authorSteve Langasek <vorlon@debian.org>2009-08-18 16:25:06 -0700
committerSteve Langasek <vorlon@debian.org>2019-01-08 19:42:00 -0800
commit9bfcff20ad2c0b0ad3244b3ef49bb4d017bcaca7 (patch)
tree1b64892f9321deb679d2c8a775b55785bba0212d
parentd475ac43a87c208019ac4dccad294d1fd92281f0 (diff)
debian/local/common-session-noninteractive{,.md5sums},
debian/local/pam-auth-update: split out a session-noninteractive include file, so that we can at last distinguish between interactive and non-interactive PAM sessions at a policy level. Closes: #169930, LP: #287715.
-rw-r--r--debian/changelog5
-rw-r--r--debian/local/common-session-noninteractive25
-rw-r--r--debian/local/common-session-noninteractive.md5sums1
-rwxr-xr-xdebian/local/pam-auth-update23
4 files changed, 50 insertions, 4 deletions
diff --git a/debian/changelog b/debian/changelog
index 997a9d5b..f5450615 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,11 @@ pam (1.0.1-11) UNRELEASED; urgency=low
unmanaged and new managed /etc/pam.d/common-* files.
* debian/local/common-{auth,account,session,password}.md5sums: document
the known md5sums for the new managed files.
+ * debian/local/common-session-noninteractive{,.md5sums},
+ debian/local/pam-auth-update: split out a session-noninteractive include
+ file, so that we can at last distinguish between interactive and
+ non-interactive PAM sessions at a policy level. Closes: #169930,
+ LP: #287715.
-- Steve Langasek <vorlon@debian.org> Tue, 18 Aug 2009 12:58:52 -0700
diff --git a/debian/local/common-session-noninteractive b/debian/local/common-session-noninteractive
new file mode 100644
index 00000000..1dd1a172
--- /dev/null
+++ b/debian/local/common-session-noninteractive
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+$session_nonint_primary
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$session_nonint_additional
+# end of pam-auth-update config
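Review bot: The header line `# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.` carries over the version from the other common-* templates, but this file is introduced by the 1.0.1-11 changelog entry in this same commit, so the version is wrong for this file; change it to `# As of pam 1.0.1-11, this file is managed by pam-auth-update by default.` The header also never says how this file differs from common-session, which is the one thing an administrator editing it by hand needs to know: per the parse_pam_profile change in this commit, a profile flagged Session-Interactive-Only contributes nothing here, so such modules will not run for services that include this file instead of common-session. A line such as `# Profiles flagged Session-Interactive-Only are omitted from this file; see pam-auth-update(8).` after the first paragraph would make that policy split visible.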
diff --git a/debian/local/common-session-noninteractive.md5sums b/debian/local/common-session-noninteractive.md5sums
new file mode 100644
index 00000000..c3c970e6
--- /dev/null
+++ b/debian/local/common-session-noninteractive.md5sums
@@ -0,0 +1 @@
+ad2b78ce1498dd637ef36469430b6ac6
diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update
index b059bf94..eeb14598 100755
--- a/debian/local/pam-auth-update
+++ b/debian/local/pam-auth-update
@@ -54,6 +54,9 @@ my %md5sums = (
'1bd2f3e86f552c57f5ee013b93ffca2b',
'4a25673e8b36f1805219027d3be02cd2',
],
+ 'session-noninteractive' => [
+ 'ad2b78ce1498dd637ef36469430b6ac6',
+ ],
);
opendir(DIR, $inputdir) || die "could not open config directory: $!";
@@ -278,6 +281,7 @@ sub create_from_template
my($template,$dest,$profiles,$enabled,$diff,$type) = @_;
my $state = 0;
my $uctype = ucfirst($type);
+ $type =~ s/-noninteractive//;
open(INPUT,$template) || return 0;
open(OUTPUT,">$dest") || return 0;
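Review bot: The new `$type =~ s/-noninteractive//;` only works because `$uctype` was computed from the unstripped name on the line above: the profile keys added in this commit are `Session-noninteractive-Type` and friends, while the stanza keyword written to the file must be the bare `session`. Nothing records that ordering constraint, so a later reorder of the two lines would silently produce lookups for keys that do not exist. Add a comment and anchor the substitution so it can only strip a trailing suffix: `# $uctype keeps the full name for profile-key lookups; the PAM stanza keyword is the bare type` followed by `$type =~ s/-noninteractive\z//;`. create_from_template's body continues past the end of this hunk.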
@@ -431,7 +435,9 @@ sub write_profiles
# because we can't atomically replace both /var/lib/pam/$foo and
# /etc/pam.d/common-$foo at the same time, take steps to make this
# somewhat robust
- for my $type ('auth','account','password','session') {
+ for my $type ('auth','account','password','session',
+ 'session-noninteractive')
+ {
my $target = $confdir . '/common-' . $type;
my $template = $target;
my $dest = $template . '.pam-new';
@@ -540,7 +546,9 @@ sub diff_profiles
# If anything fails here, just return immediately since we then
# have nothing to merge; instead, the caller will decide later
# whether to force an overwrite.
- for my $type ('auth','account','password','session') {
+ for my $type ('auth','account','password','session',
+ 'session-noninteractive')
+ {
my (@saved,$modname);
open(SAVED,$savedir . '/' . $type) || return 0;
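Review bot: With `session-noninteractive` added to this loop, the `open(SAVED,$savedir . '/' . $type) || return 0` on the last line will fail on the first run after upgrading from a version that never wrote a saved `session-noninteractive` state, and per the comment at the top of the hunk that abandons the merge for all five types rather than only the new one. If the caller then chooses to force an overwrite (its decision is outside this hunk, so this is inferred), local edits to the other four common-* files could be discarded on upgrade. Treat a missing saved file for the new type as empty state instead of a merge failure, e.g. `next if ($type eq 'session-noninteractive' && !-e $savedir . '/' . $type);` immediately before the open. diff_profiles's body continues past the end of this hunk.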
@@ -563,6 +571,8 @@ sub diff_profiles
my $state = 0;
my (@prev_opts,$curmod);
+ my $realtype = $type;
+ $realtype =~ s/-noninteractive//;
open(CURRENT,$sourcedir . '/common-' . $type) || return 0;
while (<CURRENT>) {
@@ -572,7 +582,7 @@ sub diff_profiles
next;
}
if ($state == 1) {
- s/^$type\s+//;
+ s/^$realtype\s+//;
if (/^# here's the fallback if no module succeeds/) {
$state = 2;
next;
@@ -585,7 +595,7 @@ sub diff_profiles
}
if ($state == 3) {
last if (/^# end of pam-auth-update config/);
- s/^$type\s+//;
+ s/^$realtype\s+//;
}
my $found = 0;
@@ -668,5 +678,10 @@ sub parse_pam_profile
}
}
close(PROFILE);
+ if (!defined($profile{'Session-Interactive-Only'})) {
+ $profile{'Session-noninteractive-Type'} = $profile{'Session-Type'};
+ $profile{'Session-noninteractive'} = $profile{'Session'};
+ $profile{'Session-noninteractive-Initial'} = $profile{'Session-Initial'};
+ }
return %profile;
}
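Review bot: `!defined($profile{'Session-Interactive-Only'})` tests presence rather than value, so a profile that spells out `Session-Interactive-Only: no` (or leaves the value empty) is treated as interactive-only and its session modules are silently dropped from common-session-noninteractive. Assuming the parse loop above the hunk stores field values as plain strings, test the value instead: `if (!defined($profile{'Session-Interactive-Only'}) || $profile{'Session-Interactive-Only'} !~ /^\s*yes\s*$/i) {`. Since this block is the only consumer of the new field, a comment above it such as `# unless a profile opts out, its Session stanza applies to non-interactive sessions too` would document the contract for profile authors. parse_pam_profile's start is outside the hunk.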