From: Karel Zak <kzak@redhat.com>
To: util-linux@vger.kernel.org
Cc: Ludwig Nussel <ludwig.nussel@suse.de>, Thorsten Kukuk <kukuk@suse.de>
Subject: login: PAM-only, login.defs, -H
Date: Mon, 17 Oct 2011 13:02:11 +0200
Message-ID: <20111017110210.GA22648@nb.net.home>

I made some changes to login(1) in the last few weeks. The goal is to have one
PAM-only login(1) for all mainstream distributions.

The code is based on the original util-linux login(1) and pam_login-4.0
package from Suse.

Git tree: https://karelzak@github.com/karelzak/util-linux.git branch 'login'.
URL:      https://github.com/karelzak/util-linux/tree/login

Changes:

 - remove kerberos specific code
 - remove non-PAM code
 - remove checktty stuff
 - remove ugly macros (e.g. PAM_END)
 - add syslog LOG_ERR on failed tty ch{mod,own} (based on Suse version)
 - move all important/global variables to 'struct login_context'
 - indent to Linux coding style
 - use xalloc.h functions
 - lastlog, utmp, btmp, audit and syslog code refactoring
 - don't log unknown usernames to system log files (may be a security issue if
   a user enters her password instead of her login name) -- controlled by
   LOG_UNKFAIL_ENAB login.defs variable
 - support /etc/login.defs, supported variables:

     name               default
     ------------------------------
     DEFAULT_HOME       yes (means chdir("/") if pwd->pw_dir does not exist)
     ENV_PATH           "/usr/local/bin:/bin:/usr/bin"
     ENV_{ROOT,SU}PATH  "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
     FAIL_DELAY         5s
     HUSHLOGIN_FILE     /etc/hushlogins and ~/.hushlog
     LOGIN_TIMEOUT      60s
     LOG_UNKFAIL_ENAB   yes
     MOTD_FILE          /etc/motd
     TTYGROUP           'tty' (otherwise pwd->pw_gid is used)
     TTYPERM            0620 (or 0600 for --disable-use-tty-group)

   Note that Suse version does not use any defaults for *_FILE and TTYGROUP.
 - print hostname in the login prompt, for example:

     "foo login: "

   Note that Suse version uses hostname with domain (e.g. foo.example.com), our
   goal is to be compatible with the default agetty behavior.
 - add new -H option to suppress hostname in the login prompt (already in Suse
   version)
 - call setgroups(0, NULL) rather than initgroups() for root user
   (this avoids the need to step through the whole group file, which can cause
   problems if NIS, NIS+, LDAP or something similar is used and the machine
   has network problems)
 - improve hushed mode (mostly based on Suse version)
    * accepts HUSHLOGIN_FILE from /etc/login.defs
    * empty /etc/hushlogins file enables hushed mode for all accounts
      (this new feature is necessary if you want to use PAM for motd and last
      login messages)

Comments?
Karel
--
Karel Zak <kzak@redhat.com>
http://karelzak.blogspot.com
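
An added illustration of the LOG_UNKFAIL_ENAB item in the message above; it is not code from the util-linux tree or from the author. It shows how a failed-login log line can withhold a typed name that matches no account, so that a password entered at the "login: " prompt does not land in system logs. The function names, the "(unknown)" placeholder, the log line format and the sample login.defs text are assumptions made for this example; the default of "yes" follows the table in the message.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Read a yes/no variable from login.defs-style text ("NAME value" per line,
 * '#' starts a comment). Returns dflt when the variable is not set. */
static int defs_bool(const char *defs, const char *name, int dflt)
{
	size_t n = strlen(name);
	const char *p = defs;

	while (p && *p) {
		while (*p == ' ' || *p == '\t')
			p++;
		if (strncmp(p, name, n) == 0 && (p[n] == ' ' || p[n] == '\t')) {
			p += n;
			while (*p == ' ' || *p == '\t')
				p++;
			return strncasecmp(p, "yes", 3) == 0;
		}
		p = strchr(p, '\n');	/* skip to the next line */
		if (p)
			p++;
	}
	return dflt;
}

/* Build the log line for a failed attempt. 'known' is non-zero when the typed
 * name resolved to an account; unknown names are written only if the
 * administrator enabled LOG_UNKFAIL_ENAB. */
static int format_failure(char *buf, size_t len, const char *defs,
			  const char *typed, int known, const char *tty)
{
	int log_unk = defs_bool(defs, "LOG_UNKFAIL_ENAB", 1);
	const char *name = (known || log_unk) ? typed : "(unknown)";

	return snprintf(buf, len, "FAILED LOGIN on %s FOR %s", tty, name);
}

int main(void)
{
	/* Constructed sample: a password was typed at the "login: " prompt. */
	const char *defs = "# constructed login.defs\nLOG_UNKFAIL_ENAB no\n";
	char line[128];

	format_failure(line, sizeof(line), defs, "S3cret-typed-here", 0, "tty1");
	puts(line);
	return 0;
}
```
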
Thread overview: 54+ messages
2011-10-17 11:02 Karel Zak [this message]
2011-10-17 11:14 ` [PATCH 00/49] login refactoring Karel Zak
2011-10-17 11:14 ` [PATCH 01/49] login: remove kerberos specific code Karel Zak
2011-10-17 11:14 ` [PATCH 02/49] login: remove dead code and comments Karel Zak
2011-10-17 11:14 ` [PATCH 03/49] login: move _PATH_BTMP to pathnames.h Karel Zak
2011-10-17 11:14 ` [PATCH 04/49] login: remove non-PAM code Karel Zak
2011-10-17 11:14 ` [PATCH 05/49] build-sys: require PAM for login-utils Karel Zak
2011-10-17 11:14 ` [PATCH 06/49] login: remove PAM_FAIL_CHECK and PAM_END macros Karel Zak
2011-10-17 11:14 ` [PATCH 07/49] lib: cleanup setproctitle.c Karel Zak
2011-10-17 11:14 ` [PATCH 08/49] login: cleanup begin of the login.c file Karel Zak
2011-10-17 11:14 ` [PATCH 09/49] login: remove obsolete code, clean up macros names Karel Zak
2011-10-17 11:14 ` [PATCH 10/49] login: indent -linux Karel Zak
2011-10-17 11:14 ` [PATCH 11/49] login: add struct login_context, consolidate tty code Karel Zak
2011-10-17 11:14 ` [PATCH 12/49] login: add hostname to login_context struct Karel Zak
2011-10-17 11:14 ` [PATCH 13/49] login: add pid " Karel Zak
2011-10-17 11:14 ` [PATCH 14/49] login: add username " Karel Zak
2011-10-17 11:14 ` [PATCH 15/49] login: use login_context struct in audit stuff Karel Zak
2011-10-17 11:14 ` [PATCH 16/49] login: lastlog code refactoring Karel Zak
2011-10-17 11:14 ` [PATCH 17/49] login: utmp " Karel Zak
2011-10-17 11:14 ` [PATCH 18/49] login: use getpwnam_r() rather than manually copy passwd struct Karel Zak
2011-10-17 11:14 ` [PATCH 19/49] login: tty chown.chmod refactoring Karel Zak
2011-10-17 11:14 ` [PATCH 20/49] login: use setgroups(0, NULL) for root Karel Zak
2011-10-17 11:15 ` [PATCH 21/49] login: improve hushed mode (merge suse changes) Karel Zak
2011-10-17 11:15 ` [PATCH 22/49] login: remove unused code and tests Karel Zak
2011-10-17 11:15 ` [PATCH 23/49] login: PAM initialization refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 24/49] login: PAM auth refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 25/49] login: PAM account checks refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 26/49] login: PAM session initialization refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 27/49] login: remove pam_handle_t from main() Karel Zak
2011-10-17 11:15 ` [PATCH 28/49] login: fork & session initialization refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 29/49] login: env " Karel Zak
2011-10-17 11:15 ` [PATCH 30/49] login: use xalloc.h Karel Zak
2011-10-17 11:15 ` [PATCH 31/49] login: log good logins refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 32/49] login: move signal stuff to the one place Karel Zak
2011-10-17 11:15 ` [PATCH 33/49] login: remove unnecessary variables Karel Zak
2011-10-17 11:15 ` [PATCH 34/49] login: host{name,address} initialization refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 35/49] tests: cleanup islocal test Karel Zak
2011-10-17 11:15 ` [PATCH 36/49] login: add login.defs code and tests Karel Zak
2011-10-17 11:15 ` [PATCH 37/49] tests: remove obsolete checktty test Karel Zak
2011-10-17 11:15 ` [PATCH 38/49] login: remove obsolete info from man page Karel Zak
2011-10-17 11:15 ` [PATCH 39/49] login: rewrite motd(), use MOTD_FILE from login.defs Karel Zak
2011-10-17 11:15 ` [PATCH 40/49] login: use LOGIN_TIMEOUT " Karel Zak
2011-10-17 11:15 ` [PATCH 41/49] login: use FAIL_DELAY " Karel Zak
2011-10-17 11:15 ` [PATCH 42/49] login: use TTYPERM " Karel Zak
2011-10-17 11:15 ` [PATCH 43/49] login: use TTYGROUP " Karel Zak
2011-10-17 11:15 ` [PATCH 44/49] login: use HUSHLOGIN_FILE " Karel Zak
2011-10-17 11:15 ` [PATCH 45/49] login: use DEFAULT_HOME " Karel Zak
2011-10-17 11:15 ` [PATCH 46/49] login: use LOG_UNKFAIL_ENAB from login.defs, improve logging Karel Zak
2011-10-17 11:15 ` [PATCH 47/49] login: add -H option for compatibility with Suse Karel Zak
2011-10-17 11:15 ` [PATCH 48/49] login: use ENV_PATH and ENV_{ROOT,SU}PATH from login.defs Karel Zak
2011-10-17 11:15 ` [PATCH 49/49] login: cosmetic changes in docs Karel Zak
2011-11-17 10:31 ` login: PAM-only, login.defs, -H Thorsten Kukuk
2011-11-18 12:14 ` Karel Zak
2011-11-24 9:29 ` Ludwig Nussel