From 6521e06ad5abcac804b8e33f8b121d93a6ae4f2c Mon Sep 17 00:00:00 2001
Message-Id: <6521e06ad5abcac804b8e33f8b121d93a6ae4f2c.1416224590.git.hahn@univention.de>
From: Philipp Hahn
Date: Mon, 17 Nov 2014 12:42:38 +0100
Subject: [PATCH] Bug #36743: Provide PAM configuration for KDM
Organization: Univention GmbH, Bremen, Germany

Remove PAM configuration for GDM in favour of KDM.
---
 .../base/univention-pam/conffiles/etc/pam.d/gdm | 23 ----------------------
 .../base/univention-pam/conffiles/etc/pam.d/kdm | 23 ++++++++++++++++++++++
 .../conffiles/etc/security/access-gdm.conf | 19 ------------------
 .../conffiles/etc/security/access-kdm.conf | 19 ++++++++++++++++++
 .../ucs-4.0-0/base/univention-pam/debian/changelog | 6 ++++++
 .../base/univention-pam/debian/ucslint.overrides | 2 +-
 .../debian/univention-pam.maintscript | 2 ++
 .../univention-pam/debian/univention-pam.postinst | 14 +++++++++----
 .../univention-pam.univention-config-registry | 12 +++++------
 ...ention-pam.univention-config-registry-variables | 4 ++--
 10 files changed, 69 insertions(+), 55 deletions(-)
 delete mode 100644 branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/gdm
 create mode 100644 branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/kdm
 delete mode 100644 branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-gdm.conf
 create mode 100644 branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-kdm.conf
 create mode 100644 branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.maintscript

diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/gdm b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/gdm
deleted file mode 100644
index 45b7fc7..0000000
--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/gdm
+++ /dev/null
@@ -1,23 +0,0 @@
-@%@UCRWARNING=# @%@
-
-@include common-auth
-@!@
-scope = "gdm"
-accessfileFlag = "auth/%s/restrict" % (scope,)
-if configRegistry.is_true(accessfileFlag, False):
- accessfileDefault = "/etc/security/access-%s.conf" % (scope,)
- accessfileKey = "auth/%s/accessfile" % (scope,)
- accessfile = configRegistry.get(accessfileKey, accessfileDefault)
- line = [
- 'account required pam_access.so',
- 'accessfile=%s' % (accessfile,),
- 'listsep=,',
- ]
- maxent = configRegistry.get('pamaccess/maxent', False)
- if maxent:
- line.append('maxent=%s' % (maxent,))
- print ' '.join(line)
-@!@
-@include common-account
-@include common-session
-@include common-password
diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/kdm b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/kdm
new file mode 100644
index 0000000..51c6cbd
--- /dev/null
+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/kdm
@@ -0,0 +1,23 @@
+@%@UCRWARNING=# @%@
+
+@include common-auth
+@!@
+scope = "kdm"
+accessfileFlag = "auth/%s/restrict" % (scope,)
+if configRegistry.is_true(accessfileFlag, False):
+ accessfileDefault = "/etc/security/access-%s.conf" % (scope,)
+ accessfileKey = "auth/%s/accessfile" % (scope,)
+ accessfile = configRegistry.get(accessfileKey, accessfileDefault)
+ line = [
+ 'account required pam_access.so',
+ 'accessfile=%s' % (accessfile,),
+ 'listsep=,',
+ ]
+ maxent = configRegistry.get('pamaccess/maxent', False)
+ if maxent:
+ line.append('maxent=%s' % (maxent,))
+ print ' '.join(line)
+@!@
+@include common-account
+@include common-session
+@include common-password
diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-gdm.conf b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-gdm.conf
deleted file mode 100644
index db8a9a8..0000000
--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-gdm.conf
+++ /dev/null
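Review bot: The new kdm template is byte-for-byte the removed gdm template with only `scope = "kdm"` changed, and if the other per-service pam.d templates named in ucslint.overrides carry the same `@!@` block, a shared helper that takes the scope and returns the pam_access line would let a future fix land once instead of per service. The block also leaves its fail-open default implicit; a comment such as `# no pam_access line unless auth/kdm/restrict is true - common-account alone then decides` above the `if configRegistry.is_true(...)` would make it explicit. Note as well that `accessfile` from `auth/kdm/accessfile` is interpolated unquoted into the module argument list, so a path containing whitespace would be split into several arguments by the PAM config parser; it is admin-controlled, but a comment or a check at render time would be cheap.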
@@ -1,19 +0,0 @@
-@%@UCRWARNING=# @%@
-
-@!@
-from univention.lib.misc import custom_username, custom_groupname
-
-scope = "gdm"
-names = {}
-for item in configRegistry.keys():
- if item.startswith("auth/" + scope + "/") and configRegistry.is_true(item, False):
- tmp = item.split("/")
- if len(tmp) >= 4:
- if tmp[2] == "group":
- names[custom_groupname(tmp[3])] = 1
- elif tmp[2] == "user":
- names[custom_username(tmp[3])] = 1
-
-print "+:" + ",".join(names.keys()) + ":ALL"
-print "-:ALL:ALL"
-@!@
diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-kdm.conf b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-kdm.conf
new file mode 100644
index 0000000..b7cda50
--- /dev/null
+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-kdm.conf
@@ -0,0 +1,19 @@
+@%@UCRWARNING=# @%@
+
+@!@
+from univention.lib.misc import custom_username, custom_groupname
+
+scope = "kdm"
+names = {}
+for item in configRegistry.keys():
+ if item.startswith("auth/" + scope + "/") and configRegistry.is_true(item, False):
+ tmp = item.split("/")
+ if len(tmp) >= 4:
+ if tmp[2] == "group":
+ names[custom_groupname(tmp[3])] = 1
+ elif tmp[2] == "user":
+ names[custom_username(tmp[3])] = 1
+
+print "+:" + ",".join(names.keys()) + ":ALL"
+print "-:ALL:ALL"
+@!@
diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/changelog b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/changelog
index 1041fd2..67cd6c9 100644
--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/changelog
+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/changelog
@@ -1,3 +1,9 @@
+univention-pam (8.0.3-1) unstable; urgency=low
+
+ * Bug #36743: Provide PAM configuration for KDM
+
+ -- Philipp Hahn Mon, 17 Nov 2014 12:31:41 +0100
+
 univention-pam (8.0.2-1) unstable; urgency=medium
 
 * Bug #36436: add spaces to commatas in the description of auth/.*/restrict
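Review bot: When no `auth/kdm/user/*` or `auth/kdm/group/*` variable is true, `names` stays empty and the template emits `+::ALL` followed by `-:ALL:ALL`, which, as far as pam_access list matching goes, should allow nobody and then reject everyone once `auth/kdm/restrict` is enabled; that fail-closed outcome looks intended but is undocumented, so a comment above the first `print` such as `# empty allow list: "+::ALL" matches nobody, "-:ALL:ALL" then denies all logins` would spare the next reader a trip to pam_access(8). The `names` dict is only used as a set, and `",".join(names.keys())` takes dict order, so the rendered file can differ between runs for identical input; `names = set()` with `names.add(...)` and `",".join(sorted(names))` would make the output deterministic and diff-friendly. Both points apply equally to the removed gdm version, so they predate this commit.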
diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/ucslint.overrides b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/ucslint.overrides
index 0948860..a5d6a2a 100644
--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/ucslint.overrides
+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/ucslint.overrides
@@ -3,7 +3,7 @@
 0004-12: conffiles/etc/pam.d/passwd
 0004-12: conffiles/etc/pam.d/su
 0004-12: conffiles/etc/pam.d/rsh
-0004-12: conffiles/etc/pam.d/gdm
+0004-12: conffiles/etc/pam.d/kdm
 0004-12: conffiles/etc/pam.d/kscreensaver
 0004-12: conffiles/etc/pam.d/screen
 0004-12: conffiles/etc/pam.d/kcheckpass
diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.maintscript b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.maintscript
new file mode 100644
index 0000000..3b44d63
--- /dev/null
+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.maintscript
@@ -0,0 +1,2 @@
+rm_conffile /etc/univention/templates/files/etc/pam.d/gdm 8.0.3-1~
+rm_conffile /etc/security/access-gdm.conf 8.0.3-1~
diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.postinst b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.postinst
index e96ba31..6693fc2 100644
--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.postinst
+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.postinst
@@ -69,10 +69,10 @@ univention-config-registry set \
 "auth/ftp/group/Domain Admins?yes" \
 auth/ftp/group/Administrators?"yes" \
 auth/ftp/user/root?"yes" \
- auth/gdm/restrict?"yes" \
- "auth/gdm/group/Domain Admins?yes" \
- auth/gdm/group/Administrators?"yes" \
- auth/gdm/user/root?"yes" \
+ auth/kdm/restrict?"yes" \
+ "auth/kdm/group/Domain Admins?yes" \
+ auth/kdm/group/Administrators?"yes" \
+ auth/kdm/user/root?"yes" \
 auth/login/restrict?"yes" \
 "auth/login/group/Domain Admins?yes" \
 auth/login/group/Administrators?"yes" \
@@ -162,4 +162,10 @@ call_joinscript 11univention-pam.inst
 
 #DEBHELPER#
 
+# Bug #36743: remove gdm PAM files
+if [ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 8.0.3-1; then
+ univention-config-registry update
+ univention-config-registry unset auth/gdm/restrict auth/gdm/group/'Domain Admins' auth/gdm/group/Administrators auth/gdm/user/root
+fi
+
 exit 0
diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry
index f31b8c2..99933fe 100644
--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry
+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry
@@ -194,15 +194,15 @@ Variables: users/default/.*
 Variables: groups/default/.*
 
 Type: file
-File: etc/pam.d/gdm
-Variables: auth/gdm/restrict
-Variables: auth/gdm/accessfile
+File: etc/pam.d/kdm
+Variables: auth/kdm/restrict
+Variables: auth/kdm/accessfile
 Variables: pamaccess/maxent
 
 Type: file
-File: etc/security/access-gdm.conf
-Variables: auth/gdm/group/.*
-Variables: auth/gdm/user/.*
+File: etc/security/access-kdm.conf
+Variables: auth/kdm/group/.*
+Variables: auth/kdm/user/.*
 Variables: users/default/.*
 Variables: groups/default/.*
 
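Review bot: The upgrade block in the second postinst hunk unsets only the four default `auth/gdm/*` keys seeded by the `ucr set` block above it, so an admin-set `auth/gdm/accessfile` or any extra `auth/gdm/user/*` and `auth/gdm/group/*` entries survive as orphaned variables that no template reads any more; a pattern-based cleanup (listing `^auth/gdm/` keys with `univention-config-registry search` and feeding them to `unset`) would cover them, or a comment should state that leaving them is deliberate. The block also runs `univention-config-registry update` after the maintscript has removed the gdm template, but whether UCR then removes the previously generated `/etc/pam.d/gdm` is not visible here; if that file lingers it still references `/etc/security/access-gdm.conf`, which the same upgrade deletes, so the intended end state of a still-installed GDM should be verified and spelled out in the comment. The postinst script itself starts above the hunk.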
diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry-variables b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry-variables
index 91449b7..e2e10c2 100644
--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry-variables
+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry-variables
@@ -233,8 +233,8 @@ Type=bool
 Categories=system-base
 
 [auth/.*/restrict]
-Description[de]=Die Option aktiviert über das PAM-Modul pam_access Anmeldebeschränkungen für den angegebenen Dienst. Ist die Variable auth/SERVICE/restrict aktiviert, können sich nur Benutzer anmelden, die über weitere Variablen in der Form auth/SERVICE/user/BENUTZERNAME=yes oder auth/SERVICE/group/GRUPPENNAME=yes zugelassen sind. Mögliche Werte als Service sind: chfn, chsh, cron, ftp, gdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su und sudo.
-Description[en]=This option activates login restrictions for the given service using pam_access. If the variable auth/SERVICE/restrict is activated, only users can login, which are allows using variables in the form auth/SERVICE/user/USERNAME=yes or auth/SERVICE/group/GROUPNAME=yes. Possible values for the service are: chfn, chsh, cron, ftp, gdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su and sudo.
+Description[de]=Die Option aktiviert über das PAM-Modul pam_access Anmeldebeschränkungen für den angegebenen Dienst. Ist die Variable auth/SERVICE/restrict aktiviert, können sich nur Benutzer anmelden, die über weitere Variablen in der Form auth/SERVICE/user/BENUTZERNAME=yes oder auth/SERVICE/group/GRUPPENNAME=yes zugelassen sind. Mögliche Werte als Service sind: chfn, chsh, cron, ftp, kdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su und sudo.
+Description[en]=This option activates login restrictions for the given service using pam_access. If the variable auth/SERVICE/restrict is activated, only users can login, which are allows using variables in the form auth/SERVICE/user/USERNAME=yes or auth/SERVICE/group/GROUPNAME=yes. Possible values for the service are: chfn, chsh, cron, ftp, kdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su and sudo.
 Type=bool
 Categories=system-base
 
-- 
1.9.1