Ticket #1710: pam_console.diff

postlfs/security/linux-pam.xml

@@ -11 +11 @@
   <!ENTITY linux-pam-buildsize     "19.8 MB">
   <!ENTITY linux-pam-time          "0.5 SBU">
   <!ENTITY linux-pam-docs-download "http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-&linux-pam-version;-docs.tar.bz2">
+  <!-- FIXME: Need more permanent location for pam-redhat -->
+  <!ENTITY linux-pam-redhat-version  "0.99.5-1">
+  <!ENTITY linux-pam-redhat-download "http://www.linuxfromscratch.org/~dnicholson/pam-redhat-&linux-pam-redhat-version;.tar.bz2">
 ]>
 
 <sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
@@ -60 +63 @@
     <bridgehead renderas="sect3">Additional Downloads</bridgehead>
     <itemizedlist spacing='compact'>
       <listitem>
+        <para>Optional RedHat modules including pam_console:
+        <ulink url="&linux-pam-redhat-download;"/></para>
+      </listitem>
+      <listitem>
         <para>Optional documentation:
         <ulink url="&linux-pam-docs-download;"/></para>
       </listitem>
@@ -94 +101 @@
 
 <screen><userinput>tar -xf ../Linux-PAM-&linux-pam-version;-docs.tar.bz2 -C doc</userinput></screen>
 
+    <para>RedHat develops a few external <application>Linux-PAM</application>
+    modules. This includes the pam_console module which can be used by
+    some programs such as <xref linkend="hal"/> and <xref
+    linkend="gnome-volume-manager"/>. The purpose of pam_console is indicate
+    which user is active at the console and take appropriate actions. It does
+    this by noting active users in the <filename
+    class='directory'>/var/run/console</filename> directory. If you
+    downloaded these additional modules and would like to build pam_console,
+    unpack the tarball from the root of the source tree and prepare the build
+    files:</para>
+
+<screen><userinput>tar -xf ../pam-redhat-&linux-pam-redhat-version;.tar.bz2 &amp;&amp;
+sed -i 's,modules/Makefile,&amp; modules/pam_console/Makefile,' \
+    configure.in &amp;&amp;
+sed -i 's/SUBDIRS =/&amp; pam_console/' modules/Makefile.am &amp;&amp;
+sed -i '/^permsd_DATA/d' modules/pam_console/Makefile.am &amp;&amp;
+autoreconf -v</userinput></screen>
+
     <para>Install <application>Linux-PAM</application> by
     running the following commands:</para>
 
@@ -142 +167 @@
   <sect2 role="commands">
     <title>Command Explanations</title>
 
+    <para><command>sed -i '/^permsd_DATA/d' modules/pam_console/Makefile.am</command>:
+    The default configuration for pam_console is to change device permissions
+    for users when it is determined who is the console user. However, the
+    BLFS system expects that users will be members of the groups that the
+    relevant devices are part of. This makes the device permission
+    changing unnecessary, so the installation of a configuration file is
+    suppressed.</para>
+
     <para><parameter>--libdir=/usr/lib</parameter>: This parameter results in
     the libraries being installed in
     <filename class='directory'>/usr/lib</filename>.</para>
@@ -244 +277 @@
       url="http://www.kernel.org/pub/linux/libs/pam/modules.html"/>
       for a list of various modules available.</para>
 
+      <para>If you installed the pam_console module from RedHat, we would
+      like to suppress the default actions taken to set device permissions
+      since they are unnecessary for the BLFS system. Since we would only
+      like to use the console locking actions in <filename
+      class='directory'>/var/run/console</filename>, replace one of the
+      configuration files with the following:</para>
+
+<screen><userinput>cat &gt; /etc/security/console.handlers &lt;&lt; "EOF"
+<literal># Begin /etc/security/console.handlers
+console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]</literal>
+EOF</userinput></screen>
+
       <important>
         <para>You should now reinstall the <xref linkend="shadow"/>
         package.</para>