[gdm/f16] Lock down the pam config,
Ray Strode
rstrode at fedoraproject.org
Tue Aug 9 18:41:51 UTC 2011
commit 69c2c9ba3c3a2fec4a2bd7f808e7bf8d129178c6
Author: Ray Strode <rstrode at redhat.com>
Date: Tue Aug 9 14:40:51 2011 -0400
Lock down the pam config,
We don't want to run the greeter
with unconfined/elevated privileges
Resolves: #729302
...register-in-PAM-in-addition-to-ConsoleKit.patch | 3 +--
gdm-welcome-pam | 6 +-----
gdm.spec | 7 ++++++-
3 files changed, 8 insertions(+), 8 deletions(-)
---
diff --git a/0001-welcome-register-in-PAM-in-addition-to-ConsoleKit.patch b/0001-welcome-register-in-PAM-in-addition-to-ConsoleKit.patch
index 301163d..e023064 100644
--- a/0001-welcome-register-in-PAM-in-addition-to-ConsoleKit.patch
+++ b/0001-welcome-register-in-PAM-in-addition-to-ConsoleKit.patch
@@ -232,12 +232,11 @@ new file mode 100644
index 0000000..8d2ea85
--- /dev/null
+++ b/data/gdm-welcome
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,4 @@
+#%PAM-1.0
+session optional pam_keyinit.so force revoke
+session include system-auth
+session required pam_loginuid.so
-+session optional pam_console.so
--
1.7.6
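Review bot: The data/gdm-welcome stack embedded in this patch and the packaged gdm-welcome-pam file both define the greeter's PAM service, but with different session lines and ordering. This copy has no `session include postlogin` and runs pam_loginuid.so last. If gdm-welcome-pam is the file that gets installed, consider dropping the file from the patch or making the two identical, so a later edit to one copy does not bring pam_console.so back through the other.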
diff --git a/gdm-welcome-pam b/gdm-welcome-pam
index 96fcfe3..17f323e 100644
--- a/gdm-welcome-pam
+++ b/gdm-welcome-pam
@@ -1,15 +1,11 @@
- #%PAM-1.0
+#%PAM-1.0
auth required pam_env.so
auth required pam_permit.so
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
-session required pam_selinux.so close
session required pam_loginuid.so
-session optional pam_console.so
-session required pam_selinux.so open
session optional pam_keyinit.so force revoke
-session required pam_namespace.so
session include system-auth
session include postlogin
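Review bot: The four removed session lines (pam_selinux.so close and open, pam_console.so, pam_namespace.so) leave no trace in the file of why they are absent, and the commit message states only the goal. PAM service files accept # comments, so add a short comment above the session block saying these modules are intentionally omitted for the greeter and citing #729302; otherwise a later sync with another service file can silently put them back. The remaining `auth required pam_permit.so` line would benefit from a similar one-line comment confirming it is deliberate for this service.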
diff --git a/gdm.spec b/gdm.spec
index 28c2766..b72ea4b 100644
--- a/gdm.spec
+++ b/gdm.spec
@@ -15,7 +15,7 @@
Summary: The GNOME Display Manager
Name: gdm
Version: 3.1.2
-Release: 4%{?dist}
+Release: 5%{?dist}
Epoch: 1
License: GPLv2+
Group: User Interface/X
@@ -369,6 +369,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor >&/dev/null || :
%{_libdir}/gdm/simple-greeter/extensions/libfingerprint.so
%changelog
+* Tue Aug 09 2011 Ray Strode <rstrode at redhat.com> 3.1.2-5
+- Lock down the pam config, so we don't run the greeter
+ with unconfined/elevated privileges
+ Resolves: #729302
+
* Wed Aug 3 2011 Lennart Poettering <lpoetter at redhat.com> - 1:3.1.2-4
- Register welcome pseudo-session in PAM
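Review bot: The new %changelog header ends in `3.1.2-5`, while the entry directly below it uses `- 1:3.1.2-4` and the spec sets Epoch: 1. Write it as `- 1:3.1.2-5` so the version field carries the epoch and matches the existing entry format.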