From: Ming Liu Date: Fri, 26 Jul 2013 09:51:02 +0000 (+0800) Subject: libpam: deny all services for the OTHER entries X-Git-Tag: 2015-4~5689 X-Git-Url: https://code.ossystems.io/gitweb?a=commitdiff_plain;h=4ca0af699b5b4b3cf95b3e76482651949fd922ac;p=openembedded-core.git libpam: deny all services for the OTHER entries To be secure, change behavior of the OTHER entries to warn and deny access to everything by stating pam_deny.so on all services. Signed-off-by: Ming Liu Signed-off-by: Saul Wold --- diff --git a/meta/recipes-extended/pam/libpam/pam.d/other b/meta/recipes-extended/pam/libpam/pam.d/other index 6e40cd0c02..ec970ecbe0 100644 --- a/meta/recipes-extended/pam/libpam/pam.d/other +++ b/meta/recipes-extended/pam/libpam/pam.d/other @@ -6,22 +6,19 @@ #pam_open_session, the session module out of /etc/pam.d/other is #used. -#If you really want nothing to happen then use pam_permit.so or -#pam_deny.so as appropriate. - # We use pam_warn.so to generate syslog notes that the 'other' #fallback rules are being used (as a hint to suggest you should setup -#specific PAM rules for the service and aid to debugging). We then -#fall back to the system default in /etc/pam.d/common-* +#specific PAM rules for the service and aid to debugging). Then to be +#secure, deny access to all services by default. auth required pam_warn.so -auth include common-auth +auth required pam_deny.so account required pam_warn.so -account include common-account +account required pam_deny.so password required pam_warn.so -password include common-password +password required pam_deny.so session required pam_warn.so -session include common-session +session required pam_deny.so