pam: Disable sensitive log & nullok

pam_unix logs the user name when sessions are established; set the
quiet option in the configuration to suppress this. This is done to
avoid logging the user name, as logs will be exported as part of
debug log dumps etc., thereby compromising sensitive information.
Also disallow nullok login from a security point of view.

Tested:
1. Verified that session establishments are not recorded with the user
name.
2. Verified that webui, redfish, ipmi and ssh logins work as expected.

Change-Id: I3ddd0644fdc9c25f8252d0ca82d0d62b597c4447
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
diff --git a/recipes-extended/pam/libpam/pam.d/common-auth b/recipes-extended/pam/libpam/pam.d/common-auth
index 58ed74f..8eef164 100644
--- a/recipes-extended/pam/libpam/pam.d/common-auth
+++ b/recipes-extended/pam/libpam/pam.d/common-auth
@@ -10,7 +10,7 @@
 # here are the per-package modules (the "Primary" block)
 auth	[success=ok user_unknown=ignore default=2]	pam_tally2.so deny=0 unlock_time=0
 # Try for local user first, and then try for ldap
-auth	[success=2 default=ignore]	pam_unix.so nullok_secure
+auth	[success=2 default=ignore]	pam_unix.so quiet
 -auth    [success=1 default=ignore]  	pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
 # here's the fallback if no module succeeds
 auth	requisite			pam_deny.so
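Review bot: The `quiet` option added to the `pam_unix.so` auth line is, as far as pam_unix(8) documents it, limited to the session open/close syslog messages, so on this line it probably changes nothing. Authentication-failure messages from pam_unix, and whatever the calling services log themselves, would still carry the user name, so this line alone does not keep user names out of exported logs. Dropping `nullok_secure` is the effective change here, and a comment above the line such as `# no nullok: accounts with an empty password cannot authenticate` would record that intent. The auth stack begins before this hunk, so the earlier lines were not reviewed.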
diff --git a/recipes-extended/pam/libpam/pam.d/common-session b/recipes-extended/pam/libpam/pam.d/common-session
new file mode 100644
index 0000000..e8751d2
--- /dev/null
+++ b/recipes-extended/pam/libpam/pam.d/common-session
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session	[default=1]			pam_permit.so
+# here's the fallback if no module succeeds
+session	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session	required	pam_unix.so quiet
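Review bot: `pam_unix.so quiet` on the last line removes the session open/close records from syslog altogether, not only the user name, and those records are commonly what an investigator relies on to reconstruct who logged in and when. It would be worth confirming that another record of session establishment survives outside the debug dump (for example a separate audit or event log, if the platform has one), or narrowing what the dump collects instead. The file otherwise looks like a copy of the stock common-session, so a comment above the line such as `# quiet: suppress session open/close syslog entries; user names must not reach exported debug logs` would keep the option from being dropped on a later resync.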
diff --git a/recipes-extended/pam/libpam_%.bbappend b/recipes-extended/pam/libpam_%.bbappend
index f97664f..770ffea 100644
--- a/recipes-extended/pam/libpam_%.bbappend
+++ b/recipes-extended/pam/libpam_%.bbappend
@@ -3,6 +3,7 @@
 SRC_URI += " file://pam.d/common-password \
              file://pam.d/common-account \
              file://pam.d/common-auth \
+             file://pam.d/common-session \
             "
 
 RDEPENDS_${PN}-runtime += "${MLPREFIX}pam-plugin-cracklib-${libpam_suffix} \