From 4ca0af699b5b4b3cf95b3e76482651949fd922ac Mon Sep 17 00:00:00 2001 From: Ming Liu Date: Fri, 26 Jul 2013 17:51:02 +0800 Subject: libpam: deny all services for the OTHER entries To be secure, change behavior of the OTHER entries to warn and deny access to everything by stating pam_deny.so on all services. Signed-off-by: Ming Liu Signed-off-by: Saul Wold --- meta/recipes-extended/pam/libpam/pam.d/other | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) (limited to 'meta/recipes-extended') diff --git a/meta/recipes-extended/pam/libpam/pam.d/other b/meta/recipes-extended/pam/libpam/pam.d/other index 6e40cd0c02..ec970ecbe0 100644 --- a/meta/recipes-extended/pam/libpam/pam.d/other +++ b/meta/recipes-extended/pam/libpam/pam.d/other @@ -6,22 +6,19 @@ #pam_open_session, the session module out of /etc/pam.d/other is #used. -#If you really want nothing to happen then use pam_permit.so or -#pam_deny.so as appropriate. - # We use pam_warn.so to generate syslog notes that the 'other' #fallback rules are being used (as a hint to suggest you should setup -#specific PAM rules for the service and aid to debugging). We then -#fall back to the system default in /etc/pam.d/common-* +#specific PAM rules for the service and aid to debugging). Then to be +#secure, deny access to all services by default. auth required pam_warn.so -auth include common-auth +auth required pam_deny.so account required pam_warn.so -account include common-account +account required pam_deny.so password required pam_warn.so -password include common-password +password required pam_deny.so session required pam_warn.so -session include common-session +session required pam_deny.so -- cgit 1.2.3-korg