diff options
| author | Serge Hallyn <serge@hallyn.com> | 2016-07-30 23:28:48 -0500 |
|---|---|---|
| committer | Serge Hallyn <serge@hallyn.com> | 2016-07-30 23:29:49 -0500 |
| commit | 5a6e0c0ebd4166f3df9b0b4c628705e5e3a05aa0 (patch) | |
| tree | cc01d829df509da63b34f35b7fe9e1b8621165e2 /debian/login.pam | |
| parent | f9aecd19f3cc7c1389cbeb3c8e0e6f0679d745b7 (diff) | |
| download | shadow-5a6e0c0ebd4166f3df9b0b4c628705e5e3a05aa0.tar.gz | |
Merge upstream 4.3
Diffstat (limited to 'debian/login.pam')
| -rw-r--r-- | debian/login.pam | 32 |
1 files changed, 16 insertions, 16 deletions
diff --git a/debian/login.pam b/debian/login.pam index dccad1f2..b165d029 100644 --- a/debian/login.pam +++ b/debian/login.pam @@ -35,23 +35,13 @@ auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] # (Replaces the `NOLOGINS_FILE' option from login.defs) auth requisite pam_nologin.so -# SELinux needs to be the first session rule. This ensures that any -# lingering context has been cleared. Without this it is possible +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible # that a module could execute code in the wrong domain. # When the module is present, "required" would be sufficient (When SELinux # is disabled, this returns success.) session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close -# Sets the loginuid process attribute -session required pam_loginuid.so - -# SELinux needs to intervene at login time to ensure that the process -# starts in the proper default security context. Only sessions which are -# intended to run in the user's context should be run after this. -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open -# When the module is present, "required" would be sufficient (When SELinux -# is disabled, this returns success.) - # This module parses environment configuration file(s) # and also allows you to use an extended config # file /etc/security/pam_env.conf. @@ -72,7 +62,7 @@ session required pam_env.so readenv=1 envfile=/etc/default/locale auth optional pam_group.so # Uncomment and edit /etc/security/time.conf if you need to set -# time restraint on logins. +# time restrainst on logins. # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs # as well as /etc/porttime) # account requisite pam_time.so @@ -86,16 +76,16 @@ auth optional pam_group.so # (Replaces the use of /etc/limits in old login) session required pam_limits.so -# Prints the last login info upon successful login +# Prints the last login info upon succesful login # (Replaces the `LASTLOG_ENAB' option from login.defs) session optional pam_lastlog.so -# Prints the message of the day upon successful login. +# Prints the message of the day upon succesful login. # (Replaces the `MOTD_FILE' option in login.defs) session optional pam_exec.so type=open_session stdout /bin/uname -snrvm session optional pam_motd.so -# Prints the status of the user's mailbox upon successful login +# Prints the status of the user's mailbox upon succesful login # (Replaces the `MAIL_CHECK_ENAB' option from login.defs). # # This also defines the MAIL environment variable @@ -105,7 +95,17 @@ session optional pam_motd.so # See comments in /etc/login.defs session optional pam_mail.so standard +# Sets the loginuid process attribute +session required pam_loginuid.so + # Standard Un*x account and session @include common-account @include common-session @include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) |