[SCM] sddm packaging branch, master, updated. a84bdd6bcf7666a0aa5bdf4f6986a9a04eb2b0d4
Maximiliano Curia
maxy at moszumanska.debian.org
Sat Oct 11 12:33:18 UTC 2014
Gitweb-URL: http://git.debian.org/?p=pkg-kde/kde-std/sddm.git;a=commitdiff;h=ebfe27d
The following commit has been merged in the master branch:
commit ebfe27d43edba563e441a60ca758f9fa704f72e0
Author: Maximiliano Curia <maxy at gnuservers.com.ar>
Date: Sat Oct 11 14:19:30 2014 +0200
Change pam files
- Check that user is not root
- Add keyinit
- Make gnome-keyring and kwallet pam modules optional
- Add missing loginuid (is this still needed?)
- Read locale environment once
---
debian/sddm.pam | 29 ++++++++++++++++++++++-------
debian/sddm.sddm-autologin.pam | 20 +++++++++++++++++---
debian/sddm.sddm-greeter.pam | 22 ++++++++++++++++------
3 files changed, 55 insertions(+), 16 deletions(-)
diff --git a/debian/sddm.pam b/debian/sddm.pam
index 9bc58b5..e8893f2 100644
--- a/debian/sddm.pam
+++ b/debian/sddm.pam
@@ -1,16 +1,31 @@
#%PAM-1.0
+
+# Block login if they are globally disabled
auth requisite pam_nologin.so
-auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
+auth required pam_succeed_if.so user != root quiet_success
+# Load environment from /etc/default/locale and ~/.pam_environment
+auth required pam_env.so envfile=/etc/default/locale
+# auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet.so
+-auth optional pam_gnome_keyring.so
+-auth optional pam_kwallet.so
+
@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible that a
+# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+# Create a new session keyring.
+session optional pam_keyinit.so force revoke
session required pam_limits.so
+session required pam_loginuid.so
@include common-session
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context. Only sessions which are intended
+# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet.so auto_start
-session required pam_env.so readenv=1
-session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+-session optional pam_gnome_keyring.so auto_start
+-session optional pam_kwallet.so auto_start
+
@include common-password
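Review bot: The comment added above the new `pam_env.so` line says `~/.pam_environment` is loaded, but the line passes only `envfile=/etc/default/locale` and drops the `user_readenv=1` that the removed session line carried, so whether the per-user file is read now depends on the module's built-in default. That file is user-writable and is parsed during login, so the choice should be explicit. Either write `auth required pam_env.so envfile=/etc/default/locale user_readenv=0` and trim the comment to the locale file, or keep `user_readenv=1` and say why. The same comment and line appear in the sddm-autologin and sddm-greeter hunks; in the greeter the session user is presumably the greeter account, so the per-user file is unlikely to matter there.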
diff --git a/debian/sddm.sddm-autologin.pam b/debian/sddm.sddm-autologin.pam
index d38e7a8..138d9eb 100644
--- a/debian/sddm.sddm-autologin.pam
+++ b/debian/sddm.sddm-autologin.pam
@@ -1,11 +1,25 @@
#%PAM-1.0
+
+# Block login if they are globally disabled
auth requisite pam_nologin.so
-auth required pam_permit.so
+auth required pam_succeed_if.so user != root quiet_success
+# Load environment from /etc/default/locale and ~/.pam_environment
+auth required pam_env.so envfile=/etc/default/locale
+
@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible that a
+# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+# Create a new session keyring.
+session optional pam_keyinit.so force revoke
session required pam_limits.so
+session required pam_loginuid.so
@include common-session
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context. Only sessions which are intended
+# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session required pam_env.so readenv=1
-session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+
@include common-password
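Review bot: With `auth required pam_permit.so` removed, the auth stack of the autologin service has no module that checks a credential, and nothing in the file says this is intended. I would add a comment above the `pam_succeed_if.so` line, for example `# Autologin: no credential is checked; pam_nologin and the root exclusion are the only gates`. The stack's result for an ordinary user now appears to rest on `pam_succeed_if.so` alone, since `pam_env.so` presumably contributes nothing to the authenticate step. It is worth confirming that autologin still succeeds for a non-root user and is refused for root.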
diff --git a/debian/sddm.sddm-greeter.pam b/debian/sddm.sddm-greeter.pam
index e7d21e3..2030859 100644
--- a/debian/sddm.sddm-greeter.pam
+++ b/debian/sddm.sddm-greeter.pam
@@ -1,13 +1,23 @@
#%PAM-1.0
+
+# Load environment from /etc/default/locale and ~/.pam_environment
+auth required pam_env.so envfile=/etc/default/locale
auth required pam_permit.so
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet.so
+
@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible that a
+# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+# Create a new session keyring.
+session optional pam_keyinit.so force revoke
session required pam_limits.so
+session required pam_loginuid.so
@include common-session
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context. Only sessions which are intended
+# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet.so auto_start
-session required pam_env.so readenv=1
-session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+
+ at include common-password
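Review bot: The greeter service keeps `auth required pam_permit.so` with no restriction on the user name, so this stack would accept any account that a caller of the service passes in, unlike the other two files, which now exclude root. Pinning it to the greeter's own account would make the intent explicit, e.g. `auth required pam_succeed_if.so quiet_success user = <greeter-account>` placed before `pam_permit.so`. The account name is not shown on this page, so that value is a placeholder. Separately, `session required pam_loginuid.so` on a non-login greeter session will fail the whole session if the module cannot set the login UID, which the commit message itself questions; `optional` may be the safer control flag here.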
--
sddm packaging