Diffstat (limited to 'debian/patches/05_debianize-pam-files.patch')
-rw-r--r-- | debian/patches/05_debianize-pam-files.patch | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/debian/patches/05_debianize-pam-files.patch b/debian/patches/05_debianize-pam-files.patch
new file mode 100644
index 0000000..b2dd806
--- /dev/null
+++ b/debian/patches/05_debianize-pam-files.patch
@@ -0,0 +1,105 @@
+--- a/data/pam/lightdm
++++ b/data/pam/lightdm
+@@ -1,20 +1,35 @@
+ #%PAM-1.0
+
+ # Block login if they are globally disabled
+-auth required pam_nologin.so
++auth requisite pam_nologin.so
+
+ # Load environment from /etc/environment and ~/.pam_environment
+-auth required pam_env.so
++auth required pam_env.so envfile=/etc/default/locale
+
+-# Use /etc/passwd and /etc/shadow for passwords
+-auth required pam_unix.so
++@include common-auth
+
+-# Check account is active, change password if required
+-account required pam_unix.so
++-auth optional pam_gnome_keyring.so
+
+-# Allow password to be changed
+-password required pam_unix.so
++@include common-account
+
+-# Setup session
+-session required pam_unix.so
+-session optional pam_systemd.so
++# SELinux needs to be the first session rule. This ensures that any
++# lingering context has been cleared. Without out this it is possible
++# that a module could execute code in the wrong domain.
++# When the module is present, "required" would be sufficient (When SELinux
++# is disabled, this returns success.)
++session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
++
++session required pam_limits.so
++session required pam_loginuid.so
++@include common-session
++
++# SELinux needs to intervene at login time to ensure that the process
++# starts in the proper default security context. Only sessions which are
++# intended to run in the user's context should be run after this.
++session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
++# When the module is present, "required" would be sufficient (When SELinux
++# is disabled, this returns success.)
++
++-session optional pam_gnome_keyring.so auto_start
++
++@include common-password
+--- a/data/pam/lightdm-greeter
++++ b/data/pam/lightdm-greeter
+@@ -1,7 +1,7 @@
+ #%PAM-1.0
+
+ # Load environment from /etc/environment and ~/.pam_environment
+-auth required pam_env.so
++auth required pam_env.so envfile=/etc/default/locale
+
+ # Always let the greeter start without authentication
+ auth required pam_permit.so
+--- a/data/pam/lightdm-autologin
++++ b/data/pam/lightdm-autologin
+@@ -1,20 +1,35 @@
+ #%PAM-1.0
+
+ # Block login if they are globally disabled
+-auth required pam_nologin.so
++auth requisite pam_nologin.so
+
+ # Load environment from /etc/environment and ~/.pam_environment
+-auth required pam_env.so
++auth required pam_env.so envfile=/etc/default/locale
+
+ # Allow access without authentication
+ auth required pam_permit.so
+
+-# Stop autologin if account requires action
+-account required pam_unix.so
++@include common-account
++
++# SELinux needs to be the first session rule. This ensures that any
++# lingering context has been cleared. Without out this it is possible
++# that a module could execute code in the wrong domain.
++# When the module is present, "required" would be sufficient (When SELinux
++# is disabled, this returns success.)
++session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
++
++session required pam_limits.so
++session required pam_loginuid.so
++@include common-session
++
++# SELinux needs to intervene at login time to ensure that the process
++# starts in the proper default security context. Only sessions which are
++# intended to run in the user's context should be run after this.
++session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
++# When the module is present, "required" would be sufficient (When SELinux
++# is disabled, this returns success.)
+
+ # Can't change password
+ password required pam_deny.so
+
+-# Setup session
+-session required pam_unix.so
+-session optional pam_systemd.so
++@include common-password |
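Review bot: The new `auth required pam_env.so envfile=/etc/default/locale` rule in all three inner patches (lightdm, lightdm-greeter, lightdm-autologin) overrides pam_env's default file instead of adding to it, so that rule no longer reads /etc/environment, although the unchanged comment above it still says it does. If both files are meant to be loaded, keep the original rule and add the locale one after it, `auth required pam_env.so` followed by `auth required pam_env.so envfile=/etc/default/locale`; otherwise correct the comment. In lightdm-autologin, `@include common-password` lands directly under `password required pam_deny.so` and its "Can't change password" comment; because `required` does not end the stack, the included modules would still be invoked, so either drop the include from that file or add a comment saying why it is kept. The remark that `"required" would be sufficient` sits above the `pam_selinux.so close` rule but below the `open` rule in both files, and "Without out this" should read "Without this".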