Diffstat (limited to 'debian/patches/05_debianize-pam-files.patch')
-rw-r--r--debian/patches/05_debianize-pam-files.patch105
1 files changed, 105 insertions, 0 deletions
diff --git a/debian/patches/05_debianize-pam-files.patch b/debian/patches/05_debianize-pam-files.patch
new file mode 100644
index 0000000..b2dd806
--- /dev/null
+++ b/debian/patches/05_debianize-pam-files.patch
@@ -0,0 +1,105 @@
+--- a/data/pam/lightdm
++++ b/data/pam/lightdm
+@@ -1,20 +1,35 @@
+ #%PAM-1.0
+
+ # Block login if they are globally disabled
+-auth required pam_nologin.so
++auth requisite pam_nologin.so
+
+ # Load environment from /etc/environment and ~/.pam_environment
+-auth required pam_env.so
++auth required pam_env.so envfile=/etc/default/locale
+
+-# Use /etc/passwd and /etc/shadow for passwords
+-auth required pam_unix.so
++@include common-auth
+
+-# Check account is active, change password if required
+-account required pam_unix.so
++-auth optional pam_gnome_keyring.so
+
+-# Allow password to be changed
+-password required pam_unix.so
++@include common-account
+
+-# Setup session
+-session required pam_unix.so
+-session optional pam_systemd.so
++# SELinux needs to be the first session rule. This ensures that any
++# lingering context has been cleared. Without out this it is possible
++# that a module could execute code in the wrong domain.
++# When the module is present, "required" would be sufficient (When SELinux
++# is disabled, this returns success.)
++session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
++
++session required pam_limits.so
++session required pam_loginuid.so
++@include common-session
++
++# SELinux needs to intervene at login time to ensure that the process
++# starts in the proper default security context. Only sessions which are
++# intended to run in the user's context should be run after this.
++session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
++# When the module is present, "required" would be sufficient (When SELinux
++# is disabled, this returns success.)
++
++-session optional pam_gnome_keyring.so auto_start
++
++@include common-password
+--- a/data/pam/lightdm-greeter
++++ b/data/pam/lightdm-greeter
+@@ -1,7 +1,7 @@
+ #%PAM-1.0
+
+ # Load environment from /etc/environment and ~/.pam_environment
+-auth required pam_env.so
++auth required pam_env.so envfile=/etc/default/locale
+
+ # Always let the greeter start without authentication
+ auth required pam_permit.so
+--- a/data/pam/lightdm-autologin
++++ b/data/pam/lightdm-autologin
+@@ -1,20 +1,35 @@
+ #%PAM-1.0
+
+ # Block login if they are globally disabled
+-auth required pam_nologin.so
++auth requisite pam_nologin.so
+
+ # Load environment from /etc/environment and ~/.pam_environment
+-auth required pam_env.so
++auth required pam_env.so envfile=/etc/default/locale
+
+ # Allow access without authentication
+ auth required pam_permit.so
+
+-# Stop autologin if account requires action
+-account required pam_unix.so
++@include common-account
++
++# SELinux needs to be the first session rule. This ensures that any
++# lingering context has been cleared. Without out this it is possible
++# that a module could execute code in the wrong domain.
++# When the module is present, "required" would be sufficient (When SELinux
++# is disabled, this returns success.)
++session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
++
++session required pam_limits.so
++session required pam_loginuid.so
++@include common-session
++
++# SELinux needs to intervene at login time to ensure that the process
++# starts in the proper default security context. Only sessions which are
++# intended to run in the user's context should be run after this.
++session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
++# When the module is present, "required" would be sufficient (When SELinux
++# is disabled, this returns success.)
+
+ # Can't change password
+ password required pam_deny.so
+
+-# Setup session
+-session required pam_unix.so
+-session optional pam_systemd.so
++@include common-password
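Review bot: The `pam_env.so` lines in all three services (lightdm, lightdm-greeter, lightdm-autologin) now pass `envfile=/etc/default/locale`, which replaces the module's default file rather than adding to it, so `/etc/environment` is no longer read even though the comment above each line still says it is. If both files are wanted, keep `auth required pam_env.so` and add `auth required pam_env.so envfile=/etc/default/locale` as a second line; otherwise update the comment to match. Separately, in lightdm-autologin the new `@include common-password` follows `password required pam_deny.so`; `required` does not stop the stack, so whatever common-password contains would still be invoked before the stack fails, which sits oddly with "Can't change password". Dropping that include, or using `requisite` on the deny line, would make the intent explicit. The contents of the common-* files are not visible here, so the second point should be checked against the target system.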