summaryrefslogtreecommitdiff
path: root/meta-openbmc-mods/meta-common/recipes-extended
diff options
context:
space:
mode:
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-extended')
-rw-r--r--meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_%.bbappend7
-rw-r--r--meta-openbmc-mods/meta-common/recipes-extended/pam/pam-ipmi_%.bbappend4
-rw-r--r--meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus/0001-Revert-server-Check-return-code-for-sd_bus_add_objec.patch34
-rw-r--r--meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus/0002-Skip-decoding-some-dbus-identifiers.patch66
-rw-r--r--meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus_%.bbappend6
-rw-r--r--meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/pam.d/login90
-rw-r--r--meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend4
7 files changed, 211 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_%.bbappend b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_%.bbappend
new file mode 100644
index 000000000..21e1d88ea
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_%.bbappend
@@ -0,0 +1,7 @@
+RDEPENDS:${PN}-runtime += "${MLPREFIX}pam-plugin-localuser-${libpam_suffix}"
+
+#Default settings lockout duration to 300 seconds and threshold value to 10
+do_install:append() {
+ sed -i 's/deny=0/deny=10/' ${D}${sysconfdir}/pam.d/common-auth
+ sed -i 's/unlock_time=0/unlock_time=300/' ${D}${sysconfdir}/pam.d/common-auth
+}
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/pam-ipmi_%.bbappend b/meta-openbmc-mods/meta-common/recipes-extended/pam/pam-ipmi_%.bbappend
new file mode 100644
index 000000000..971fe4290
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/pam-ipmi_%.bbappend
@@ -0,0 +1,4 @@
+do_install:append () {
+# Remove ipmi_pass from image, if debug-tweaks is not enabled
+ ${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', '', 'rm ${D}/${sysconfdir}/ipmi_pass', d)}
+}
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus/0001-Revert-server-Check-return-code-for-sd_bus_add_objec.patch b/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus/0001-Revert-server-Check-return-code-for-sd_bus_add_objec.patch
new file mode 100644
index 000000000..9aaf2f952
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus/0001-Revert-server-Check-return-code-for-sd_bus_add_objec.patch
@@ -0,0 +1,34 @@
+From baff58f6e8f7aef4fd56be959fdd2e5e3c429eef Mon Sep 17 00:00:00 2001
+From: Johnathan Mantey <johnathanx.mantey@intel.com>
+Date: Mon, 13 Jul 2020 11:51:54 -0700
+Subject: [PATCH] Revert "server: Check return code for
+ sd_bus_add_object_vtable()"
+
+This reverts commit 017a19da5f67a74daedf4d63111569902d4764e6.
+---
+ src/server/interface.cpp | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/src/server/interface.cpp b/src/server/interface.cpp
+index a72c656..0155b6d 100644
+--- a/src/server/interface.cpp
++++ b/src/server/interface.cpp
+@@ -17,13 +17,8 @@ interface::interface(sdbusplus::bus::bus& bus, const char* path,
+ _interface_added(false)
+ {
+ sd_bus_slot* slot = nullptr;
+- int r = _intf->sd_bus_add_object_vtable(_bus.get(), &slot, _path.c_str(),
+- _interf.c_str(), vtable, context);
+- if (r < 0)
+- {
+- throw exception::SdBusError(-r, "sd_bus_add_object_vtable");
+- }
+-
++ _intf->sd_bus_add_object_vtable(_bus.get(), &slot, _path.c_str(),
++ _interf.c_str(), vtable, context);
+ _slot = decltype(_slot){slot};
+ }
+
+--
+2.17.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus/0002-Skip-decoding-some-dbus-identifiers.patch b/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus/0002-Skip-decoding-some-dbus-identifiers.patch
new file mode 100644
index 000000000..3f65cd16f
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus/0002-Skip-decoding-some-dbus-identifiers.patch
@@ -0,0 +1,66 @@
+From 2765f7fe7e01f3bbf30b008d0aea5c4260c2bbb9 Mon Sep 17 00:00:00 2001
+From: Nidhin MS <nidhin.ms@intel.com>
+Date: Tue, 22 Jun 2021 19:49:28 +0530
+Subject: [PATCH] Skip decoding some dbus identifiers
+
+Dbus identifiers starting with _ and having length less than 3 and also
+those having incorrect encoding can be skipped from decoding in
+filename() method. Services like user manager accepts usernames
+starting with _ and does not restrict accepted usernames.
+Ignore those dbus identifiers while decoding.
+
+Tested:
+Small identifiers decoded correctly
+
+Change-Id: I11aea22060a789dcf756142ee02637dfe7d77c14
+Signed-off-by: Nidhin MS <nidhin.ms@intel.com>
+---
+ src/message/native_types.cpp | 7 +++++--
+ test/message/types.cpp | 8 ++++----
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/message/native_types.cpp b/src/message/native_types.cpp
+index f0a7747..118d829 100644
+--- a/src/message/native_types.cpp
++++ b/src/message/native_types.cpp
+@@ -79,13 +79,16 @@ std::string string_path_wrapper::filename() const
+ }
+ if (i + 2 >= filename.size())
+ {
+- return "";
++ out.append(1, filename[i]);
++ continue;
+ }
++
+ auto ch = unhex[filename[i + 1]];
+ auto cl = unhex[filename[i + 2]];
+ if (ch == -1 || cl == -1)
+ {
+- return "";
++ out.append(1, filename[i]);
++ continue;
+ }
+ out.append(1, (ch << 4) | cl);
+ i += 2;
+diff --git a/test/message/types.cpp b/test/message/types.cpp
+index d666008..2c639f5 100644
+--- a/test/message/types.cpp
++++ b/test/message/types.cpp
+@@ -53,10 +53,10 @@ TEST(MessageTypes, ObjectPathFilename)
+ EXPECT_EQ(sdbusplus::message::object_path("/_2d").filename(), "-");
+ EXPECT_EQ(sdbusplus::message::object_path("/_20").filename(), " ");
+ EXPECT_EQ(sdbusplus::message::object_path("/_2F").filename(), "/");
+- EXPECT_EQ(sdbusplus::message::object_path("/_").filename(), "");
+- EXPECT_EQ(sdbusplus::message::object_path("/_2").filename(), "");
+- EXPECT_EQ(sdbusplus::message::object_path("/_2y").filename(), "");
+- EXPECT_EQ(sdbusplus::message::object_path("/_y2").filename(), "");
++ EXPECT_EQ(sdbusplus::message::object_path("/_").filename(), "_");
++ EXPECT_EQ(sdbusplus::message::object_path("/_2").filename(), "_2");
++ EXPECT_EQ(sdbusplus::message::object_path("/_2y").filename(), "_2y");
++ EXPECT_EQ(sdbusplus::message::object_path("/_y2").filename(), "_y2");
+ EXPECT_EQ(sdbusplus::message::object_path("/bios_active").filename(),
+ "bios_active");
+ }
+--
+2.17.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus_%.bbappend b/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus_%.bbappend
new file mode 100644
index 000000000..8413ae3bc
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus_%.bbappend
@@ -0,0 +1,6 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+ file://0001-Revert-server-Check-return-code-for-sd_bus_add_objec.patch \
+ file://0002-Skip-decoding-some-dbus-identifiers.patch \
+ "
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/pam.d/login b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/pam.d/login
new file mode 100644
index 000000000..51dd3a83b
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/pam.d/login
@@ -0,0 +1,90 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth optional pam_faildelay.so delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth required pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+# Note that it is included as a "requisite" module. No password prompts will
+# be displayed if this module fails to avoid having the root password
+# transmitted on unsecure ttys.
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root).
+auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+
+# Allow only uid 0 for login prompt authentication
+auth required pam_succeed_if.so uid eq 0
+
+# Do regular pam unix based authentication. Allow null password.
+auth [success=2 default=ignore] pam_unix.so quiet nullok_secure
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth optional pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account required pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session optional pam_lastlog.so
+
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session optional pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session optional pam_mail.so standard
+
+# Standard Un*x account and session
+account include common-account
+password include common-password
+session include common-session
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 000000000..31952588b
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+PAM_SRC_URI += "file://pam.d/login \
+ "
generated by cgit v1.2.3 (git 2.39.0) at 2024-08-23 16:38:24 +0300