[SCM] sddm packaging branch, master, updated. a84bdd6bcf7666a0aa5bdf4f6986a9a04eb2b0d4

Maximiliano Curia maxy at moszumanska.debian.org
Sat Oct 11 12:33:18 UTC 2014


Gitweb-URL: http://git.debian.org/?p=pkg-kde/kde-std/sddm.git;a=commitdiff;h=ebfe27d

The following commit has been merged in the master branch:
commit ebfe27d43edba563e441a60ca758f9fa704f72e0
Author: Maximiliano Curia <maxy at gnuservers.com.ar>
Date:   Sat Oct 11 14:19:30 2014 +0200

    Change pam files
    
     - Check that user is not root
     - Add keyinit
     - Make gnome-keyring and kwallet pam modules optional
     - Add missing loginuid (is this still needed?)
     - Read locale environment once
---
 debian/sddm.pam                | 29 ++++++++++++++++++++++-------
 debian/sddm.sddm-autologin.pam | 20 +++++++++++++++++---
 debian/sddm.sddm-greeter.pam   | 22 ++++++++++++++++------
 3 files changed, 55 insertions(+), 16 deletions(-)

diff --git a/debian/sddm.pam b/debian/sddm.pam
index 9bc58b5..e8893f2 100644
--- a/debian/sddm.pam
+++ b/debian/sddm.pam
@@ -1,16 +1,31 @@
 #%PAM-1.0
+
+# Block login if they are globally disabled
 auth    requisite       pam_nologin.so
-auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
+auth    required        pam_succeed_if.so user != root quiet_success
+# Load environment from /etc/default/locale and ~/.pam_environment
+auth    required        pam_env.so envfile=/etc/default/locale
+# auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
 @include common-auth
-auth    optional        pam_gnome_keyring.so
-auth    optional        pam_kwallet.so
+-auth   optional        pam_gnome_keyring.so
+-auth   optional        pam_kwallet.so
+
 @include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+# Create a new session keyring.
+session optional        pam_keyinit.so force revoke
 session required        pam_limits.so
+session required        pam_loginuid.so
 @include common-session
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional        pam_gnome_keyring.so auto_start
-session optional        pam_kwallet.so auto_start
-session required        pam_env.so readenv=1
-session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+-session optional       pam_gnome_keyring.so auto_start
+-session optional       pam_kwallet.so auto_start
+
 @include common-password
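Review bot: The comment added above `auth    required        pam_env.so envfile=/etc/default/locale` says the line loads /etc/default/locale and ~/.pam_environment, but the line does not carry the `user_readenv=1` that the removed session line had. The per-user file is therefore read only if the installed pam_env enables it by default, and upstream Linux-PAM documents that option as off by default. Because `envfile=` replaces pam_env's default file and the plain `pam_env.so readenv=1` line is removed, /etc/environment also appears to be no longer read by this stack, which goes further than the "Read locale environment once" of the commit message. If that is intended, the comment should read `# Load locale settings from /etc/default/locale`, and if it is not, a separate `auth    required        pam_env.so` line would restore /etc/environment. I would correct the comment rather than add `user_readenv=1`, since auth-phase modules usually run with the display manager's privileges and a user-controlled file is best kept out of that phase. The same comment and line are added in the sddm-autologin and sddm-greeter hunks.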
diff --git a/debian/sddm.sddm-autologin.pam b/debian/sddm.sddm-autologin.pam
index d38e7a8..138d9eb 100644
--- a/debian/sddm.sddm-autologin.pam
+++ b/debian/sddm.sddm-autologin.pam
@@ -1,11 +1,25 @@
 #%PAM-1.0
+
+# Block login if they are globally disabled
 auth    requisite       pam_nologin.so
-auth    required        pam_permit.so
+auth    required        pam_succeed_if.so user != root quiet_success
+# Load environment from /etc/default/locale and ~/.pam_environment
+auth    required        pam_env.so envfile=/etc/default/locale
+
 @include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+# Create a new session keyring.
+session optional        pam_keyinit.so force revoke
 session required        pam_limits.so
+session required        pam_loginuid.so
 @include common-session
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session required        pam_env.so readenv=1
-session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+
 @include common-password
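Review bot: Nothing in the file says that, with `pam_permit.so` removed, `auth    required        pam_succeed_if.so user != root quiet_success` is the one auth line that decides the outcome of this credential-less stack. As far as I can tell pam_nologin and pam_env do not grant authentication themselves, so a later edit to that line changes the result of the whole stack. I would put a comment directly above it, for example `# Autologin: no credentials are checked; this rule rejects root and is the only rule that returns success for other users`. The existing "Block login if they are globally disabled" comment describes pam_nologin only.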
diff --git a/debian/sddm.sddm-greeter.pam b/debian/sddm.sddm-greeter.pam
index e7d21e3..2030859 100644
--- a/debian/sddm.sddm-greeter.pam
+++ b/debian/sddm.sddm-greeter.pam
@@ -1,13 +1,23 @@
 #%PAM-1.0
+
+# Load environment from /etc/default/locale and ~/.pam_environment
+auth    required        pam_env.so envfile=/etc/default/locale
 auth    required        pam_permit.so
-auth    optional        pam_gnome_keyring.so
-auth    optional        pam_kwallet.so
+
 @include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+# Create a new session keyring.
+session optional        pam_keyinit.so force revoke
 session required        pam_limits.so
+session required        pam_loginuid.so
 @include common-session
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional        pam_gnome_keyring.so auto_start
-session optional        pam_kwallet.so auto_start
-session required        pam_env.so readenv=1
-session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+
+ at include common-password
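Review bot: Including `common-password` in the greeter service looks unnecessary: its auth section is only `pam_permit.so`, and by the hunk's line counts the old file had no password section at all. The greeter presumably runs as a dedicated system account that never changes a password through this service, so I would drop the include or add a comment such as `# password stack kept for parity with sddm.pam` if it is deliberate. The last added line is displayed here as `at include common-password`, which looks like the list archive's address obfuscation of `@include`; the other two files show the directive as `@include`.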

-- 
sddm packaging


