[sojka/debian/lightdm.git] / debian / patches / 05_debianize-pam-files.patch

--- a/data/pam/lightdm
+++ b/data/pam/lightdm
@@ -1,20 +1,36 @@
 #%PAM-1.0
 
 # Block login if they are globally disabled
-auth      required pam_nologin.so
+auth      requisite pam_nologin.so
 
 # Load environment from /etc/environment and ~/.pam_environment
-auth      required pam_env.so
+session      required pam_env.so readenv=1
+session      required pam_env.so readenv=1 envfile=/etc/default/locale
 
-# Use /etc/passwd and /etc/shadow for passwords
-auth      required pam_unix.so
+@include common-auth
 
-# Check account is active, change password if required
-account   required pam_unix.so
+-auth  optional pam_gnome_keyring.so
 
-# Allow password to be changed
-password  required pam_unix.so
+@include common-account
 
-# Setup session
-session   required pam_unix.so
-session   optional pam_systemd.so
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+session  required        pam_limits.so
+session  required        pam_loginuid.so
+@include common-session
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+-session optional        pam_gnome_keyring.so auto_start
+
+@include common-password
--- a/data/pam/lightdm-greeter
+++ b/data/pam/lightdm-greeter
@@ -1,7 +1,8 @@
 #%PAM-1.0
 
 # Load environment from /etc/environment and ~/.pam_environment
-auth      required pam_env.so
+session      required pam_env.so readenv=1
+session      required pam_env.so readenv=1 envfile=/etc/default/locale
 
 # Always let the greeter start without authentication
 auth      required pam_permit.so
--- a/data/pam/lightdm-autologin
+++ b/data/pam/lightdm-autologin
@@ -1,20 +1,36 @@
 #%PAM-1.0
 
 # Block login if they are globally disabled
-auth      required pam_nologin.so
+auth      requisite pam_nologin.so
 
 # Load environment from /etc/environment and ~/.pam_environment
-auth      required pam_env.so
+session      required pam_env.so readenv=1
+session      required pam_env.so readenv=1 envfile=/etc/default/locale
 
 # Allow access without authentication
 auth      required pam_permit.so
 
-# Stop autologin if account requires action
-account   required pam_unix.so
+@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+session  required        pam_limits.so
+session  required        pam_loginuid.so
+@include common-session
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
 
 # Can't change password
 password  required pam_deny.so
 
-# Setup session
-session   required pam_unix.so
-session   optional pam_systemd.so
+@include common-password