[Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built

[Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built

[Dmitry]

Signed-off-by: Dmitry <golubovsky@gmail.com>
---
 package/busybox/Config.in  |   11 +++++++++++
 package/busybox/busybox.mk |   12 ++++++++++++
 2 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index dedcf18..2a9cbf1 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -62,6 +62,17 @@ config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	  Install the watchdog daemon startup script,
 	  that just start at the boot the busybox watchdog daemon.
 
+config BR2_PACKAGE_BUSYBOX_PAM
+	bool "Enable PAM support in Busybox"
+	default n
+	depends on BR2_PACKAGE_LINUX_PAM
+	help
+	  If this item is selected, Busybox login will use the PAM stack
+	  for local logins. Local logins with null password are allowed
+	  for users with records in /etc/passwd ("default" and "root").
+	  The default PAM configuration file requires user accounts with
+	  nonzero length passwords.
+
 if BR2_PACKAGE_BUSYBOX_WATCHDOG
 
 config BR2_PACKAGE_BUSYBOX_WATCHDOG_PERIOD
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 17ee50a..c97ce77 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -161,6 +161,17 @@ define BUSYBOX_INSTALL_WATCHDOG_SCRIPT
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_PAM),y)
+BUSYBOX_DEPENDENCIES += linux-pam
+define BUSYBOX_ENABLE_PAM
+	$(call KCONFIG_ENABLE_OPT,CONFIG_PAM,$(BUSYBOX_BUILD_CONFIG))
+endef
+else
+define BUSYBOX_ENABLE_PAM
+	$(call KCONFIG_DISABLE_OPT,CONFIG_PAM,$(BUSYBOX_BUILD_CONFIG))
+endef
+endif
+
 # We do this here to avoid busting a modified .config in configure
 BUSYBOX_POST_EXTRACT_HOOKS += BUSYBOX_COPY_CONFIG
 
@@ -176,6 +187,7 @@ define BUSYBOX_CONFIGURE_CMDS
 	$(BUSYBOX_DISABLE_MMU_APPLETS)
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
+	$(BUSYBOX_ENABLE_PAM)
 	@yes "" | $(MAKE) ARCH=$(KERNEL_ARCH) CROSS_COMPILE="$(TARGET_CROSS)" \
 		-C $(@D) oldconfig
 endef
-- 
1.7.2.5

[Buildroot] [PATCH 2/2] Provide PAM configuration files in the fs skeleton

[Dmitry]

The default PAM configuration file requires valid user accounts with
non-blank passwords.

The PAM configuration file for busybox login allows local authentication
with blank passwords thus emulating the non-PAM login configuration.

Signed-off-by: Dmitry <golubovsky@gmail.com>
---
 fs/skeleton/etc/pam.d/default |    8 ++++++++
 fs/skeleton/etc/pam.d/login   |    9 +++++++++
 2 files changed, 17 insertions(+), 0 deletions(-)
 create mode 100644 fs/skeleton/etc/pam.d/default
 create mode 100644 fs/skeleton/etc/pam.d/login

diff --git a/fs/skeleton/etc/pam.d/default b/fs/skeleton/etc/pam.d/default
new file mode 100644
index 0000000..0bd5ba0
--- /dev/null
+++ b/fs/skeleton/etc/pam.d/default
@@ -0,0 +1,8 @@
+#
+# default; standard UN*X access
+#
+auth     required       pam_unix.so
+account  required       pam_unix.so
+password required       pam_unix.so
+session  required       pam_unix.so
+
diff --git a/fs/skeleton/etc/pam.d/login b/fs/skeleton/etc/pam.d/login
new file mode 100644
index 0000000..d65a9d4
--- /dev/null
+++ b/fs/skeleton/etc/pam.d/login
@@ -0,0 +1,9 @@
+#
+# login: allow local logins to users with entries in /etc/passwd and
+# /etc/shadow even with null password
+#
+auth      required       pam_unix.so nullok
+account   required       pam_unix.so nullok
+password  required       pam_unix.so nullok
+session   required       pam_unix.so nullok
+
-- 
1.7.2.5

[Buildroot] [PATCH 2/2] Provide PAM configuration files in the fs skeleton

[Thomas Petazzoni]

Le Mon, 13 Aug 2012 22:24:49 -0400,
Dmitry <golubovsky@gmail.com> a ?crit :

> The default PAM configuration file requires valid user accounts with
> non-blank passwords.
> 
> The PAM configuration file for busybox login allows local authentication
> with blank passwords thus emulating the non-PAM login configuration.
> 
> Signed-off-by: Dmitry <golubovsky@gmail.com>

Thanks!

I'm not sure we want these in the default fs skeleton. Shouldn't the
linux-pam package install these instead?

Best regards,

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com

[Buildroot] [PATCH 2/2] Provide PAM configuration files in the fs skeleton

[Dmitry Golubovsky]

Hi,

On Tue, Aug 14, 2012 at 9:41 AM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:

>> The PAM configuration file for busybox login allows local authentication
>> with blank passwords thus emulating the non-PAM login configuration.

>
> I'm not sure we want these in the default fs skeleton. Shouldn't the
> linux-pam package install these instead?
>

Well, I thought that such files (just like /etc/passwd) could be made static.

I can change this to make them installed by linux-pam itself.

Thanks.

-- 
Dmitry Golubovsky

Anywhere on the Web

[Buildroot] [PATCH 2/2] Provide PAM configuration files in the fs skeleton

[Dmitry Golubovsky]

Hi,

On Tue, Aug 14, 2012 at 9:41 AM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
>
> I'm not sure we want these in the default fs skeleton. Shouldn't the
> linux-pam package install these instead?
>

I have resent the patch: now these PAM config files are part of the
linux-pam package files. The reason why they are copied in a
post-patch hook: $(RAWNAME) does not seem to be available inside
post-install hooks.

Hope this is an acceptable way to distribute non-patch files along
with package itself, or is there a better way?

Thanks.

-- 
Dmitry Golubovsky

Anywhere on the Web