* [PATCH 0/1] libpam: add system-auth in case of systemd @ 2014-10-30 9:08 Chen Qi 2014-10-30 9:08 ` [PATCH 1/1] " Chen Qi 0 siblings, 1 reply; 7+ messages in thread From: Chen Qi @ 2014-10-30 9:08 UTC (permalink / raw) To: openembedded-core The following changes since commit 4143f3b0ce0d0c52f5b0babc1bb16ac0ac9610eb: nativesdk-cmake: Adjust toolchain paths dynamically (2014-10-24 21:59:34 +0100) are available in the git repository at: git://git.openembedded.org/openembedded-core-contrib ChenQi/libpam-systemd http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=ChenQi/libpam-systemd Chen Qi (1): libpam: add system-auth in case of systemd meta/recipes-extended/pam/libpam/pam.d/system-auth | 12 ++++++++++++ meta/recipes-extended/pam/libpam_1.1.6.bb | 1 + 2 files changed, 13 insertions(+) create mode 100644 meta/recipes-extended/pam/libpam/pam.d/system-auth -- 1.9.1 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/1] libpam: add system-auth in case of systemd 2014-10-30 9:08 [PATCH 0/1] libpam: add system-auth in case of systemd Chen Qi @ 2014-10-30 9:08 ` Chen Qi 2014-10-30 13:27 ` Koen Kooi 0 siblings, 1 reply; 7+ messages in thread From: Chen Qi @ 2014-10-30 9:08 UTC (permalink / raw) To: openembedded-core systemd needs this file to be there because one of its configuration file in pam.d, systemd-user, requires it. Otherwise, we would have errors like below. systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth Signed-off-by: Chen Qi <Qi.Chen@windriver.com> --- meta/recipes-extended/pam/libpam/pam.d/system-auth | 12 ++++++++++++ meta/recipes-extended/pam/libpam_1.1.6.bb | 1 + 2 files changed, 13 insertions(+) create mode 100644 meta/recipes-extended/pam/libpam/pam.d/system-auth diff --git a/meta/recipes-extended/pam/libpam/pam.d/system-auth b/meta/recipes-extended/pam/libpam/pam.d/system-auth new file mode 100644 index 0000000..ffb08ab --- /dev/null +++ b/meta/recipes-extended/pam/libpam/pam.d/system-auth @@ -0,0 +1,12 @@ +# This file comes from systemd. + +auth sufficient pam_unix.so nullok try_first_pass + +account required pam_nologin.so +account sufficient pam_unix.so + +password sufficient pam_unix.so nullok sha512 shadow try_first_pass try_authtok + +-session optional pam_loginuid.so +-session optional pam_systemd.so +session sufficient pam_unix.so diff --git a/meta/recipes-extended/pam/libpam_1.1.6.bb b/meta/recipes-extended/pam/libpam_1.1.6.bb index a84e51e..0910b6f 100644 --- a/meta/recipes-extended/pam/libpam_1.1.6.bb +++ b/meta/recipes-extended/pam/libpam_1.1.6.bb @@ -17,6 +17,7 @@ SRC_URI = "http://linux-pam.org/library/Linux-PAM-${PV}.tar.bz2 \ file://pam.d/common-session \ file://pam.d/common-session-noninteractive \ file://pam.d/other \ + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://pam.d/system-auth', '', d)} \ file://libpam-xtests.patch \ file://destdirfix.patch \ file://fixsepbuild.patch \ -- 1.9.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] libpam: add system-auth in case of systemd 2014-10-30 9:08 ` [PATCH 1/1] " Chen Qi @ 2014-10-30 13:27 ` Koen Kooi 2014-10-31 2:59 ` ChenQi 0 siblings, 1 reply; 7+ messages in thread From: Koen Kooi @ 2014-10-30 13:27 UTC (permalink / raw) To: Chen Qi; +Cc: openembedded-core > Op 30 okt. 2014, om 10:08 heeft Chen Qi <Qi.Chen@windriver.com> het volgende geschreven: > > systemd needs this file to be there because one of its configuration file > in pam.d, systemd-user, requires it. Otherwise, we would have errors like > below. > > systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth Isn't it the same as 'common-auth'? ISTR this is due to debian vs fedora naming of PAM stuff. I think it would make more sense to check what systemd actually wants and then see if a symlink to common-auth or patching systemd to use common-auth is the right answer instead of blindly adding system-auth. regards, Koen > > Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > --- > meta/recipes-extended/pam/libpam/pam.d/system-auth | 12 ++++++++++++ > meta/recipes-extended/pam/libpam_1.1.6.bb | 1 + > 2 files changed, 13 insertions(+) > create mode 100644 meta/recipes-extended/pam/libpam/pam.d/system-auth > > diff --git a/meta/recipes-extended/pam/libpam/pam.d/system-auth b/meta/recipes-extended/pam/libpam/pam.d/system-auth > new file mode 100644 > index 0000000..ffb08ab > --- /dev/null > +++ b/meta/recipes-extended/pam/libpam/pam.d/system-auth > @@ -0,0 +1,12 @@ > +# This file comes from systemd. > + > +auth sufficient pam_unix.so nullok try_first_pass > + > +account required pam_nologin.so > +account sufficient pam_unix.so > + > +password sufficient pam_unix.so nullok sha512 shadow try_first_pass try_authtok > + > +-session optional pam_loginuid.so > +-session optional pam_systemd.so > +session sufficient pam_unix.so > diff --git a/meta/recipes-extended/pam/libpam_1.1.6.bb b/meta/recipes-extended/pam/libpam_1.1.6.bb > index a84e51e..0910b6f 100644 > --- a/meta/recipes-extended/pam/libpam_1.1.6.bb > +++ b/meta/recipes-extended/pam/libpam_1.1.6.bb > @@ -17,6 +17,7 @@ SRC_URI = "http://linux-pam.org/library/Linux-PAM-${PV}.tar.bz2 \ > file://pam.d/common-session \ > file://pam.d/common-session-noninteractive \ > file://pam.d/other \ > + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://pam.d/system-auth', '', d)} \ > file://libpam-xtests.patch \ > file://destdirfix.patch \ > file://fixsepbuild.patch \ > -- > 1.9.1 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] libpam: add system-auth in case of systemd 2014-10-30 13:27 ` Koen Kooi @ 2014-10-31 2:59 ` ChenQi 2014-10-31 3:04 ` ChenQi 2014-10-31 7:22 ` Koen Kooi 0 siblings, 2 replies; 7+ messages in thread From: ChenQi @ 2014-10-31 2:59 UTC (permalink / raw) To: Koen Kooi; +Cc: openembedded-core On 10/30/2014 09:27 PM, Koen Kooi wrote: >> Op 30 okt. 2014, om 10:08 heeft Chen Qi <Qi.Chen@windriver.com> het volgende geschreven: >> >> systemd needs this file to be there because one of its configuration file >> in pam.d, systemd-user, requires it. Otherwise, we would have errors like >> below. >> >> systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth > Isn't it the same as 'common-auth'? ISTR this is due to debian vs fedora naming of PAM stuff. I think it would make more sense to check what systemd actually wants and then see if a symlink to common-auth or patching systemd to use common-auth is the right answer instead of blindly adding system-auth. > > regards, > > Koen > Hi Koen, An alternative is to patch systemd's source code to change the systemd-user configuration file. In fact, I have seen patches in OE whose purpose is merely changing 'system-auth' to 'common-auth' in the pam configuration files of the packages. So we have two options here: 1. Provide system-auth 2. Patch packages that make use of system-auth and maintain those patches. I think solution 1 is more reasonable but if you and other people in community think that solution 2 can bring us more benefits, I can send out a patch using solution 2. Best Regards, Chen Qi >> Signed-off-by: Chen Qi <Qi.Chen@windriver.com> >> --- >> meta/recipes-extended/pam/libpam/pam.d/system-auth | 12 ++++++++++++ >> meta/recipes-extended/pam/libpam_1.1.6.bb | 1 + >> 2 files changed, 13 insertions(+) >> create mode 100644 meta/recipes-extended/pam/libpam/pam.d/system-auth >> >> diff --git a/meta/recipes-extended/pam/libpam/pam.d/system-auth b/meta/recipes-extended/pam/libpam/pam.d/system-auth >> new file mode 100644 >> index 0000000..ffb08ab >> --- /dev/null >> +++ b/meta/recipes-extended/pam/libpam/pam.d/system-auth >> @@ -0,0 +1,12 @@ >> +# This file comes from systemd. >> + >> +auth sufficient pam_unix.so nullok try_first_pass >> + >> +account required pam_nologin.so >> +account sufficient pam_unix.so >> + >> +password sufficient pam_unix.so nullok sha512 shadow try_first_pass try_authtok >> + >> +-session optional pam_loginuid.so >> +-session optional pam_systemd.so >> +session sufficient pam_unix.so >> diff --git a/meta/recipes-extended/pam/libpam_1.1.6.bb b/meta/recipes-extended/pam/libpam_1.1.6.bb >> index a84e51e..0910b6f 100644 >> --- a/meta/recipes-extended/pam/libpam_1.1.6.bb >> +++ b/meta/recipes-extended/pam/libpam_1.1.6.bb >> @@ -17,6 +17,7 @@ SRC_URI = "http://linux-pam.org/library/Linux-PAM-${PV}.tar.bz2 \ >> file://pam.d/common-session \ >> file://pam.d/common-session-noninteractive \ >> file://pam.d/other \ >> + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://pam.d/system-auth', '', d)} \ >> file://libpam-xtests.patch \ >> file://destdirfix.patch \ >> file://fixsepbuild.patch \ >> -- >> 1.9.1 >> >> -- >> _______________________________________________ >> Openembedded-core mailing list >> Openembedded-core@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-core >> > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] libpam: add system-auth in case of systemd 2014-10-31 2:59 ` ChenQi @ 2014-10-31 3:04 ` ChenQi 2014-10-31 7:22 ` Koen Kooi 1 sibling, 0 replies; 7+ messages in thread From: ChenQi @ 2014-10-31 3:04 UTC (permalink / raw) To: Koen Kooi; +Cc: openembedded-core On 10/31/2014 10:59 AM, ChenQi wrote: > On 10/30/2014 09:27 PM, Koen Kooi wrote: >>> Op 30 okt. 2014, om 10:08 heeft Chen Qi <Qi.Chen@windriver.com> het >>> volgende geschreven: >>> >>> systemd needs this file to be there because one of its configuration >>> file >>> in pam.d, systemd-user, requires it. Otherwise, we would have errors >>> like >>> below. >>> >>> systemd: PAM _pam_load_conf_file: unable to open >>> /etc/pam.d/system-auth >> Isn't it the same as 'common-auth'? ISTR this is due to debian vs >> fedora naming of PAM stuff. I think it would make more sense to check >> what systemd actually wants and then see if a symlink to common-auth >> or patching systemd to use common-auth is the right answer instead of >> blindly adding system-auth. >> >> regards, >> >> Koen >> > > Hi Koen, > > An alternative is to patch systemd's source code to change the > systemd-user configuration file. > > In fact, I have seen patches in OE whose purpose is merely changing > 'system-auth' to 'common-auth' in the pam configuration files of the > packages. It might be 'common-passwd', 'common-session', not just 'common-auth'. You can see this from the contents of system-auth file. > > So we have two options here: > 1. Provide system-auth > 2. Patch packages that make use of system-auth and maintain those > patches. > > I think solution 1 is more reasonable but if you and other people in > community think that solution 2 can bring us more benefits, I can send > out a patch using solution 2. > > Best Regards, > Chen Qi > >>> Signed-off-by: Chen Qi <Qi.Chen@windriver.com> >>> --- >>> meta/recipes-extended/pam/libpam/pam.d/system-auth | 12 ++++++++++++ >>> meta/recipes-extended/pam/libpam_1.1.6.bb | 1 + >>> 2 files changed, 13 insertions(+) >>> create mode 100644 meta/recipes-extended/pam/libpam/pam.d/system-auth >>> >>> diff --git a/meta/recipes-extended/pam/libpam/pam.d/system-auth >>> b/meta/recipes-extended/pam/libpam/pam.d/system-auth >>> new file mode 100644 >>> index 0000000..ffb08ab >>> --- /dev/null >>> +++ b/meta/recipes-extended/pam/libpam/pam.d/system-auth >>> @@ -0,0 +1,12 @@ >>> +# This file comes from systemd. >>> + >>> +auth sufficient pam_unix.so nullok try_first_pass >>> + >>> +account required pam_nologin.so >>> +account sufficient pam_unix.so >>> + >>> +password sufficient pam_unix.so nullok sha512 shadow try_first_pass >>> try_authtok >>> + >>> +-session optional pam_loginuid.so >>> +-session optional pam_systemd.so >>> +session sufficient pam_unix.so >>> diff --git a/meta/recipes-extended/pam/libpam_1.1.6.bb >>> b/meta/recipes-extended/pam/libpam_1.1.6.bb >>> index a84e51e..0910b6f 100644 >>> --- a/meta/recipes-extended/pam/libpam_1.1.6.bb >>> +++ b/meta/recipes-extended/pam/libpam_1.1.6.bb >>> @@ -17,6 +17,7 @@ SRC_URI = >>> "http://linux-pam.org/library/Linux-PAM-${PV}.tar.bz2 \ >>> file://pam.d/common-session \ >>> file://pam.d/common-session-noninteractive \ >>> file://pam.d/other \ >>> + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', >>> 'file://pam.d/system-auth', '', d)} \ >>> file://libpam-xtests.patch \ >>> file://destdirfix.patch \ >>> file://fixsepbuild.patch \ >>> -- >>> 1.9.1 >>> >>> -- >>> _______________________________________________ >>> Openembedded-core mailing list >>> Openembedded-core@lists.openembedded.org >>> http://lists.openembedded.org/mailman/listinfo/openembedded-core >>> >> > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] libpam: add system-auth in case of systemd 2014-10-31 2:59 ` ChenQi 2014-10-31 3:04 ` ChenQi @ 2014-10-31 7:22 ` Koen Kooi 2014-11-05 4:47 ` ChenQi 1 sibling, 1 reply; 7+ messages in thread From: Koen Kooi @ 2014-10-31 7:22 UTC (permalink / raw) To: ChenQi; +Cc: openembedded-core > Op 31 okt. 2014, om 03:59 heeft ChenQi <Qi.Chen@windriver.com> het volgende geschreven: > > On 10/30/2014 09:27 PM, Koen Kooi wrote: >>> Op 30 okt. 2014, om 10:08 heeft Chen Qi <Qi.Chen@windriver.com> het volgende geschreven: >>> >>> systemd needs this file to be there because one of its configuration file >>> in pam.d, systemd-user, requires it. Otherwise, we would have errors like >>> below. >>> >>> systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth >> Isn't it the same as 'common-auth'? ISTR this is due to debian vs fedora naming of PAM stuff. I think it would make more sense to check what systemd actually wants and then see if a symlink to common-auth or patching systemd to use common-auth is the right answer instead of blindly adding system-auth. >> >> regards, >> >> Koen >> > > Hi Koen, > > An alternative is to patch systemd's source code to change the systemd-user configuration file. > > In fact, I have seen patches in OE whose purpose is merely changing 'system-auth' to 'common-auth' in the pam configuration files of the packages. > > So we have two options here: > 1. Provide system-auth > 2. Patch packages that make use of system-auth and maintain those patches. > > I think solution 1 is more reasonable but if you and other people in community think that solution 2 can bring us more benefits, I can send out a patch using solution 2. Solution 1) introduces a new PAM file that seems to do the same as one of the common-<foo> files we have. So from a reuse and maintainability standpoint 2) would be better. regards, Koen > > Best Regards, > Chen Qi > >>> Signed-off-by: Chen Qi <Qi.Chen@windriver.com> >>> --- >>> meta/recipes-extended/pam/libpam/pam.d/system-auth | 12 ++++++++++++ >>> meta/recipes-extended/pam/libpam_1.1.6.bb | 1 + >>> 2 files changed, 13 insertions(+) >>> create mode 100644 meta/recipes-extended/pam/libpam/pam.d/system-auth >>> >>> diff --git a/meta/recipes-extended/pam/libpam/pam.d/system-auth b/meta/recipes-extended/pam/libpam/pam.d/system-auth >>> new file mode 100644 >>> index 0000000..ffb08ab >>> --- /dev/null >>> +++ b/meta/recipes-extended/pam/libpam/pam.d/system-auth >>> @@ -0,0 +1,12 @@ >>> +# This file comes from systemd. >>> + >>> +auth sufficient pam_unix.so nullok try_first_pass >>> + >>> +account required pam_nologin.so >>> +account sufficient pam_unix.so >>> + >>> +password sufficient pam_unix.so nullok sha512 shadow try_first_pass try_authtok >>> + >>> +-session optional pam_loginuid.so >>> +-session optional pam_systemd.so >>> +session sufficient pam_unix.so >>> diff --git a/meta/recipes-extended/pam/libpam_1.1.6.bb b/meta/recipes-extended/pam/libpam_1.1.6.bb >>> index a84e51e..0910b6f 100644 >>> --- a/meta/recipes-extended/pam/libpam_1.1.6.bb >>> +++ b/meta/recipes-extended/pam/libpam_1.1.6.bb >>> @@ -17,6 +17,7 @@ SRC_URI = "http://linux-pam.org/library/Linux-PAM-${PV}.tar.bz2 \ >>> file://pam.d/common-session \ >>> file://pam.d/common-session-noninteractive \ >>> file://pam.d/other \ >>> + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://pam.d/system-auth', '', d)} \ >>> file://libpam-xtests.patch \ >>> file://destdirfix.patch \ >>> file://fixsepbuild.patch \ >>> -- >>> 1.9.1 >>> >>> -- >>> _______________________________________________ >>> Openembedded-core mailing list >>> Openembedded-core@lists.openembedded.org >>> http://lists.openembedded.org/mailman/listinfo/openembedded-core >>> >> > > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] libpam: add system-auth in case of systemd 2014-10-31 7:22 ` Koen Kooi @ 2014-11-05 4:47 ` ChenQi 0 siblings, 0 replies; 7+ messages in thread From: ChenQi @ 2014-11-05 4:47 UTC (permalink / raw) To: Koen Kooi; +Cc: openembedded-core On 10/31/2014 03:22 PM, Koen Kooi wrote: >> Op 31 okt. 2014, om 03:59 heeft ChenQi <Qi.Chen@windriver.com> het volgende geschreven: >> >> On 10/30/2014 09:27 PM, Koen Kooi wrote: >>>> Op 30 okt. 2014, om 10:08 heeft Chen Qi <Qi.Chen@windriver.com> het volgende geschreven: >>>> >>>> systemd needs this file to be there because one of its configuration file >>>> in pam.d, systemd-user, requires it. Otherwise, we would have errors like >>>> below. >>>> >>>> systemd: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth >>> Isn't it the same as 'common-auth'? ISTR this is due to debian vs fedora naming of PAM stuff. I think it would make more sense to check what systemd actually wants and then see if a symlink to common-auth or patching systemd to use common-auth is the right answer instead of blindly adding system-auth. >>> >>> regards, >>> >>> Koen >>> >> Hi Koen, >> >> An alternative is to patch systemd's source code to change the systemd-user configuration file. >> >> In fact, I have seen patches in OE whose purpose is merely changing 'system-auth' to 'common-auth' in the pam configuration files of the packages. >> >> So we have two options here: >> 1. Provide system-auth >> 2. Patch packages that make use of system-auth and maintain those patches. >> >> I think solution 1 is more reasonable but if you and other people in community think that solution 2 can bring us more benefits, I can send out a patch using solution 2. > Solution 1) introduces a new PAM file that seems to do the same as one of the common-<foo> files we have. So from a reuse and maintainability standpoint 2) would be better. > > regards, > > Koen > Hi Koen, I've sent out a new patch. [OE-core] [PATCH 0/1] systemd: avoid using system-auth Best Regards, Chen Qi > >> Best Regards, >> Chen Qi >> >>>> Signed-off-by: Chen Qi <Qi.Chen@windriver.com> >>>> --- >>>> meta/recipes-extended/pam/libpam/pam.d/system-auth | 12 ++++++++++++ >>>> meta/recipes-extended/pam/libpam_1.1.6.bb | 1 + >>>> 2 files changed, 13 insertions(+) >>>> create mode 100644 meta/recipes-extended/pam/libpam/pam.d/system-auth >>>> >>>> diff --git a/meta/recipes-extended/pam/libpam/pam.d/system-auth b/meta/recipes-extended/pam/libpam/pam.d/system-auth >>>> new file mode 100644 >>>> index 0000000..ffb08ab >>>> --- /dev/null >>>> +++ b/meta/recipes-extended/pam/libpam/pam.d/system-auth >>>> @@ -0,0 +1,12 @@ >>>> +# This file comes from systemd. >>>> + >>>> +auth sufficient pam_unix.so nullok try_first_pass >>>> + >>>> +account required pam_nologin.so >>>> +account sufficient pam_unix.so >>>> + >>>> +password sufficient pam_unix.so nullok sha512 shadow try_first_pass try_authtok >>>> + >>>> +-session optional pam_loginuid.so >>>> +-session optional pam_systemd.so >>>> +session sufficient pam_unix.so >>>> diff --git a/meta/recipes-extended/pam/libpam_1.1.6.bb b/meta/recipes-extended/pam/libpam_1.1.6.bb >>>> index a84e51e..0910b6f 100644 >>>> --- a/meta/recipes-extended/pam/libpam_1.1.6.bb >>>> +++ b/meta/recipes-extended/pam/libpam_1.1.6.bb >>>> @@ -17,6 +17,7 @@ SRC_URI = "http://linux-pam.org/library/Linux-PAM-${PV}.tar.bz2 \ >>>> file://pam.d/common-session \ >>>> file://pam.d/common-session-noninteractive \ >>>> file://pam.d/other \ >>>> + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://pam.d/system-auth', '', d)} \ >>>> file://libpam-xtests.patch \ >>>> file://destdirfix.patch \ >>>> file://fixsepbuild.patch \ >>>> -- >>>> 1.9.1 >>>> >>>> -- >>>> _______________________________________________ >>>> Openembedded-core mailing list >>>> Openembedded-core@lists.openembedded.org >>>> http://lists.openembedded.org/mailman/listinfo/openembedded-core >>>> >> > ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2014-11-05 4:45 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-10-30 9:08 [PATCH 0/1] libpam: add system-auth in case of systemd Chen Qi 2014-10-30 9:08 ` [PATCH 1/1] " Chen Qi 2014-10-30 13:27 ` Koen Kooi 2014-10-31 2:59 ` ChenQi 2014-10-31 3:04 ` ChenQi 2014-10-31 7:22 ` Koen Kooi 2014-11-05 4:47 ` ChenQi
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox