File: 05_debianize-pam-files.patch

From: Yves-Alexis Perez <corsac@debian.org>
Date: Fri, 22 Feb 2019 17:16:09 +0100
Subject: debianize pam files

---
 data/pam/lightdm           | 38 +++++++++++++++++++++++++++-----------
 data/pam/lightdm-autologin | 31 ++++++++++++++++++++++++-------
 data/pam/lightdm-greeter   |  5 ++++-
 3 files changed, 55 insertions(+), 19 deletions(-)

diff --git a/data/pam/lightdm b/data/pam/lightdm
index fed8a9b..f7f77d4 100644
--- a/data/pam/lightdm
+++ b/data/pam/lightdm
@@ -1,20 +1,36 @@
 #%PAM-1.0
 
 # Block login if they are globally disabled
-auth      required pam_nologin.so
+auth      requisite pam_nologin.so
 
 # Load environment from /etc/environment and ~/.pam_environment
-auth      required pam_env.so
+session      required pam_env.so readenv=1
+session      required pam_env.so readenv=1 envfile=/etc/default/locale
 
-# Use /etc/passwd and /etc/shadow for passwords
-auth      required pam_unix.so
+@include common-auth
 
-# Check account is active, change password if required
-account   required pam_unix.so
+-auth  optional pam_gnome_keyring.so
 
-# Allow password to be changed
-password  required pam_unix.so
+@include common-account
 
-# Setup session
-session   required pam_unix.so
-session   optional pam_systemd.so
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+session  required        pam_limits.so
+session  required        pam_loginuid.so
+@include common-session
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+-session optional        pam_gnome_keyring.so auto_start
+
+@include common-password
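Review bot: The two `session required pam_env.so` lines added at the top of data/pam/lightdm now run before `pam_selinux.so close`, which contradicts the comment added a few lines further down that SELinux "needs to be the first session rule". pam_env only populates the PAM environment, so the practical exposure looks small, but either move the pam_env lines below the `pam_selinux.so close` rule or amend that comment to `# SELinux must run before any session module that executes in the user's context` so the file does not document an ordering it does not implement. Separately, the retained comment still promises ~/.pam_environment, which is governed by pam_env's user_readenv option rather than readenv=1; on Linux-PAM 1.5 and later that option defaults to 0 and is deprecated, as far as I recall, so a more accurate comment is `# Load environment from /etc/environment (~/.pam_environment only if user_readenv=1 is set)`.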
diff --git a/data/pam/lightdm-autologin b/data/pam/lightdm-autologin
index 157f469..d90ae06 100644
--- a/data/pam/lightdm-autologin
+++ b/data/pam/lightdm-autologin
@@ -3,20 +3,37 @@
 auth      required pam_succeed_if.so shell notin /sbin/nologin:/usr/sbin/nologin:/bin/false:/usr/bin/false
 
 # Block login if they are globally disabled
-auth      required pam_nologin.so
+auth      requisite pam_nologin.so
 
 # Load environment from /etc/environment and ~/.pam_environment
-auth      required pam_env.so
+session      required pam_env.so readenv=1
+session      required pam_env.so readenv=1 envfile=/etc/default/locale
 
 # Allow access without authentication
+auth      required pam_succeed_if.so user != root quiet_success
 auth      required pam_permit.so
 
-# Stop autologin if account requires action
-account   required pam_unix.so
+@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+session  required        pam_limits.so
+session  required        pam_loginuid.so
+@include common-session
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
 
 # Can't change password
 password  required pam_deny.so
 
-# Setup session
-session   required pam_unix.so
-session   optional pam_systemd.so
+@include common-password
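Review bot: `@include common-password` is appended after the existing `password required pam_deny.so`, and because `required` does not stop evaluation of the stack on failure, whatever common-password pulls in (presumably pam_unix on Debian) still runs during a pam_chauthtok() call on the autologin service — the final result is still a denial, but those modules may prompt or have side effects before it is returned. Either drop the include from this stack, which cannot change passwords by design, or make the denial short-circuit with `password requisite pam_deny.so`. The new `auth required pam_succeed_if.so user != root quiet_success` guard is a good addition; consider `uid ne 0` in place of `user != root` so that any other UID-0 account is also excluded from passwordless autologin, not only the account literally named root.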
diff --git a/data/pam/lightdm-greeter b/data/pam/lightdm-greeter
index 9a6862b..683f9f4 100644
--- a/data/pam/lightdm-greeter
+++ b/data/pam/lightdm-greeter
@@ -1,7 +1,8 @@
 #%PAM-1.0
 
 # Load environment from /etc/environment and ~/.pam_environment
-auth      required pam_env.so
+session      required pam_env.so readenv=1
+session      required pam_env.so readenv=1 envfile=/etc/default/locale
 
 # Always let the greeter start without authentication
 auth      required pam_permit.so
@@ -15,3 +16,5 @@ password  required pam_deny.so
 # Setup session
 session   required pam_unix.so
 session   optional pam_systemd.so
+
+@include common-session
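Review bot: `@include common-session` is appended below the retained `session required pam_unix.so` and `session optional pam_systemd.so` lines in data/pam/lightdm-greeter, and Debian's stock common-session already lists both of those modules (if I recall its default content correctly), so the greeter session would open pam_unix and pam_systemd twice. If the include is meant to replace the hand-written entries, as it does for the other two files in this patch, drop the two explicit lines; if the greeter stack is intentionally kept minimal, drop the include instead. Whichever is chosen, a comment such as `# common-session already provides pam_unix and pam_systemd for this stack` would keep the next editor from reintroducing the duplicate.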