From 485c74c9689854a3d56e58f30114954d493ddfee Mon Sep 17 00:00:00 2001 From: Colin Guthrie <colin@mageia.org> Date: Tue, 30 Aug 2011 20:28:57 +0100 Subject: [PATCH 302/303] Fix gdm pam.d configs. This ensures that pam_console is included in the gdm-welcome pam.d to allow e.g. the PulseAudio spawned by gdm to access bluetooth h/w. While this isn't in itself necessarily majorly useful, it does solve a problem where by bluetoothd is enabled, but not yet started when gdm's PulseAudio is launched. This will cause bus activation to kick in and attempt to lauch bluetoothd, but due to the default bluez dbus policy gdm will not be allowed to talk to to the necessary interfaces resulting in an activation failure and a 30s timeout before gdm appears. References: * https://bugs.mageia.org/show_bug.cgi?id=5148 The other fix is to ensure that pam_gnome_keyring.so is included after system-auth (or rather after pam_systemd specifically) to ensure that the XDG_RUNTIME_DIR variable is set. References: * http://pkgs.fedoraproject.org/gitweb/?p=gdm.git;a=commit;h=12886d9c0f01e4f52eea9a3b63602c996bd7f084 * https://bugzilla.gnome.org/show_bug.cgi?id=655867 * http://mail.gnome.org/archives/distributor-list/2012-April/msg00000.html Also add in pam_namespace.so which is needed for xguest. References: * https://bugs.mageia.org/show_bug.cgi?id=4950 --- data/pam-redhat/gdm-autologin.pam | 5 +---- data/pam-redhat/gdm-fingerprint.pam | 21 +++++++++++++-------- data/pam-redhat/gdm-launch-environment.pam | 1 + data/pam-redhat/gdm-password.pam | 15 +++++++-------- data/pam-redhat/gdm-smartcard.pam | 22 ++++++++++++++-------- data/pam-redhat/gdm.pam | 3 +++ 6 files changed, 39 insertions(+), 28 deletions(-) diff --git a/data/pam-redhat/gdm-autologin.pam b/data/pam-redhat/gdm-autologin.pam index 08d4543..f884c1d 100644 --- a/data/pam-redhat/gdm-autologin.pam +++ b/data/pam-redhat/gdm-autologin.pam @@ -1,14 +1,11 @@ - #%PAM-1.0 +#%PAM-1.0 auth required pam_env.so auth required pam_permit.so account required pam_nologin.so account include system-auth password include system-auth -session required pam_selinux.so close session required pam_loginuid.so session optional pam_console.so --session optional pam_ck_connector.so -session required pam_selinux.so open session optional pam_keyinit.so force revoke session required pam_namespace.so session include system-auth diff --git a/data/pam-redhat/gdm-fingerprint.pam b/data/pam-redhat/gdm-fingerprint.pam index ee0635d..425cd49 100644 --- a/data/pam-redhat/gdm-fingerprint.pam +++ b/data/pam-redhat/gdm-fingerprint.pam @@ -1,15 +1,20 @@ -auth substack fingerprint-auth +# Sample PAM file for doing fingerprint authentication. +# Distros should replace this with what makes sense for them. +auth required pam_env.so +auth required pam_fprintd.so +auth sufficient pam_succeed_if.so uid >= 500 quiet +auth required pam_deny.so -account required pam_nologin.so -account include fingerprint-auth +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so -password include fingerprint-auth +password required pam_deny.so -session required pam_selinux.so close session required pam_loginuid.so session optional pam_console.so --session optional pam_ck_connector.so -session required pam_selinux.so open session optional pam_keyinit.so force revoke session required pam_namespace.so -session include fingerprint-auth +session required pam_limits.so +session required pam_unix.so diff --git a/data/pam-redhat/gdm-launch-environment.pam b/data/pam-redhat/gdm-launch-environment.pam index f1811f1..66ab89e 100644 --- a/data/pam-redhat/gdm-launch-environment.pam +++ b/data/pam-redhat/gdm-launch-environment.pam @@ -3,5 +3,6 @@ auth required pam_env.so auth required pam_permit.so account include system-auth password include system-auth +session optional pam_console.so session optional pam_keyinit.so force revoke session include system-auth diff --git a/data/pam-redhat/gdm-password.pam b/data/pam-redhat/gdm-password.pam index b95ca16..cbcc3d9 100644 --- a/data/pam-redhat/gdm-password.pam +++ b/data/pam-redhat/gdm-password.pam @@ -1,19 +1,18 @@ -auth [success=done ignore=ignore default=bad] pam_selinux_permit.so -auth substack password-auth +#%PAM-1.0 +auth required pam_env.so +auth sufficient pam_succeed_if.so user ingroup nopasswdlogin +auth substack system-auth auth optional pam_gnome_keyring.so account required pam_nologin.so -account include password-auth +account include system-auth -password substack password-auth +password substack system-auth -password optional pam_gnome_keyring.so use_authtok -session required pam_selinux.so close session required pam_loginuid.so session optional pam_console.so --session optional pam_ck_connector.so -session required pam_selinux.so open session optional pam_keyinit.so force revoke session required pam_namespace.so -session include password-auth +session include system-auth session optional pam_gnome_keyring.so auto_start diff --git a/data/pam-redhat/gdm-smartcard.pam b/data/pam-redhat/gdm-smartcard.pam index d49eef9..306113c 100644 --- a/data/pam-redhat/gdm-smartcard.pam +++ b/data/pam-redhat/gdm-smartcard.pam @@ -1,15 +1,21 @@ -auth substack smartcard-auth +# Sample PAM file for doing smartcard authentication. +# Distros should replace this with what makes sense for them. +auth required pam_env.so +auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only +auth requisite pam_succeed_if.so uid >= 500 quiet +auth required pam_deny.so -account required pam_nologin.so -account include smartcard-auth +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so -password include smartcard-auth +password optional pam_pkcs11.so +password requisite pam_cracklib.so try_first_pass retry=3 type= -session required pam_selinux.so close session required pam_loginuid.so session optional pam_console.so --session optional pam_ck_connector.so -session required pam_selinux.so open session optional pam_keyinit.so force revoke session required pam_namespace.so -session include smartcard-auth +session required pam_limits.so +session required pam_unix.so diff --git a/data/pam-redhat/gdm.pam b/data/pam-redhat/gdm.pam index 9d95a51..d7e3a2f 100644 --- a/data/pam-redhat/gdm.pam +++ b/data/pam-redhat/gdm.pam @@ -2,9 +2,12 @@ auth required pam_env.so auth sufficient pam_succeed_if.so user ingroup nopasswdlogin auth include system-auth +auth optional pam_gnome_keyring.so account include system-auth password include system-auth session optional pam_keyinit.so force revoke +session required pam_namespace.so session include system-auth session required pam_loginuid.so session optional pam_console.so +session optional pam_gnome_keyring.so auto_start -- 2.1.2