Add a system policy, and have the login and su policies include it rather

than duplicate it. This requires OpenPAM Dianthus, which was committed two weeks ago; installing these files on a system running a world older than June 1st, 2003 will cause login(1) and su(1) to fail.
svn path=/head/; revision=116331
2003-06-14 12:35:05 +00:00 · 2003-06-14 12:35:05 +00:00 · c3d7aa730d · 2020-12-20 02:59:44 +00:00
commit c3d7aa730d
parent b6723d4dfb
4 changed files with 35 additions and 23 deletions
--- a/etc/pam.d/Makefile
+++ b/etc/pam.d/Makefile
@ -2,7 +2,7 @@

 NOOBJ=	noobj
 FILES=	README ftpd gdm imap kde login other passwd pop3 \
-	rexecd rsh sshd su telnetd xdm
+	rexecd rsh sshd su system telnetd xdm
 FILESDIR=	/etc/pam.d
 FILESMODE=	644
 FILESMODE_README=	444
--- a/etc/pam.d/login
+++ b/etc/pam.d/login
@ -7,22 +7,14 @@
 # auth
 auth		required	pam_nologin.so		no_warn
 auth		sufficient	pam_self.so		no_warn
-auth		sufficient	pam_opie.so		no_warn no_fake_prompts
-auth		requisite	pam_opieaccess.so	no_warn allow_local
-#auth		sufficient	pam_krb5.so		no_warn try_first_pass
-#auth		sufficient	pam_ssh.so		no_warn try_first_pass
-auth		required	pam_unix.so		no_warn try_first_pass nullok
+auth		include		system

 # account
-#account 	required	pam_krb5.so
-account		required	pam_login_access.so
-account		required	pam_securetty.so
-account		required	pam_unix.so
+account		requisite	pam_securetty.so
+account		include		system

 # session
-#session 	optional	pam_ssh.so
-session		required	pam_lastlog.so		no_fail
+session		include		system

 # password
-#password	sufficient	pam_krb5.so		no_warn try_first_pass
-password	required	pam_unix.so		no_warn try_first_pass
+password	include		system
--- a/etc/pam.d/su
+++ b/etc/pam.d/su
@ -7,16 +7,11 @@
 # auth
 auth		sufficient	pam_rootok.so		no_warn
 auth		sufficient	pam_self.so		no_warn
-auth		requisite	pam_group.so		no_warn root_only fail_safe
-auth		sufficient	pam_opie.so		no_warn no_fake_prompts
-auth		requisite	pam_opieaccess.so	no_warn allow_local
-#auth		sufficient	pam_krb5.so		no_warn try_first_pass auth_as_self
-#auth		required	pam_ssh.so		no_warn try_first_pass
-auth		required	pam_unix.so		no_warn try_first_pass nullok
+auth		requisite	pam_group.so		no_warn group=wheel root_only fail_safe
+auth		include		system

 # account
-#account 	required	pam_krb5.so
-account		required	pam_unix.so
+account		include		system

 # session
-#session 	optional	pam_ssh.so
+session		include		system
--- a/etc/pam.d/system
+++ b/etc/pam.d/system
@ -0,0 +1,25 @@
+#
+# $FreeBSD$
+#
+# System-wide defaults
+#
+
+# auth
+auth		sufficient	pam_opie.so		no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn allow_local
+#auth		sufficient	pam_krb5.so		no_warn try_first_pass
+#auth		sufficient	pam_ssh.so		no_warn try_first_pass
+auth		required	pam_unix.so		no_warn try_first_pass nullok
+
+# account
+#account 	required	pam_krb5.so
+account		required	pam_login_access.so
+account		required	pam_unix.so
+
+# session
+#session 	optional	pam_ssh.so
+session		required	pam_lastlog.so		no_fail
+
+# password
+#password	sufficient	pam_krb5.so		no_warn try_first_pass
+password	required	pam_unix.so		no_warn try_first_pass