Diffstat (limited to 'base/pam')
-rw-r--r--base/pam/pam-policy/90-nproc.conf6
-rw-r--r--base/pam/pam-policy/Makefile18
-rw-r--r--base/pam/pam-policy/other5
-rw-r--r--base/pam/pam-policy/system-auth17
-rw-r--r--base/pam/pam-policy/system-local-login6
-rw-r--r--base/pam/pam-policy/system-login19
-rw-r--r--base/pam/pam-policy/system-remote-login6
-rw-r--r--base/pam/pam-policy/system-services11
8 files changed, 88 insertions, 0 deletions
diff --git a/base/pam/pam-policy/90-nproc.conf b/base/pam/pam-policy/90-nproc.conf
new file mode 100644
index 0000000..104dffd
--- /dev/null
+++ b/base/pam/pam-policy/90-nproc.conf
@@ -0,0 +1,6 @@
+# Default limit for number of user's processes to prevent
+# accidental fork bombs.
+# See rhbz #432903 for reasoning.
+
+* soft nproc 1024
+root soft nproc unlimited
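Review bot: Only a `soft` nproc value is set here, so any user can raise it again with `ulimit -u` up to whatever hard limit is in force. That matches the stated goal of stopping accidental fork bombs, but the header comment should say so, to keep the file from being read as a control against deliberate process exhaustion. I would add `# Soft limit only: users may raise it up to the hard limit; add a "hard nproc" entry if enforcement is wanted.`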
diff --git a/base/pam/pam-policy/Makefile b/base/pam/pam-policy/Makefile
new file mode 100644
index 0000000..860ae17
--- /dev/null
+++ b/base/pam/pam-policy/Makefile
@@ -0,0 +1,18 @@
+PAMCFG=other system-auth system-local-login system-login system-remote-login system-services
+LIMITSCFG=90-nproc.conf
+
+INSTALL=/usr/bin/install
+INSTALLDIR=$(INSTALL) -m 0755 -d
+INSTALLCFG=$(INSTALL) -m 0644
+
+SYSCONFDIR=/etc
+ETCPAMDDIR=$(SYSCONFDIR)/pam.d
+LIMITSDDIR=$(SYSCONFDIR)/security/limits.d
+
+install:
+ $(INSTALLDIR) $(DESTDIR)$(ETCPAMDDIR)
+ $(INSTALLCFG) $(PAMCFG) $(DESTDIR)$(ETCPAMDDIR)
+ $(INSTALLDIR) $(DESTDIR)$(LIMITSDDIR)
+ $(INSTALLCFG) $(LIMITSCFG) $(DESTDIR)$(LIMITSDDIR)
+
+.PHONY: install
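Review bot: `install` is the first and only target, which makes it the default goal, so a bare `make` in this directory writes into `$(DESTDIR)$(SYSCONFDIR)/pam.d`. With `DESTDIR` unset and run as root, that replaces the live `/etc/pam.d/system-auth`, `system-login` and `other` on the build host. A no-op default target ahead of it avoids that: add `all:` above `install:` and change the last line to `.PHONY: all install`. The `install` calls also pass no `-o`/`-g`, so in a staged build the files are owned by the invoking user unless the packaging step resets ownership; worth confirming.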
diff --git a/base/pam/pam-policy/other b/base/pam/pam-policy/other
new file mode 100644
index 0000000..08498b4
--- /dev/null
+++ b/base/pam/pam-policy/other
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth required pam_unix.so
+account required pam_unix.so
+password required pam_unix.so
+session required pam_unix.so
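Review bot: The `other` file is the fallback for any service that has no file of its own in `/etc/pam.d`, and all four stacks here pass such a service through `pam_unix.so`. A new or misnamed service therefore silently gets ordinary password authentication instead of being refused. The usual hardening is to fail closed in the fallback, e.g. `auth required pam_deny.so`, with the same substitution on the account, password and session lines. A `pam_warn.so` entry ahead of each would also log the attempt. If permitting unknown services is intentional for this distribution, a comment at the top of the file should say so.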
diff --git a/base/pam/pam-policy/system-auth b/base/pam/pam-policy/system-auth
new file mode 100644
index 0000000..b28a7e9
--- /dev/null
+++ b/base/pam/pam-policy/system-auth
@@ -0,0 +1,17 @@
+#%PAM-1.0
+
+auth required pam_env.so
+auth required pam_unix.so try_first_pass nullok
+auth optional pam_permit.so
+
+account required pam_unix.so
+account optional pam_permit.so
+account required pam_time.so
+
+password required pam_unix.so try_first_pass nullok sha512 shadow
+password optional pam_permit.so
+
+session required pam_limits.so
+session required pam_env.so
+session required pam_unix.so
+session optional pam_permit.so
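Review bot: `nullok` on the auth line lets an account with an empty password field authenticate with no password. Because `system-login`, `system-local-login` and `system-remote-login` all include this file, that applies to remote logins as well as console ones, unless the service itself refuses empty passwords. I would drop it from the auth line, `auth required pam_unix.so try_first_pass`. If empty passwords are needed for first-boot or live images, confine `nullok` to the local-login stack and note the reason in a comment. The password stack also has no quality or history module ahead of `pam_unix.so`, which may be deliberate for a base policy but is worth stating.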
diff --git a/base/pam/pam-policy/system-local-login b/base/pam/pam-policy/system-local-login
new file mode 100644
index 0000000..347b815
--- /dev/null
+++ b/base/pam/pam-policy/system-local-login
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include system-login
+account include system-login
+password include system-login
+session include system-login
diff --git a/base/pam/pam-policy/system-login b/base/pam/pam-policy/system-login
new file mode 100644
index 0000000..acb4e96
--- /dev/null
+++ b/base/pam/pam-policy/system-login
@@ -0,0 +1,19 @@
+#%PAM-1.0
+
+auth required pam_tally.so onerr=succeed file=/var/log/faillog
+auth required pam_shells.so
+auth requisite pam_nologin.so
+auth include system-auth
+
+account required pam_access.so
+account required pam_nologin.so
+account include system-auth
+
+password include system-auth
+
+session optional pam_loginuid.so
+session required pam_env.so
+session include system-auth
+session optional pam_motd.so motd=/etc/motd
+session optional pam_mail.so dir=/var/spool/mail standard quiet
+-session optional pam_systemd.so
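Review bot: The `pam_tally.so` line at the top of the auth stack has no `deny=` option, so as written it only counts failures in `/var/log/faillog` and never refuses a login. `onerr=succeed` additionally makes it fail open if the tally file cannot be read or written. There is also no matching `account required pam_tally.so` line, which is what resets the counter after a successful login, so enabling a threshold later would lock users out on accumulated historical failures. If lockout is intended, add a `deny=<threshold>` value and the account-phase line together. If only logging is intended, a comment saying so would keep the line from being mistaken for brute-force protection. Note too that `pam_tally` has been deprecated upstream in favour of `pam_faillock`.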
diff --git a/base/pam/pam-policy/system-remote-login b/base/pam/pam-policy/system-remote-login
new file mode 100644
index 0000000..347b815
--- /dev/null
+++ b/base/pam/pam-policy/system-remote-login
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include system-login
+account include system-login
+password include system-login
+session include system-login
diff --git a/base/pam/pam-policy/system-services b/base/pam/pam-policy/system-services
new file mode 100644
index 0000000..311c0d6
--- /dev/null
+++ b/base/pam/pam-policy/system-services
@@ -0,0 +1,11 @@
+#%PAM-1.0
+
+auth sufficient pam_permit.so
+
+account include system-auth
+
+session optional pam_loginuid.so
+session required pam_limits.so
+session required pam_env.so
+session required pam_unix.so
+session optional pam_permit.so
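Review bot: `auth sufficient pam_permit.so` makes authentication succeed unconditionally for any service whose PAM file includes `system-services` in its auth stack. That is presumably meant for daemons that open sessions without prompting for credentials, but nothing in the file says so, and a login-capable service pointed at it by mistake would accept any user without a password. I would add a header comment such as `# For non-interactive services only: auth always succeeds here. Never include from a service that authenticates users.`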