Diffstat (limited to 'base/pam/pam-policy')
-rw-r--r-- | base/pam/pam-policy/90-nproc.conf | 6 | ||||
-rw-r--r-- | base/pam/pam-policy/Makefile | 18 | ||||
-rw-r--r-- | base/pam/pam-policy/other | 5 | ||||
-rw-r--r-- | base/pam/pam-policy/system-auth | 17 | ||||
-rw-r--r-- | base/pam/pam-policy/system-local-login | 6 | ||||
-rw-r--r-- | base/pam/pam-policy/system-login | 19 | ||||
-rw-r--r-- | base/pam/pam-policy/system-remote-login | 6 | ||||
-rw-r--r-- | base/pam/pam-policy/system-services | 11 |
8 files changed, 88 insertions, 0 deletions
diff --git a/base/pam/pam-policy/90-nproc.conf b/base/pam/pam-policy/90-nproc.conf
new file mode 100644
index 0000000..104dffd
--- /dev/null
+++ b/base/pam/pam-policy/90-nproc.conf
@@ -0,0 +1,6 @@
+# Default limit for number of user's processes to prevent
+# accidental fork bombs.
+# See rhbz #432903 for reasoning.
+
+* soft nproc 1024
+root soft nproc unlimited
diff --git a/base/pam/pam-policy/Makefile b/base/pam/pam-policy/Makefile
new file mode 100644
index 0000000..860ae17
--- /dev/null
+++ b/base/pam/pam-policy/Makefile
@@ -0,0 +1,18 @@
+PAMCFG=other system-auth system-local-login system-login system-remote-login system-services
+LIMITSCFG=90-nproc.conf
+
+INSTALL=/usr/bin/install
+INSTALLDIR=$(INSTALL) -m 0755 -d
+INSTALLCFG=$(INSTALL) -m 0644
+
+SYSCONFDIR=/etc
+ETCPAMDDIR=$(SYSCONFDIR)/pam.d
+LIMITSDDIR=$(SYSCONFDIR)/security/limits.d
+
+install:
+ $(INSTALLDIR) $(DESTDIR)$(ETCPAMDDIR)
+ $(INSTALLCFG) $(PAMCFG) $(DESTDIR)$(ETCPAMDDIR)
+ $(INSTALLDIR) $(DESTDIR)$(LIMITSDDIR)
+ $(INSTALLCFG) $(LIMITSCFG) $(DESTDIR)$(LIMITSDDIR)
+
+.PHONY: install
diff --git a/base/pam/pam-policy/other b/base/pam/pam-policy/other
new file mode 100644
index 0000000..08498b4
--- /dev/null
+++ b/base/pam/pam-policy/other
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth required pam_unix.so
+account required pam_unix.so
+password required pam_unix.so
+session required pam_unix.so
diff --git a/base/pam/pam-policy/system-auth b/base/pam/pam-policy/system-auth
new file mode 100644
index 0000000..b28a7e9
--- /dev/null
+++ b/base/pam/pam-policy/system-auth
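Review bot: In `base/pam/pam-policy/other`, the fallback policy sends all four management groups to `pam_unix.so`, so any service that has no file of its own under /etc/pam.d can still authenticate users against their system passwords. A fallback policy normally fails closed: use `auth required pam_warn.so` followed by `auth required pam_deny.so`, and the same pair for `account`, `password` and `session`. That way a missing or misnamed service file is logged and refused instead of being quietly accepted.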
@@ -0,0 +1,17 @@
+#%PAM-1.0
+
+auth required pam_env.so
+auth required pam_unix.so try_first_pass nullok
+auth optional pam_permit.so
+
+account required pam_unix.so
+account optional pam_permit.so
+account required pam_time.so
+
+password required pam_unix.so try_first_pass nullok sha512 shadow
+password optional pam_permit.so
+
+session required pam_limits.so
+session required pam_env.so
+session required pam_unix.so
+session optional pam_permit.so
diff --git a/base/pam/pam-policy/system-local-login b/base/pam/pam-policy/system-local-login
new file mode 100644
index 0000000..347b815
--- /dev/null
+++ b/base/pam/pam-policy/system-local-login
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include system-login
+account include system-login
+password include system-login
+session include system-login
diff --git a/base/pam/pam-policy/system-login b/base/pam/pam-policy/system-login
new file mode 100644
index 0000000..acb4e96
--- /dev/null
+++ b/base/pam/pam-policy/system-login
@@ -0,0 +1,19 @@
+#%PAM-1.0
+
+auth required pam_tally.so onerr=succeed file=/var/log/faillog
+auth required pam_shells.so
+auth requisite pam_nologin.so
+auth include system-auth
+
+account required pam_access.so
+account required pam_nologin.so
+account include system-auth
+
+password include system-auth
+
+session optional pam_loginuid.so
+session required pam_env.so
+session include system-auth
+session optional pam_motd.so motd=/etc/motd
+session optional pam_mail.so dir=/var/spool/mail standard quiet
+-session optional pam_systemd.so
diff --git a/base/pam/pam-policy/system-remote-login b/base/pam/pam-policy/system-remote-login
new file mode 100644
index 0000000..347b815
--- /dev/null
+++ b/base/pam/pam-policy/system-remote-login
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include system-login
+account include system-login
+password include system-login
+session include system-login
diff --git a/base/pam/pam-policy/system-services b/base/pam/pam-policy/system-services
new file mode 100644
index 0000000..311c0d6
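Review bot: In `base/pam/pam-policy/system-auth`, `nullok` on the `auth required pam_unix.so` line lets an account whose password field is empty authenticate with no password. system-local-login and system-remote-login are identical and both include system-login, which includes this file, so the allowance reaches remote logins as well as the console. Unless empty-password accounts are a stated requirement, drop the option from the auth line: `auth required pam_unix.so try_first_pass`. If it has to stay for local use, the remote stack should stop sharing this line, and a comment above it should say why it is there.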
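Review bot: In `base/pam/pam-policy/system-login`, the `pam_tally.so` line carries no `deny=` option, so failed attempts are only counted in /var/log/faillog and nothing is ever locked out; with `onerr=succeed` the module also passes when it hits an error. If throttling password guessing is the goal, state the policy on the line, e.g. `auth required pam_tally.so deny=<N> unlock_time=<SECONDS> onerr=succeed file=/var/log/faillog` (both values are placeholders for the project's policy). If counting alone is intended, add a comment such as `# counts failures only; no lockout is enforced` so the line is not mistaken for brute-force protection.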
--- /dev/null
+++ b/base/pam/pam-policy/system-services
@@ -0,0 +1,11 @@
+#%PAM-1.0
+
+auth sufficient pam_permit.so
+
+account include system-auth
+
+session optional pam_loginuid.so
+session required pam_limits.so
+session required pam_env.so
+session required pam_unix.so
+session optional pam_permit.so |
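Review bot: The auth stack in `base/pam/pam-policy/system-services` is a single `auth sufficient pam_permit.so`, so any service that includes this file for `auth` accepts every caller without checking a credential. That is presumably meant for daemons that never prompt for one, but nothing in the file says so, and including it from a login-capable service would remove authentication entirely. Add a header comment under `#%PAM-1.0`, for example `# auth always succeeds here: include only from services that do not authenticate users`.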