Commit Graph

24 Commits

Author SHA1 Message Date
Enji Cooper
2f4a73322e Conditionally install /etc/pam.d/ftp* and /etc/pam.d/telnetd
/etc/pam.d/ftp* should be installed with MK_FTP != no and
/etc/pam.d/telnetd should be installed when MK_TELNET != no.

MFC after:	7 weeks
Sponsored by:	Dell EMC Isilon
2017-04-14 06:42:46 +00:00
Enji Cooper
269960e4b7 Derive {AT,RCMDS}{DIR,MODE} from FILE{DIR,MODE}
This reduces duplicity a bit.

MFC after:	7 weeks
Sponsored by:	Dell EMC Isilon
2017-04-14 06:33:15 +00:00
Glen Barber
2971191a94 Create a rcmds package.
Sponsored by:	The FreeBSD Foundation
2016-01-21 17:33:31 +00:00
Baptiste Daroussin
084e5741bd Append the FILESGROUP rather than overriting 2015-03-15 13:48:50 +00:00
Baptiste Daroussin
58cf66a972 Make at(1) and related tools an individual package 2015-03-05 16:49:52 +00:00
Enji Cooper
a36aaa139e Honor MK_ACCT with etc/pam.d/atrun
MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Division
2015-01-26 08:50:12 +00:00
Martin Wilke
57eef2a0b2 - FreeBSD ships a KDE PAM module in base, but it's missing support for passwordless login (kde-np),
and it doesn't really belong in base system.

PR:		misc/167261
Submitted by:	avilla@
Approved by:	rwatson (mentor)
MFC after:	3 days
2012-05-30 03:10:22 +00:00
Joe Marcus Clarke
8415b7620f Remove gdm as it is no longer needed.
Approved by:	re (kib)
Reminded by:	nork
2009-07-18 16:29:40 +00:00
Yaroslav Tykhiy
997c6eefd8 Add PAM support to cron(8). Now cron(8) will skip commands scheduled
by unavailable accounts, e.g., those locked, expired, not allowed in at
the moment by nologin(5), or whatever, depending on cron's pam.conf(5).
This applies to personal crontabs only, /etc/crontab is unaffected.

In other words, now the account management policy will apply to
commands scheduled by users via crontab(1) so that a user can no
longer use cron(8) to set up a delayed backdoor and run commands
during periods when the admin doesn't want him to.

The PAM check is done just before running a command, not when loading
a crontab, because accounts can get locked, expired, and re-enabled
any time with no changes to their crontabs.  E.g., imagine that you
provide a system with payed access, or better a cluster of such
systems with centralized account management via PAM.  When a user
pays for some days of access, you set his expire field respectively.
If the account expires before its owner pays more, its crontab
commands won't run until the next payment is made.  Then it'll be
enough to set the expire field in future for the commands to run
again.  And so on.

Document this change in the cron(8) manpage, which includes adding
a FILES section and touching the document date.

X-Security: should benefit as users have access to cron(8) by default
2007-06-17 17:25:53 +00:00
Yaroslav Tykhiy
553284d74a Add PAM support to atrun(8). 2007-06-15 12:02:16 +00:00
Yaroslav Tykhiy
2422857757 Split the FILES list across multiple lines as in rc.d/Makefile
so that the change history stays easily readable as the number
of PAM-aware services grows.
2007-06-15 11:22:10 +00:00
Jacques Vidrine
a8e0b2e8ab Remove rexecd(8), a server that implements a particularly insecure
method of executing commands remotely.  There are no rexec clients in
the FreeBSD tree, and the client function rexec(3) is present only in
libcompat.  It has been documented as "obsolete" since 4.3BSD, and its
use has been discouraged in the man page for over 10 years.
2005-06-10 20:52:36 +00:00
Ruslan Ermilov
e653b48c80 Start the dreaded NOFOO -> NO_FOO conversion.
OK'ed by:	core
2004-12-21 08:47:35 +00:00
Ruslan Ermilov
a35d88931c For variables that are only checked with defined(), don't provide
any fake value.
2004-10-24 15:33:08 +00:00
Dag-Erling Smørgrav
c3d7aa730d Add a system policy, and have the login and su policies include it rather
than duplicate it.  This requires OpenPAM Dianthus, which was committed two
weeks ago; installing these files on a system running a world older than
June 1st, 2003 will cause login(1) and su(1) to fail.
2003-06-14 12:35:05 +00:00
Ruslan Ermilov
14ab92b024 Use the canonical form of installing links.
Also, make "ftp" and "ftpd" hard links.

Not objected to by:	des
2003-03-14 09:01:22 +00:00
Dag-Erling Smørgrav
5eb3150c28 There's no reason to have two identical policies for FTP servers, so
make ftp a symlink to ftpd.
2003-02-10 00:47:46 +00:00
Dag-Erling Smørgrav
bc39792308 We don't use this any more.
Sponsored by:	DARPA, NAI Labs
2002-06-19 20:01:25 +00:00
Dag-Erling Smørgrav
05ade9be70 Add a PAM policy for rexecd(8).
Sponsored by:	DARPA, NAI Labs
2002-05-02 05:05:28 +00:00
Ruslan Ermilov
5b3e868df5 Fixed bugs in previous revision:
Added NOOBJ if anyone even attempts to "make obj" here.
Revert to installing files with mode 644 except README.
Make this overall look like a BSD-style Makefile rather
than roll-your-own (this is not a bug).

For the record.  Previous revision also fixed the breakage
introduced by the sys.mk,v 1.60 commit: bsd.own.mk is no
longer automatically included from sys.mk.

Reported by:	jhay
2002-04-18 10:58:14 +00:00
Dag-Erling Smørgrav
8abb6072c1 Use ${FILES} and <bsd.prog.mk> rather than roll-your-own. 2002-04-18 10:07:36 +00:00
Dag-Erling Smørgrav
a64210378b Add PAM policy for the "passwd" service, including a sample config line
for pam_passwdqc.

Sponsored by:	DARPA, NAI Labs
2002-04-15 03:01:32 +00:00
Dag-Erling Smørgrav
9446518a9a Install pam.d files with mode 0644, not 0755. 2001-12-06 23:28:12 +00:00
Dag-Erling Smørgrav
c5a332f021 Makefile for pam.d configuration files.
Sponsored by:	DARPA, NAI Labs
2001-12-06 13:16:47 +00:00