opendoas

my fork of doas with custom prompt
git clone git://git.kocotian.pl/opendoas.git

commit cfa9f0d3b306d6c1287ec4f2aa42be29de66c9de
parent 24b1a957cbe55363ca06a62b10c936e5c53e3423
Author: Duncan Overbruck <mail@duncano.de>
Date:   Fri, 29 Jan 2021 00:00:23 +0100

remove pam.d configuration files

pam configuration files are not portable, it's the job of the
package maintainer or user who builds opendoas themselves to
configure pam in a safe and usable way.

Diffstat:
M GNUmakefile | 5 +----
M README.md | 12 ++++++++++++
M configure | 7 -------
D pam.d__doas__darwin | 5 -----
D pam.d__doas__linux | 4 ----
5 files changed, 13 insertions(+), 20 deletions(-)

diff --git a/GNUmakefile b/GNUmakefile @@ -15,16 +15,13 @@ OBJS:= ${OBJS:.c=.o} ${PROG}: ${OBJS} ${CC} ${CFLAGS} $^ -o $@ ${LDFLAGS} ${LDLIBS} -install: ${PROG} ${PAM_DOAS} ${MAN} +install: ${PROG} ${MAN} mkdir -p -m 0755 ${DESTDIR}${BINDIR} - [ -n "${PAM_DOAS}" ] && mkdir -p -m 0755 ${DESTDIR}${PAMDIR} || true mkdir -p -m 0755 ${DESTDIR}${MANDIR}/man1 mkdir -p -m 0755 ${DESTDIR}${MANDIR}/man5 cp -f ${PROG} ${DESTDIR}${BINDIR} chown ${BINOWN}:${BINGRP} ${DESTDIR}${BINDIR}/${PROG} chmod ${BINMODE} ${DESTDIR}${BINDIR}/${PROG} - [ -n "${PAM_DOAS}" ] && cp ${PAM_DOAS} ${DESTDIR}${PAMDIR}/doas || true - [ -n "${PAM_DOAS}" ] && chmod 0644 ${DESTDIR}${PAMDIR}/doas || true cp -f doas.1 ${DESTDIR}${MANDIR}/man1 cp -f doas.conf.5 ${DESTDIR}${MANDIR}/man5 diff --git a/README.md b/README.md @@ -29,6 +29,18 @@ from openssh (`readpassphrase.c`) or from sudo (`closefrom.c`). The PAM and shadow authentication code does not come from the OpenBSD project. +### pam configuration + +I will not ship pam configuration files, they are distribution specific and +its simply not safe or productive to ship and install those files. + +If you want to use opendoas on your system and there is no package that +ships with a working pam configuration file, then you have to write and +test it yourself. + +A good starting point is probably the distribution maintained `/etc/pam.d/sudo` +file. + ### Perist/Timestamp/Timeout The persist feature is disabled by default and can be enabled with the configure diff --git a/configure b/configure @@ -15,7 +15,6 @@ usage: configure [options] --datadir=DIR architecture-independent data files [PREFIX/share] --mandir=DIR manual pages [DATADIR/man] --sysconfdir=DIR directory for configuration files [/etc] - --pamdir=DIR PAM directory [SYSCONFDIR/pam.d] --build=build-alias a cpu-vendor-opsys for the system where the application will be built --host=host-alias a cpu-vendor-opsys for the system where the application will run 
@@ -52,7 +51,6 @@ for x; do --datadir) SHAREDIR=$var ;; --mandir) MANDIR=$var ;; --sysconfdir) SYSCONFDIR=$var ;; - --pamdir) PAMDIR=$var ;; --build) BUILD=$var ;; --host) HOST=$var ;; --target) TARGET=$var ;; @@ -134,7 +132,6 @@ esac : ${SHAREDIR:=${PREFIX}/share} : ${MANDIR:=${SHAREDIR}/man} : ${SYSCONFDIR:=/etc} -: ${PAMDIR:=${SYSCONFDIR}/pam.d} : ${BINMODE:=4755} : ${BINOWN:=root} : ${BINGRP:=root} @@ -146,7 +143,6 @@ BINDIR ?= ${BINDIR} SHAREDIR ?= ${SHAREDIR} MANDIR ?= ${MANDIR} SYSCONFDIR?= ${SYSCONFDIR} -PAMDIR ?= ${PAMDIR} BINMODE ?= ${BINMODE} BINOWN ?= ${BINOWN} BINGRP ?= ${BINGRP} @@ -203,9 +199,6 @@ int main(void) { printf 'LDLIBS += -lpam\n' >>$CONFIG_MK printf '#define USE_PAM\n' >>$CONFIG_H printf 'pam\n' - - pam_file="pam.d__doas__${OS}" - [ -e "$pam_file" ] && printf 'PAM_DOAS = %s\n' "$pam_file" >>$CONFIG_MK return 0 } diff --git a/pam.d__doas__darwin b/pam.d__doas__darwin @@ -1,5 +0,0 @@ -# sudo: auth account password session -auth required pam_opendirectory.so -account required pam_permit.so -password required pam_deny.so -session required pam_permit.so diff --git a/pam.d__doas__linux b/pam.d__doas__linux @@ -1,4 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -session include system-auth
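Review bot: In the GNUmakefile `install` hunk, dropping the `cp ${PAM_DOAS} ${DESTDIR}${PAMDIR}/doas` step means an install over an earlier build leaves the previously copied `${PAMDIR}/doas` on disk, and nothing in this patch tells the user that the file is now unmanaged. Since the commit message argues that the shipped files were not safe to install generically, the README addition should say that a `doas` PAM file left behind by an older install needs to be reviewed or replaced.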
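Review bot: The new `### pam configuration` section in README.md never names the file the user has to create. The removed install rule wrote it to `${PAMDIR}/doas` with mode 0644, and `PAMDIR` defaulted to `${SYSCONFDIR}/pam.d`, so the text should state that path and mode explicitly, and say what to expect when no such file exists. In the same hunk, "its simply not safe" should read "it's simply not safe".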
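Review bot: In configure, the `--pamdir) PAMDIR=$var ;;` case is removed outright, so packaging scripts that still pass `--pamdir=DIR` now reach whatever the option loop does with unrecognised arguments, which is not visible in this hunk; consider keeping the case as an accepted no-op that prints a deprecation warning. In the last configure hunk the PAM branch still emits `#define USE_PAM` and prints `pam` while `BINMODE` stays at 4755, so a PAM build now installs a setuid binary with no service file alongside it. A one-line notice next to `printf 'pam\n'` saying that no pam.d file will be installed would make that visible at configure time.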