Commit Graph

21 Commits

Author SHA1 Message Date
Lennart Poettering
75f8b0fe70 man: don't suggest using pam_unix.so's use_authtok switch
Our dumbed down example PAM stacks do not contain cracklib/pwq modules,
hence using use_authtok on the pam_unix.so password change stack won't
work, because it has the effect that pam_unix.so never asks for a
password on its own, expecting the cracklib/pwq modules to have
queried/validated them beforehand.

I noticed this issue because of #30969: Debian's PAM setup suffers by
the same issue – even though they don't actually use our suggested PAM
fragments at all.

See: #30969
2024-01-17 23:59:05 +00:00
Lennart Poettering
02e9308751 docs: excorcise NIS from nsswitch.conf
Let's replace the "compat" module in our proposed nsswitch.conf
configuration with "files", since it is not 1995 anymore.

Fedora and other distros have deprecated and removed NIS support a while
back. While others still retain some support I am not sure we should
advertise it in our examples. Downstream can of course still use
"compat" instead of "files" if they want to, but let's not confuse
people who don't care about NIS anymore with this.

Also, bring the nsswitch.conf snippet in README in line with what our
man pages say.

Also see: https://fedoraproject.org/wiki/Changes/retire_NIS_user_space_utils
2023-09-20 15:17:52 +02:00
Mike Yuan
f129d0e77c vconsole: allow setting default keymap through build option
Allow defining the default keymap to be used by
vconsole-setup through a build option. A template
vconsole.conf also gets populated by tmpfiles if
it doesn't exist.
2023-02-15 20:00:51 +00:00
Zbigniew Jędrzejewski-Szmek
8f04a1ca2b meson: also allow setting GIT_VERSION via templates
GIT_VERSION is not available as a config.h variable, because it's rendered
into version.h during builds. Let's rework jinja2 rendering to also
parse version.h. No functional change, the new variable is so far unused.

I guess this will make partial rebuilds a bit slower, but it's useful
to be able to use the full version string.
2022-04-05 22:18:31 +02:00
Luca BRUNO
8e85924fd6
factory/locale.conf: mention systemd ownership
This explicitly mentions that comments and empty lines are supported
(and ignored) in /etc/locale.conf. It then adds ownership reference
to the factory default.
2021-12-23 14:18:02 +00:00
Luca BRUNO
623370e643
factory: populate /etc/locale.conf with systemd build-time setting
This adds /etc/locale.conf to the set of configuration files
populated by tmpfiles.d factory /etc handling.
In particular, the build-time locale configuration in systemd is
now wired to a /usr factory file, and installed to the system.
On boot, if other locale customization tools did not write
/etc/locale.conf on the system, the factory default file gets
copied to /etc by systemd-tmpfiles.
This is done in order to avoid skews between different system
components when no locale settings are configured. At that point,
systemd can safely act as the fallback owner of /etc/locale.conf.
2021-12-23 11:01:12 +00:00
Lennart Poettering
971c07fc68 pam: fix typo try_authtok → use_authtok
This was a copy/paste mistae apparently, there's not "try_authtok" and
this was supposed to copy what Fedora uses, which uses "use_authtok"
correctly. Hence adjust this.

Fixes: #19369
2021-05-12 12:14:17 +02:00
Lennart Poettering
f43a19ecd6 nss-systemd: synthesize NSS shadow/gshadow records from userdb, as well
This ensures we not only synthesize regular paswd/group records of
userdb records, but shadow records as well. This should make sure that
userdb can be used as comprehensive superset of the classic
passwd/group/shadow/gshadow functionality.
2021-05-08 14:35:28 +02:00
Lennart Poettering
d296c20f1f man: move 'files' module in NSS 'hosts:' line before myhostname
I am pretty sure /etc/hosts (i.e. an explicitly configured, local,
trusted database) should be useful for overriding the automatic
myhostname logic.

resolved's internal logic handles it that way and hence we should
suggest it in the NSS fallback line, too.

Let's also bring the factory file back into sync with what the docs say.

And update the prose a bit too, to actually match what we recommend.
2020-08-17 18:55:59 +02:00
Lennart Poettering
38ccb55731 nss-mymachines: drop support for UID/GID resolving
Now that we make the user/group name resolving available via userdb and
thus nss-systemd, we do not need the UID/GID resolving support in
nss-mymachines anymore. Let's drop it hence.

We keep the module around, since besides UID/GID resolving it also does
hostname resolving, which we care about. (One of those days we should
replace that by some Varlink logic between
nss-resolve/systemd-resolved.service too)

The hooks are kept in the NSS module, but they do not resolve anything
anymore, in order to keep compat at a maximum.
2020-07-14 17:08:12 +02:00
Lennart Poettering
26cf9fb7f8 home: add pam_systemd_home.so PAM hookup
In a way fixes: https://bugs.freedesktop.org/show_bug.cgi?id=67474
2020-01-28 22:36:41 +01:00
Lennart Poettering
1684c56f40 nss: hook up nss-systemd with userdb varlink bits
This changes nss-systemd to use the new varlink user/group APIs for
looking up everything.

(This also changes the factory /etc/nsswitch.conf line to use for
hooking up nss-system to use glibc's [SUCCESS=merge] feature so that we
can properly merge group membership lists).

Fixes: #12492
2020-01-15 15:29:07 +01:00
Lennart Poettering
062666c7c4 factory: add default /etc/issue file
Booting up an image with --volatile=yes otherwise looks so naked, so
let's include this file in the default factory too. It's common and
simple and should be safe to ship.
2019-07-24 08:57:23 +09:00
Lennart Poettering
4c92bf408d factory: include pam_keyinit.so in PAM factory configuration
We use the keyring, so let's make sure it gets properly initialized for
sessions in factory reset mode.
2019-07-13 11:06:24 +02:00
Lennart Poettering
29d30ae7b6 factory: add comment to PAM file, explaining that the defaults are not useful 2019-07-13 11:06:24 +02:00
Lennart Poettering
ed40cb82f7 factory: tighten PAM configuration
Apparently PAM reacts differently on different systems (?) and if no
authoritative matching module is found might either succeed/fail,
depending on the system.

Let's lock this down explicitly, by hooking in pam_deny.so.

Of course, these PAM files are just examples, and no distro in its right
mind would ship these unmodified, but let's default to something safe.

Fixes: #12950
2019-07-13 11:06:24 +02:00
Zbigniew Jędrzejewski-Szmek
94f760ec9d man,factory: update factory config for nsswitch.conf to match the man pages
Also add a note in the man pages to remind people to adjust the factory config
and other man pages at the same time.
2018-11-27 22:35:02 +01:00
Kay Sievers
c009072ec5 factory: remove broken pam_limits
Stupid PAM, please just go away!

login[26]: pam_limits(login:session): error parsing the configuration file: '/etc/security/limits.conf'
login[26]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
login[26]: Error in service module
2014-07-30 15:21:54 +02:00
Kay Sievers
32767cb1e8 login: update systemd-user PAM configuration file 2014-07-29 13:20:20 +02:00
Kay Sievers
ccc6fa0d6b factory: nss - add generic config 2014-07-27 14:53:21 +02:00
Kay Sievers
e5168066e7 factory: PAM - add generic fallback config
Single PAM fallback config file to be used in /etc to allow
bootstrapping of a system with an empty /etc.
2014-07-27 14:34:19 +02:00