author | dheerajpdsk <p.dheeraj.srujan.kumar@intel.com> | 2023-12-31 18:41:27 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-31 18:41:27 +0300 |
commit | 0127bdba37b5e22adcc423d170589211de377e2e (patch) | |
tree | c4e595e183ef7500206e30f687bb384f73f58fa8 /meta-openbmc-mods/meta-common/recipes-extended/pam/libpam | |
parent | 2561f0aabb8c6a13475d56b5a14bde1f18909d7f (diff) | |
parent | 7f53998bd3726c808abf8b0c4950e25db29d9ea2 (diff) | |
download | openbmc-0127bdba37b5e22adcc423d170589211de377e2e.tar.xz |
Merge pull request #129 from Intel-BMC/update1-1.11-1
Update to internal 1-1.11-1
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-extended/pam/libpam')
15 files changed, 543 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch
new file mode 100644
index 000000000..40040a873
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch
@@ -0,0 +1,65 @@
+From e8e8ccfd57e0274b431bc5717bf37c488285b07b Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Wed, 27 Oct 2021 10:30:46 +0800
+Subject: [PATCH] run-xtests.sh: check whether files exist
+
+Fixes:
+ # ./run-xtests.sh . tst-pam_access1
+ mv: cannot stat '/etc/security/opasswd': No such file or directory
+ PASS: tst-pam_access1
+ mv: cannot stat '/etc/security/opasswd-pam-xtests': No such file or directory
+ ==================
+ 1 tests passed
+ 0 tests not run
+ ==================
+
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/e8e8ccfd57e0274b431bc5717bf37c488285b07b]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ xtests/run-xtests.sh | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/xtests/run-xtests.sh b/xtests/run-xtests.sh
+index 14f585d9..ff9a4dc1 100755
+--- a/xtests/run-xtests.sh
++++ b/xtests/run-xtests.sh
+@@ -18,10 +18,12 @@ all=0
+ 
+ mkdir -p /etc/security
+ for config in access.conf group.conf time.conf limits.conf ; do
+- cp /etc/security/$config /etc/security/$config-pam-xtests
++ [ -f "/etc/security/$config" ] &&
++ mv /etc/security/$config /etc/security/$config-pam-xtests
+ install -m 644 "${SRCDIR}"/$config /etc/security/$config
+ done
+-mv /etc/security/opasswd /etc/security/opasswd-pam-xtests
++[ -f /etc/security/opasswd ] &&
++ mv /etc/security/opasswd /etc/security/opasswd-pam-xtests
+ 
+ for testname in $XTESTS ; do
+ for cfg in "${SRCDIR}"/$testname*.pamd ; do
+@@ -47,11 +49,15 @@ for testname in $XTESTS ; do
+ all=`expr $all + 1`
+ rm -f /etc/pam.d/$testname*
+ done
+-mv /etc/security/access.conf-pam-xtests /etc/security/access.conf
+-mv /etc/security/group.conf-pam-xtests /etc/security/group.conf
+-mv /etc/security/time.conf-pam-xtests /etc/security/time.conf
+-mv /etc/security/limits.conf-pam-xtests /etc/security/limits.conf
+-mv /etc/security/opasswd-pam-xtests /etc/security/opasswd
++
++for config in access.conf group.conf time.conf limits.conf opasswd ; do
++ if [ -f "/etc/security/$config-pam-xtests" ]; then
++ mv /etc/security/$config-pam-xtests /etc/security/$config
++ else
++ rm -f /etc/security/$config
++ fi
++done
++
+ if test "$failed" -ne 0; then
+ echo "==================="
+ echo "$failed of $all tests failed"
+-- 
+2.32.0
+
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/99_pam b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/99_pam
new file mode 100644
index 000000000..a88247be1
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/99_pam
@@ -0,0 +1 @@
+d root root 0755 /run/sepermit none
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
new file mode 100644
index 000000000..e7bf03f9f
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch
@@ -0,0 +1,205 @@
+From 23393bef92c1e768eda329813d7af55481c6ca9f Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk <kukuk@suse.com>
+Date: Thu, 24 Feb 2022 10:37:32 +0100
+Subject: [PATCH 2/2] pam_access: handle hostnames in access.conf
+
+According to the manual page, the following entry is valid but does not
+work:
+-:root:ALL EXCEPT localhost
+
+See https://bugzilla.suse.com/show_bug.cgi?id=1019866
+
+Patched is based on PR#226 from Josef Moellers
+
+Upstream-Status: Backport
+CVE: CVE-2022-28321
+
+Reference to upstream patch:
+[https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ modules/pam_access/pam_access.c | 95 ++++++++++++++++++++++++++-------
+ 1 file changed, 76 insertions(+), 19 deletions(-)
+
+diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
+index 277192b..bca424f 100644
+--- a/modules/pam_access/pam_access.c
++++ b/modules/pam_access/pam_access.c
+@@ -637,7 +637,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+ if ((str_len = strlen(string)) > tok_len
+ && strcasecmp(tok, string + str_len - tok_len) == 0)
+ return YES;
+- } else if (tok[tok_len - 1] == '.') {
++ } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */
+ struct addrinfo hint;
+ 
+ memset (&hint, '\0', sizeof (hint));
+@@ -678,7 +678,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+ return NO;
+ }
+ 
+- /* Assume network/netmask with an IP of a host. */
++ /* Assume network/netmask, IP address or hostname. */
+ return network_netmask_match(pamh, tok, string, item);
+ }
+ 
+@@ -696,7 +696,7 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
+ /*
+ * If the token has the magic value "ALL" the match always succeeds.
+ * Otherwise, return YES if the token fully matches the string.
+- * "NONE" token matches NULL string.
++ * "NONE" token matches NULL string.
+ */
+ 
+ if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
+@@ -714,7 +714,8 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
+ 
+ /* network_netmask_match - match a string against one token
+ * where string is a hostname or ip (v4,v6) address and tok
+- * represents either a single ip (v4,v6) address or a network/netmask
++ * represents either a hostname, a single ip (v4,v6) address
++ * or a network/netmask
+ */
+ static int
+ network_netmask_match (pam_handle_t *pamh,
+@@ -723,10 +724,12 @@ network_netmask_match (pam_handle_t *pamh,
+ char *netmask_ptr;
+ char netmask_string[MAXHOSTNAMELEN + 1];
+ int addr_type;
++ struct addrinfo *ai = NULL;
+ 
+ if (item->debug)
+- pam_syslog (pamh, LOG_DEBUG,
++ pam_syslog (pamh, LOG_DEBUG,
+ "network_netmask_match: tok=%s, item=%s", tok, string);
++ 
+ /* OK, check if tok is of type addr/mask */
+ if ((netmask_ptr = strchr(tok, '/')) != NULL)
+ {
+@@ -760,54 +763,108 @@ network_netmask_match (pam_handle_t *pamh,
+ netmask_ptr = number_to_netmask(netmask, addr_type,
+ netmask_string, MAXHOSTNAMELEN);
+ }
+- }
++
++ /*
++ * Construct an addrinfo list from the IP address.
++ * This should not fail as the input is a correct IP address...
++ */
++ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
++ {
++ return NO;
++ }
++ }
+ else
+- /* NO, then check if it is only an addr */
+- if (isipaddr(tok, NULL, NULL) != YES)
++ {
++ /*
++ * It is either an IP address or a hostname.
++ * Let getaddrinfo sort everything out
++ */
++ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
+ {
++ pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
++
+ return NO;
+ }
++ netmask_ptr = NULL;
++ }
+ 
+ if (isipaddr(string, NULL, NULL) != YES)
+ {
+- /* Assume network/netmask with a name of a host. */
+ struct addrinfo hint;
+ 
++ /* Assume network/netmask with a name of a host. */
+ memset (&hint, '\0', sizeof (hint));
+ hint.ai_flags = AI_CANONNAME;
+ hint.ai_family = AF_UNSPEC;
+ 
+ if (item->gai_rv != 0)
++ {
++ freeaddrinfo(ai);
+ return NO;
++ }
+ else if (!item->res &&
+ (item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
++ {
++ freeaddrinfo(ai);
+ return NO;
++ }
+ else
+ {
+ struct addrinfo *runp = item->res;
++ struct addrinfo *runp1;
+ 
+ while (runp != NULL)
+ {
+ char buf[INET6_ADDRSTRLEN];
+ 
+- DIAG_PUSH_IGNORE_CAST_ALIGN;
+- inet_ntop (runp->ai_family,
+- runp->ai_family == AF_INET
+- ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
+- : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
+- buf, sizeof (buf));
+- DIAG_POP_IGNORE_CAST_ALIGN;
++ if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
++ {
++ freeaddrinfo(ai);
++ return NO;
++ }
+ 
+- if (are_addresses_equal(buf, tok, netmask_ptr))
++ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
+ {
+- return YES;
++ char buf1[INET6_ADDRSTRLEN];
++
++ if (runp->ai_family != runp1->ai_family)
++ continue;
++
++ if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
++ {
++ freeaddrinfo(ai);
++ return NO;
++ }
++
++ if (are_addresses_equal (buf, buf1, netmask_ptr))
++ {
++ freeaddrinfo(ai);
++ return YES;
++ }
+ }
+ runp = runp->ai_next;
+ }
+ }
+ }
+ else
+- return (are_addresses_equal(string, tok, netmask_ptr));
++ {
++ struct addrinfo *runp1;
++
++ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
++ {
++ char buf1[INET6_ADDRSTRLEN];
++
++ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
++
++ if (are_addresses_equal(string, buf1, netmask_ptr))
++ {
++ freeaddrinfo(ai);
++ return YES;
++ }
++ }
++ }
++
++ freeaddrinfo(ai);
+ 
+ return NO;
+ }
+-- 
+2.37.3
+
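Review bot: In the final `else` branch of network_netmask_match (the case where `string` is already an IP address) the return of `getnameinfo` is discarded with `(void)`, so when the conversion fails `buf1` is handed to `are_addresses_equal` uninitialized; the hostname branch just above checks the same call and bails out with `freeaddrinfo(ai); return NO;`, and this branch should mirror it: `if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0) { freeaddrinfo(ai); return NO; }`. Since this file is a backport of an upstream commit, the correction belongs in a follow-up patch in the same recipe rather than an edit of this one. A second point is documentation: every token that is neither "ALL"/"NONE" nor an IP literal now goes through `getaddrinfo` at authentication time, an unresolvable name is logged at LOG_ERR and treated as NO, and a one-line comment above the second `getaddrinfo` saying `/* hostname tokens are resolved on every check; a failed lookup never matches */` would make that behaviour visible to whoever edits access.conf. The function's prologue and the `addr/mask` parsing are in the earlier hunks, so the `netmask_ptr` reuse is not fully visible here.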
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.service b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.service
new file mode 100644
index 000000000..099a5c6e0
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Convert PAM config files
+
+[Service]
+RemainAfterExit=yes
+Type=oneshot
+ExecStart=/usr/bin/convert-pam-configs.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.sh b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.sh
new file mode 100644
index 000000000..f66f40beb
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.sh
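Review bot: The unit carries `Type=oneshot` and `RemainAfterExit=yes` but no ordering, so nothing guarantees that the rewrite of `/etc/pam.d` by `ExecStart=/usr/bin/convert-pam-configs.sh` has finished before services that authenticate users are up; libpam appears to parse its configuration on each `pam_start`, so the window is small, but an early login can still be evaluated against the pre-conversion stack. If the intent is that conversion precedes any authentication, add `Before=` for the relevant service units (or `DefaultDependencies=no` together with `Before=basic.target`) and state that choice in a comment under `[Unit]`.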
@@ -0,0 +1,48 @@
+#!/bin/sh
+# Convert OpenBMC linux-PAM config files
+
+# Location of config files this script modifies:
+# PAM_CONF_DIR - path to the PAM config files
+# SECURITY_CONF_DIR - path to the security config files
+PAM_CONF_DIR=/etc/pam.d
+SECURITY_CONF_DIR=/etc/security
+
+# Handle common-password:
+# Change cracklib to pwquality and handle the minlen parameter
+pam_cracklib=$(grep "^password.*pam_cracklib.so" ${PAM_CONF_DIR}/common-password)
+if [ -n "${pam_cracklib}" ]
+then
+ echo "Changing ${PAM_CONF_DIR}/common-password to use pam_pwquality.so (was pam_cracklib.so)" >&2
+ minlen=$(echo ${pam_cracklib} | sed -e "s/.*minlen=\([[:alnum:]]*\).*/\1/")
+ echo " Converting parameter minlen=${minlen} to ${SECURITY_CONF_DIR}/pwquality.conf minlen" >&2
+ sed -i.bak -e "s/^minlen=.*/minlen=$minlen/" ${SECURITY_CONF_DIR}/pwquality.conf
+ pwquality='password [success=ok default=die] pam_pwquality.so debug'
+ sed -i.bak -e "s/^password.*pam_cracklib.so.*/$pwquality/" ${PAM_CONF_DIR}/common-password
+ echo "# This file was converted by $0" >>${PAM_CONF_DIR}/common-password
+fi
+
+# Handle common-auth:
+# Change tally2 to faillock and handle the deny & unlock_time parameters
+pam_tally2=$(grep "^auth.*pam_tally2.so" ${PAM_CONF_DIR}/common-auth)
+if [ -n "${pam_tally2}" ]
+then
+ echo "Changing ${PAM_CONF_DIR}/common-auth to use pam_faillock.so (was pam_tally2.so)" >&2
+ deny=$(echo ${pam_tally2} | sed -e "s/.*deny=\([[:alnum:]]*\).*/\1/")
+ unlock_time=$(echo ${pam_tally2} | sed -e "s/.*unlock_time=\([[:alnum:]]*\).*/\1/")
+ # Change faillock.conf parameters
+ echo " Converting parameter deny=${deny} to ${SECURITY_CONF_DIR}/faillock.conf deny" >&2
+ echo " Converting parameter unlock_time=${unlock_time} to ${SECURITY_CONF_DIR}/faillock.conf unlock_time" >&2
+ sed -i.bak \
+ -e "s/^deny=.*/deny=$deny/" \
+ -e "s/^unlock_time=.*/unlock_time=$unlock_time/" \
+ ${SECURITY_CONF_DIR}/faillock.conf
+ # Change pam_tally2 to pam_faillock (changes the overall auth stack)
+ authfail='auth [default=die] pam_faillock.so authfail'
+ authsucc='auth sufficient pam_faillock.so authsucc'
+ sed -i.bak \
+ -e "/^auth.*pam_tally2.so.*$/d" \
+ -e "/^auth.*pam_deny.so/i $authfail\n$authsucc" \
+ ${PAM_CONF_DIR}/common-auth
+ echo "# This file was converted by $0" >>${PAM_CONF_DIR}/common-auth
+fi
+
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/faillock.conf b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/faillock.conf
new file mode 100644
index 000000000..68a658411
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/faillock.conf
@@ -0,0 +1,2 @@
+deny=10
+unlock_time=300
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/libpam-xtests.patch b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/libpam-xtests.patch
new file mode 100644
index 000000000..ea145899b
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/libpam-xtests.patch
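Review bot: The option extraction `minlen=$(echo ${pam_cracklib} | sed -e "s/.*minlen=\([[:alnum:]]*\).*/\1/")` returns the whole pam_cracklib line when the option is absent, because an unmatched `s///` passes its input through unchanged, and the next `sed -i.bak` then writes that line into pwquality.conf as the `minlen=` value; the `deny` and `unlock_time` extractions for pam_tally2 have the same shape. Use `minlen=$(echo "${pam_cracklib}" | sed -n -e 's/.*minlen=\([[:alnum:]]*\).*/\1/p')` so the variable is empty when the option is missing, and guard the conf edit with `[ -n "$minlen" ]` (quoting the `echo` argument also stops the `[success=...]` field being treated as a glob). Separately, the common-auth rewrite deletes the pam_tally2 line and inserts the faillock lines before `pam_deny.so` in one `sed` invocation, so a common-auth without an `auth ... pam_deny.so` line loses its lockout module entirely while the script still reports a successful conversion; check `grep -q "^auth.*pam_deny.so" ${PAM_CONF_DIR}/common-auth` first and leave the file untouched (with a message on stderr) when it is absent.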
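Review bot: `deny=10` and `unlock_time=300` set the threshold and the lockout duration but leave unstated whether the root account is covered; as far as the pam_faillock documentation goes, root is exempt unless `even_deny_root` is present (with `root_unlock_time` to bound the lockout), and since the pam.d files in this commit apply faillock to every service the choice should be explicit. A comment such as `# 10 failures lock the account for 300 s; root is exempt unless even_deny_root is added` would make the omission deliberate rather than accidental.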
@@ -0,0 +1,37 @@
+This patch is used to create a new sub package libpam-xtests to do more checks.
+
+Upstream-Status: Pending
+
+Signed-off-by: Kang Kai <kai.kang@windriver.com>
+Index: Linux-PAM-1.3.0/xtests/Makefile.am
+===================================================================
+--- Linux-PAM-1.3.0.orig/xtests/Makefile.am
++++ Linux-PAM-1.3.0/xtests/Makefile.am
+@@ -7,7 +7,7 @@ AM_CFLAGS = -DLIBPAM_COMPILE -I$(top_src
+ LDADD = $(top_builddir)/libpam/libpam.la \
+ $(top_builddir)/libpam_misc/libpam_misc.la
+ 
+-CLEANFILES = *~ $(XTESTS)
++CLEANFILES = *~
+ 
+ EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
+ tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd \
+@@ -51,3 +51,18 @@ EXTRA_PROGRAMS = $(XTESTS)
+ 
+ xtests: $(XTESTS) run-xtests.sh
+ "$(srcdir)"/run-xtests.sh "$(srcdir)" ${XTESTS} ${NOSRCTESTS}
++
++all: $(XTESTS)
++
++install: install_xtests
++
++install_xtests:
++ $(INSTALL) -d $(DESTDIR)$(pkgdatadir)/xtests
++ for file in $(EXTRA_DIST) ; do \
++ $(INSTALL) $(srcdir)/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \
++ done
++ for file in $(XTESTS); do \
++ $(INSTALL) .libs/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \
++ done
++
++.PHONY: all install_xtests
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam-volatiles.conf b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam-volatiles.conf
new file mode 100644
index 000000000..1263feb03
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam-volatiles.conf
@@ -0,0 +1 @@
+d /run/sepermit 0755 root root - -
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-account b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-account
new file mode 100644
index 000000000..4ebbca8d4
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-account
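Review bot: `pam-volatiles.conf` (tmpfiles.d syntax, `d /run/sepermit 0755 root root - -`) and the `99_pam` file added earlier in this commit (legacy volatiles syntax, `d root root 0755 /run/sepermit none`) both create the same `/run/sepermit` directory, so two mechanisms own one path and a later change to the mode or owner in one of them can silently disagree with the other. Unless the recipe deliberately supports both the systemd and the sysvinit path, keep one; if both must stay, add a comment in each naming the other (`# keep in sync with 99_pam`) so they are changed together.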
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# Announce if faillock is blocking access
+account required pam_faillock.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-auth b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-auth
new file mode 100644
index 000000000..c051ab7e6
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-auth
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+# Try for local user first, and then try for ldap
+auth [success=2 default=ignore] pam_unix.so quiet
+-auth [success=1 default=ignore] pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
+# Control gets here when no authentication module succeeds. Increment the
+# failure tally and return failure status to PAM.
+auth [default=die] pam_faillock.so authfail
+# Control gets here when authentication succeeds. Check if the user is locked
+# out due to consecutive authentication failures and return status accordingly.
+auth sufficient pam_faillock.so authsucc
+# If authsucc failed, deny access
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-password b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-password
new file mode 100644
index 000000000..2fc4011b2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-password
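Review bot: The faillock stack has `authfail` and `authsucc` lines but no `preauth` line, so an account that is already locked still gets its password verified by `pam_unix.so` (and `pam_ldap.so`) before `authsucc` refuses it; the layout documented for pam_faillock places `auth required pam_faillock.so preauth` ahead of the primary modules so that locked accounts are refused before any credential check and, unless `silent` is given, told why. If omitting `preauth` is intentional, say so in the comment above the `pam_unix.so` line; otherwise insert `auth required pam_faillock.so preauth` before `auth [success=2 default=ignore] pam_unix.so quiet`.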
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+password [success=ok default=die] pam_pwquality.so debug
+password [success=ok default=die] pam_ipmicheck.so spec_grp_name=ipmi use_authtok
+password [success=ok ignore=ignore default=die] pam_pwhistory.so debug enforce_for_root remember=0 use_authtok
+password [success=ok default=die] pam_unix.so sha512 use_authtok
+password [success=1 default=die] pam_ipmisave.so spec_grp_name=ipmi spec_pass_file=/etc/ipmi_pass key_file=/etc/key_file
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-session b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-session
new file mode 100644
index 000000000..a4a551f71
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-session
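Review bot: `pam_pwhistory.so debug enforce_for_root remember=0 use_authtok` keeps no password history, since `remember=0` stores nothing new, so after the first change there is nothing for the module to compare against and `enforce_for_root` has nothing to enforce; either the line is a placeholder for a later policy, in which case the comment above the Primary block should say so, or `remember` should be a positive count. Also, `debug` is enabled on both `pam_pwquality.so` and `pam_pwhistory.so`, which sends extra password-change diagnostics to syslog on every change; worth confirming that is wanted in a production image rather than a leftover from bring-up.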
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-session-noninteractive b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-session-noninteractive
new file mode 100644
index 000000000..b110bb2b4
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-session-noninteractive
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/other b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/other
new file mode 100644
index 000000000..ec970ecbe
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/other
@@ -0,0 +1,24 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.
+
+# We use pam_warn.so to generate syslog notes that the 'other'
+#fallback rules are being used (as a hint to suggest you should setup
+#specific PAM rules for the service and aid to debugging). Then to be
+#secure, deny access to all services by default.
+
+auth required pam_warn.so
+auth required pam_deny.so
+
+account required pam_warn.so
+account required pam_deny.so
+
+password required pam_warn.so
+password required pam_deny.so
+
+session required pam_warn.so
+session required pam_deny.so
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/run-ptest b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/run-ptest
new file mode 100644
index 000000000..9c304aee4
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/run-ptest
@@ -0,0 +1,32 @@
+#! /bin/sh
+
+cd tests
+
+export srcdir=.
+
+failed=0
+all=0
+for f in tst-*; do
+ "./$f" > /dev/null 2>&1
+ case "$?" in
+ 0)
+ echo "PASS: $f"
+ all=$((all + 1))
+ ;;
+ 77)
+ echo "SKIP: $f"
+ ;;
+ *)
+ echo "FAIL: $f"
+ failed=$((failed + 1))
+ all=$((all + 1))
+ ;;
+ esac
+done
+
+if [ "$failed" -eq 0 ] ; then
+ echo "All $all tests passed"
+else
+ echo "$failed of $all tests failed"
+fi
+unset srcdir |
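Review bot: `cd tests` on line 3 is unchecked, so if the directory is missing the loop runs in the package root, the `tst-*` pattern stays literal, and the script prints `FAIL: tst-*` with a count of one failed test instead of reporting the real problem. `cd tests || exit 1` keeps the run from producing a misleading result; the same applies to a missing `tst-*` match, which `[ -x "./$f" ] || continue` at the top of the loop body would skip.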