libpam-base-files: Start to add default config files for libpam

* This will start to get Linux-PAM into a usable state. Default config files derived from Debian with tweaks. Some are not needed and will be dropped later and some should really be packaged elsewhere.
* Also update libpam_1.0.2 to depend on this package and the meta package with auth systems as it is not a lot of use without them (it works but can't do anything).
* Add 1.1.0 and tweaks to 1.0.2.
*  Update all the pam.d base config files to support the suggested upstream layout not patches legacy layouts used but some Linux distros.
* Use the proper include layouts
* Still package some 'suggested' files for common services that do not pack there own pam.d files (TODO: move these to the package recipies not this one).

20 files changed, 361 insertions, 2 deletions

diff --git a/recipes/pam/libpam-1.1.0/pam-nodocs.patch b/recipes/pam/libpam-1.1.0/pam-nodocs.patch
new file mode 100644
index 0000000000..895f0e182a
--- /dev/null
+++ b/recipes/pam/libpam-1.1.0/pam-nodocs.patch
@@ -0,0 +1,35 @@
+--- /tmp/Makefile.am	2008-09-05 15:16:21.000000000 +0200
++++ Linux-PAM-1.0.2/Makefile.am	2008-09-05 15:16:56.153198000 +0200
+@@ -5,9 +5,9 @@
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
+ 
+ if STATIC_MODULES
+-SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests
++SUBDIRS = modules libpam libpamc libpam_misc tests po conf examples xtests
+ else
+-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
++SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
+ endif
+ 
+ CLEANFILES = *~
+@@ -28,19 +28,7 @@
+ 
+ ACLOCAL_AMFLAGS = -I m4
+ 
+-release: dist releasedocs
+-
+-release-docs: releasedocs
+-
+-releasedocs:
+-	rm -rf Linux-PAM-$(VERSION)
+-	mkdir -p Linux-PAM-$(VERSION)/doc
+-	make -C doc releasedocs
+-	tar zfc Linux-PAM-$(VERSION)-docs.tar.gz \
+-		Linux-PAM-$(VERSION)/doc
+-	tar jfc Linux-PAM-$(VERSION)-docs.tar.bz2 \
+-		Linux-PAM-$(VERSION)/doc
+-	rm -rf Linux-PAM-$(VERSION)
++release: dist 
+ 
+ xtests:
+ 	make -C xtests xtests
diff --git a/recipes/pam/libpam-base-files.bb b/recipes/pam/libpam-base-files.bb
new file mode 100644
index 0000000000..0fa11d8051
--- /dev/null
+++ b/recipes/pam/libpam-base-files.bb
@@ -0,0 +1,18 @@
+DESCRIPTION = "Linux-PAM authentication library for Linux. Base configuration files"
+
+SECTION = "libs"
+PRIORITY = "optional"
+LICENSE = "GPLv2"
+DEPENDS = ""
+RDEPENDS = "libpam"
+
+PR = "r1"
+
+SRC_URI = " \
+           file://pam.d/* \
+"
+
+do_install() {         
+          install -d ${D}${sysconfdir}/pam.d/     
+          install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
+}
diff --git a/recipes/pam/libpam-base-files/pam.d/atd b/recipes/pam/libpam-base-files/pam.d/atd
new file mode 100644
index 0000000000..17ffb134d3
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/atd
@@ -0,0 +1,10 @@
+#
+# The PAM configuration file for the at daemon
+#
+
+auth       required     pam_env.so
+auth       include      common-auth
+account    include      common-account
+password   include      common-password
+session    required     pam_limits.so
+session    include      common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/common-account b/recipes/pam/libpam-base-files/pam.d/common-account
new file mode 100644
index 0000000000..316b17337b
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-account
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.  The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so 
+# here's the fallback if no module succeeds
+account	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/recipes/pam/libpam-base-files/pam.d/common-auth b/recipes/pam/libpam-base-files/pam.d/common-auth
new file mode 100644
index 0000000000..460b69f198
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-auth
@@ -0,0 +1,18 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/recipes/pam/libpam-base-files/pam.d/common-password b/recipes/pam/libpam-base-files/pam.d/common-password
new file mode 100644
index 0000000000..bc98f199b9
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-password
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords.  Without this option,
+# the default is Unix crypt.  Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+password	[success=1 default=ignore]	pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+password	optional	pam_gnome_keyring.so 
diff --git a/recipes/pam/libpam-base-files/pam.d/common-session b/recipes/pam/libpam-base-files/pam.d/common-session
new file mode 100644
index 0000000000..2123967d15
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-session
@@ -0,0 +1,20 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session	[default=1]			pam_permit.so
+# here's the fallback if no module succeeds
+session	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session	required	pam_unix.so 
+session	optional			pam_ck_connector.so nox11
diff --git a/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive b/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive
new file mode 100644
index 0000000000..b110bb2b49
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session	[default=1]			pam_permit.so
+# here's the fallback if no module succeeds
+session	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session	required	pam_unix.so 
diff --git a/recipes/pam/libpam-base-files/pam.d/cron b/recipes/pam/libpam-base-files/pam.d/cron
new file mode 100644
index 0000000000..743c0ed31f
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cron
@@ -0,0 +1,11 @@
+#
+# The PAM configuration file for the cron daemon
+#
+
+auth       include      common-auth
+session    required     pam_env.so
+account    include      common-account
+session    include      common-session-noninteractive
+# Sets up user limits, please define limits for cron tasks
+# through /etc/security/limits.conf
+session    required   pam_limits.so
diff --git a/recipes/pam/libpam-base-files/pam.d/cups b/recipes/pam/libpam-base-files/pam.d/cups
new file mode 100644
index 0000000000..8e7f973a2c
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cups
@@ -0,0 +1,3 @@
+auth       include      common-auth
+account    include      common-account
+session    include      common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/cvs b/recipes/pam/libpam-base-files/pam.d/cvs
new file mode 100644
index 0000000000..9627c4f7bf
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cvs
@@ -0,0 +1,12 @@
+#
+# /etc/pam.d/cvs - specify the PAM behaviour of CVS
+#
+
+# We fall back to the system default in /etc/pam.d/common-*
+
+auth       include      common-auth
+account    include      common-account
+
+# We don't use password or session modules at all
+# password   include      common-password
+# session    include      common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/libcupsys2 b/recipes/pam/libpam-base-files/pam.d/libcupsys2
new file mode 100644
index 0000000000..8e7f973a2c
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/libcupsys2
@@ -0,0 +1,3 @@
+auth       include      common-auth
+account    include      common-account
+session    include      common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/other b/recipes/pam/libpam-base-files/pam.d/other
new file mode 100644
index 0000000000..6e40cd0c02
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/other
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron  specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.  
+
+#If you really want nothing to happen then use pam_permit.so or
+#pam_deny.so as appropriate.
+
+# We use pam_warn.so to generate syslog notes that the 'other'
+#fallback rules are being used (as a hint to suggest you should setup
+#specific PAM rules for the service and aid to debugging). We then 
+#fall back to the system default in /etc/pam.d/common-*
+
+auth       required     pam_warn.so
+auth       include      common-auth
+
+account    required     pam_warn.so
+account    include      common-account
+
+password   required     pam_warn.so
+password   include      common-password
+
+session    required     pam_warn.so
+session    include      common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/polkit b/recipes/pam/libpam-base-files/pam.d/polkit
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/polkit
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth       include      common-auth
+account    include      common-account
+password   include      common-password
+session    include      common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/polkit-1 b/recipes/pam/libpam-base-files/pam.d/polkit-1
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/polkit-1
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth       include      common-auth
+account    include      common-account
+password   include      common-password
+session    include      common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/ppp b/recipes/pam/libpam-base-files/pam.d/ppp
new file mode 100644
index 0000000000..aed08fd1b2
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/ppp
@@ -0,0 +1,8 @@
+#%PAM-1.0
+# Information for the PPPD process with the 'login' option.
+
+auth       required     pam_nologin.so
+auth       include      common-auth
+account    include      common-account
+session    include      common-session
+
diff --git a/recipes/pam/libpam-base-files/pam.d/sesman b/recipes/pam/libpam-base-files/pam.d/sesman
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/sesman
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth       include      common-auth
+account    include      common-account
+password   include      common-password
+session    include      common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/sshd b/recipes/pam/libpam-base-files/pam.d/sshd
new file mode 100644
index 0000000000..c0028ff3cb
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/sshd
@@ -0,0 +1,33 @@
+# PAM configuration for the Secure Shell service
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth       required     pam_env.so # [1]
+
+# Standard Un*x authentication.
+auth       include      common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+account    include      common-accountt
+
+# Standard Un*x session setup and teardown.
+session    include      common-session
+
+# Print the message of the day upon successful login.
+session    optional     pam_motd.so # [1]
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Standard Un*x password updating.
+password   include      common-password
diff --git a/recipes/pam/libpam_1.0.2.bb b/recipes/pam/libpam_1.0.2.bb
index b288458e98..1ab7fa95f9 100644
--- a/recipes/pam/libpam_1.0.2.bb
+++ b/recipes/pam/libpam_1.0.2.bb
@@ -12,7 +12,10 @@ LICENSE = "GPLv2"
 
 DEPENDS = "flex flex-native"
 
-PR = "r4"
+# PAM is not a lot of use without configuration files and the plugins
+RRECOMMENDS_${PN} = "libpam-meta libpam-base-files"
+
+PR = "r5"
 
 # The project is actually called Linux-PAM but that gives
 # a bad OE package name because of the upper case characters
@@ -66,7 +69,6 @@ python populate_packages_prepend () {
 	bb.data.setVar('PACKAGES', ' '.join(packages), d)
 }
 
-
 do_stage() {
 	autotools_stage_all
 }
diff --git a/recipes/pam/libpam_1.1.0.bb b/recipes/pam/libpam_1.1.0.bb
new file mode 100644
index 0000000000..32dc9e15cb
--- /dev/null
+++ b/recipes/pam/libpam_1.1.0.bb
@@ -0,0 +1,70 @@
+DESCRIPTION = "\
+PAM authentication library for Linux.  \
+Linux-PAM (Pluggable Authentication Modules for Linux) is a \
+library that enables the local system administrator to choose \
+how individual applications authenticate users. For an \
+overview of the Linux-PAM library see the Linux-PAM System \
+Administrators' Guide."
+HOMEPAGE = "http://kernel.org/pub/linux/libs/pam"
+SECTION = "libs"
+PRIORITY = "optional"
+LICENSE = "GPLv2"
+
+DEFAULT_PREFERENCE_libc-uclibc = "-1"
+
+DEPENDS = "flex flex-native"
+
+# PAM is not a lot of use without configuration files and the plugins
+RRECOMMENDS_${PN} = "libpam-meta libpam-base-files"
+
+PR = "r0"
+
+# The project is actually called Linux-PAM but that gives
+# a bad OE package name because of the upper case characters
+pn = "Linux-PAM"
+p = "${pn}-${PV}"
+S = "${WORKDIR}/${p}"
+
+SRC_URI = "${KERNELORG_MIRROR}/pub/linux/libs/pam/library/${p}.tar.bz2 \
+           file://pam-nodocs.patch;patch=1 "
+
+inherit autotools
+
+LEAD_SONAME = "libpam.so.*"
+
+# maintain the pam default layout
+EXTRA_OECONF += " --includedir=${includedir}/security"
+
+PACKAGES_DYNAMIC += " libpam-meta pam-plugin-*"
+
+python populate_packages_prepend () {
+	import os.path
+
+	pam_libdir = bb.data.expand('${libdir}/security', d)
+	pam_libdirdebug = bb.data.expand('${libdir}/security/.debug', d)
+	pam_filterdir = bb.data.expand('${libdir}/security/pam_filter', d)
+	do_split_packages(d, pam_libdir, '^pam(.*)\.so$', 'pam-plugin%s', 'PAM plugin for %s', extra_depends='')
+	do_split_packages(d, pam_libdir, '^pam(.*)\.la$', 'pam-plugin%s-dev', 'PAM plugin for %s dev', extra_depends='')
+	if os.path.exists(pam_libdirdebug):
+		do_split_packages(d, pam_libdirdebug, '^pam(.*)\.so$', 'pam-plugin%s-dbg', 'PAM plugin for %s debugging symbols', extra_depends='')
+	do_split_packages(d, pam_filterdir, '^(.*)$', 'pam-filter-%s', 'PAM filter for %s', extra_depends='')
+
+	pn = bb.data.getVar('PN', d, 1)
+	metapkg =  pn + '-meta'
+	bb.data.setVar('ALLOW_EMPTY_' + metapkg, "1", d)
+	bb.data.setVar('FILES_' + metapkg, "", d)
+	blacklist = [ pn + '-locale', pn + '-dev', pn + '-dbg', pn + '-doc' ]
+	metapkg_rdepends = []
+	packages = bb.data.getVar('PACKAGES', d, 1).split()
+	for pkg in packages[1:]:
+		if not pkg in blacklist and not pkg in metapkg_rdepends and not pkg.endswith('-dev') and not pkg.count('locale') and pkg.count('plugin'):
+			metapkg_rdepends.append(pkg)
+	bb.data.setVar('RDEPENDS_' + metapkg, ' '.join(metapkg_rdepends), d)
+	bb.data.setVar('DESCRIPTION_' + metapkg, pn + ' meta package', d)
+	packages.append(metapkg)
+	bb.data.setVar('PACKAGES', ' '.join(packages), d)
+}
+
+do_stage() {
+	autotools_stage_all
+}