Attachment #6388 for bug #36743

View | Details | Raw Unified | Return to bug 36743
Collapse All | Expand All




@%@UCRWARNING=# @%@

@include common-auth
@!@
scope = "gdm"
accessfileFlag = "auth/%s/restrict" % (scope,)
if configRegistry.is_true(accessfileFlag, False):
	accessfileDefault = "/etc/security/access-%s.conf" % (scope,)
	accessfileKey = "auth/%s/accessfile" % (scope,)
	accessfile = configRegistry.get(accessfileKey, accessfileDefault)
	line =  [
		'account required pam_access.so',
		'accessfile=%s' % (accessfile,),
		'listsep=,',
		]
	maxent = configRegistry.get('pamaccess/maxent', False)
	if maxent:
		line.append('maxent=%s' % (maxent,))
	print ' '.join(line)
@!@
@include common-account
@include common-session
@include common-password




@%@UCRWARNING=# @%@

@include common-auth
@!@
scope = "kdm"
accessfileFlag = "auth/%s/restrict" % (scope,)
if configRegistry.is_true(accessfileFlag, False):
	accessfileDefault = "/etc/security/access-%s.conf" % (scope,)
	accessfileKey = "auth/%s/accessfile" % (scope,)
	accessfile = configRegistry.get(accessfileKey, accessfileDefault)
	line =  [
		'account required pam_access.so',
		'accessfile=%s' % (accessfile,),
		'listsep=,',
		]
	maxent = configRegistry.get('pamaccess/maxent', False)
	if maxent:
		line.append('maxent=%s' % (maxent,))
	print ' '.join(line)
@!@
@include common-account
@include common-session
@include common-password




@%@UCRWARNING=# @%@

@!@
from univention.lib.misc import custom_username, custom_groupname

scope = "gdm"
names = {}
for item in configRegistry.keys():
	if item.startswith("auth/" + scope + "/") and configRegistry.is_true(item, False):
		tmp = item.split("/")
		if len(tmp) >= 4:
			if tmp[2] == "group":
				names[custom_groupname(tmp[3])] = 1
			elif tmp[2] == "user":
				names[custom_username(tmp[3])] = 1

print "+:" + ",".join(names.keys()) + ":ALL"
print "-:ALL:ALL"
@!@




@%@UCRWARNING=# @%@

@!@
from univention.lib.misc import custom_username, custom_groupname

scope = "kdm"
names = {}
for item in configRegistry.keys():
	if item.startswith("auth/" + scope + "/") and configRegistry.is_true(item, False):
		tmp = item.split("/")
		if len(tmp) >= 4:
			if tmp[2] == "group":
				names[custom_groupname(tmp[3])] = 1
			elif tmp[2] == "user":
				names[custom_username(tmp[3])] = 1

print "+:" + ",".join(names.keys()) + ":ALL"
print "-:ALL:ALL"
@!@

(-)a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/changelog (+6 lines)

Lines 1-3	Link Here

univention-pam (8.0.3-1) unstable; urgency=low

  * Bug #36743: Provide PAM configuration for KDM

 -- Philipp Hahn <hahn@univention.de>  Mon, 17 Nov 2014 12:31:41 +0100

univention-pam (8.0.2-1) unstable; urgency=medium

univention-pam (8.0.2-1) unstable; urgency=medium

  * Bug #36436: add spaces to commatas in the description of auth/.*/restrict

  * Bug #36436: add spaces to commatas in the description of auth/.*/restrict

(-)a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/ucslint.overrides (-1 / +1 lines)

Lines 3-9	Link Here

0004-12: conffiles/etc/pam.d/passwd

0004-12: conffiles/etc/pam.d/passwd

0004-12: conffiles/etc/pam.d/su

0004-12: conffiles/etc/pam.d/su

0004-12: conffiles/etc/pam.d/rsh

0004-12: conffiles/etc/pam.d/rsh

0004-12: conffiles/etc/pam.d/gdm

0004-12: conffiles/etc/pam.d/kdm

0004-12: conffiles/etc/pam.d/kscreensaver

0004-12: conffiles/etc/pam.d/kscreensaver

0004-12: conffiles/etc/pam.d/screen

0004-12: conffiles/etc/pam.d/screen

0004-12: conffiles/etc/pam.d/kcheckpass

0004-12: conffiles/etc/pam.d/kcheckpass

(-)a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.maintscript (+2 lines)

Line 0	Link Here

rm_conffile /etc/univention/templates/files/etc/pam.d/gdm 8.0.3-1~

rm_conffile /etc/security/access-gdm.conf 8.0.3-1~

(-)a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.postinst (-4 / +10 lines)

Lines 69-78 univention-config-registry set \	Link Here

	"auth/ftp/group/Domain Admins?yes" \

	"auth/ftp/group/Domain Admins?yes" \

	auth/ftp/group/Administrators?"yes" \

	auth/ftp/group/Administrators?"yes" \

	auth/ftp/user/root?"yes" \

	auth/ftp/user/root?"yes" \

	auth/gdm/restrict?"yes" \

	auth/kdm/restrict?"yes" \

	"auth/gdm/group/Domain Admins?yes" \

	"auth/kdm/group/Domain Admins?yes" \

	auth/gdm/group/Administrators?"yes" \

	auth/kdm/group/Administrators?"yes" \

	auth/gdm/user/root?"yes" \

	auth/kdm/user/root?"yes" \

 	auth/login/restrict?"yes" \

 	auth/login/restrict?"yes" \

	"auth/login/group/Domain Admins?yes" \

	"auth/login/group/Domain Admins?yes" \

	auth/login/group/Administrators?"yes" \

	auth/login/group/Administrators?"yes" \

Lines 162-165 call_joinscript 11univention-pam.inst	Link Here

162

163

#DEBHELPER#

163

#DEBHELPER#

164

165

# Bug #36743: remove gdm PAM files

166

if [ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 8.0.3-1; then

167

	univention-config-registry update

168

	univention-config-registry unset auth/gdm/restrict auth/gdm/group/'Domain Admins' auth/gdm/group/Administrators auth/gdm/user/root

169

fi

170

165

exit 0

171

exit 0




Variables: groups/default/.*

Type: file
File: etc/pam.d/kdm
Variables: auth/kdm/restrict
Variables: auth/kdm/accessfile
Variables: pamaccess/maxent

Type: file
File: etc/security/access-kdm.conf
Variables: auth/kdm/group/.*
Variables: auth/kdm/user/.*
Variables: users/default/.*
Variables: groups/default/.*


(-)a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry-variables (-3 / +2 lines)

Lines 233-240 Type=bool	Link Here

233

Categories=system-base

233

Categories=system-base

234

235

[auth/.*/restrict]

235

[auth/.*/restrict]

236

Description[de]=Die Option aktiviert über das PAM-Modul pam_access Anmeldebeschränkungen für den angegebenen Dienst. Ist die Variable auth/SERVICE/restrict aktiviert,  können sich nur Benutzer anmelden,  die über weitere Variablen in der Form auth/SERVICE/user/BENUTZERNAME=yes oder auth/SERVICE/group/GRUPPENNAME=yes zugelassen sind. Mögliche Werte als Service sind: chfn, chsh, cron, ftp, gdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su und sudo.

236

Description[de]=Die Option aktiviert über das PAM-Modul pam_access Anmeldebeschränkungen für den angegebenen Dienst. Ist die Variable auth/SERVICE/restrict aktiviert,  können sich nur Benutzer anmelden,  die über weitere Variablen in der Form auth/SERVICE/user/BENUTZERNAME=yes oder auth/SERVICE/group/GRUPPENNAME=yes zugelassen sind. Mögliche Werte als Service sind: chfn, chsh, cron, ftp, kdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su und sudo.

237

Description[en]=This option activates login restrictions for the given service using pam_access. If the variable auth/SERVICE/restrict is activated,  only users can login,  which are allows using variables in the form auth/SERVICE/user/USERNAME=yes or auth/SERVICE/group/GROUPNAME=yes. Possible values for the service are: chfn, chsh, cron, ftp, gdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su and sudo.

237

Description[en]=This option activates login restrictions for the given service using pam_access. If the variable auth/SERVICE/restrict is activated,  only users can login,  which are allows using variables in the form auth/SERVICE/user/USERNAME=yes or auth/SERVICE/group/GROUPNAME=yes. Possible values for the service are: chfn, chsh, cron, ftp, kdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su and sudo.

238

Type=bool

238

Type=bool

239

Categories=system-base

239

Categories=system-base

240

241

Return to bug 36743