From: root Date: Tue, 30 Dec 2008 17:15:54 +0000 (+0100) Subject: Merge commit 'origin/template' into mysql X-Git-Url: https://git.stderr.nl/gitweb?a=commitdiff_plain;h=0fabd0d94abc647b40e8f93df0d1dacc3779e310;hp=e6f2c99b65018de76c59579c4ada9176b8f16810;p=matthijs%2Fservers%2Fdrsnuggles.git Merge commit 'origin/template' into mysql * commit 'origin/template': pam: Deny everything in pam.d/other. pam: Add default pam.d/other file. pam: Fix pam configuration for cron. pam: Don't allow console logins. pam: Allow only root to change shells and user info. pam: Add default pamd.d/{chfn,chsh,cron,login} files. pam: Remove all but one line from pam.d/su. pam: Add default pam.d/su file.
---
diff --git a/etc/pam.d/chfn b/etc/pam.d/chfn
new file mode 100644
index 0000000..efbc34b
--- /dev/null
+++ b/etc/pam.d/chfn
@@ -0,0 +1,6 @@
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+
+# This allows only root to change user infomation at all.
+auth required pam_rootok.so
diff --git a/etc/pam.d/chsh b/etc/pam.d/chsh
new file mode 100644
index 0000000..2458371
--- /dev/null
+++ b/etc/pam.d/chsh
@@ -0,0 +1,6 @@
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+
+# This allows only root to change user shells at all.
+auth required pam_rootok.so
diff --git a/etc/pam.d/cron b/etc/pam.d/cron
new file mode 100644
index 0000000..938d30f
--- /dev/null
+++ b/etc/pam.d/cron
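Review bot: `etc/pam.d/chfn` defines only an `auth` stack, so any `account`, `session` or `password` call the program makes falls through to `etc/pam.d/other`, which this same merge sets to deny everything. If chfn calls `pam_acct_mgmt` after authenticating (not visible here), root would be refused as well, which contradicts the comment "allows only root". The same applies to the `etc/pam.d/chsh` hunk and to `etc/pam.d/su`. I would either add an explicit line such as `account required pam_permit.so` (acceptable only if the `auth` stack always runs first and keeps the root-only check), or, if the lock-out is intended, record it with a comment like `# account/session/password are not defined here and fall through to pam.d/other (deny)`.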
@@ -0,0 +1,19 @@
+#
+# The PAM configuration file for the cron daemon
+#
+
+auth sufficient pam_unix.so
+@include common-auth
+
+# This is required instead of sufficient, since pam_unix mostly does checks
+# based on NSS, so this will also work for ldap users.
+account required pam_unix.so
+# We use a custom control spec so we won't fail on user_unknown special
+account [success=ok new_authtok_reqd=ok user_unknown=ignore ignore=ignore default=bad] pam_ldap.so
+
+
+@include common-session
+
+# Sets up user limits, please define limits for cron tasks
+# through /etc/security/limits.conf
+session required pam_limits.so
diff --git a/etc/pam.d/login b/etc/pam.d/login
new file mode 100644
index 0000000..a5092af
--- /dev/null
+++ b/etc/pam.d/login
@@ -0,0 +1,8 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# We don't have a console, so deny all logins.
+auth required pam_deny.so
+account required pam_deny.so
+session required pam_deny.so
diff --git a/etc/pam.d/other b/etc/pam.d/other
new file mode 100644
index 0000000..867cf91
--- /dev/null
+++ b/etc/pam.d/other
@@ -0,0 +1,14 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.
+#
+# We deny any pam calls not explicitely allowed elsewhere.
+
+auth required pam_deny
+account required pam_deny
+session required pam_deny
+password required pam_deny
diff --git a/etc/pam.d/su b/etc/pam.d/su
new file mode 100644
index 0000000..ab107da
--- /dev/null
+++ b/etc/pam.d/su
@@ -0,0 +1,6 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
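Review bot: In `etc/pam.d/cron`, the custom control on the `pam_ldap.so` account line tolerates only `user_unknown` and `ignore`; every other result, including the directory being unreachable, hits `default=bad` and fails the account check. Depending on how pam_ldap reports an outage, that could stop cron jobs for local users (root included) while LDAP is down. If the fail-closed behaviour is intended, a comment such as `# Any other pam_ldap result (e.g. server unreachable) denies the job on purpose` would record it; if not, consider adding `authinfo_unavail=ignore` inside the bracket. Separately, `auth sufficient pam_unix.so` ahead of `@include common-auth` has no comment explaining why it short-circuits the common stack.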
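Review bot: The four module entries in `etc/pam.d/other` are written `pam_deny` without the `.so` suffix, while `etc/pam.d/login` in this same change uses `pam_deny.so`. As far as I know Linux-PAM does not append the suffix, so these lines would deny only because the module fails to load, and each fall-through would log a load error rather than a clean denial. I would write `auth required pam_deny.so` and use the same suffix on the `account`, `session` and `password` lines. Putting a `required pam_warn.so` line ahead of each deny would also log which service reached the fallback, which helps spot services that lack their own file.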
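Review bot: In `etc/pam.d/su`, denial of non-root callers depends on the implicit rule that a stack whose only module is a failed `sufficient` ends in failure; nothing in the file states that. The comment still describes the stock behaviour (root skips the password) rather than the policy left after the other lines were removed. If the intent is that only root may use su, I would make it explicit with `auth required pam_deny.so` after the pam_rootok line and reword the comment to `# Only root may use su; everyone else is denied`.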