[PATCH] libpam: deny all services for the OTHER entries

Openembedded Core Discussions
 help / color / mirror / Atom feed

From: Ming Liu <ming.liu@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [PATCH] libpam: deny all services for the OTHER entries
Date: Fri, 26 Jul 2013 17:51:02 +0800	[thread overview]
Message-ID: <1374832262-18765-1-git-send-email-ming.liu@windriver.com> (raw)

To be secure, change behavior of the OTHER entries to warn and deny
access to everything by stating pam_deny.so on all services.

Signed-off-by: Ming Liu <ming.liu@windriver.com>
---
 meta/recipes-extended/pam/libpam/pam.d/other |   15 ++++++---------
 1 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/meta/recipes-extended/pam/libpam/pam.d/other b/meta/recipes-extended/pam/libpam/pam.d/other
index 6e40cd0..ec970ec 100644
--- a/meta/recipes-extended/pam/libpam/pam.d/other
+++ b/meta/recipes-extended/pam/libpam/pam.d/other
@@ -6,22 +6,19 @@
 #pam_open_session, the session module out of /etc/pam.d/other is
 #used.  
 
-#If you really want nothing to happen then use pam_permit.so or
-#pam_deny.so as appropriate.
-
 # We use pam_warn.so to generate syslog notes that the 'other'
 #fallback rules are being used (as a hint to suggest you should setup
-#specific PAM rules for the service and aid to debugging). We then 
-#fall back to the system default in /etc/pam.d/common-*
+#specific PAM rules for the service and aid to debugging). Then to be
+#secure, deny access to all services by default. 
 
 auth       required     pam_warn.so
-auth       include      common-auth
+auth       required     pam_deny.so
 
 account    required     pam_warn.so
-account    include      common-account
+account    required     pam_deny.so
 
 password   required     pam_warn.so
-password   include      common-password
+password   required     pam_deny.so
 
 session    required     pam_warn.so
-session    include      common-session
+session    required     pam_deny.so
-- 
1.7.1

                 reply	other threads:[~2013-07-26  9:51 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:6e40cd0 dfblob:ec970ec )
 OR (
bs:"[PATCH] libpam: deny all services for the OTHER entries" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1374832262-18765-1-git-send-email-ming.liu@windriver.com \
    --to=ming.liu@windriver.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox