From 739c65c54cb0e957df5e9b76f93fb02554e5cac3 Mon Sep 17 00:00:00 2001 From: davidovski Date: Wed, 4 May 2022 23:52:30 +0100 Subject: moved everything to new file formatting --- repo/system/shadow/chage.pamd | 11 +++ repo/system/shadow/chpasswd.pamd | 12 ++++ repo/system/shadow/login.pamd | 46 +++++++++++++ repo/system/shadow/newusers.pamd | 12 ++++ repo/system/shadow/passwd.pamd | 6 ++ repo/system/shadow/shadow.xibuild | 136 ++++++++++++++++++++++++++++++++++++++ repo/system/shadow/su.pamd | 27 ++++++++ 7 files changed, 250 insertions(+) create mode 100644 repo/system/shadow/chage.pamd create mode 100644 repo/system/shadow/chpasswd.pamd create mode 100644 repo/system/shadow/login.pamd create mode 100644 repo/system/shadow/newusers.pamd create mode 100644 repo/system/shadow/passwd.pamd create mode 100644 repo/system/shadow/shadow.xibuild create mode 100644 repo/system/shadow/su.pamd (limited to 'repo/system/shadow')
diff --git a/repo/system/shadow/chage.pamd b/repo/system/shadow/chage.pamd
new file mode 100644
index 0000000..3f277f8
--- /dev/null
+++ b/repo/system/shadow/chage.pamd
@@ -0,0 +1,11 @@
+# Begin /etc/pam.d/chage
+
+# always allow root
+auth sufficient pam_rootok.so
+
+# include system auth and account settings
+auth include system-auth
+account include system-account
+
+# End /etc/pam.d/chage
+
diff --git a/repo/system/shadow/chpasswd.pamd b/repo/system/shadow/chpasswd.pamd
new file mode 100644
index 0000000..81afbee
--- /dev/null
+++ b/repo/system/shadow/chpasswd.pamd
@@ -0,0 +1,12 @@
+# Begin /etc/pam.d/newusers
+
+# always allow root
+auth sufficient pam_rootok.so
+
+# include system auth and account settings
+auth include system-auth
+account include system-account
+password include system-password
+
+# End /etc/pam.d/newusers
+
diff --git a/repo/system/shadow/login.pamd b/repo/system/shadow/login.pamd
new file mode 100644
index 0000000..c6410c1
--- /dev/null
+++ b/repo/system/shadow/login.pamd
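Review bot: The header and footer comments in chpasswd.pamd read `# Begin /etc/pam.d/newusers` and `# End /etc/pam.d/newusers`, while newusers.pamd carries the chpasswd ones, so the two files' comments are swapped. package() in shadow.xibuild installs each file under its own name via `${f%.pamd}`, so the installed /etc/pam.d/chpasswd and /etc/pam.d/newusers will each name the other service. The rules in both files are identical, so behaviour is unaffected, but anyone auditing the PAM stack will be misled; use `# Begin /etc/pam.d/chpasswd` / `# End /etc/pam.d/chpasswd` here and the newusers pair in newusers.pamd.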
@@ -0,0 +1,46 @@
+# Begin /etc/pam.d/login
+
+# Set failure delay before next prompt to 3 seconds
+auth optional pam_faildelay.so delay=3000000
+
+# Check to make sure that the user is allowed to login
+auth requisite pam_nologin.so
+
+# Check to make sure that root is allowed to login
+# Disabled by default. You will need to create /etc/securetty
+# file for this module to function. See man 5 securetty.
+#auth required pam_securetty.so
+
+# Additional group memberships - disabled by default
+#auth optional pam_group.so
+
+# include system auth settings
+auth include system-auth
+
+# check access for the user
+account required pam_access.so
+
+# include system account settings
+account include system-account
+
+# Set default environment variables for the user
+session required pam_env.so
+
+# Set resource limits for the user
+session required pam_limits.so
+
+# Display date of last login - Disabled by default
+#session optional pam_lastlog.so
+
+# Display the message of the day - Disabled by default
+#session optional pam_motd.so
+
+# Check user's mail - Disabled by default
+#session optional pam_mail.so standard quiet
+
+# include system session and password settings
+session include system-session
+password include system-password
+
+# End /etc/pam.d/login
+
diff --git a/repo/system/shadow/newusers.pamd b/repo/system/shadow/newusers.pamd
new file mode 100644
index 0000000..57f5cfa
--- /dev/null
+++ b/repo/system/shadow/newusers.pamd
@@ -0,0 +1,12 @@
+# Begin /etc/pam.d/chpasswd
+
+# always allow root
+auth sufficient pam_rootok.so
+
+# include system auth and account settings
+auth include system-auth
+account include system-account
+password include system-password
+
+# End /etc/pam.d/chpasswd
+
diff --git a/repo/system/shadow/passwd.pamd b/repo/system/shadow/passwd.pamd
new file mode 100644
index 0000000..83459e3
--- /dev/null
+++ b/repo/system/shadow/passwd.pamd
@@ -0,0 +1,6 @@
+# Begin /etc/pam.d/passwd
+
+password include system-password
+
+# End /etc/pam.d/passwd
+
diff --git a/repo/system/shadow/shadow.xibuild b/repo/system/shadow/shadow.xibuild
new file mode 100644
index 0000000..22bd2f1
--- /dev/null
+++ b/repo/system/shadow/shadow.xibuild
@@ -0,0 +1,136 @@
+#!/bin/sh
+
+MAKEDEPS="make "
+DEPS="acl libcap libxcrypt"
+
+PKG_VER=4.11.1
+
+SOURCE=https://github.com/shadow-maint/shadow/releases/download/v$PKG_VER/shadow-$PKG_VER.tar.xz
+DESC="Password and account management tool suite with support for shadow files and PAM"
+ADDITIONAL="
+ chage.pamd
+ chpasswd.pamd
+ login.pamd
+ newusers.pamd
+ passwd.pamd
+ su.pamd
+"
+
+prepare () {
+
+ sed -i 's/groups$(EXEEXT) //' src/Makefile.in
+ find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;
+ find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
+ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;
+
+ sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \
+ -e 's:/var/spool/mail:/var/mail:' \
+ -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
+ -i etc/login.defs
+
+ mkdir -p $PKG_DEST/usr/bin
+ touch $PKG_DEST/usr/bin/passwd
+
+}
+
+build () {
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --localstatedir=/var \
+ --disable-account-tools-setuid \
+ --disable-nls \
+ --without-audit \
+ --with-libpam \
+ --without-selinux \
+ --without-acl \
+ --without-attr \
+ --without-tcb \
+ --with-yescrypt \
+ --without-nscd \
+ --without-group-name-max-length \
+ --with-fcaps
+
+ make
+}
+
+package () {
+ make exec_prefix=/usr DESTDIR=$PKG_DEST install
+ make DESTDIR=$PKG_DEST -C man install-man
+ mkdir -p $PKG_DEST/etc/default
+
+ [ -d $PKG_DEST/etc/pam.d ] && rm -rf $PKG_DEST/etc/pam.d/*
+
+
+ install -m644 $PKG_DEST/etc/login.defs $PKG_DEST/etc/login.defs.orig &&
+ echo "USERGROUPS_ENAB yes"> $PKG_DEST/etc/login.defs
+
+ for f in $ADDITIONAL; do
+ case $f in
+ *.pamd)
+ cp $f $PKG_DEST/etc/pam.d/${f%.pamd}
+ ;;
+ esac
+ done
+ cp $PKG_DEST/etc/pam.d/su $PKG_DEST/etc/pam.d/su-l
+
+ for PROGRAM in chfn chgpasswd chsh groupadd groupdel \
+ groupmems groupmod useradd userdel usermod
+ do
+ install -m644 chage.pamd $PKG_DEST/etc/pam.d/${PROGRAM}
+ sed -i "s/chage/$PROGRAM/" $PKG_DEST/etc/pam.d/${PROGRAM}
+ done
+
+ [ -f $PKG_DEST/etc/login.access ] && mv $PKG_DEST/etc/login.access $PKG_DEST/etc/login.access.NOUSE || true
+ [ -f $PKG_DEST/etc/limits ] && mv $PKG_DEST/etc/limits $PKG_DEST/etc/limits.NOUSE || true
+
+ rm $PKG_DEST/usr/bin/su
+}
+
+postinstall () {
+
+ [ ! -f /etc/passwd ] &&
+ cat > /etc/passwd << "EOF"
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/dev/null:/usr/bin/false
+daemon:x:6:6:Daemon User:/dev/null:/usr/bin/false
+messagebus:x:18:18:D-Bus Message Daemon User:/run/dbus:/usr/bin/false
+uuidd:x:80:80:UUID Generation Daemon User:/dev/null:/usr/bin/false
+nobody:x:99:99:Unprivileged User:/dev/null:/usr/bin/false
+EOF
+
+ [ ! -f /etc/group ] &&
+ cat > /etc/group << "EOF"
+root:x:0:root
+bin:x:1:daemon
+sys:x:2:
+kmem:x:3:
+tape:x:4:
+tty:x:5:
+daemon:x:6:
+floppy:x:7:
+disk:x:8:
+lp:x:9:
+dialout:x:10:
+audio:x:11:
+video:x:12:
+utmp:x:13:
+usb:x:14:
+cdrom:x:15:
+adm:x:16:
+messagebus:x:18:
+input:x:24:
+mail:x:34:
+kvm:x:61:
+uuidd:x:80:
+wheel:x:97:
+nogroup:x:99:
+users:x:999:
+EOF
+ /usr/sbin/pwconv
+ /usr/sbin/grpconv
+ chmod 0640 /etc/shadow
+ mkdir -p /etc/default
+ /usr/sbin/useradd -D --gid 999
+}
diff --git a/repo/system/shadow/su.pamd b/repo/system/shadow/su.pamd
new file mode 100644
index 0000000..ca6ab90
--- /dev/null
+++ b/repo/system/shadow/su.pamd
@@ -0,0 +1,27 @@
+# Begin /etc/pam.d/su
+
+# always allow root
+auth sufficient pam_rootok.so
+
+# Allow users in the wheel group to execute su without a password
+# disabled by default
+#auth sufficient pam_wheel.so trust use_uid
+
+# include system auth settings
+auth include system-auth
+
+# limit su to users in the wheel group
+# disabled by default
+#auth required pam_wheel.so use_uid
+
+# include system account settings
+account include system-account
+
+# Set default environment variables for the service user
+session required pam_env.so
+
+# include system session settings
+session include system-session
+
+# End /etc/pam.d/su
+
-- cgit v1.2.1
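Review bot: In package() of shadow.xibuild, `echo "USERGROUPS_ENAB yes"> $PKG_DEST/etc/login.defs` truncates the installed login.defs to that single line, so the `ENCRYPT_METHOD SHA512`, mail-directory and PATH edits made by the sed in prepare() survive only in login.defs.orig and the tools fall back to their built-in defaults. If the intent is to add the setting rather than replace the file, append instead: `echo "USERGROUPS_ENAB yes" >> "$PKG_DEST/etc/login.defs"`. In the same function, `[ -d $PKG_DEST/etc/pam.d ] && rm -rf $PKG_DEST/etc/pam.d/*` operates on the build host's /etc/pam.d when PKG_DEST is empty or unset; `rm -rf -- "${PKG_DEST:?}"/etc/pam.d/*` aborts in that case, and a `mkdir -p "$PKG_DEST/etc/pam.d"` before the cp loop would cover the directory not existing. SOURCE is also declared with no checksum or signature in this file; whether xibuild verifies the tarball elsewhere cannot be told from here.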