From 92b76d72e0acd722c9d9ca01747f7b5973999ae9 Mon Sep 17 00:00:00 2001 From: zhuyan Date: Sat, 18 Sep 2021 10:31:36 +0800 Subject: [PATCH 1/2] move pam files to openssh and shadow Signed-off-by: zhuyan --- .../recipes-core/openssh/openssh/sshd | 14 +++ .../recipes-core/pam/libpam/pam.d/chfn | 4 - .../recipes-core/pam/libpam/pam.d/chsh | 4 - .../recipes-core/pam/libpam/pam.d/login | 9 -- .../recipes-core/pam/libpam/pam.d/passwd | 4 - .../recipes-core/pam/libpam/pam.d/sshd | 24 ----- .../recipes-core/pam/libpam/pam.d/su | 8 -- .../recipes-core/shadow/files/pam.d/chfn | 16 +--- .../recipes-core/shadow/files/pam.d/chsh | 21 +---- .../libpam => shadow/files}/pam.d/groupmems | 0 .../recipes-core/shadow/files/pam.d/login | 90 ++----------------- .../recipes-core/shadow/files/pam.d/passwd | 9 +- .../recipes-core/shadow/files/pam.d/su | 65 ++------------ meta-openeuler/recipes-core/shadow/shadow.inc | 3 +- 14 files changed, 43 insertions(+), 228 deletions(-) delete mode 100644 meta-openeuler/recipes-core/pam/libpam/pam.d/chfn delete mode 100644 meta-openeuler/recipes-core/pam/libpam/pam.d/chsh delete mode 100644 meta-openeuler/recipes-core/pam/libpam/pam.d/login delete mode 100644 meta-openeuler/recipes-core/pam/libpam/pam.d/passwd delete mode 100644 meta-openeuler/recipes-core/pam/libpam/pam.d/sshd delete mode 100644 meta-openeuler/recipes-core/pam/libpam/pam.d/su rename meta-openeuler/recipes-core/{pam/libpam => shadow/files}/pam.d/groupmems (100%) diff --git a/meta-openeuler/recipes-core/openssh/openssh/sshd b/meta-openeuler/recipes-core/openssh/openssh/sshd index 4882e58b480..98750729022 100644 --- a/meta-openeuler/recipes-core/openssh/openssh/sshd +++ b/meta-openeuler/recipes-core/openssh/openssh/sshd @@ -2,9 +2,23 @@ auth include common-auth account required pam_nologin.so + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + account include common-account password include common-password session optional pam_keyinit.so force revoke session include common-session session required pam_loginuid.so +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/chfn b/meta-openeuler/recipes-core/pam/libpam/pam.d/chfn deleted file mode 100644 index fc84574aa4f..00000000000 --- a/meta-openeuler/recipes-core/pam/libpam/pam.d/chfn +++ /dev/null @@ -1,4 +0,0 @@ -#%PAM-1.0 -auth sufficient pam_rootok.so -account required pam_permit.so -password include common-passwd diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/chsh b/meta-openeuler/recipes-core/pam/libpam/pam.d/chsh deleted file mode 100644 index fc84574aa4f..00000000000 --- a/meta-openeuler/recipes-core/pam/libpam/pam.d/chsh +++ /dev/null @@ -1,4 +0,0 @@ -#%PAM-1.0 -auth sufficient pam_rootok.so -account required pam_permit.so -password include common-passwd diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/login b/meta-openeuler/recipes-core/pam/libpam/pam.d/login deleted file mode 100644 index 0e571ec652e..00000000000 --- a/meta-openeuler/recipes-core/pam/libpam/pam.d/login +++ /dev/null @@ -1,9 +0,0 @@ -#%PAM-1.0 -auth required pam_securetty.so -auth include common-auth -account required pam_nologin.so -account include common-account -password include common-password -session include common-session -session required pam_loginuid.so -session optional pam_console.so diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/passwd b/meta-openeuler/recipes-core/pam/libpam/pam.d/passwd deleted file mode 100644 index f50a8537bba..00000000000 --- a/meta-openeuler/recipes-core/pam/libpam/pam.d/passwd +++ /dev/null @@ -1,4 +0,0 @@ -#%PAM-1.0 -auth include common-auth -account include common-account -password include common-password diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/sshd b/meta-openeuler/recipes-core/pam/libpam/pam.d/sshd deleted file mode 100644 index ec0228c3d3d..00000000000 --- a/meta-openeuler/recipes-core/pam/libpam/pam.d/sshd +++ /dev/null @@ -1,24 +0,0 @@ -#%PAM-1.0 - -auth include common-auth -account required pam_nologin.so - -# SELinux needs to be the first session rule. This ensures that any -# lingering context has been cleared. Without out this it is possible -# that a module could execute code in the wrong domain. -# When the module is present, "required" would be sufficient (When SELinux -# is disabled, this returns success.) -#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close - -account include common-account -password include common-password -session optional pam_keyinit.so force revoke -session include common-session -session required pam_loginuid.so - -# SELinux needs to intervene at login time to ensure that the process -# starts in the proper default security context. Only sessions which are -# intended to run in the user's context should be run after this. -# When the module is present, "required" would be sufficient (When SELinux -# is disabled, this returns success.) -#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/su b/meta-openeuler/recipes-core/pam/libpam/pam.d/su deleted file mode 100644 index d2259132aa5..00000000000 --- a/meta-openeuler/recipes-core/pam/libpam/pam.d/su +++ /dev/null @@ -1,8 +0,0 @@ -auth sufficient pam_rootok.so -auth required pam_wheel.so use_uid -session required pam_env.so readenv=1 -auth include common-auth -account sufficient pam_rootok.so -account include common-account -password include common-password -session include common-session diff --git a/meta-openeuler/recipes-core/shadow/files/pam.d/chfn b/meta-openeuler/recipes-core/shadow/files/pam.d/chfn index baf7698bba8..fd39af331f5 100644 --- a/meta-openeuler/recipes-core/shadow/files/pam.d/chfn +++ b/meta-openeuler/recipes-core/shadow/files/pam.d/chfn @@ -1,14 +1,4 @@ -# -# The PAM configuration file for the Shadow `chfn' service -# - -# This allows root to change user infomation without being -# prompted for a password +#%PAM-1.0 auth sufficient pam_rootok.so - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -auth include common-auth -account include common-account -session include common-session +account required pam_permit.so +password include common-passwd diff --git a/meta-openeuler/recipes-core/shadow/files/pam.d/chsh b/meta-openeuler/recipes-core/shadow/files/pam.d/chsh index 8fb169f64e1..fd39af331f5 100644 --- a/meta-openeuler/recipes-core/shadow/files/pam.d/chsh +++ b/meta-openeuler/recipes-core/shadow/files/pam.d/chsh @@ -1,19 +1,4 @@ -# -# The PAM configuration file for the Shadow `chsh' service -# - -# This will not allow a user to change their shell unless -# their current one is listed in /etc/shells. This keeps -# accounts with special shells from changing them. -auth required pam_shells.so - -# This allows root to change user shell without being -# prompted for a password +#%PAM-1.0 auth sufficient pam_rootok.so - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -auth include common-auth -account include common-account -session include common-session +account required pam_permit.so +password include common-passwd diff --git a/meta-openeuler/recipes-core/pam/libpam/pam.d/groupmems b/meta-openeuler/recipes-core/shadow/files/pam.d/groupmems similarity index 100% rename from meta-openeuler/recipes-core/pam/libpam/pam.d/groupmems rename to meta-openeuler/recipes-core/shadow/files/pam.d/groupmems diff --git a/meta-openeuler/recipes-core/shadow/files/pam.d/login b/meta-openeuler/recipes-core/shadow/files/pam.d/login index b340058539e..499c8c3d7f0 100644 --- a/meta-openeuler/recipes-core/shadow/files/pam.d/login +++ b/meta-openeuler/recipes-core/shadow/files/pam.d/login @@ -1,81 +1,9 @@ -# -# The PAM configuration file for the Shadow `login' service -# - -# Enforce a minimal delay in case of failure (in microseconds). -# (Replaces the `FAIL_DELAY' setting from login.defs) -# Note that other modules may require another minimal delay. (for example, -# to disable any delay, you should add the nodelay option to pam_unix) -auth optional pam_faildelay.so delay=3000000 - -# Outputs an issue file prior to each login prompt (Replaces the -# ISSUE_FILE option from login.defs). Uncomment for use -# auth required pam_issue.so issue=/etc/issue - -# Disallows root logins except on tty's listed in /etc/securetty -# (Replaces the `CONSOLE' setting from login.defs) -# Note that it is included as a "requisite" module. No password prompts will -# be displayed if this module fails to avoid having the root password -# transmitted on unsecure ttys. -# You can change it to a "required" module if you think it permits to -# guess valid user names of your system (invalid user names are considered -# as possibly being root). -auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so - -# Disallows other than root logins when /etc/nologin exists -# (Replaces the `NOLOGINS_FILE' option from login.defs) -auth requisite pam_nologin.so - -# This module parses environment configuration file(s) -# and also allows you to use an extended config -# file /etc/security/pam_env.conf. -# -# parsing /etc/environment needs "readenv=1" -session required pam_env.so readenv=1 - -# Standard Un*x authentication. -auth include common-auth - -# This allows certain extra groups to be granted to a user -# based on things like time of day, tty, service, and user. -# Please edit /etc/security/group.conf to fit your needs -# (Replaces the `CONSOLE_GROUPS' option in login.defs) -auth optional pam_group.so - -# Uncomment and edit /etc/security/time.conf if you need to set -# time restrainst on logins. -# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs -# as well as /etc/porttime) -# account requisite pam_time.so - -# Uncomment and edit /etc/security/access.conf if you need to -# set access limits. -# (Replaces /etc/login.access file) -# account required pam_access.so - -# Sets up user limits according to /etc/security/limits.conf -# (Replaces the use of /etc/limits in old login) -session required pam_limits.so - -# Prints the last login info upon succesful login -# (Replaces the `LASTLOG_ENAB' option from login.defs) -session optional pam_lastlog.so - -# Prints the motd upon succesful login -# (Replaces the `MOTD_FILE' option in login.defs) -session optional pam_motd.so - -# Prints the status of the user's mailbox upon succesful login -# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). -# -# This also defines the MAIL environment variable -# However, userdel also needs MAIL_DIR and MAIL_FILE variables -# in /etc/login.defs to make sure that removing a user -# also removes the user's mail spool file. -# See comments in /etc/login.defs -session optional pam_mail.so standard - -# Standard Un*x account and session -account include common-account -password include common-password -session include common-session +#%PAM-1.0 +auth required pam_securetty.so +auth include common-auth +account required pam_nologin.so +account include common-account +password include common-password +session include common-session +session required pam_loginuid.so +session optional pam_console.so diff --git a/meta-openeuler/recipes-core/shadow/files/pam.d/passwd b/meta-openeuler/recipes-core/shadow/files/pam.d/passwd index f5349924358..59cfdfb21b8 100644 --- a/meta-openeuler/recipes-core/shadow/files/pam.d/passwd +++ b/meta-openeuler/recipes-core/shadow/files/pam.d/passwd @@ -1,5 +1,4 @@ -# -# The PAM configuration file for the Shadow `passwd' service -# - -password include common-password +#%PAM-1.0 +auth include common-auth +account include common-account +password include common-password diff --git a/meta-openeuler/recipes-core/shadow/files/pam.d/su b/meta-openeuler/recipes-core/shadow/files/pam.d/su index 8d590a32e60..28360f57131 100644 --- a/meta-openeuler/recipes-core/shadow/files/pam.d/su +++ b/meta-openeuler/recipes-core/shadow/files/pam.d/su @@ -1,57 +1,8 @@ -# -# The PAM configuration file for the Shadow `su' service -# - -# This allows root to su without passwords (normal operation) -auth sufficient pam_rootok.so - -# Uncomment this to force users to be a member of group root -# before they can use `su'. You can also add "group=foo" -# to the end of this line if you want to use a group other -# than the default "root" (but this may have side effect of -# denying "root" user, unless she's a member of "foo" or explicitly -# permitted earlier by e.g. "sufficient pam_rootok.so"). -# (Replaces the `SU_WHEEL_ONLY' option from login.defs) -# auth required pam_wheel.so - -# Uncomment this if you want wheel members to be able to -# su without a password. -# auth sufficient pam_wheel.so trust - -# Uncomment this if you want members of a specific group to not -# be allowed to use su at all. -# auth required pam_wheel.so deny group=nosu - -# Uncomment and edit /etc/security/time.conf if you need to set -# time restrainst on su usage. -# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs -# as well as /etc/porttime) -# account requisite pam_time.so - -# This module parses environment configuration file(s) -# and also allows you to use an extended config -# file /etc/security/pam_env.conf. -# -# parsing /etc/environment needs "readenv=1" -session required pam_env.so readenv=1 - -# Defines the MAIL environment variable -# However, userdel also needs MAIL_DIR and MAIL_FILE variables -# in /etc/login.defs to make sure that removing a user -# also removes the user's mail spool file. -# See comments in /etc/login.defs -# -# "nopen" stands to avoid reporting new mail when su'ing to another user -session optional pam_mail.so nopen - -# Sets up user limits, please uncomment and read /etc/security/limits.conf -# to enable this functionality. -# (Replaces the use of /etc/limits in old login) -# session required pam_limits.so - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -auth include common-auth -account include common-account -session include common-session +auth sufficient pam_rootok.so +auth required pam_wheel.so use_uid +session required pam_env.so readenv=1 +auth include common-auth +account sufficient pam_rootok.so +account include common-account +password include common-password +session include common-session diff --git a/meta-openeuler/recipes-core/shadow/shadow.inc b/meta-openeuler/recipes-core/shadow/shadow.inc index 9ddb10bd900..75945a2e139 100644 --- a/meta-openeuler/recipes-core/shadow/shadow.inc +++ b/meta-openeuler/recipes-core/shadow/shadow.inc @@ -78,7 +78,8 @@ SRC_URI_EXTRA = "file://pam.d/chfn \ file://pam.d/login \ file://pam.d/newusers \ file://pam.d/passwd \ - file://pam.d/su" + file://pam.d/su \ + file://pam.d/groupmems" do_install() { oe_runmake DESTDIR="${D}" sbindir="${base_sbindir}" usbindir="${sbindir}" install -- Gitee From 4373ee3639e0a11946dcf1d9618d574d86bd006c Mon Sep 17 00:00:00 2001 From: zhuyan Date: Sat, 18 Sep 2021 10:48:48 +0800 Subject: [PATCH 2/2] fix compile error in opensuse Signed-off-by: zhuyan --- .../recipes-core/os-base/os-base_1.0.bb | 34 ++++++++++--------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/meta-openeuler/recipes-core/os-base/os-base_1.0.bb b/meta-openeuler/recipes-core/os-base/os-base_1.0.bb index 7d49d791a86..fc2ecd64b1e 100644 --- a/meta-openeuler/recipes-core/os-base/os-base_1.0.bb +++ b/meta-openeuler/recipes-core/os-base/os-base_1.0.bb @@ -2,25 +2,26 @@ SUMMARY = "OS basic configuration files" DESCRIPTION = "base files" SECTION = "base" PR = "r1" -LICENSE = "MulanPSL-2.0" - +LICENSE = "CLOSED" +FILESPATH = "${THISDIR}/${BPN}/" +DL_DIR = "${THISDIR}/${BPN}/" LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE;md5=1acb172ffd3d252285dd1b8b8459941e" -SRC_URI = "file://${WORKDIR}/bashrc \ - file://${WORKDIR}/fstab \ - file://${WORKDIR}/group \ - file://${WORKDIR}/inittab \ - file://${WORKDIR}/issue \ - file://${WORKDIR}/issue.net \ - file://${WORKDIR}/LICENSE \ - file://${WORKDIR}/login.defs \ - file://${WORKDIR}/motd \ - file://${WORKDIR}/passwd \ - file://${WORKDIR}/profile \ - file://${WORKDIR}/securetty \ - file://${WORKDIR}/shadow \ - file://${WORKDIR}/sysctl.conf" +SRC_URI = "file://bashrc \ + file://fstab \ + file://group \ + file://inittab \ + file://issue \ + file://issue.net \ + file://LICENSE \ + file://login.defs \ + file://motd \ + file://passwd \ + file://profile \ + file://securetty \ + file://shadow \ + file://sysctl.conf" do_install() { install -d ${D}/etc @@ -41,3 +42,4 @@ do_install() { FILES_${PN} = "/" +INHIBIT_DEFAULT_DEPS = "1" -- Gitee