From 46771a85b0cd8edeab2b2bb2b79754fb797f24b2 Mon Sep 17 00:00:00 2001 From: Kevin Tian Date: Tue, 3 Aug 2010 15:53:38 +0800 Subject: pam: rename to libpam and add core config files So far pam is not really functional as there no pam config files exists, here we borrow from openembedded to setup core /etc/pam.d to make it functional: * change 'pam' to 'libpam' following Debian naming convention, and change (R)DEPENDS in other recipes * borrow openembedded libpam-base-files with changes: - rename to libpam-runtime to follow Debian naming - only keep common-* core files which can be traced back to Debian libpam-runtime-1.0.1 for license track. Other service specific files (such as atd, cron, ...) are removed because either they may contaminate the license or it's right thing to have their own packages providing them - use same libpam recipe instead of creating a new. This way other /etc/ stuff are all contained by libpam-runtime * like openembedded, we package each pam plugin into seperate package now, with some differnce though: - Some ${sbindir} binaries are bound to specific PAM plugin. So better to package them together with corresponding plugin package - populate_sysroot_prepend is invoked before actual populate_sysroot, at that time ${D} binaries haven't been tripped. So it's difficult to specify -dev for those plugin pacakges from _prepend which are simply empty. actually one -dev/-doc per recipe is one good exercise here. Signed-off-by: Kevin Tian --- meta/packages/libcap/libcap.inc | 3 +- meta/packages/libcap/libcap_2.19.bb | 2 +- meta/packages/pam/libpam-1.1.1/99_pam | 1 + .../pam/libpam-1.1.1/disable_crossbinary.patch | 34 ++++++++++ .../packages/pam/libpam-1.1.1/pam.d/common-account | 25 +++++++ meta/packages/pam/libpam-1.1.1/pam.d/common-auth | 18 +++++ .../pam/libpam-1.1.1/pam.d/common-password | 26 ++++++++ .../packages/pam/libpam-1.1.1/pam.d/common-session | 19 ++++++ .../pam.d/common-session-noninteractive | 19 ++++++ meta/packages/pam/libpam-1.1.1/pam.d/other | 27 ++++++++ meta/packages/pam/libpam_1.1.1.bb | 77 ++++++++++++++++++++++ meta/packages/pam/pam-1.1.1/99_pam | 1 - .../pam/pam-1.1.1/disable_crossbinary.patch | 34 ---------- meta/packages/polkit/polkit_0.96.bb | 6 +- 14 files changed, 251 insertions(+), 41 deletions(-) create mode 100644 meta/packages/pam/libpam-1.1.1/99_pam create mode 100644 meta/packages/pam/libpam-1.1.1/disable_crossbinary.patch create mode 100644 meta/packages/pam/libpam-1.1.1/pam.d/common-account create mode 100644 meta/packages/pam/libpam-1.1.1/pam.d/common-auth create mode 100644 meta/packages/pam/libpam-1.1.1/pam.d/common-password create mode 100644 meta/packages/pam/libpam-1.1.1/pam.d/common-session create mode 100644 meta/packages/pam/libpam-1.1.1/pam.d/common-session-noninteractive create mode 100644 meta/packages/pam/libpam-1.1.1/pam.d/other create mode 100644 meta/packages/pam/libpam_1.1.1.bb delete mode 100644 meta/packages/pam/pam-1.1.1/99_pam delete mode 100644 meta/packages/pam/pam-1.1.1/disable_crossbinary.patch diff --git a/meta/packages/libcap/libcap.inc b/meta/packages/libcap/libcap.inc index 7bdecd78a..16eaae690 100644 --- a/meta/packages/libcap/libcap.inc +++ b/meta/packages/libcap/libcap.inc @@ -5,8 +5,7 @@ HOMEPAGE = "http://sites.google.com/site/fullycapable/" LICENSE = "BSD | GPL" LIC_FILES_CHKSUM = "file://License;md5=731de803c1ccbcb05a9b3523279c8d7f" -DEPENDS = "pam attr perl-native" -PR = "r0" +DEPENDS = "libpam attr perl-native" SRC_URI = "${KERNELORG_MIRROR}/pub/linux/libs/security/linux-privs/libcap2/${BPN}-${PV}.tar.bz2" diff --git a/meta/packages/libcap/libcap_2.19.bb b/meta/packages/libcap/libcap_2.19.bb index 474d06056..eb861535e 100644 --- a/meta/packages/libcap/libcap_2.19.bb +++ b/meta/packages/libcap/libcap_2.19.bb @@ -1,3 +1,3 @@ require libcap.inc -PR = "r0" +PR = "r1" diff --git a/meta/packages/pam/libpam-1.1.1/99_pam b/meta/packages/pam/libpam-1.1.1/99_pam new file mode 100644 index 000000000..97e990d10 --- /dev/null +++ b/meta/packages/pam/libpam-1.1.1/99_pam @@ -0,0 +1 @@ +d root root 0755 /var/run/sepermit none diff --git a/meta/packages/pam/libpam-1.1.1/disable_crossbinary.patch b/meta/packages/pam/libpam-1.1.1/disable_crossbinary.patch new file mode 100644 index 000000000..43359b08f --- /dev/null +++ b/meta/packages/pam/libpam-1.1.1/disable_crossbinary.patch @@ -0,0 +1,34 @@ +padout should be compiled using the native compiler but isn't. +Disable this piece of documentation for now. + +RP + +Index: Linux-PAM-1.0.2/doc/specs/Makefile.am +=================================================================== +--- Linux-PAM-1.0.2.orig/doc/specs/Makefile.am 2008-11-04 21:06:23.000000000 +0000 ++++ Linux-PAM-1.0.2/doc/specs/Makefile.am 2008-11-04 21:07:06.000000000 +0000 +@@ -2,21 +2,8 @@ + # Copyright (c) 2005, 2006 Thorsten Kukuk + # + +-CLEANFILES = draft-morgan-pam-current.txt *~ ++CLEANFILES = *~ + +-EXTRA_DIST = draft-morgan-pam.raw std-agent-id.raw rfc86.0.txt ++EXTRA_DIST = std-agent-id.raw rfc86.0.txt + +-draft-morgan-pam-current.txt: padout draft-morgan-pam.raw +- ./padout < $(srcdir)/draft-morgan-pam.raw > draft-morgan-pam-current.txt +- +-AM_YFLAGS = -d +- +-BUILT_SOURCES = parse_y.h +- +-noinst_PROGRAMS = padout +- +-padout_SOURCES = parse_l.l parse_y.y +- +-padout_LDADD = @LEXLIB@ +- +-doc_DATA = draft-morgan-pam-current.txt rfc86.0.txt ++doc_DATA = rfc86.0.txt diff --git a/meta/packages/pam/libpam-1.1.1/pam.d/common-account b/meta/packages/pam/libpam-1.1.1/pam.d/common-account new file mode 100644 index 000000000..316b17337 --- /dev/null +++ b/meta/packages/pam/libpam-1.1.1/pam.d/common-account @@ -0,0 +1,25 @@ +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authorization modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired in /etc/shadow. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. +# + +# here are the per-package modules (the "Primary" block) +account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so +# here's the fallback if no module succeeds +account requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +account required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/meta/packages/pam/libpam-1.1.1/pam.d/common-auth b/meta/packages/pam/libpam-1.1.1/pam.d/common-auth new file mode 100644 index 000000000..460b69f19 --- /dev/null +++ b/meta/packages/pam/libpam-1.1.1/pam.d/common-auth @@ -0,0 +1,18 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. + +# here are the per-package modules (the "Primary" block) +auth [success=1 default=ignore] pam_unix.so nullok_secure +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) diff --git a/meta/packages/pam/libpam-1.1.1/pam.d/common-password b/meta/packages/pam/libpam-1.1.1/pam.d/common-password new file mode 100644 index 000000000..389605732 --- /dev/null +++ b/meta/packages/pam/libpam-1.1.1/pam.d/common-password @@ -0,0 +1,26 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# +# The "sha512" option enables salted SHA512 passwords. Without this option, +# the default is Unix crypt. Prior releases used the option "md5". +# +# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +# login.defs. +# +# See the pam_unix manpage for other options. + +# here are the per-package modules (the "Primary" block) +password [success=1 default=ignore] pam_unix.so obscure sha512 +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so +# and here are more per-package modules (the "Additional" block) diff --git a/meta/packages/pam/libpam-1.1.1/pam.d/common-session b/meta/packages/pam/libpam-1.1.1/pam.d/common-session new file mode 100644 index 000000000..a594dd9d9 --- /dev/null +++ b/meta/packages/pam/libpam-1.1.1/pam.d/common-session @@ -0,0 +1,19 @@ +# +# /etc/pam.d/common-session - session-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of sessions of *any* kind (both interactive and +# non-interactive). +# + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# and here are more per-package modules (the "Additional" block) +session required pam_unix.so diff --git a/meta/packages/pam/libpam-1.1.1/pam.d/common-session-noninteractive b/meta/packages/pam/libpam-1.1.1/pam.d/common-session-noninteractive new file mode 100644 index 000000000..b110bb2b4 --- /dev/null +++ b/meta/packages/pam/libpam-1.1.1/pam.d/common-session-noninteractive @@ -0,0 +1,19 @@ +# +# /etc/pam.d/common-session-noninteractive - session-related modules +# common to all non-interactive services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of all non-interactive sessions. +# + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# and here are more per-package modules (the "Additional" block) +session required pam_unix.so diff --git a/meta/packages/pam/libpam-1.1.1/pam.d/other b/meta/packages/pam/libpam-1.1.1/pam.d/other new file mode 100644 index 000000000..6e40cd0c0 --- /dev/null +++ b/meta/packages/pam/libpam-1.1.1/pam.d/other @@ -0,0 +1,27 @@ +# +# /etc/pam.d/other - specify the PAM fallback behaviour +# +# Note that this file is used for any unspecified service; for example +#if /etc/pam.d/cron specifies no session modules but cron calls +#pam_open_session, the session module out of /etc/pam.d/other is +#used. + +#If you really want nothing to happen then use pam_permit.so or +#pam_deny.so as appropriate. + +# We use pam_warn.so to generate syslog notes that the 'other' +#fallback rules are being used (as a hint to suggest you should setup +#specific PAM rules for the service and aid to debugging). We then +#fall back to the system default in /etc/pam.d/common-* + +auth required pam_warn.so +auth include common-auth + +account required pam_warn.so +account include common-account + +password required pam_warn.so +password include common-password + +session required pam_warn.so +session include common-session diff --git a/meta/packages/pam/libpam_1.1.1.bb b/meta/packages/pam/libpam_1.1.1.bb new file mode 100644 index 000000000..12c417227 --- /dev/null +++ b/meta/packages/pam/libpam_1.1.1.bb @@ -0,0 +1,77 @@ +DESCRIPTION = "Linux-PAM (Pluggable Authentication Modules for Linux), Basically, it is a flexible mechanism for authenticating users" +HOMEPAGE = "http://www.kernel.org/pub/linux/libs/pam/" +BUGTRACKER = "http://sourceforge.net/projects/pam/support" +# PAM allows dual licensed under GPL and BSD. +# /etc/pam.d comes from Debian libpam-runtime in 2009-11 (at that time +# libpam-runtime-1.0.1 is GPLv2+), by openembedded +LICENSE = "GPLv2+ | BSD" +PR = "r0" + +DEPENDS = "bison flex" +RDEPENDS_${PN}-runtime = "libpam pam-plugin-deny pam-plugin-permit pam-plugin-warn pam-plugin-unix" +RRECOMMENDS_${PN} = "libpam-runtime" + +SRC_URI = "http://www.kernel.org/pub/linux/libs/pam/library/Linux-PAM-${PV}.tar.bz2 \ + file://disable_crossbinary.patch \ + file://99_pam \ + file://pam.d/*" + +EXTRA_OECONF = "--with-db-uniquename=_pam \ + --includedir=${includedir}/security \ + --libdir=${base_libdir} \ + --disable-regenerate-docu" +CFLAGS_append = " -fPIC " + +S = "${WORKDIR}/Linux-PAM-${PV}" + +inherit autotools gettext + +PACKAGES += "${PN}-runtime" +FILES_${PN} = "${base_libdir}/lib*${SOLIBS}" +FILES_${PN}-dbg += "${base_libdir}/security/.debug \ + ${base_libdir}/security/pam_filter/.debug" +FILES_${PN}-dev += "${base_libdir}/security/*.la ${base_libdir}/*.la ${base_libdir}/lib*${SOLIBSDEV}" +FILES_${PN}-runtime = "${sysconfdir}" + +PACKAGES_DYNAMIC += " pam-plugin-*" + +python populate_packages_prepend () { + import os.path + + def pam_plugin_append_file(pn, dir, file): + nf = os.path.join(dir, file) + of = bb.data.getVar('FILES_' + pn, d, True) + if of: + nf = of + " " + nf + bb.data.setVar('FILES_' + pn, nf, d) + + dvar = bb.data.expand('${WORKDIR}/package', d, True) + pam_libdir = bb.data.expand('${base_libdir}/security', d) + pam_sbindir = bb.data.expand('${sbindir}', d) + pam_filterdir = bb.data.expand('${base_libdir}/security/pam_filter', d) + + do_split_packages(d, pam_libdir, '^pam(.*)\.so$', 'pam-plugin%s', 'PAM plugin for %s', extra_depends='') + pam_plugin_append_file('pam-plugin-unix', pam_sbindir, 'unix_chkpwd') + pam_plugin_append_file('pam-plugin-unix', pam_sbindir, 'unix_update') + pam_plugin_append_file('pam-plugin-tally', pam_sbindir, 'pam_tally') + pam_plugin_append_file('pam-plugin-tally2', pam_sbindir, 'pam_tally2') + pam_plugin_append_file('pam-plugin-timestamp', pam_sbindir, 'pam_timestamp_check') + pam_plugin_append_file('pam-plugin-mkhomedir', pam_sbindir, 'mkhomedir_helper') + do_split_packages(d, pam_filterdir, '^(.*)$', 'pam-filter-%s', 'PAM filter for %s', extra_depends='') +} + +do_install() { + autotools_do_install + + # don't install /var/run when populating rootfs. Do it through volatile + rm -rf ${D}/var + install -d ${D}${sysconfdir}/default/volatiles + install -m 0644 ${WORKDIR}/99_pam ${D}/etc/default/volatiles + + install -d ${D}${sysconfdir}/pam.d/ + install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/ +} + +pkg_postinst_${PN} () { + /etc/init.d/populate-volatile.sh update +} diff --git a/meta/packages/pam/pam-1.1.1/99_pam b/meta/packages/pam/pam-1.1.1/99_pam deleted file mode 100644 index 97e990d10..000000000 --- a/meta/packages/pam/pam-1.1.1/99_pam +++ /dev/null @@ -1 +0,0 @@ -d root root 0755 /var/run/sepermit none diff --git a/meta/packages/pam/pam-1.1.1/disable_crossbinary.patch b/meta/packages/pam/pam-1.1.1/disable_crossbinary.patch deleted file mode 100644 index 43359b08f..000000000 --- a/meta/packages/pam/pam-1.1.1/disable_crossbinary.patch +++ /dev/null @@ -1,34 +0,0 @@ -padout should be compiled using the native compiler but isn't. -Disable this piece of documentation for now. - -RP - -Index: Linux-PAM-1.0.2/doc/specs/Makefile.am -=================================================================== ---- Linux-PAM-1.0.2.orig/doc/specs/Makefile.am 2008-11-04 21:06:23.000000000 +0000 -+++ Linux-PAM-1.0.2/doc/specs/Makefile.am 2008-11-04 21:07:06.000000000 +0000 -@@ -2,21 +2,8 @@ - # Copyright (c) 2005, 2006 Thorsten Kukuk - # - --CLEANFILES = draft-morgan-pam-current.txt *~ -+CLEANFILES = *~ - --EXTRA_DIST = draft-morgan-pam.raw std-agent-id.raw rfc86.0.txt -+EXTRA_DIST = std-agent-id.raw rfc86.0.txt - --draft-morgan-pam-current.txt: padout draft-morgan-pam.raw -- ./padout < $(srcdir)/draft-morgan-pam.raw > draft-morgan-pam-current.txt -- --AM_YFLAGS = -d -- --BUILT_SOURCES = parse_y.h -- --noinst_PROGRAMS = padout -- --padout_SOURCES = parse_l.l parse_y.y -- --padout_LDADD = @LEXLIB@ -- --doc_DATA = draft-morgan-pam-current.txt rfc86.0.txt -+doc_DATA = rfc86.0.txt diff --git a/meta/packages/polkit/polkit_0.96.bb b/meta/packages/polkit/polkit_0.96.bb index e17dc93f8..e6e030b19 100644 --- a/meta/packages/polkit/polkit_0.96.bb +++ b/meta/packages/polkit/polkit_0.96.bb @@ -6,9 +6,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=155db86cdbafa7532b41f390409283eb \ file://docs/polkit/html/license.html;md5=4c17ef1587e0f096c82157160d4e340e" SRC_URI = "http://hal.freedesktop.org/releases/polkit-${PV}.tar.gz" -PR="r1" -DEPENDS = "pam expat dbus-glib eggdbus intltool" -RDEPENDS = "pam" +PR = "r2" +DEPENDS = "libpam expat dbus-glib eggdbus intltool" +RDEPENDS = "libpam" EXTRA_OECONF = "--with-authfw=pam --with-os-type=moblin --disable-man-pages --disable-gtk-doc --disable-introspection" inherit autotools pkgconfig -- cgit v1.2.3