From: Karel Zak <kzak@redhat.com>
To: util-linux@vger.kernel.org
Cc: Ludwig Nussel <ludwig.nussel@suse.de>, Thorsten Kukuk <kukuk@suse.de>
Subject: login: PAM-only, login.defs, -H
Date: Mon, 17 Oct 2011 13:02:11 +0200 [thread overview]
Message-ID: <20111017110210.GA22648@nb.net.home> (raw)
I did some changes to login(1) in last weeks. The goal is to have one PAM-only
login(1) for all mainstream distributions.
The code is based on the original util-linux login(1) and pam_login-4.0
package from Suse.
Git tree: https://karelzak@github.com/karelzak/util-linux.git branch 'login'.
URL: https://github.com/karelzak/util-linux/tree/login
Changes:
- remove kerberos specific code
- remove non-PAM code
- remove checktty stuff
- remove ugly macros (e.g. PAM_END)
- add syslog LOG_ERR on failed tty ch{mod,own} (based on Suse version)
- move all important/global variables to 'struct login_context'
- indent to Linux coding style
- use xalloc.h functions
- lastlog, utmp, btmp, audit and syslog code refactoring
- don't log unknown usernames to system log files (may be a security issue if
an user enter her password instead of her login name) -- controlled by
LOG_UNKFAIL_ENAB login.defs variable
- support /etc/login.defs, supported variables:
name default
------------------------------
DEFAULT_HOME yes (means chdir("/") if pwd->pw_dir does not exist)
ENV_PATH "/usr/local/bin:/bin:/usr/bin"
ENV_{ROOT,SU}PATH "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
FAIL_DELAY 5s
HUSHLOGIN_FILE /etc/hushlogins and ~/.hushlog
LOGIN_TIMEOUT 60s
LOG_UNKFAIL_ENAB yes
MOTD_FILE /etc/motd
TTYGROUP 'tty' (otherwise pwd->pw_gid is used)
TTYPERM 0620 (or 0600 for --disable-use-tty-group)
Note that Suse version does not use any defaults for *_FILE and TTYGROUP.
- print hostname in the login prompt, for example:
"foo login: "
Note that Suse version uses hostname with domain (e.g. foo.example.com), our
goal is to be compatible with the default agetty behavior.
- add new -H option to suppress hostname in the login prompt (already in Suse
version)
- call setgroups(0, NULL) rather than initgroups() for root user
(this avoids the need to step through the whole group file, which can cause
problems if NIS, NIS+, LDAP or something similar is used and the machine
has network problems)
- improve hushed mode (moslty based on Suse version)
* accepts HUSHLOGIN_FILE from /etc/login.defs
* empty /etc/hushlogins file enables hushed mode for all accounts
(this new feature is necessary if you want to use PAM for motd and last
login messages)
Comments?
Karel
--
Karel Zak <kzak@redhat.com>
http://karelzak.blogspot.com
next reply other threads:[~2011-10-17 11:02 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-17 11:02 Karel Zak [this message]
2011-10-17 11:14 ` [PATCH 00/49] login refactoring Karel Zak
2011-10-17 11:14 ` [PATCH 01/49] login: remove kerberos specific code Karel Zak
2011-10-17 11:14 ` [PATCH 02/49] login: remove dead code and comments Karel Zak
2011-10-17 11:14 ` [PATCH 03/49] login: move _PATH_BTMP to pathnames.h Karel Zak
2011-10-17 11:14 ` [PATCH 04/49] login: remove non-PAM code Karel Zak
2011-10-17 11:14 ` [PATCH 05/49] build-sys: require PAM for login-utils Karel Zak
2011-10-17 11:14 ` [PATCH 06/49] login: remove PAM_FAIL_CHECK and PAM_END macros Karel Zak
2011-10-17 11:14 ` [PATCH 07/49] lib: cleanup setproctitle.c Karel Zak
2011-10-17 11:14 ` [PATCH 08/49] login: cleanup begin of the login.c file Karel Zak
2011-10-17 11:14 ` [PATCH 09/49] login: remove obsolete code, clean up macros names Karel Zak
2011-10-17 11:14 ` [PATCH 10/49] login: indent -linux Karel Zak
2011-10-17 11:14 ` [PATCH 11/49] login: add struct login_context, consolidate tty code Karel Zak
2011-10-17 11:14 ` [PATCH 12/49] login: add hostname to login_context struct Karel Zak
2011-10-17 11:14 ` [PATCH 13/49] login: add pid " Karel Zak
2011-10-17 11:14 ` [PATCH 14/49] login: add username " Karel Zak
2011-10-17 11:14 ` [PATCH 15/49] login: use login_context struct in audit stuff Karel Zak
2011-10-17 11:14 ` [PATCH 16/49] login: lastlog code refactoring Karel Zak
2011-10-17 11:14 ` [PATCH 17/49] login: utmp " Karel Zak
2011-10-17 11:14 ` [PATCH 18/49] login: use getpwnam_r() rather than manually copy passwd struct Karel Zak
2011-10-17 11:14 ` [PATCH 19/49] login: tty chown.chmod refactoring Karel Zak
2011-10-17 11:14 ` [PATCH 20/49] login: use setgroups(0, NULL) for root Karel Zak
2011-10-17 11:15 ` [PATCH 21/49] login: improve hushed mode (merge suse changes) Karel Zak
2011-10-17 11:15 ` [PATCH 22/49] login: remove unused code and tests Karel Zak
2011-10-17 11:15 ` [PATCH 23/49] login: PAM initialization refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 24/49] login: PAM auth refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 25/49] login: PAM account checks refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 26/49] login: PAM session initialization refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 27/49] login: remove pam_handle_t from main() Karel Zak
2011-10-17 11:15 ` [PATCH 28/49] login: fork & session initialization refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 29/49] login: env " Karel Zak
2011-10-17 11:15 ` [PATCH 30/49] login: use xalloc.h Karel Zak
2011-10-17 11:15 ` [PATCH 31/49] login: log good logins refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 32/49] login: move signal stuff to the one place Karel Zak
2011-10-17 11:15 ` [PATCH 33/49] login: remove unnecessary variables Karel Zak
2011-10-17 11:15 ` [PATCH 34/49] login: host{name,address} initialization refactoring Karel Zak
2011-10-17 11:15 ` [PATCH 35/49] tests: cleanup islocal test Karel Zak
2011-10-17 11:15 ` [PATCH 36/49] login: add login.defs code and tests Karel Zak
2011-10-17 11:15 ` [PATCH 37/49] tests: remove obsolete checktty test Karel Zak
2011-10-17 11:15 ` [PATCH 38/49] login: remove obsolete info from man page Karel Zak
2011-10-17 11:15 ` [PATCH 39/49] login: rewrite motd(), use MOTD_FILE from login.defs Karel Zak
2011-10-17 11:15 ` [PATCH 40/49] login: use LOGIN_TIMEOUT " Karel Zak
2011-10-17 11:15 ` [PATCH 41/49] login: use FAIL_DELAY " Karel Zak
2011-10-17 11:15 ` [PATCH 42/49] login: use TTYPERM " Karel Zak
2011-10-17 11:15 ` [PATCH 43/49] login: use TTYGROUP " Karel Zak
2011-10-17 11:15 ` [PATCH 44/49] login: use HUSHLOGIN_FILE " Karel Zak
2011-10-17 11:15 ` [PATCH 45/49] login: use DEFAULT_HOME " Karel Zak
2011-10-17 11:15 ` [PATCH 46/49] login: use LOG_UNKFAIL_ENAB from login.defs, improve logging Karel Zak
2011-10-17 11:15 ` [PATCH 47/49] login: add -H option for compatibility with Suse Karel Zak
2011-10-17 11:15 ` [PATCH 48/49] login: use ENV_PATH and ENV_{ROOT,SU}PATH from login.defs Karel Zak
2011-10-17 11:15 ` [PATCH 49/49] login: cosmetic changes in docs Karel Zak
2011-11-17 10:31 ` login: PAM-only, login.defs, -H Thorsten Kukuk
2011-11-18 12:14 ` Karel Zak
2011-11-24 9:29 ` Ludwig Nussel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111017110210.GA22648@nb.net.home \
--to=kzak@redhat.com \
--cc=kukuk@suse.de \
--cc=ludwig.nussel@suse.de \
--cc=util-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).