Context Navigation

← Previous Changeset
Next Changeset →

Changeset 74f20a1

Timestamp:

06/01/2015 07:35:45 PM (9 years ago)

Author:

Bruce Dubbs <bdubbs@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 7.10, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

Parents:

Message:

Move 'other' pam configuration from shadow to pam

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@16059 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:

postlfs/security

Files:

: 2 edited

linux-pam.xml (modified) (2 diffs)
shadow.xml (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

postlfs/security/linux-pam.xml

-              r78b5501
+              r74f20a1
     </para>
 <screen role="root"><userinput>rm -rfv /etc/pam.d</userinput></screen>
+<screen role="root"><userinput>rm -fv /etc/pam.d/*</userinput></screen>
     <para>
 …
 # End /etc/pam.d/system-password</literal>
+EOF</userinput></screen>
+      <para>Now add a restrictive <filename>/etc/pam.d/other</filename>
+      configuration file.  With this file, programs that are PAM aware will not
+      run unless a configuration file specifically for that application is
+      created.</para>
+<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
+<literal># Begin /etc/pam.d/other
+auth        required        pam_warn.so
+auth        required        pam_deny.so
+account     required        pam_warn.so
+account     required        pam_deny.so
+password    required        pam_warn.so
+password    required        pam_deny.so
+session     required        pam_warn.so
+session     required        pam_deny.so
+# End /etc/pam.d/other</literal>
 EOF</userinput></screen>

postlfs/security/shadow.xml

-              r78b5501
+              r74f20a1
       </sect4>
-      <sect4>
-        <title>Other</title>
-        <para>
-          Currently, <filename>/etc/pam.d/other</filename> is configured to
-          allow anyone with an account on the machine to use PAM-aware programs
-          without a configuration file for that program. After testing
-          <application>Linux-PAM</application> for proper configuration, install
-          a more restrictive <filename>other</filename> file so that
-          program-specific configuration files are required:
-        </para>
-<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
-<literal># Begin /etc/pam.d/other
-auth        required        pam_warn.so
-auth        required        pam_deny.so
-account     required        pam_warn.so
-account     required        pam_deny.so
-password    required        pam_warn.so
-password    required        pam_deny.so
-session     required        pam_warn.so
-session     required        pam_deny.so
-# End /etc/pam.d/other</literal>
-EOF</userinput></screen>
-      </sect4>
       <sect4 id="pam-access">
         <title>Configuring Login Access</title>
 …
 <screen role="root"><userinput>[ -f /etc/limits ] &amp;&amp; mv -v /etc/limits{,.NOUSE}</userinput></screen>
+        <caution><para>Be sure to test the login capabilities of the system
+        before logging out.  Errors in the configuration can casue a permanent
+        lockout requiring a boot from an external source to correct the
+        problem.</para></caution>
       </sect4>
     </sect3>
   </sect2>

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: