diff --git a/meta-openeuler/recipes-core/openssh/openssh/sshd b/meta-openeuler/recipes-core/openssh/openssh/sshd index 4882e58b4804cb4dbce792c0e5ec742f896fbd44..98750729022417b44a26235a15c7a0c7126faf37 100644 --- a/meta-openeuler/recipes-core/openssh/openssh/sshd +++ b/meta-openeuler/recipes-core/openssh/openssh/sshd @@ -2,9 +2,23 @@ auth include common-auth account required pam_nologin.so + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + account include common-account password include common-password session optional pam_keyinit.so force revoke session include common-session session required pam_loginuid.so +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open diff --git a/meta-openeuler/recipes-core/os-base/os-base_1.0.bb b/meta-openeuler/recipes-core/os-base/os-base_1.0.bb index 7d49d791a86a900d3c79f484c0045b879accbd5b..fc2ecd64b1edbb561d6a3f02b3fb508b534597ad 100644 --- a/meta-openeuler/recipes-core/os-base/os-base_1.0.bb +++ b/meta-openeuler/recipes-core/os-base/os-base_1.0.bb @@ -2,25 +2,26 @@ SUMMARY = "OS basic configuration files" DESCRIPTION = "base files" SECTION = "base" PR = "r1" -LICENSE = "MulanPSL-2.0" - +LICENSE = "CLOSED" +FILESPATH = "${THISDIR}/${BPN}/" +DL_DIR = "${THISDIR}/${BPN}/" LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE;md5=1acb172ffd3d252285dd1b8b8459941e" -SRC_URI = "file://${WORKDIR}/bashrc \ - file://${WORKDIR}/fstab \ - file://${WORKDIR}/group \ - file://${WORKDIR}/inittab \ - file://${WORKDIR}/issue \ - file://${WORKDIR}/issue.net \ - file://${WORKDIR}/LICENSE \ - file://${WORKDIR}/login.defs \ - file://${WORKDIR}/motd \ - file://${WORKDIR}/passwd \ - file://${WORKDIR}/profile \ - file://${WORKDIR}/securetty \ - file://${WORKDIR}/shadow \ - file://${WORKDIR}/sysctl.conf" +SRC_URI = "file://bashrc \ + file://fstab \ + file://group \ + file://inittab \ + file://issue \ + file://issue.net \ + file://LICENSE \ + file://login.defs \ + file://motd \ + file://passwd \ + file://profile \ + file://securetty \ + file://shadow \ + file://sysctl.conf" do_install() { install -d ${D}/etc @@ -41,3 +42,4 @@ do_install() { FILES_${PN} = "/" +INHIBIT_DEFAULT_DEPS = "1" diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/chfn b/meta-openeuler/recipes-core/pam/libpam/pam.d/chfn deleted file mode 100644 index fc84574aa4f9fd1cf7deea15ade8897c45a4509f..0000000000000000000000000000000000000000 --- a/meta-openeuler/recipes-core/pam/libpam/pam.d/chfn +++ /dev/null @@ -1,4 +0,0 @@ -#%PAM-1.0 -auth sufficient pam_rootok.so -account required pam_permit.so -password include common-passwd diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/chsh b/meta-openeuler/recipes-core/pam/libpam/pam.d/chsh deleted file mode 100644 index fc84574aa4f9fd1cf7deea15ade8897c45a4509f..0000000000000000000000000000000000000000 --- a/meta-openeuler/recipes-core/pam/libpam/pam.d/chsh +++ /dev/null @@ -1,4 +0,0 @@ -#%PAM-1.0 -auth sufficient pam_rootok.so -account required pam_permit.so -password include common-passwd diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/login b/meta-openeuler/recipes-core/pam/libpam/pam.d/login deleted file mode 100644 index 0e571ec652e1939f41695dfe5efc245672a1cc79..0000000000000000000000000000000000000000 --- a/meta-openeuler/recipes-core/pam/libpam/pam.d/login +++ /dev/null @@ -1,9 +0,0 @@ -#%PAM-1.0 -auth required pam_securetty.so -auth include common-auth -account required pam_nologin.so -account include common-account -password include common-password -session include common-session -session required pam_loginuid.so -session optional pam_console.so diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/passwd b/meta-openeuler/recipes-core/pam/libpam/pam.d/passwd deleted file mode 100644 index f50a8537bbad6e53ce1b8c3777340b6c2104ef1b..0000000000000000000000000000000000000000 --- a/meta-openeuler/recipes-core/pam/libpam/pam.d/passwd +++ /dev/null @@ -1,4 +0,0 @@ -#%PAM-1.0 -auth include common-auth -account include common-account -password include common-password diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/sshd b/meta-openeuler/recipes-core/pam/libpam/pam.d/sshd deleted file mode 100644 index ec0228c3d3d6576f2ff5e34e6dceab896c9f1809..0000000000000000000000000000000000000000 --- a/meta-openeuler/recipes-core/pam/libpam/pam.d/sshd +++ /dev/null @@ -1,24 +0,0 @@ -#%PAM-1.0 - -auth include common-auth -account required pam_nologin.so - -# SELinux needs to be the first session rule. This ensures that any -# lingering context has been cleared. Without out this it is possible -# that a module could execute code in the wrong domain. -# When the module is present, "required" would be sufficient (When SELinux -# is disabled, this returns success.) -#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close - -account include common-account -password include common-password -session optional pam_keyinit.so force revoke -session include common-session -session required pam_loginuid.so - -# SELinux needs to intervene at login time to ensure that the process -# starts in the proper default security context. Only sessions which are -# intended to run in the user's context should be run after this. -# When the module is present, "required" would be sufficient (When SELinux -# is disabled, this returns success.) -#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/su b/meta-openeuler/recipes-core/pam/libpam/pam.d/su deleted file mode 100644 index d2259132aa5bf8c1eb4507dabe8b57d95644ac40..0000000000000000000000000000000000000000 --- a/meta-openeuler/recipes-core/pam/libpam/pam.d/su +++ /dev/null @@ -1,8 +0,0 @@ -auth sufficient pam_rootok.so -auth required pam_wheel.so use_uid -session required pam_env.so readenv=1 -auth include common-auth -account sufficient pam_rootok.so -account include common-account -password include common-password -session include common-session diff --git a/meta-openeuler/recipes-core/shadow/files/pam.d/chfn b/meta-openeuler/recipes-core/shadow/files/pam.d/chfn index baf7698bba86d76c8a4d48d04a9428d3ef82b48c..fd39af331f5842646839950f39a9d35d4c4b411f 100644 --- a/meta-openeuler/recipes-core/shadow/files/pam.d/chfn +++ b/meta-openeuler/recipes-core/shadow/files/pam.d/chfn @@ -1,14 +1,4 @@ -# -# The PAM configuration file for the Shadow `chfn' service -# - -# This allows root to change user infomation without being -# prompted for a password +#%PAM-1.0 auth sufficient pam_rootok.so - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -auth include common-auth -account include common-account -session include common-session +account required pam_permit.so +password include common-passwd diff --git a/meta-openeuler/recipes-core/shadow/files/pam.d/chsh b/meta-openeuler/recipes-core/shadow/files/pam.d/chsh index 8fb169f64e1d200220b301459f7899880c7d0aa1..fd39af331f5842646839950f39a9d35d4c4b411f 100644 --- a/meta-openeuler/recipes-core/shadow/files/pam.d/chsh +++ b/meta-openeuler/recipes-core/shadow/files/pam.d/chsh @@ -1,19 +1,4 @@ -# -# The PAM configuration file for the Shadow `chsh' service -# - -# This will not allow a user to change their shell unless -# their current one is listed in /etc/shells. This keeps -# accounts with special shells from changing them. -auth required pam_shells.so - -# This allows root to change user shell without being -# prompted for a password +#%PAM-1.0 auth sufficient pam_rootok.so - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -auth include common-auth -account include common-account -session include common-session +account required pam_permit.so +password include common-passwd diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/groupmems b/meta-openeuler/recipes-core/shadow/files/pam.d/groupmems similarity index 100% rename from meta-openeuler/recipes-core/pam/libpam/pam.d/groupmems rename to meta-openeuler/recipes-core/shadow/files/pam.d/groupmems diff --git a/meta-openeuler/recipes-core/shadow/files/pam.d/login b/meta-openeuler/recipes-core/shadow/files/pam.d/login index b340058539e23e360f0ce7d5e80a23ed1fc31713..499c8c3d7f0a047dc0dd5cd1824d1c23934b4b30 100644 --- a/meta-openeuler/recipes-core/shadow/files/pam.d/login +++ b/meta-openeuler/recipes-core/shadow/files/pam.d/login @@ -1,81 +1,9 @@ -# -# The PAM configuration file for the Shadow `login' service -# - -# Enforce a minimal delay in case of failure (in microseconds). -# (Replaces the `FAIL_DELAY' setting from login.defs) -# Note that other modules may require another minimal delay. (for example, -# to disable any delay, you should add the nodelay option to pam_unix) -auth optional pam_faildelay.so delay=3000000 - -# Outputs an issue file prior to each login prompt (Replaces the -# ISSUE_FILE option from login.defs). Uncomment for use -# auth required pam_issue.so issue=/etc/issue - -# Disallows root logins except on tty's listed in /etc/securetty -# (Replaces the `CONSOLE' setting from login.defs) -# Note that it is included as a "requisite" module. No password prompts will -# be displayed if this module fails to avoid having the root password -# transmitted on unsecure ttys. -# You can change it to a "required" module if you think it permits to -# guess valid user names of your system (invalid user names are considered -# as possibly being root). -auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so - -# Disallows other than root logins when /etc/nologin exists -# (Replaces the `NOLOGINS_FILE' option from login.defs) -auth requisite pam_nologin.so - -# This module parses environment configuration file(s) -# and also allows you to use an extended config -# file /etc/security/pam_env.conf. -# -# parsing /etc/environment needs "readenv=1" -session required pam_env.so readenv=1 - -# Standard Un*x authentication. -auth include common-auth - -# This allows certain extra groups to be granted to a user -# based on things like time of day, tty, service, and user. -# Please edit /etc/security/group.conf to fit your needs -# (Replaces the `CONSOLE_GROUPS' option in login.defs) -auth optional pam_group.so - -# Uncomment and edit /etc/security/time.conf if you need to set -# time restrainst on logins. -# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs -# as well as /etc/porttime) -# account requisite pam_time.so - -# Uncomment and edit /etc/security/access.conf if you need to -# set access limits. -# (Replaces /etc/login.access file) -# account required pam_access.so - -# Sets up user limits according to /etc/security/limits.conf -# (Replaces the use of /etc/limits in old login) -session required pam_limits.so - -# Prints the last login info upon succesful login -# (Replaces the `LASTLOG_ENAB' option from login.defs) -session optional pam_lastlog.so - -# Prints the motd upon succesful login -# (Replaces the `MOTD_FILE' option in login.defs) -session optional pam_motd.so - -# Prints the status of the user's mailbox upon succesful login -# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). -# -# This also defines the MAIL environment variable -# However, userdel also needs MAIL_DIR and MAIL_FILE variables -# in /etc/login.defs to make sure that removing a user -# also removes the user's mail spool file. -# See comments in /etc/login.defs -session optional pam_mail.so standard - -# Standard Un*x account and session -account include common-account -password include common-password -session include common-session +#%PAM-1.0 +auth required pam_securetty.so +auth include common-auth +account required pam_nologin.so +account include common-account +password include common-password +session include common-session +session required pam_loginuid.so +session optional pam_console.so diff --git a/meta-openeuler/recipes-core/shadow/files/pam.d/passwd b/meta-openeuler/recipes-core/shadow/files/pam.d/passwd index f53499243582ec383827f28b6cb50824ab861ce9..59cfdfb21b8d9b3216a7f11f5fc872679d7adf3e 100644 --- a/meta-openeuler/recipes-core/shadow/files/pam.d/passwd +++ b/meta-openeuler/recipes-core/shadow/files/pam.d/passwd @@ -1,5 +1,4 @@ -# -# The PAM configuration file for the Shadow `passwd' service -# - -password include common-password +#%PAM-1.0 +auth include common-auth +account include common-account +password include common-password diff --git a/meta-openeuler/recipes-core/shadow/files/pam.d/su b/meta-openeuler/recipes-core/shadow/files/pam.d/su index 8d590a32e60a18d42dc74391e8ddb429c9254123..28360f571312ce236bc5a3496e4bc95ebdf6beec 100644 --- a/meta-openeuler/recipes-core/shadow/files/pam.d/su +++ b/meta-openeuler/recipes-core/shadow/files/pam.d/su @@ -1,57 +1,8 @@ -# -# The PAM configuration file for the Shadow `su' service -# - -# This allows root to su without passwords (normal operation) -auth sufficient pam_rootok.so - -# Uncomment this to force users to be a member of group root -# before they can use `su'. You can also add "group=foo" -# to the end of this line if you want to use a group other -# than the default "root" (but this may have side effect of -# denying "root" user, unless she's a member of "foo" or explicitly -# permitted earlier by e.g. "sufficient pam_rootok.so"). -# (Replaces the `SU_WHEEL_ONLY' option from login.defs) -# auth required pam_wheel.so - -# Uncomment this if you want wheel members to be able to -# su without a password. -# auth sufficient pam_wheel.so trust - -# Uncomment this if you want members of a specific group to not -# be allowed to use su at all. -# auth required pam_wheel.so deny group=nosu - -# Uncomment and edit /etc/security/time.conf if you need to set -# time restrainst on su usage. -# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs -# as well as /etc/porttime) -# account requisite pam_time.so - -# This module parses environment configuration file(s) -# and also allows you to use an extended config -# file /etc/security/pam_env.conf. -# -# parsing /etc/environment needs "readenv=1" -session required pam_env.so readenv=1 - -# Defines the MAIL environment variable -# However, userdel also needs MAIL_DIR and MAIL_FILE variables -# in /etc/login.defs to make sure that removing a user -# also removes the user's mail spool file. -# See comments in /etc/login.defs -# -# "nopen" stands to avoid reporting new mail when su'ing to another user -session optional pam_mail.so nopen - -# Sets up user limits, please uncomment and read /etc/security/limits.conf -# to enable this functionality. -# (Replaces the use of /etc/limits in old login) -# session required pam_limits.so - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -auth include common-auth -account include common-account -session include common-session +auth sufficient pam_rootok.so +auth required pam_wheel.so use_uid +session required pam_env.so readenv=1 +auth include common-auth +account sufficient pam_rootok.so +account include common-account +password include common-password +session include common-session diff --git a/meta-openeuler/recipes-core/shadow/shadow.inc b/meta-openeuler/recipes-core/shadow/shadow.inc index 9ddb10bd900109f8833911d8396ca6579bd0521c..75945a2e1391c5cb2249c3ca677393f7db5b0752 100644 --- a/meta-openeuler/recipes-core/shadow/shadow.inc +++ b/meta-openeuler/recipes-core/shadow/shadow.inc @@ -78,7 +78,8 @@ SRC_URI_EXTRA = "file://pam.d/chfn \ file://pam.d/login \ file://pam.d/newusers \ file://pam.d/passwd \ - file://pam.d/su" + file://pam.d/su \ + file://pam.d/groupmems" do_install() { oe_runmake DESTDIR="${D}" sbindir="${base_sbindir}" usbindir="${sbindir}" install