Univention Bugzilla – Attachment 6388 Details for Bug 36743: /etc/pam.d/kdm allows normal user login
Bug #36743: Provide PAM configuration for KDM
36743-Provide-PAM-configuration-for-KDM.patch (text/plain), 11.57 KB, created by Philipp Hahn on 2014-11-17 12:43 CET
>From 6521e06ad5abcac804b8e33f8b121d93a6ae4f2c Mon Sep 17 00:00:00 2001 >Message-Id: <6521e06ad5abcac804b8e33f8b121d93a6ae4f2c.1416224590.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Mon, 17 Nov 2014 12:42:38 +0100 >Subject: [PATCH] Bug #36743: Provide PAM configuration for KDM >Organization: Univention GmbH, Bremen, Germany > >Remove PAM configuration for GDM in favour of KDM. >--- > .../base/univention-pam/conffiles/etc/pam.d/gdm | 23 ---------------------- > .../base/univention-pam/conffiles/etc/pam.d/kdm | 23 ++++++++++++++++++++++ > .../conffiles/etc/security/access-gdm.conf | 19 ------------------ > .../conffiles/etc/security/access-kdm.conf | 19 ++++++++++++++++++ > .../ucs-4.0-0/base/univention-pam/debian/changelog | 6 ++++++ > .../base/univention-pam/debian/ucslint.overrides | 2 +- > .../debian/univention-pam.maintscript | 2 ++ > .../univention-pam/debian/univention-pam.postinst | 14 +++++++++---- > .../univention-pam.univention-config-registry | 12 +++++------ > ...ention-pam.univention-config-registry-variables | 4 ++-- > 10 files changed, 69 insertions(+), 55 deletions(-) > delete mode 100644 branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/gdm > create mode 100644 branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/kdm > delete mode 100644 branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-gdm.conf > create mode 100644 branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-kdm.conf > create mode 100644 branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.maintscript > >diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/gdm b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/gdm >deleted file mode 100644 >index 45b7fc7..0000000 >--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/gdm >+++ /dev/null 
>@@ -1,23 +0,0 @@ >-@%@UCRWARNING=# @%@ >- >-@include common-auth >-@!@ >-scope = "gdm" >-accessfileFlag = "auth/%s/restrict" % (scope,) >-if configRegistry.is_true(accessfileFlag, False): >- accessfileDefault = "/etc/security/access-%s.conf" % (scope,) >- accessfileKey = "auth/%s/accessfile" % (scope,) >- accessfile = configRegistry.get(accessfileKey, accessfileDefault) >- line = [ >- 'account required pam_access.so', >- 'accessfile=%s' % (accessfile,), >- 'listsep=,', >- ] >- maxent = configRegistry.get('pamaccess/maxent', False) >- if maxent: >- line.append('maxent=%s' % (maxent,)) >- print ' '.join(line) >-@!@ >-@include common-account >-@include common-session >-@include common-password >diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/kdm b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/kdm >new file mode 100644 >index 0000000..51c6cbd >--- /dev/null >+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/pam.d/kdm >@@ -0,0 +1,23 @@ >+@%@UCRWARNING=# @%@ >+ >+@include common-auth >+@!@ >+scope = "kdm" >+accessfileFlag = "auth/%s/restrict" % (scope,) >+if configRegistry.is_true(accessfileFlag, False): >+ accessfileDefault = "/etc/security/access-%s.conf" % (scope,) >+ accessfileKey = "auth/%s/accessfile" % (scope,) >+ accessfile = configRegistry.get(accessfileKey, accessfileDefault) >+ line = [ >+ 'account required pam_access.so', >+ 'accessfile=%s' % (accessfile,), >+ 'listsep=,', >+ ] >+ maxent = configRegistry.get('pamaccess/maxent', False) >+ if maxent: >+ line.append('maxent=%s' % (maxent,)) >+ print ' '.join(line) >+@!@ >+@include common-account >+@include common-session >+@include common-password >diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-gdm.conf b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-gdm.conf >deleted file mode 100644 >index db8a9a8..0000000 
>--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-gdm.conf >+++ /dev/null >@@ -1,19 +0,0 @@ >-@%@UCRWARNING=# @%@ >- >-@!@ >-from univention.lib.misc import custom_username, custom_groupname >- >-scope = "gdm" >-names = {} >-for item in configRegistry.keys(): >- if item.startswith("auth/" + scope + "/") and configRegistry.is_true(item, False): >- tmp = item.split("/") >- if len(tmp) >= 4: >- if tmp[2] == "group": >- names[custom_groupname(tmp[3])] = 1 >- elif tmp[2] == "user": >- names[custom_username(tmp[3])] = 1 >- >-print "+:" + ",".join(names.keys()) + ":ALL" >-print "-:ALL:ALL" >-@!@ >diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-kdm.conf b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-kdm.conf >new file mode 100644 >index 0000000..b7cda50 >--- /dev/null >+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/conffiles/etc/security/access-kdm.conf >@@ -0,0 +1,19 @@ >+@%@UCRWARNING=# @%@ >+ >+@!@ >+from univention.lib.misc import custom_username, custom_groupname >+ >+scope = "kdm" >+names = {} >+for item in configRegistry.keys(): >+ if item.startswith("auth/" + scope + "/") and configRegistry.is_true(item, False): >+ tmp = item.split("/") >+ if len(tmp) >= 4: >+ if tmp[2] == "group": >+ names[custom_groupname(tmp[3])] = 1 >+ elif tmp[2] == "user": >+ names[custom_username(tmp[3])] = 1 >+ >+print "+:" + ",".join(names.keys()) + ":ALL" >+print "-:ALL:ALL" >+@!@ >diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/changelog b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/changelog >index 1041fd2..67cd6c9 100644 >--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/changelog >+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/changelog 
>@@ -1,3 +1,9 @@ >+univention-pam (8.0.3-1) unstable; urgency=low >+ >+ * Bug #36743: Provide PAM configuration for KDM >+ >+ -- Philipp Hahn <hahn@univention.de> Mon, 17 Nov 2014 12:31:41 +0100 >+ > univention-pam (8.0.2-1) unstable; urgency=medium > > * Bug #36436: add spaces to commatas in the description of auth/.*/restrict >diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/ucslint.overrides b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/ucslint.overrides >index 0948860..a5d6a2a 100644 >--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/ucslint.overrides >+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/ucslint.overrides >@@ -3,7 +3,7 @@ > 0004-12: conffiles/etc/pam.d/passwd > 0004-12: conffiles/etc/pam.d/su > 0004-12: conffiles/etc/pam.d/rsh >-0004-12: conffiles/etc/pam.d/gdm >+0004-12: conffiles/etc/pam.d/kdm > 0004-12: conffiles/etc/pam.d/kscreensaver > 0004-12: conffiles/etc/pam.d/screen > 0004-12: conffiles/etc/pam.d/kcheckpass >diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.maintscript b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.maintscript >new file mode 100644 >index 0000000..3b44d63 >--- /dev/null >+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.maintscript >@@ -0,0 +1,2 @@ >+rm_conffile /etc/univention/templates/files/etc/pam.d/gdm 8.0.3-1~ >+rm_conffile /etc/security/access-gdm.conf 8.0.3-1~ >diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.postinst b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.postinst >index e96ba31..6693fc2 100644 >--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.postinst >+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.postinst 
>@@ -69,10 +69,10 @@ univention-config-registry set \ > "auth/ftp/group/Domain Admins?yes" \ > auth/ftp/group/Administrators?"yes" \ > auth/ftp/user/root?"yes" \ >- auth/gdm/restrict?"yes" \ >- "auth/gdm/group/Domain Admins?yes" \ >- auth/gdm/group/Administrators?"yes" \ >- auth/gdm/user/root?"yes" \ >+ auth/kdm/restrict?"yes" \ >+ "auth/kdm/group/Domain Admins?yes" \ >+ auth/kdm/group/Administrators?"yes" \ >+ auth/kdm/user/root?"yes" \ > auth/login/restrict?"yes" \ > "auth/login/group/Domain Admins?yes" \ > auth/login/group/Administrators?"yes" \ >@@ -162,4 +162,10 @@ call_joinscript 11univention-pam.inst > > #DEBHELPER# > >+# Bug #36743: remove gdm PAM files >+if [ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 8.0.3-1; then >+ univention-config-registry update >+ univention-config-registry unset auth/gdm/restrict auth/gdm/group/'Domain Admins' auth/gdm/group/Administrators auth/gdm/user/root >+fi >+ > exit 0 >diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry >index f31b8c2..99933fe 100644 >--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry >+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry >@@ -194,15 +194,15 @@ Variables: users/default/.* > Variables: groups/default/.* > > Type: file >-File: etc/pam.d/gdm >-Variables: auth/gdm/restrict >-Variables: auth/gdm/accessfile >+File: etc/pam.d/kdm >+Variables: auth/kdm/restrict >+Variables: auth/kdm/accessfile > Variables: pamaccess/maxent > > Type: file >-File: etc/security/access-gdm.conf >-Variables: auth/gdm/group/.* >-Variables: auth/gdm/user/.* >+File: etc/security/access-kdm.conf >+Variables: auth/kdm/group/.* >+Variables: auth/kdm/user/.* > Variables: users/default/.* > Variables: groups/default/.* 
> >diff --git a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry-variables b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry-variables >index 91449b7..e2e10c2 100644 >--- a/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry-variables >+++ b/branches/ucs-4.0/ucs-4.0-0/base/univention-pam/debian/univention-pam.univention-config-registry-variables 
>@@ -233,8 +233,8 @@ Type=bool > Categories=system-base > > [auth/.*/restrict] >-Description[de]=Die Option aktiviert über das PAM-Modul pam_access Anmeldebeschränkungen für den angegebenen Dienst. Ist die Variable auth/SERVICE/restrict aktiviert, können sich nur Benutzer anmelden, die über weitere Variablen in der Form auth/SERVICE/user/BENUTZERNAME=yes oder auth/SERVICE/group/GRUPPENNAME=yes zugelassen sind. Mögliche Werte als Service sind: chfn, chsh, cron, ftp, gdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su und sudo. >-Description[en]=This option activates login restrictions for the given service using pam_access. If the variable auth/SERVICE/restrict is activated, only users can login, which are allows using variables in the form auth/SERVICE/user/USERNAME=yes or auth/SERVICE/group/GROUPNAME=yes. Possible values for the service are: chfn, chsh, cron, ftp, gdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su and sudo. >+Description[de]=Die Option aktiviert über das PAM-Modul pam_access Anmeldebeschränkungen für den angegebenen Dienst. Ist die Variable auth/SERVICE/restrict aktiviert, können sich nur Benutzer anmelden, die über weitere Variablen in der Form auth/SERVICE/user/BENUTZERNAME=yes oder auth/SERVICE/group/GRUPPENNAME=yes zugelassen sind. Mögliche Werte als Service sind: chfn, chsh, cron, ftp, kdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su und sudo. >+Description[en]=This option activates login restrictions for the given service using pam_access. If the variable auth/SERVICE/restrict is activated, only users can login, which are allows using variables in the form auth/SERVICE/user/USERNAME=yes or auth/SERVICE/group/GROUPNAME=yes. Possible values for the service are: chfn, chsh, cron, ftp, kdm, kcheckpass, kde, kscreensaver, login, other, passwd, ppp, rlogin, rsh, screen, sshd, su and sudo. 
> Type=bool > Categories=system-base > >-- >1.9.1 >
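Review bot: the new conffiles/etc/pam.d/kdm template fails open, because the "account required pam_access.so" line is only printed when configRegistry.is_true(accessfileFlag, False) holds, and the fallback there is False. With auth/kdm/restrict unset or set to "no" the generated file is only the common-auth, common-account, common-session and common-password includes, which is the situation the bug title describes. The postinst sets the variable with the "?" form, which keeps any value that is already there, so an existing "no" survives the upgrade. Please either document the fail-open default in the template or consider a default of True for this scope.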
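Review bot: in the new conffiles/etc/security/access-kdm.conf template, group names and user names are merged into the same "names" dict and written as bare tokens in the "+:...:ALL" line. pam_access matches a bare token against the user name as well as against group membership, so a user account that happens to be called like an allowed group (for example "Administrators") would be admitted. Writing group entries in the "(groupname)" form that pam_access provides for this would remove the ambiguity. Two smaller points in the same hunk: when no auth/kdm/user/* or auth/kdm/group/* variable is true the template emits "+::ALL" with an empty list, which could simply be skipped, and ",".join(names.keys()) gives no stable order, so sorted() would make the generated file reproducible.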
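Review bot: the two rm_conffile lines in the new debian/univention-pam.maintscript name different kinds of paths. The first removes the template at /etc/univention/templates/files/etc/pam.d/gdm, the second removes /etc/security/access-gdm.conf, which is the generated file path and not under /etc/univention/templates/files/. Since both files come from conffiles/ in this package, I would expect the second line to read /etc/univention/templates/files/etc/security/access-gdm.conf; as written, one of the two is probably not the path dpkg knows as a conffile. Please check which path is registered and make both lines consistent.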
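Review bot: the upgrade block added at the end of debian/univention-pam.postinst unsets only the four default keys (auth/gdm/restrict, auth/gdm/group/'Domain Admins', auth/gdm/group/Administrators, auth/gdm/user/root). An auth/gdm/accessfile setting and any site-specific auth/gdm/user/* or auth/gdm/group/* entries stay in the registry, and none of them are carried over to auth/kdm/*, so after the upgrade KDM is governed only by the defaults set in the first hunk of this file. If a migration of existing values is not wanted, please say so in the changelog; otherwise copy the old values before unsetting them. The comment also says "remove gdm PAM files", but the commands shown only run "univention-config-registry update" and unset variables; a short comment on what "update" is expected to do with the already generated /etc/pam.d/gdm and /etc/security/access-gdm.conf would help.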
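Review bot: in the [auth/.*/restrict] hunk of univention-pam.univention-config-registry-variables, the changed Description[en] line still reads "only users can login, which are allows using variables". Since the line is being touched anyway, this could be corrected to "only users can log in who are allowed using variables" in the same commit.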