiburg] Add nox11 to ck-connector as ubuntu is our productive env for now, and it requires this option
---
server/modules/pam-freiburg/etc/pam.d/common-session | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
(limited to 'server')
diff --git a/server/modules/pam-freiburg/etc/pam.d/common-session b/server/modules/pam-freiburg/etc/pam.d/common-session
index 9a8b73e1..26ff89a3 100644
--- a/server/modules/pam-freiburg/etc/pam.d/common-session
+++ b/server/modules/pam-freiburg/etc/pam.d/common-session
@@ -13,26 +13,26 @@
 # pam-auth-update(8) for details.
 # here are the per-package modules (the "Primary" block)
-session [default=1] pam_permit.so
+session [default=1] pam_permit.so
 # here's the fallback if no module succeeds
-session requisite pam_deny.so
+session requisite pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
 # this avoids us returning an error just because nothing sets a success code
 # since the modules above will each just jump around
-session required pam_permit.so
+session required pam_permit.so
 # The pam_umask module will set the umask according to the system default in
 # /etc/login.defs and user settings, solving the problem of different
 # umask settings with different shells, display managers, remote sessions etc.
 # See "man pam_umask".
 session optional pam_umask.so
 # and here are more per-package modules (the "Additional" block)
-session required pam_systemd.so
-session optional pam_ck_connector.so
+session required pam_systemd.so
+session optional pam_ck_connector.so nox11
 session optional pam_env.so readenv=1
 session optional pam_env.so readenv=1 envfile=/etc/default/locale
-session optional pam_krb5.so minimum_uid=1000
-session [success=1] pam_unix.so
+session optional pam_krb5.so minimum_uid=1000
+session [success=1] pam_unix.so
 session [success=ok] pam_ldap.so
-session sufficient pam_script.so
+session sufficient pam_script.so
 session optional pam_mkhomedir.so skel=/etc/skel umask=0022
 # end of pam-auth-update config
-- cgit v1.2.3-55-g7522
From 40d4ef0dfb1487b599973f14b89fc80c2dc2cfdf Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 21 Nov 2013 17:29:31 +0100
Subject: [stage4-blacklist] Remove links to shell, poweroff/reboot/shutdown, whitelist xfce desktop environment
---
server/blacklists/desktop-sessions/filter | 1 +
server/blacklists/essential/linux-base | 6 ++++++
2 files changed, 7 insertions(+)
(limited to 'server')
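Review bot: The only functional change in the `common-session` hunk is the `nox11` argument on the `pam_ck_connector.so` line, and nothing in the file records why it is there; the other seven changed lines appear to differ only in whitespace, which makes the one behavioural edit easy to miss. With `nox11`, pam_ck_connector does not open a ConsoleKit session when PAM reports an X11 display, so graphical logins depend on the display manager to register the session that local/active authorization checks rely on. I would add a comment above the line, for example `# nox11: X11 logins get their CK session from the display manager (required on Ubuntu)`. The line also sits inside the block that ends at `# end of pam-auth-update config`, so it is worth confirming that nothing regenerates this file and silently drops the option.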
diff --git a/server/blacklists/desktop-sessions/filter b/server/blacklists/desktop-sessions/filter
index 66d3589a..aafd1156 100644
--- a/server/blacklists/desktop-sessions/filter
+++ b/server/blacklists/desktop-sessions/filter
@@ -2,3 +2,4 @@
 + /usr/share/xsessions/gnome.desktop
 + /usr/share/xsessions/kde-plasma.desktop
 + /usr/share/xsessions/ubuntu.desktop
++ /usr/share/xsessions/xfce.desktop
diff --git a/server/blacklists/essential/linux-base b/server/blacklists/essential/linux-base
index 4f58b6c9..f83ef1ac 100644
--- a/server/blacklists/essential/linux-base
+++ b/server/blacklists/essential/linux-base
@@ -32,5 +32,11 @@
 - /initrd.img.old
 - /vmlinuz
 - /vmlinuz.old
+# Interfering binaries/links
+- /sbin/shutdown
+- /sbin/reboot
+- /sbin/poweroff
+- /sbin/halt
+- /bin/sh
 # This is where the bind-mount of mltk resides...
 - /export/build
-- cgit v1.2.3-55-g7522
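Review bot: The new comment `# Interfering binaries/links` in `linux-base` does not say what these five paths interfere with or which component supplies them instead. `/bin/sh` in particular needs that explanation: once it is excluded, every `#!/bin/sh` script and every `system()`/`popen()` call in the resulting image depends on some other layer providing that path. I would expand the comment to name the provider, and mention that `/sbin/halt` is covered too, since the commit subject lists only shell, poweroff, reboot and shutdown. If part of the intent is to keep users from powering off or restarting clients, excluding these paths is not an access control by itself; that belongs in session or policy configuration. The rest of the exclusion list lies outside this hunk.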