Diffstat (limited to 'debian/local')
-rw-r--r-- | debian/local/Debian-PAM-MiniPolicy | 6 | ||||
-rw-r--r-- | debian/local/common-password | 16 | ||||
-rw-r--r-- | debian/local/common-session | 5 | ||||
-rw-r--r-- | debian/local/common-session-noninteractive | 2 | ||||
-rw-r--r-- | debian/local/pam-auth-update | 55 | ||||
-rw-r--r-- | debian/local/pam-auth-update.8 | 7 |
6 files changed, 66 insertions, 25 deletions
diff --git a/debian/local/Debian-PAM-MiniPolicy b/debian/local/Debian-PAM-MiniPolicy index e51a0246..8cba0aee 100644 --- a/debian/local/Debian-PAM-MiniPolicy +++ b/debian/local/Debian-PAM-MiniPolicy @@ -83,11 +83,11 @@ those modules. E.g., /etc/pam.d/login includes the line: therefore it must depend on libpam-modules, which provides /lib/security/pam_limits.so. -Applications need to depend on libpam-runtime (>= 0.76-14) to -guarantee that /etc/pam.d/common-* exist. +Applications need to depend on libpam-runtime to guarantee that +/etc/pam.d/common-* exist. Applications that use common-session-noninteractive must depend -on libpam-runtime (>= 1.0.1-11) for this file. +on libpam-runtime for this file. The pam_unix.so module allows programs to authenticate the uid of the diff --git a/debian/local/common-password b/debian/local/common-password index 963f1eb4..676b814c 100644 --- a/debian/local/common-password +++ b/debian/local/common-password @@ -6,14 +6,14 @@ # used to change user passwords. The default is pam_unix. # Explanation of pam_unix options: -# -# The "sha512" option enables salted SHA512 passwords. Without this option, -# the default is Unix crypt. Prior releases used the option "md5". -# -# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in -# login.defs. -# -# See the pam_unix manpage for other options. +# The "yescrypt" option enables +#hashed passwords using the yescrypt algorithm, introduced in Debian +#11. Without this option, the default is Unix crypt. Prior releases +#used the option "sha512"; if a shadow password hash will be shared +#between Debian 11 and older releases replace "yescrypt" with "sha512" +#for compatibility . The "obscure" option replaces the old +#`OBSCURE_CHECKS_ENAB' option in login.defs. See the pam_unix manpage +#for other options. # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any 
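Review bot: The rewritten pam_unix comment in the common-password hunk drops the space after `#` on every continuation line (`#hashed passwords using the yescrypt algorithm`, `#11. Without this option`, ...) and leaves a stray space in `compatibility .`, so the block no longer matches the `# ` style of the surrounding comments in the same file. Reflowing it with `# ` on each line, starting `# The "yescrypt" option enables hashed passwords using the yescrypt` / `# algorithm, introduced in Debian 11. Without this option, the default is` and so on, and writing `compatibility.` would keep it consistent. Since the hash of this file is presumably what the new `'password'` md5sum entry in pam-auth-update tracks, the reflow should land in the same commit as that entry.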
diff --git a/debian/local/common-session b/debian/local/common-session
index 2e94d6c7..1cd4f1ae 100644
--- a/debian/local/common-session
+++ b/debian/local/common-session
@@ -3,8 +3,7 @@
 #
 # This file is included from other service-specific PAM config files,
 # and should contain a list of modules that define tasks to be performed
-# at the start and end of sessions of *any* kind (both interactive and
-# non-interactive).
+# at the start and end of interactive sessions.
 #
 # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
 # To take advantage of this, it is recommended that you configure any
@@ -20,6 +19,8 @@ session requisite pam_deny.so
 # this avoids us returning an error just because nothing sets a success code
 # since the modules above will each just jump around
 session required pam_permit.so
+# reset the umask for new sessions
+session optional pam_umask.so
 # and here are more per-package modules (the "Additional" block)
 $session_additional
 # end of pam-auth-update config
diff --git a/debian/local/common-session-noninteractive b/debian/local/common-session-noninteractive
index 1dd1a172..d216f6ed 100644
--- a/debian/local/common-session-noninteractive
+++ b/debian/local/common-session-noninteractive
@@ -20,6 +20,8 @@ session requisite pam_deny.so
 # this avoids us returning an error just because nothing sets a success code
 # since the modules above will each just jump around
 session required pam_permit.so
+# reset the umask for new sessions
+session optional pam_umask.so
 # and here are more per-package modules (the "Additional" block)
 $session_nonint_additional
 # end of pam-auth-update config
diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update
index 6d17ab72..4c288d7b 100644
--- a/debian/local/pam-auth-update
+++ b/debian/local/pam-auth-update
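Review bot: The new `session optional pam_umask.so` line in common-session (and the identical hunk in common-session-noninteractive) passes no `umask=` argument, so the comment `# reset the umask for new sessions` does not say where the value actually comes from: per pam_umask(8) the module falls back to a `umask=` entry in the user's GECOS field and then to `UMASK` in /etc/login.defs. I would make the comment say so, e.g. `# set the umask from the user's GECOS field or UMASK in /etc/login.defs (see pam_umask(8))`, so an administrator auditing file-creation permissions knows which inputs to check. With `optional`, a pam_umask failure leaves the inherited umask in place without any error, which seems intended for a session module but is worth a word in the same comment.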
@@ -39,7 +39,7 @@ my $blanktemplate = 'libpam-runtime/no_profiles_chosen';
 my $titletemplate = 'libpam-runtime/title';
 my $confdir = '/etc/pam.d';
 my $savedir = '/var/lib/pam';
-my (%profiles, @sorted, @enabled, @conflicts, @new, %removals, %to_enable);
+my (%profiles, @sorted, @enabled, @conflicts, @new, %removals, %to_disable, %to_enable);
 my $force = 0;
 my $package = 0;
 my $priority = 'high';
@@ -47,25 +47,23 @@ my %md5sums = (
 'auth' => ['8d4fe17e66ba25de16a117035d1396aa'],
 'account' => ['3c0c362eaf3421848b679d63fd48c3fa'],
 'password' => [
+ '4d5c92d595a46b69cd61f18feb4c0574',
 '50fce2113dfda83ac8bdd5a6e706caec',
 '4bd7610f2e85f8ddaef79c7db7cb49eb',
 '9ba753d0824276b44bcadfee1f87b6bc',
 ],
 'session' => [
+ 'f297c731a467822cbd86e1283263e8a3',
 '240fb92986c885b327cdb21dd641da8c',
 '4a25673e8b36f1805219027d3be02cd2',
+ '9e633425b1878897695217ecaf75e204',
 ],
 'session-noninteractive' => [
 'ad2b78ce1498dd637ef36469430b6ac6',
+ '53c1ede0bf4c07879d3582d875917545',
 ],
 );
-
-opendir(DIR, $inputdir) || die "could not open config directory: $!";
-while (my $profile = readdir(DIR)) {
- next if ($profile eq '.' || $profile eq '..' || $profile =~ m/~$/ || $profile =~ m/^#.+#$/);
- %{$profiles{$profile}} = parse_pam_profile($inputdir . '/' . $profile);
-}
-closedir DIR;
+my @invalid_modules = ('pam_tally');
 
 # use a '--force' arg to specify that /etc/pam.d should be overwritten;
 # used only on upgrades where the postinst has already determined that the
@@ -82,6 +80,11 @@ while ($#ARGV >= 0) {
 $force = 1;
 } elsif ($opt eq '--package') {
 $package = 1;
+ } elsif ($opt eq '--root') {
+ my $rootdir = shift @ARGV;
+ $savedir = "${rootdir}$savedir";
+ $confdir = "${rootdir}$confdir";
+ $inputdir = "${rootdir}$inputdir";
 } elsif ($opt eq '--remove') {
 while ($#ARGV >= 0) {
 last if ($ARGV[0] =~ /^--/);
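Review bot: `my @invalid_modules = ('pam_tally');` in the %md5sums hunk is introduced without a comment, and its only consumer is parse_pam_profile several hundred lines below, where a profile whose field text matches a listed name is marked `disabled` and later dropped from %profiles. A one-line comment at the declaration would spare the next reader that search: `# profiles referencing any of these modules are dropped at load time (see parse_pam_profile)`. The same hunk removes the profile-loading loop from here; since it reappears after option parsing, a short note that it was moved so `--root` can rewrite $inputdir first would explain the relocation.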
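Review bot: `my $rootdir = shift @ARGV;` in the new `--root` branch never checks that a value was supplied, so a trailing `--root` leaves $rootdir undef and the three assignments prefix the paths with an empty string (plus an uninitialized-value warning), silently operating on the live /etc/pam.d and /var/lib/pam. I would add `die "--root requires a directory argument\n" unless defined $rootdir;` after the shift; passing `--root` twice also stacks the prefix, which the die does not cover. The templates path handed to x_loadtemplatefile in the next hunk (`/var/lib/dpkg/info/libpam-runtime.templates`) is not prefixed, so `--root` is only partial, and the manpage hunk in this commit documents `--enable`/`--disable` but not `--root` at all.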
@@ -89,6 +92,13 @@ while ($#ARGV >= 0) {
 }
 # --remove implies --package
 $package = 1 if (keys(%removals));
+ } elsif ($opt eq '--disable') {
+ while ($#ARGV >= 0) {
+ last if ($ARGV[0] =~ /^--/);
+ $to_disable{shift @ARGV} = 1;
+ }
+ # --disable implies --package
+ $package = 1 if (keys(%to_disable));
 } elsif ($opt eq '--enable') {
 while ($#ARGV >= 0) {
 last if ($ARGV[0] =~ /^--/);
@@ -99,6 +109,16 @@ while ($#ARGV >= 0) {
 }
 }
 
+opendir(DIR, $inputdir) || die "could not open config directory: $!";
+while (my $profile = readdir(DIR)) {
+ next if ($profile eq '.' || $profile eq '..' || $profile =~ m/~$/ || $profile =~ m/^#.+#$/);
+ %{$profiles{$profile}} = parse_pam_profile($inputdir . '/' . $profile);
+ if (defined $profiles{$profile}{'disabled'} and $profiles{$profile}{'disabled'}) {
+ delete $profiles{$profile};
+ }
+}
+closedir DIR;
+
 $priority = 'medium' if ($package);
 
 x_loadtemplatefile('/var/lib/dpkg/info/libpam-runtime.templates','libpam-runtime');
@@ -137,15 +157,23 @@ if (-e $savedir . '/seen') {
 # filter out any options that are no longer available for any reason
 @enabled = grep { $profiles{$_} } @enabled;
 
+# add configs to enable
+push(@enabled,
+ grep { $to_enable{$_} } @sorted);
+
+# Disable anything explicitly disabled
+@enabled = grep {!$to_disable{$_} } @enabled;
+# And we've seen anything we disable
+foreach my $i (keys %to_disable) {
+ $seen{$i} = 1;
+}
+
 # an empty module set is an error, so in that case grab all the defaults
 if (!@enabled) {
 %seen = ();
 $priority = 'high' unless ($force);
 }
 
-# add configs to enable
-push(@enabled,
- grep { $to_enable{$_} } @sorted);
 
 # add any previously-unseen configs
 push(@enabled,
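Review bot: The relocated profile-loading loop deletes any profile whose parse set `disabled`, but does so silently, so an administrator whose currently enabled profile references a listed module sees it vanish from the selection with no diagnostic and no hint why. A `warn "$profile: ignoring profile, it references an unsupported module\n";` before the `delete` would make the drop visible; the `delete` itself is what makes the `grep { $profiles{$_} } @enabled` filter further down discard a stale entry, which deserves a comment on the line. The guard `if (defined $profiles{$profile}{'disabled'} and $profiles{$profile}{'disabled'})` can simply be `if ($profiles{$profile}{'disabled'})`, since undef is false. The bareword `DIR` handle and `||` after `opendir` are moved code, not new, so I would not block on them here.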
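Review bot: In the @@ -137 hunk the `$seen{$i} = 1` marks for disabled profiles are set before the `if (!@enabled) { %seen = (); ... }` block, so when `--disable` removes the last enabled profile the reset discards those marks and, if I read the rest of the script correctly, the "previously-unseen configs" push that follows re-enables every default profile including the one just disabled. Re-applying `@enabled = grep {!$to_disable{$_} } @enabled;` after the defaults are gathered, or keeping the disabled keys when %seen is reset, would make `--disable` hold in that case. The ordering also means a profile named in both `--enable` and `--disable` ends up disabled, which is reasonable but worth stating next to the filter: `# --disable wins over --enable for the same profile`.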
@@ -702,11 +730,14 @@ sub parse_pam_profile
 s/^\s+//;
 s/\s+$//;
 $profile{$fieldname} .= "\n$_" if ($_);
+ if (grep { $profile{$fieldname} =~ /$_/} @invalid_modules) {
+ $profile{'disabled'} = 1;
+ }
 $profile{$fieldname} =~ s/^[\n\s]+//;
 }
 }
 close(PROFILE);
- if (!defined($profile{'Session-Interactive-Only'})) {
+ if (!defined($profile{'Session-Interactive-Only'}) or $profile{'Session-Interactive-Only'} ne 'yes') {
 $profile{'Session-noninteractive-Type'} = $profile{'Session-Type'};
 $profile{'Session-noninteractive'} = $profile{'Session'};
 $profile{'Session-noninteractive-Initial'} = $profile{'Session-Initial'};
diff --git a/debian/local/pam-auth-update.8 b/debian/local/pam-auth-update.8
index a5ebdbad..a31ec921 100644
--- a/debian/local/pam-auth-update.8
+++ b/debian/local/pam-auth-update.8
@@ -23,6 +23,10 @@ pam\-auth\-update - manage PAM configuration using packaged profiles
 .RB [ \-\-package " [" \-\-remove
 .IR profile " [" profile\fR... "]]]"
 .RB [ \-\-force ]
+.RB [ \-\-enable
+.IR profile " [" profile\fR... "]]"
+.RB [ \-\-disable
+.IR profile " [" profile\fR... "]]"
 .SH DESCRIPTION
 .I pam\-auth\-update
 is a utility that permits configuring the central authentication policy
@@ -68,6 +72,9 @@ Indicate that the caller is a package maintainer script; lowers the priority of debconf questions to `medium' so that the user is not prompted by default.
 .TP
+.B \-\-disable \fIprofile \fR[\fIprofile\fR...]
+Disable the specified profiles in system configuration. This can be used from system administration scripts to disable profiles.
+.TP
 .B \-\-enable \fIprofile \fR[\fIprofile\fR...]
 Enable the specified profiles in system configuration. This is used to enable profiles that are not on by default. |
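Review bot: `grep { $profile{$fieldname} =~ /$_/} @invalid_modules` in parse_pam_profile interpolates each list entry as an unanchored, unescaped regex, so `pam_tally` also matches any field whose text merely contains that string (a description or name line mentioning the module, or a differently named module sharing the prefix), and a future entry containing regex metacharacters would silently change meaning. Quoting and anchoring the token, `$profile{$fieldname} =~ /\b\Q$_\E/`, and ideally restricting the check to the fields that carry module lines rather than every field, would pin the intent. The test also runs on the whole accumulated field after each continuation line is appended, which is correct but redundant; moving it after the loop over the file would run it once per field. The enclosing parse_pam_profile starts and ends outside the hunk.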