From 6fe46e2c055a64325dfad428eccd29ebb51e763d Mon Sep 17 00:00:00 2001 From: root Date: Tue, 30 Sep 2008 14:32:51 +0000 Subject: [PATCH 01/16] bash: Add initial bashrc. --- etc/bash.bashrc | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 etc/bash.bashrc diff --git a/etc/bash.bashrc b/etc/bash.bashrc new file mode 100644 index 0000000..3f8ba6b --- /dev/null +++ b/etc/bash.bashrc @@ -0,0 +1,47 @@ +# System-wide .bashrc file for interactive bash(1) shells. + +# To enable the settings / commands in this file for login shells as well, +# this file has to be sourced in /etc/profile. + +# If not running interactively, don't do anything +[ -z "$PS1" ] && return + +# check the window size after each command and, if necessary, +# update the values of LINES and COLUMNS. +shopt -s checkwinsize + +# set variable identifying the chroot you work in (used in the prompt below) +if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then + debian_chroot=$(cat /etc/debian_chroot) +fi + +# set a fancy prompt (non-color, overwrite the one in /etc/profile) +PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' + +# Commented out, don't overwrite xterm -T "title" -n "icontitle" by default. +# If this is an xterm set the title to user@host:dir +#case "$TERM" in +#xterm*|rxvt*) +# PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"' +# ;; +#*) +# ;; +#esac + +# enable bash completion in interactive shells +#if [ -f /etc/bash_completion ]; then +# . /etc/bash_completion +#fi + +# if the command-not-found package is installed, use it +if [ -x /usr/lib/command-not-found ]; then + function command_not_found_handle { + # check because c-n-f could've been removed in the meantime + if [ -x /usr/lib/command-not-found ]; then + /usr/bin/python /usr/lib/command-not-found -- $1 + return $? + else + return 127 + fi + } +fi -- 2.30.2 From 745f3b46e06f064a46ef68a6900e0b39ece66884 Mon Sep 17 00:00:00 2001 
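Review bot: In `command_not_found_handle` the argument reaches the helper unquoted, `/usr/bin/python /usr/lib/command-not-found -- $1`, so a mistyped command containing whitespace or glob characters is word-split or expanded before the helper sees it; write it as `/usr/bin/python /usr/lib/command-not-found -- "$1"`. The `return $?` that follows is redundant, since a function's exit status is already that of its last command, and `function command_not_found_handle {` could be the portable `command_not_found_handle() {` form. The `-x` re-check inside the handler is a sensible guard against the package disappearing after the shell started and is worth keeping.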
From: root Date: Tue, 30 Sep 2008 14:33:29 +0000 Subject: [PATCH 02/16] bash: Enable extended completion. --- etc/bash.bashrc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/bash.bashrc b/etc/bash.bashrc index 3f8ba6b..4203390 100644 --- a/etc/bash.bashrc +++ b/etc/bash.bashrc @@ -29,9 +29,9 @@ PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' #esac # enable bash completion in interactive shells -#if [ -f /etc/bash_completion ]; then -# . /etc/bash_completion -#fi +if [ -f /etc/bash_completion ]; then + . /etc/bash_completion +fi # if the command-not-found package is installed, use it if [ -x /usr/lib/command-not-found ]; then -- 2.30.2 From 5982446ea38f03cc4521a6946a566404d8b55269 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 30 Sep 2008 14:49:56 +0000 Subject: [PATCH 03/16] bash: Add default global profile script. --- etc/profile | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 etc/profile diff --git a/etc/profile b/etc/profile new file mode 100644 index 0000000..7bb5659 --- /dev/null +++ b/etc/profile @@ -0,0 +1,24 @@ +# /etc/profile: system-wide .profile file for the Bourne shell (sh(1)) +# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...). + +if [ "`id -u`" -eq 0 ]; then + PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +else + PATH="/usr/local/bin:/usr/bin:/bin:/usr/games" +fi + +if [ "$PS1" ]; then + if [ "$BASH" ]; then + PS1='\u@\h:\w\$ ' + else + if [ "`id -u`" -eq 0 ]; then + PS1='# ' + else + PS1='$ ' + fi + fi +fi + +export PATH + +umask 022 -- 2.30.2 From d6c0ba2dbc0587a2c8afce9cc061a14e72a5b602 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 9 Oct 2008 13:14:52 +0000 Subject: [PATCH 04/16] system: Add resolv.conf, pointing to the DNS vserver. --- etc/resolv.conf | 1 + 1 file changed, 1 insertion(+) create mode 100644 etc/resolv.conf diff --git a/etc/resolv.conf b/etc/resolv.conf new file mode 100644 index 0000000..3758504 --- /dev/null 
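Review bot: The new `/etc/profile` runs `id -u` twice through backticks, `if [ "`id -u`" -eq 0 ]; then`, once for PATH and again for the prompt; computing it once as `uid=$(id -u)` and testing `[ "$uid" -eq 0 ]` in both places removes a fork and the nested-quoting hazard of backticks. `$(...)` is understood by every Bourne-compatible shell the header comment lists, so portability is unaffected. `[ "$PS1" ]` and `[ "$BASH" ]` are fine as written for a file that non-bash shells also read.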
+++ b/etc/resolv.conf @@ -0,0 +1 @@ +nameserver 10.42.0.5 -- 2.30.2 From b716ce5f6fcb581c27694ef24f3a637319360c44 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 9 Oct 2008 13:15:34 +0000 Subject: [PATCH 05/16] bash: Include bash.bashrc from /etc/profile. --- etc/profile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/profile b/etc/profile index 7bb5659..03dfd4d 100644 --- a/etc/profile +++ b/etc/profile @@ -22,3 +22,7 @@ fi export PATH umask 022 + +if [ "$SHELL" = "/bin/bash" ]; then + source /etc/bash.bashrc +fi -- 2.30.2 From a6a7d37d7f49c938ac2528b9a08051ce43a779d9 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 9 Oct 2008 15:46:18 +0000 Subject: [PATCH 06/16] apt: Move local repository from ~matthijs to /data. --- etc/apt/sources.list | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/apt/sources.list b/etc/apt/sources.list index d4f3638..6b38f75 100644 --- a/etc/apt/sources.list +++ b/etc/apt/sources.list @@ -3,4 +3,4 @@ deb-src http://ftp.nl.debian.org/debian/ lenny main deb http://security.debian.org lenny/updates main -deb file:///home/matthijs/debs/ debian-local main +deb file:///data/apt-repository/public/ stderr main -- 2.30.2 From eb4921f5698756c6334672c94df431b5d7e2b1fe Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 9 Oct 2008 22:20:13 +0200 Subject: [PATCH 07/16] system: Set the timezone to Europe/Amsterdam. --- etc/localtime | 1 + 1 file changed, 1 insertion(+) create mode 120000 etc/localtime diff --git a/etc/localtime b/etc/localtime new file mode 120000 index 0000000..0639c90 --- /dev/null +++ b/etc/localtime @@ -0,0 +1 @@ +/usr/share/zoneinfo/Europe/Amsterdam \ No newline at end of file -- 2.30.2 From 627032c23577a4bb67738436dc3de6e8226968b7 Mon Sep 17 00:00:00 2001 
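Review bot: The new guard `if [ "$SHELL" = "/bin/bash" ]; then` tests the account's login shell from passwd rather than the shell currently reading /etc/profile, and `source` is a bash keyword, so a Bourne shell such as dash started for a user whose login shell is bash will report `source: not found`, while a bash started by a user with a different login shell skips the file. The same file already distinguishes the running shell with `[ "$BASH" ]` (visible in the patch 03 hunk), so the block should be `if [ -n "$BASH" ]; then . /etc/bash.bashrc; fi`. bash.bashrc returns early when `$PS1` is empty, so sourcing it from non-interactive shells is harmless.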
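Review bot: The relocated source `deb file:///data/apt-repository/public/ stderr main` is a local repository whose packages are installed with root privileges, and the patch does not show whether that directory is root-owned and unwritable by ordinary users, nor whether it carries a Release file signed with a key in apt's keyring. Recording those two requirements next to the line, e.g. `# local repo: keep /data/apt-repository root-owned; Release must be signed`, keeps a future relocation from silently weakening the trust chain.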
From: Matthijs Kooijman Date: Mon, 29 Dec 2008 20:03:15 +0100 Subject: [PATCH 08/16] pam: Add default pam.d/su file. --- etc/pam.d/su | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 etc/pam.d/su diff --git a/etc/pam.d/su b/etc/pam.d/su new file mode 100644 index 0000000..c1a84ae --- /dev/null +++ b/etc/pam.d/su 
@@ -0,0 +1,62 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth required pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth required pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs +# +# "nopen" stands to avoid reporting new mail when su'ing to another user +session optional pam_mail.so nopen + +# Sets up user limits, please uncomment and read /etc/security/limits.conf +# to enable this functionality. +# (Replaces the use of /etc/limits in old login) +# session required pam_limits.so + +# The standard Unix authentication modules, used with +# NIS (man nsswitch) as well as normal /etc/passwd and +# /etc/shadow entries. +@include common-auth +@include common-account +@include common-session + + -- 2.30.2 From 48299dd4965f8142a3bd7150c0af104459082cef Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 29 Dec 2008 20:03:51 +0100 Subject: [PATCH 09/16] pam: Remove all but one line from pam.d/su. The session modules seem useless, and the common files only include ldap and don't know about root, so that only gives warnings when root is trying to su. This makes it impossible for non-root users to use su, but that's a feature. --- etc/pam.d/su | 56 ---------------------------------------------------- 1 file changed, 56 deletions(-) diff --git a/etc/pam.d/su b/etc/pam.d/su index c1a84ae..ab107da 100644 --- a/etc/pam.d/su +++ b/etc/pam.d/su 
@@ -4,59 +4,3 @@ # This allows root to su without passwords (normal operation) auth sufficient pam_rootok.so - -# Uncomment this to force users to be a member of group root -# before they can use `su'. You can also add "group=foo" -# to the end of this line if you want to use a group other -# than the default "root" (but this may have side effect of -# denying "root" user, unless she's a member of "foo" or explicitly -# permitted earlier by e.g. "sufficient pam_rootok.so"). -# (Replaces the `SU_WHEEL_ONLY' option from login.defs) -# auth required pam_wheel.so - -# Uncomment this if you want wheel members to be able to -# su without a password. -# auth sufficient pam_wheel.so trust - -# Uncomment this if you want members of a specific group to not -# be allowed to use su at all. -# auth required pam_wheel.so deny group=nosu - -# Uncomment and edit /etc/security/time.conf if you need to set -# time restrainst on su usage. -# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs -# as well as /etc/porttime) -# account requisite pam_time.so - -# This module parses environment configuration file(s) -# and also allows you to use an extended config -# file /etc/security/pam_env.conf. -# -# parsing /etc/environment needs "readenv=1" -session required pam_env.so readenv=1 -# locale variables are also kept into /etc/default/locale in etch -# reading this file *in addition to /etc/environment* does not hurt -session required pam_env.so readenv=1 envfile=/etc/default/locale - -# Defines the MAIL environment variable -# However, userdel also needs MAIL_DIR and MAIL_FILE variables -# in /etc/login.defs to make sure that removing a user -# also removes the user's mail spool file. -# See comments in /etc/login.defs -# -# "nopen" stands to avoid reporting new mail when su'ing to another user -session optional pam_mail.so nopen - -# Sets up user limits, please uncomment and read /etc/security/limits.conf -# to enable this functionality. 
-# (Replaces the use of /etc/limits in old login) -# session required pam_limits.so - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -@include common-auth -@include common-account -@include common-session - - -- 2.30.2 From 402c0201e31b02d3e3e8ceb11cd8953eda5ddb15 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 30 Dec 2008 11:24:58 +0100 Subject: [PATCH 10/16] pam: Add default pamd.d/{chfn,chsh,cron,login} files. --- etc/pam.d/chfn | 16 ++++++++++ etc/pam.d/chsh | 20 ++++++++++++ etc/pam.d/cron | 13 ++++++++ etc/pam.d/login | 83 +++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 132 insertions(+) create mode 100644 etc/pam.d/chfn create mode 100644 etc/pam.d/chsh create mode 100644 etc/pam.d/cron create mode 100644 etc/pam.d/login diff --git a/etc/pam.d/chfn b/etc/pam.d/chfn new file mode 100644 index 0000000..10fcf07 --- /dev/null +++ b/etc/pam.d/chfn @@ -0,0 +1,16 @@ +# +# The PAM configuration file for the Shadow `chfn' service +# + +# This allows root to change user infomation without being +# prompted for a password +auth sufficient pam_rootok.so + +# The standard Unix authentication modules, used with +# NIS (man nsswitch) as well as normal /etc/passwd and +# /etc/shadow entries. +@include common-auth +@include common-account +@include common-session + + diff --git a/etc/pam.d/chsh b/etc/pam.d/chsh new file mode 100644 index 0000000..7eb604d --- /dev/null +++ b/etc/pam.d/chsh 
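Review bot: After this hunk `/etc/pam.d/su` consists of the single line `auth sufficient pam_rootok.so`; for a non-root caller that module fails, `sufficient` ignores the failure, and the stack ends without any module having set a verdict, so the denial the commit message relies on comes from Linux-PAM's handling of an undecided stack rather than from anything written in the file. Make the policy explicit with `auth required pam_deny.so` after the pam_rootok line. Add a comment as well noting that the file now has no account or session entries, so those phases are resolved from `/etc/pam.d/other`, which makes the behaviour of su depend on whatever that file says.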
@@ -0,0 +1,20 @@
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+
+# This will not allow a user to change their shell unless
+# their current one is listed in /etc/shells. This keeps
+# accounts with special shells from changing them.
+auth required pam_shells.so
+
+# This allows root to change user shell without being
+# prompted for a password
+auth sufficient pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
diff --git a/etc/pam.d/cron b/etc/pam.d/cron
new file mode 100644
index 0000000..2a58ec2
--- /dev/null
+++ b/etc/pam.d/cron
@@ -0,0 +1,13 @@
+#
+# The PAM configuration file for the cron daemon
+#
+
+@include common-auth
+auth required pam_env.so
+@include common-account
+@include common-session
+# Sets up user limits, please define limits for cron tasks
+# through /etc/security/limits.conf
+session required pam_limits.so
+
+
diff --git a/etc/pam.d/login b/etc/pam.d/login
new file mode 100644
index 0000000..cc8e1e4
--- /dev/null
+++ b/etc/pam.d/login
@@ -0,0 +1,83 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth optional pam_faildelay.so delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth required pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth optional pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. +# Uncomment the following line to enable SELinux +# session required pam_selinux.so select_context + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password -- 2.30.2 From be9653e724e667b5fc9cf18678b2fe99e9b2b085 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 30 Dec 2008 11:36:39 +0100 Subject: [PATCH 11/16] pam: Allow only root to change shells and user info. Since changing user info and shells for ldap users is not supported by chfn and chsh anyway, and we have no real users that are not in ldap, limiting this to just root makes sense. --- etc/pam.d/chfn | 14 ++------------ etc/pam.d/chsh | 18 ++---------------- 2 files changed, 4 insertions(+), 28 deletions(-) diff --git a/etc/pam.d/chfn b/etc/pam.d/chfn index 10fcf07..efbc34b 100644 --- a/etc/pam.d/chfn +++ b/etc/pam.d/chfn 
@@ -2,15 +2,5 @@ # The PAM configuration file for the Shadow `chfn' service # -# This allows root to change user infomation without being -# prompted for a password -auth sufficient pam_rootok.so - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -@include common-auth -@include common-account -@include common-session - - +# This allows only root to change user infomation at all. +auth required pam_rootok.so diff --git a/etc/pam.d/chsh b/etc/pam.d/chsh index 7eb604d..2458371 100644 --- a/etc/pam.d/chsh +++ b/etc/pam.d/chsh @@ -2,19 +2,5 @@ # The PAM configuration file for the Shadow `chsh' service # -# This will not allow a user to change their shell unless -# their current one is listed in /etc/shells. This keeps -# accounts with special shells from changing them. -auth required pam_shells.so - -# This allows root to change user shell without being -# prompted for a password -auth sufficient pam_rootok.so - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -@include common-auth -@include common-account -@include common-session - +# This allows only root to change user shells at all. +auth required pam_rootok.so -- 2.30.2 From f1c51e2595f6db76715de2ae5c670b812de1be36 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 30 Dec 2008 11:38:15 +0100 Subject: [PATCH 12/16] pam: Don't allow console logins. We don't have a console on a vserver anyway... --- etc/pam.d/login | 83 +++---------------------------------------------- 1 file changed, 4 insertions(+), 79 deletions(-) diff --git a/etc/pam.d/login b/etc/pam.d/login index cc8e1e4..a5092af 100644 --- a/etc/pam.d/login +++ b/etc/pam.d/login 
@@ -2,82 +2,7 @@ # The PAM configuration file for the Shadow `login' service # -# Enforce a minimal delay in case of failure (in microseconds). -# (Replaces the `FAIL_DELAY' setting from login.defs) -# Note that other modules may require another minimal delay. (for example, -# to disable any delay, you should add the nodelay option to pam_unix) -auth optional pam_faildelay.so delay=3000000 - -# Outputs an issue file prior to each login prompt (Replaces the -# ISSUE_FILE option from login.defs). Uncomment for use -# auth required pam_issue.so issue=/etc/issue - -# Disallows root logins except on tty's listed in /etc/securetty -# (Replaces the `CONSOLE' setting from login.defs) -auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so - -# Disallows other than root logins when /etc/nologin exists -# (Replaces the `NOLOGINS_FILE' option from login.defs) -auth requisite pam_nologin.so - -# This module parses environment configuration file(s) -# and also allows you to use an extended config -# file /etc/security/pam_env.conf. -# -# parsing /etc/environment needs "readenv=1" -session required pam_env.so readenv=1 -# locale variables are also kept into /etc/default/locale in etch -# reading this file *in addition to /etc/environment* does not hurt -session required pam_env.so readenv=1 envfile=/etc/default/locale - -# Standard Un*x authentication. -@include common-auth - -# This allows certain extra groups to be granted to a user -# based on things like time of day, tty, service, and user. -# Please edit /etc/security/group.conf to fit your needs -# (Replaces the `CONSOLE_GROUPS' option in login.defs) -auth optional pam_group.so - -# Uncomment and edit /etc/security/time.conf if you need to set -# time restrainst on logins. -# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs -# as well as /etc/porttime) -# account requisite pam_time.so - -# Uncomment and edit /etc/security/access.conf if you need to -# set access limits. 
-# (Replaces /etc/login.access file) -# account required pam_access.so - -# Sets up user limits according to /etc/security/limits.conf -# (Replaces the use of /etc/limits in old login) -session required pam_limits.so - -# Prints the last login info upon succesful login -# (Replaces the `LASTLOG_ENAB' option from login.defs) -session optional pam_lastlog.so - -# Prints the motd upon succesful login -# (Replaces the `MOTD_FILE' option in login.defs) -session optional pam_motd.so - -# Prints the status of the user's mailbox upon succesful login -# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). -# -# This also defines the MAIL environment variable -# However, userdel also needs MAIL_DIR and MAIL_FILE variables -# in /etc/login.defs to make sure that removing a user -# also removes the user's mail spool file. -# See comments in /etc/login.defs -session optional pam_mail.so standard - -# SELinux needs to intervene at login time to ensure that the process -# starts in the proper default security context. -# Uncomment the following line to enable SELinux -# session required pam_selinux.so select_context - -# Standard Un*x account and session -@include common-account -@include common-session -@include common-password +# We don't have a console, so deny all logins. +auth required pam_deny.so +account required pam_deny.so +session required pam_deny.so -- 2.30.2 From 74bb11bba73d6b940e1d698794c365ca09a1d359 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 30 Dec 2008 16:50:45 +0100 Subject: [PATCH 13/16] pam: Fix pam configuration for cron. This allows non-ldap users (say, root) to use cron. --- etc/pam.d/cron | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/etc/pam.d/cron b/etc/pam.d/cron index 2a58ec2..938d30f 100644 --- a/etc/pam.d/cron +++ b/etc/pam.d/cron 
@@ -2,12 +2,18 @@ # The PAM configuration file for the cron daemon # -@include common-auth -auth required pam_env.so -@include common-account -@include common-session +auth sufficient pam_unix.so +@include common-auth + +# This is required instead of sufficient, since pam_unix mostly does checks +# based on NSS, so this will also work for ldap users. +account required pam_unix.so +# We use a custom control spec so we won't fail on user_unknown special +account [success=ok new_authtok_reqd=ok user_unknown=ignore ignore=ignore default=bad] pam_ldap.so + + +@include common-session + # Sets up user limits, please define limits for cron tasks # through /etc/security/limits.conf session required pam_limits.so - - -- 2.30.2 From 23cc9f1b95a44b8ae01e114b26f92db96a8aea6e Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 30 Dec 2008 17:01:26 +0100 Subject: [PATCH 14/16] pam: Add default pam.d/other file. --- etc/pam.d/other | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 etc/pam.d/other diff --git a/etc/pam.d/other b/etc/pam.d/other new file mode 100644 index 0000000..59d776c --- /dev/null +++ b/etc/pam.d/other @@ -0,0 +1,16 @@ +# +# /etc/pam.d/other - specify the PAM fallback behaviour +# +# Note that this file is used for any unspecified service; for example +#if /etc/pam.d/cron specifies no session modules but cron calls +#pam_open_session, the session module out of /etc/pam.d/other is +#used. If you really want nothing to happen then use pam_permit.so or +#pam_deny.so as appropriate. + +# We fall back to the system default in /etc/pam.d/common-* +# + +@include common-auth +@include common-account +@include common-password +@include common-session -- 2.30.2 From dc84e38a62813df639ae0478fe47441f732044a4 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 30 Dec 2008 17:04:28 +0100 Subject: [PATCH 15/16] pam: Deny everything in pam.d/other. --- etc/pam.d/other | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) 
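Review bot: The comment on the new pam_ldap account line, `# We use a custom control spec so we won't fail on user_unknown special`, trails off and does not say what `default=bad` means for the remaining return codes; something like `# custom control: users unknown to LDAP (e.g. root) are ignored here, since pam_unix above is the authoritative account check; any other LDAP failure denies the account` would make the intent reviewable. The `auth sufficient pam_unix.so` line placed above `@include common-auth` carries no comment at all, while the commit message explains only the account side, so a one-line note on why local accounts are accepted before the include is warranted. The two consecutive blank lines before `@include common-session` look unintended.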
diff --git a/etc/pam.d/other b/etc/pam.d/other index 59d776c..867cf91 100644 --- a/etc/pam.d/other +++ b/etc/pam.d/other @@ -4,13 +4,11 @@ # Note that this file is used for any unspecified service; for example #if /etc/pam.d/cron specifies no session modules but cron calls #pam_open_session, the session module out of /etc/pam.d/other is -#used. If you really want nothing to happen then use pam_permit.so or -#pam_deny.so as appropriate. - -# We fall back to the system default in /etc/pam.d/common-* -# +#used. +# +# We deny any pam calls not explicitely allowed elsewhere. -@include common-auth -@include common-account -@include common-password -@include common-session +auth required pam_deny +account required pam_deny +session required pam_deny +password required pam_deny -- 2.30.2 From 9ebef4e9fb2d18357b7cfff2932d424805607a1e Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Fri, 17 Apr 2009 15:15:44 +0200 Subject: [PATCH 16/16] system: Set hostname and mailname --- etc/hostname | 1 + etc/mailname | 1 + 2 files changed, 2 insertions(+) create mode 100644 etc/hostname create mode 100644 etc/mailname diff --git a/etc/hostname b/etc/hostname new file mode 100644 index 0000000..382a72a --- /dev/null +++ b/etc/hostname @@ -0,0 +1 @@ +backup.drsnuggles.stderr.nl diff --git a/etc/mailname b/etc/mailname new file mode 100644 index 0000000..382a72a --- /dev/null +++ b/etc/mailname @@ -0,0 +1 @@ +backup.drsnuggles.stderr.nl -- 2.30.2
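Review bot: The four new lines name the module as `pam_deny` without the `.so` suffix, whereas every other module reference in this series (for instance `auth required pam_deny.so` in the patch 12 login hunk) carries it; unless Linux-PAM on this system resolves the bare name, these entries fail to load, which is logged as an error on every PAM call rather than being a clean deny, so they should read `auth required pam_deny.so` and likewise for the account, session and password lines. Separately, the file's own header explains that phases a service does not configure are taken from `other`; `su` (patch 09) and `chfn`/`chsh` (patch 11) now carry only an `auth` line, so their account and session phases resolve to pam_deny here, and a root `su` is likely to fail at session open even though pam_rootok succeeded. Give those three files explicit `account` and `session` lines (pam_permit.so, or a pam_rootok.so-based check) so that `other` remains a pure backstop.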