From a050086a244f8706249cb78ac41e7b1287a46100 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 22 Dec 2010 18:22:11 +0100 Subject: [PATCH] - add postlogin common PAM configuration file (#665059) --- pam.spec | 15 +++++++++++++-- postlogin.5 | 46 ++++++++++++++++++++++++++++++++++++++++++++++ postlogin.pamd | 3 +++ system-auth.5 | 33 +++++++++------------------------ 4 files changed, 71 insertions(+), 26 deletions(-) create mode 100644 postlogin.5 create mode 100644 postlogin.pamd diff --git a/pam.spec b/pam.spec index 912bed7..06302f3 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.3 -Release: 6%{?dist} +Release: 7%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, License: BSD and GPLv2+ @@ -22,6 +22,8 @@ Source12: system-auth.5 Source13: config-util.5 Source14: 90-nproc.conf Source15: pamtmp.conf +Source16: postlogin.pamd +Source17: postlogin.5 Patch1: pam-1.0.90-redhat-modules.patch Patch2: pam-1.0.91-std-noclose.patch Patch4: pam-1.1.0-console-nochmod.patch @@ -159,6 +161,7 @@ install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/password-auth install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_pamconfdir}/fingerprint-auth install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_pamconfdir}/smartcard-auth install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util +install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin install -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_secconfdir}/limits.d/90-nproc.conf install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd install -d -m 755 $RPM_BUILD_ROOT/var/log 
@@ -166,7 +169,11 @@ install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock # Install man pages. -install -m 644 %{SOURCE12} %{SOURCE13} $RPM_BUILD_ROOT%{_mandir}/man5/ +install -m 644 %{SOURCE12} %{SOURCE13} %{SOURCE17} $RPM_BUILD_ROOT%{_mandir}/man5/ +ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/password-auth.5 +ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/fingerprint-auth.5 +ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/smartcard-auth.5 + for phase in auth acct passwd session ; do ln -sf pam_unix.so $RPM_BUILD_ROOT%{_moduledir}/pam_unix_${phase}.so @@ -245,6 +252,7 @@ fi %config(noreplace) %{_pamconfdir}/fingerprint-auth %config(noreplace) %{_pamconfdir}/smartcard-auth %config(noreplace) %{_pamconfdir}/config-util +%config(noreplace) %{_pamconfdir}/postlogin %doc Copyright %doc doc/txts %doc doc/sag/*.txt doc/sag/html @@ -359,6 +367,9 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Wed Dec 22 2010 Tomas Mraz 1.1.3-7 +- add postlogin common PAM configuration file (#665059) + * Tue Dec 14 2010 Tomas Mraz 1.1.3-6 - include patches recently submitted and applied to upstream CVS diff --git a/postlogin.5 b/postlogin.5 new file mode 100644 index 0000000..3a8abcf --- /dev/null +++ b/postlogin.5 
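Review bot: The added `%{SOURCE17}` and the three `ln -sf system-auth.5 …` lines in the man-page install step put four new files under `%{_mandir}/man5/`, but this patch has no matching `%files` change for them; the only `%files` addition is `%config(noreplace) %{_pamconfdir}/postlogin`. The man-page entries in `%files` are outside the visible hunks, so it is worth confirming they use a glob such as `%{_mandir}/man5/*`. If they list pages individually, the build would presumably fail on unpackaged files or the new pages would be left out of the package. As a style point, the three links could be one loop that matches the `for phase in …` loop right after it: `for f in password-auth fingerprint-auth smartcard-auth ; do ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/$f.5 ; done`.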
@@ -0,0 +1,46 @@ +.TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual" +.SH NAME + +postlogin \- Common configuration file for PAMified services + +.SH SYNOPSIS +.B /etc/pam.d/postlogin +.sp 2 +.SH DESCRIPTION + +The purpose of this PAM configuration file is to provide a common +place for all PAM modules which should be called after the stack +configured in +.BR system-auth +or the other common PAM configuration files. + +.sp +The +.BR postlogin +configuration file is included from all individual service configuration +files that provide login service with shell or file access. + +.SH NOTES +The modules in the postlogin configuration file are executed regardless +of the success or failure of the modules in the +.BR system-auth +configuration file. + +.SH BUGS +.sp 2 +Sometimes it would be useful to be able to skip the postlogin modules in +case the substack of the +.BR system-auth +modules failed. Unfortunately the current Linux-PAM library does not +provide any way how to achieve this. + +.SH "SEE ALSO" +pam(8), config-util(5), system-auth(5) + +The three +.BR Linux-PAM +Guides, for +.BR "system administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/postlogin.pamd b/postlogin.pamd new file mode 100644 index 0000000..43d25c5 --- /dev/null +++ b/postlogin.pamd @@ -0,0 +1,3 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. diff --git a/system-auth.5 b/system-auth.5 index 8f8ef34..c0ca80b 100644 --- a/system-auth.5 +++ b/system-auth.5 @@ -1,4 +1,4 @@ -.TH SYSTEM-AUTH 5 "2009 Apr 10" "Red Hat" "Linux-PAM Manual" +.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual" .SH NAME system-auth \- Common configuration file for PAMified services @@ -20,7 +20,7 @@ The .BR system-auth configuration file is included from nearly all individual service configuration files with the help of the -.BR include +.BR substack directive. .sp 
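Review bot: The three-line header of the new `postlogin.pamd` file omits the property that sets this stack apart. According to the NOTES section of `postlogin.5` in this same patch, modules listed here run regardless of whether the `system-auth` modules succeeded or failed. I would add a comment such as `# Modules in this file run even if the system-auth stack failed; see postlogin(5).` so that an administrator does not add a module whose side effects should only follow a successful authentication. The "auto-generated" wording also holds only once authconfig has rewritten the file; as shipped it is a static package source installed with `%config(noreplace)`.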
@@ -33,36 +33,21 @@ different types of devices via simultaneously running individual conversations instead of one aggregate conversation. .SH NOTES -There should be no -.BR sufficient -modules in the -.BR session -part of -.BR system-auth -file because individual services may add session modules after -.BR include +Previously these common configuration files were included with the help of the -.BR system-auth -file. Execution of these modules would be skipped if there were sufficient -modules in -.BR system-auth -file. - -.sp -Conversely there should not be any modules after .BR include -directive in the individual service files in -.BR auth account -and -.BR password -sections otherwise they could be bypassed. +directive. This limited the use of the different action types of modules. +With the use of +.BR substack +directive to include these common configuration files this limitation +no longer applies. .SH BUGS .sp 2 None known. .SH "SEE ALSO" -pam(8), config-util(5) +pam(8), config-util(5), postlogin(5) The three .BR Linux-PAM