blob: d9ffdac9b009caecf8a21bedf2af444f4bd6ac40 [file] [log] [blame]
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += " file://pam.d/common-password \
file://pam.d/common-account \
file://pam.d/common-auth \
file://pam.d/common-session \
file://faillock.conf \
file://convert-pam-configs.service \
file://convert-pam-configs.sh \
"
inherit systemd
SYSTEMD_SERVICE:${PN} += "convert-pam-configs.service"
FILES:${PN} += "${bindir}/convert-pam-configs.sh \
${systemd_system_unitdir}/convert-pam-configs.service \
"
do_install:append() {
# The libpam recipe will always add a pam_systemd.so line to
# common-session if systemd is enabled; however systemd only
# builds pam_systemd.so if logind is enabled, and we disable
# that package. So, remove the pam_systemd.so line here.
sed -i '/pam_systemd.so/d' ${D}${sysconfdir}/pam.d/common-session
install -d ${D}/etc/security
install -m 0644 ${WORKDIR}/faillock.conf ${D}/etc/security
install -d ${D}${bindir}
install -m 0755 ${WORKDIR}/convert-pam-configs.sh ${D}${bindir}
install -d ${D}${systemd_system_unitdir}
install -m 0644 ${WORKDIR}/convert-pam-configs.service ${D}${systemd_system_unitdir}
}
RDEPENDS:${PN}-runtime += "libpwquality \
${MLPREFIX}pam-plugin-faillock-${libpam_suffix} \
${MLPREFIX}pam-plugin-pwhistory-${libpam_suffix} \
${MLPREFIX}pam-plugin-succeed-if-${libpam_suffix} \
${MLPREFIX}pam-plugin-localuser-${libpam_suffix} \
"
#
# Background:
# 1. Linux-PAM modules tally2 and cracklib were removed in libpam_1.5,
# which prompted OpenBMC to change to the faillock and pwquality modules.
# The PAM config files under /etc/pam.d were changed accordingly.
# 2. OpenBMC implementations store Redfish property values in PAM config files.
# For example, the D-Bus property maxLoginAttemptBeforeLockout is stored in
# /etc/pam.d/common-auth as the pam_tally2.so deny= parameter value.
# 3. The /etc directory is readonly and has a readwrite overlayfs. That
# means when a config file changes, an overlay file is created which hides
# the readonly version.
#
# Problem scenario:
# 1. Begin with a BMC that has a firmware image which has the old PAM
# modules and the old PAM config files which have modified parameters.
# For example, there is an overlay file for /etc/pam.d/common-auth.
# 2. Perform a firmware update to a firmware image which has the new PAM
# modules. The updated image will have not have the old PAM modules.
# It will have the new PAM config files in its readonly file system and
# the old PAM config files in its readwrite overlay.
# 3. Note that PAM authentication will always fail at this point because
# the old PAM config files in the overlay tell PAM to use the old PAM
# modules which are not present on the system.
#
# Two possible recoveries are:
# A. Factory reset the BMC. This will clear the readwrite overlay,
# allowing PAM to use the readonly version.
# B. Convert the old PAM config files to the new style. See below.
#
# Service: The convert-pam-configs.service updates the old-style PAM config
# files on the BMC: it changes uses of the old modules to the new modules
# and carries forward configuration parameters. A key point is that files
# are written to *only* as needed to convert uses of the old modules to the
# new modules. See the conversion tool for details.
#
# This service can be removed when the BMC no longer supports a direct
# firware update path from a version which has the old PAM configs to a
# version which has the new PAM configs.
#
# In case of downgrade, Factory reset is recommended. Current logic in existing
# images won't be able to take care of these settings during downgrade.