summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKevin Tian <kevin.tian@intel.com>2010-08-03 15:53:38 +0800
committerRichard Purdie <rpurdie@linux.intel.com>2010-08-13 13:36:01 +0100
commit46771a85b0cd8edeab2b2bb2b79754fb797f24b2 (patch)
tree4b85393e5ddf09f5f45f64388c0105f361640be8
parent59e30ad05f3d51f5ebaaa7ffc855ce93a676a986 (diff)
downloadopenembedded-core-46771a85b0cd8edeab2b2bb2b79754fb797f24b2.tar.gz
openembedded-core-46771a85b0cd8edeab2b2bb2b79754fb797f24b2.tar.bz2
openembedded-core-46771a85b0cd8edeab2b2bb2b79754fb797f24b2.tar.xz
openembedded-core-46771a85b0cd8edeab2b2bb2b79754fb797f24b2.zip
pam: rename to libpam and add core config files
So far pam is not really functional as there no pam config files exists, here we borrow from openembedded to setup core /etc/pam.d to make it functional: * change 'pam' to 'libpam' following Debian naming convention, and change (R)DEPENDS in other recipes * borrow openembedded libpam-base-files with changes: - rename to libpam-runtime to follow Debian naming - only keep common-* core files which can be traced back to Debian libpam-runtime-1.0.1 for license track. Other service specific files (such as atd, cron, ...) are removed because either they may contaminate the license or it's right thing to have their own packages providing them - use same libpam recipe instead of creating a new. This way other /etc/ stuff are all contained by libpam-runtime * like openembedded, we package each pam plugin into seperate package now, with some differnce though: - Some ${sbindir} binaries are bound to specific PAM plugin. So better to package them together with corresponding plugin package - populate_sysroot_prepend is invoked before actual populate_sysroot, at that time ${D} binaries haven't been tripped. So it's difficult to specify -dev for those plugin pacakges from _prepend which are simply empty. actually one -dev/-doc per recipe is one good exercise here. Signed-off-by: Kevin Tian <kevin.tian@intel.com>
-rw-r--r--meta/packages/libcap/libcap.inc3
-rw-r--r--meta/packages/libcap/libcap_2.19.bb2
-rw-r--r--meta/packages/pam/libpam-1.1.1/99_pam (renamed from meta/packages/pam/pam-1.1.1/99_pam)0
-rw-r--r--meta/packages/pam/libpam-1.1.1/disable_crossbinary.patch (renamed from meta/packages/pam/pam-1.1.1/disable_crossbinary.patch)0
-rw-r--r--meta/packages/pam/libpam-1.1.1/pam.d/common-account25
-rw-r--r--meta/packages/pam/libpam-1.1.1/pam.d/common-auth18
-rw-r--r--meta/packages/pam/libpam-1.1.1/pam.d/common-password26
-rw-r--r--meta/packages/pam/libpam-1.1.1/pam.d/common-session19
-rw-r--r--meta/packages/pam/libpam-1.1.1/pam.d/common-session-noninteractive19
-rw-r--r--meta/packages/pam/libpam-1.1.1/pam.d/other27
-rw-r--r--meta/packages/pam/libpam_1.1.1.bb77
-rw-r--r--meta/packages/polkit/polkit_0.96.bb6
12 files changed, 216 insertions, 6 deletions
diff --git a/meta/packages/libcap/libcap.inc b/meta/packages/libcap/libcap.inc
index 7bdecd78a..16eaae690 100644
--- a/meta/packages/libcap/libcap.inc
+++ b/meta/packages/libcap/libcap.inc
@@ -5,8 +5,7 @@ HOMEPAGE = "http://sites.google.com/site/fullycapable/"
LICENSE = "BSD | GPL"
LIC_FILES_CHKSUM = "file://License;md5=731de803c1ccbcb05a9b3523279c8d7f"
-DEPENDS = "pam attr perl-native"
-PR = "r0"
+DEPENDS = "libpam attr perl-native"
SRC_URI = "${KERNELORG_MIRROR}/pub/linux/libs/security/linux-privs/libcap2/${BPN}-${PV}.tar.bz2"
diff --git a/meta/packages/libcap/libcap_2.19.bb b/meta/packages/libcap/libcap_2.19.bb
index 474d06056..eb861535e 100644
--- a/meta/packages/libcap/libcap_2.19.bb
+++ b/meta/packages/libcap/libcap_2.19.bb
@@ -1,3 +1,3 @@
require libcap.inc
-PR = "r0"
+PR = "r1"
diff --git a/meta/packages/pam/pam-1.1.1/99_pam b/meta/packages/pam/libpam-1.1.1/99_pam
index 97e990d10..97e990d10 100644
--- a/meta/packages/pam/pam-1.1.1/99_pam
+++ b/meta/packages/pam/libpam-1.1.1/99_pam
diff --git a/meta/packages/pam/pam-1.1.1/disable_crossbinary.patch b/meta/packages/pam/libpam-1.1.1/disable_crossbinary.patch
index 43359b08f..43359b08f 100644
--- a/meta/packages/pam/pam-1.1.1/disable_crossbinary.patch
+++ b/meta/packages/pam/libpam-1.1.1/disable_crossbinary.patch
diff --git a/meta/packages/pam/libpam-1.1.1/pam.d/common-account b/meta/packages/pam/libpam-1.1.1/pam.d/common-account
new file mode 100644
index 000000000..316b17337
--- /dev/null
+++ b/meta/packages/pam/libpam-1.1.1/pam.d/common-account
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/meta/packages/pam/libpam-1.1.1/pam.d/common-auth b/meta/packages/pam/libpam-1.1.1/pam.d/common-auth
new file mode 100644
index 000000000..460b69f19
--- /dev/null
+++ b/meta/packages/pam/libpam-1.1.1/pam.d/common-auth
@@ -0,0 +1,18 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/meta/packages/pam/libpam-1.1.1/pam.d/common-password b/meta/packages/pam/libpam-1.1.1/pam.d/common-password
new file mode 100644
index 000000000..389605732
--- /dev/null
+++ b/meta/packages/pam/libpam-1.1.1/pam.d/common-password
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+password [success=1 default=ignore] pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/meta/packages/pam/libpam-1.1.1/pam.d/common-session b/meta/packages/pam/libpam-1.1.1/pam.d/common-session
new file mode 100644
index 000000000..a594dd9d9
--- /dev/null
+++ b/meta/packages/pam/libpam-1.1.1/pam.d/common-session
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
diff --git a/meta/packages/pam/libpam-1.1.1/pam.d/common-session-noninteractive b/meta/packages/pam/libpam-1.1.1/pam.d/common-session-noninteractive
new file mode 100644
index 000000000..b110bb2b4
--- /dev/null
+++ b/meta/packages/pam/libpam-1.1.1/pam.d/common-session-noninteractive
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
diff --git a/meta/packages/pam/libpam-1.1.1/pam.d/other b/meta/packages/pam/libpam-1.1.1/pam.d/other
new file mode 100644
index 000000000..6e40cd0c0
--- /dev/null
+++ b/meta/packages/pam/libpam-1.1.1/pam.d/other
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.
+
+#If you really want nothing to happen then use pam_permit.so or
+#pam_deny.so as appropriate.
+
+# We use pam_warn.so to generate syslog notes that the 'other'
+#fallback rules are being used (as a hint to suggest you should setup
+#specific PAM rules for the service and aid to debugging). We then
+#fall back to the system default in /etc/pam.d/common-*
+
+auth required pam_warn.so
+auth include common-auth
+
+account required pam_warn.so
+account include common-account
+
+password required pam_warn.so
+password include common-password
+
+session required pam_warn.so
+session include common-session
diff --git a/meta/packages/pam/libpam_1.1.1.bb b/meta/packages/pam/libpam_1.1.1.bb
new file mode 100644
index 000000000..12c417227
--- /dev/null
+++ b/meta/packages/pam/libpam_1.1.1.bb
@@ -0,0 +1,77 @@
+DESCRIPTION = "Linux-PAM (Pluggable Authentication Modules for Linux), Basically, it is a flexible mechanism for authenticating users"
+HOMEPAGE = "http://www.kernel.org/pub/linux/libs/pam/"
+BUGTRACKER = "http://sourceforge.net/projects/pam/support"
+# PAM allows dual licensed under GPL and BSD.
+# /etc/pam.d comes from Debian libpam-runtime in 2009-11 (at that time
+# libpam-runtime-1.0.1 is GPLv2+), by openembedded
+LICENSE = "GPLv2+ | BSD"
+PR = "r0"
+
+DEPENDS = "bison flex"
+RDEPENDS_${PN}-runtime = "libpam pam-plugin-deny pam-plugin-permit pam-plugin-warn pam-plugin-unix"
+RRECOMMENDS_${PN} = "libpam-runtime"
+
+SRC_URI = "http://www.kernel.org/pub/linux/libs/pam/library/Linux-PAM-${PV}.tar.bz2 \
+ file://disable_crossbinary.patch \
+ file://99_pam \
+ file://pam.d/*"
+
+EXTRA_OECONF = "--with-db-uniquename=_pam \
+ --includedir=${includedir}/security \
+ --libdir=${base_libdir} \
+ --disable-regenerate-docu"
+CFLAGS_append = " -fPIC "
+
+S = "${WORKDIR}/Linux-PAM-${PV}"
+
+inherit autotools gettext
+
+PACKAGES += "${PN}-runtime"
+FILES_${PN} = "${base_libdir}/lib*${SOLIBS}"
+FILES_${PN}-dbg += "${base_libdir}/security/.debug \
+ ${base_libdir}/security/pam_filter/.debug"
+FILES_${PN}-dev += "${base_libdir}/security/*.la ${base_libdir}/*.la ${base_libdir}/lib*${SOLIBSDEV}"
+FILES_${PN}-runtime = "${sysconfdir}"
+
+PACKAGES_DYNAMIC += " pam-plugin-*"
+
+python populate_packages_prepend () {
+ import os.path
+
+ def pam_plugin_append_file(pn, dir, file):
+ nf = os.path.join(dir, file)
+ of = bb.data.getVar('FILES_' + pn, d, True)
+ if of:
+ nf = of + " " + nf
+ bb.data.setVar('FILES_' + pn, nf, d)
+
+ dvar = bb.data.expand('${WORKDIR}/package', d, True)
+ pam_libdir = bb.data.expand('${base_libdir}/security', d)
+ pam_sbindir = bb.data.expand('${sbindir}', d)
+ pam_filterdir = bb.data.expand('${base_libdir}/security/pam_filter', d)
+
+ do_split_packages(d, pam_libdir, '^pam(.*)\.so$', 'pam-plugin%s', 'PAM plugin for %s', extra_depends='')
+ pam_plugin_append_file('pam-plugin-unix', pam_sbindir, 'unix_chkpwd')
+ pam_plugin_append_file('pam-plugin-unix', pam_sbindir, 'unix_update')
+ pam_plugin_append_file('pam-plugin-tally', pam_sbindir, 'pam_tally')
+ pam_plugin_append_file('pam-plugin-tally2', pam_sbindir, 'pam_tally2')
+ pam_plugin_append_file('pam-plugin-timestamp', pam_sbindir, 'pam_timestamp_check')
+ pam_plugin_append_file('pam-plugin-mkhomedir', pam_sbindir, 'mkhomedir_helper')
+ do_split_packages(d, pam_filterdir, '^(.*)$', 'pam-filter-%s', 'PAM filter for %s', extra_depends='')
+}
+
+do_install() {
+ autotools_do_install
+
+ # don't install /var/run when populating rootfs. Do it through volatile
+ rm -rf ${D}/var
+ install -d ${D}${sysconfdir}/default/volatiles
+ install -m 0644 ${WORKDIR}/99_pam ${D}/etc/default/volatiles
+
+ install -d ${D}${sysconfdir}/pam.d/
+ install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
+}
+
+pkg_postinst_${PN} () {
+ /etc/init.d/populate-volatile.sh update
+}
diff --git a/meta/packages/polkit/polkit_0.96.bb b/meta/packages/polkit/polkit_0.96.bb
index e17dc93f8..e6e030b19 100644
--- a/meta/packages/polkit/polkit_0.96.bb
+++ b/meta/packages/polkit/polkit_0.96.bb
@@ -6,9 +6,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=155db86cdbafa7532b41f390409283eb \
file://docs/polkit/html/license.html;md5=4c17ef1587e0f096c82157160d4e340e"
SRC_URI = "http://hal.freedesktop.org/releases/polkit-${PV}.tar.gz"
-PR="r1"
-DEPENDS = "pam expat dbus-glib eggdbus intltool"
-RDEPENDS = "pam"
+PR = "r2"
+DEPENDS = "libpam expat dbus-glib eggdbus intltool"
+RDEPENDS = "libpam"
EXTRA_OECONF = "--with-authfw=pam --with-os-type=moblin --disable-man-pages --disable-gtk-doc --disable-introspection"
inherit autotools pkgconfig